Drupal scanner: a public pre-check before maintenance or upgrades

The real state of a Drupal website is best checked with access to code, logs, configuration and the database. A public scanner still helps reveal visible warning signs quickly.

The WebPro Drupal scanner is a simple public pre-check. You enter a website address, start the scan and get a first view based on information visible from the outside. It does not log in, change the site or require credentials.

The result is not an official audit and it does not prove that a site is safe. A lower result means only that public data did not show an obvious high-risk signal. If you do not know when the site was last updated, it should be checked properly.

What it checks

The scanner looks for signals that are often visible without logging in:

  • public Drupal and PHP traces;
  • Drupal and PHP support risks;
  • security headers and the TLS certificate;
  • accidentally public files such as backups, test files or composer.lock;
  • public endpoints and error messages;
  • visible privacy and cookie signals;
  • initial accessibility signals.

If a public composer.lock file is found, dependencies can be checked against known vulnerabilities through sources such as OSV. Drupal teams should also follow Drupal.org security advisories, and PHP support should be checked against the official PHP supported versions page.
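An added example, not part of the original article or the WebPro scanner's code: one way a site owner could check their own composer.lock against OSV's batch query endpoint using the Packagist ecosystem. The sample lock content and the function names are constructed for illustration, and stripping a leading "v" from version tags is an assumption.

```python
import json
import urllib.request
OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample standing in for a real composer.lock (not from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.5.0"},
        {"name": "symfony/http-foundation", "version": "v4.4.49"},
        {"name": "example/custom-module", "version": "dev-main"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.3"}],
})

def locked_packages(lock_text, include_dev=False):
    """Return (pinned, skipped) lists of (name, version) from composer.lock text."""
    lock = json.loads(lock_text)
    entries = list(lock.get("packages") or [])
    if include_dev:
        entries += lock.get("packages-dev") or []
    pinned, skipped = [], []
    for pkg in entries:
        name, version = pkg.get("name"), str(pkg.get("version", ""))
        # Branch aliases such as dev-main or 2.x-dev are not releases, so they
        # cannot be matched by version; report them for manual review instead.
        if not name or not version or version.startswith("dev-") or version.endswith("-dev"):
            skipped.append((name, version))
        else:
            # Assumption: tags like v4.4.49 are queried without the leading "v".
            pinned.append((name, version.lstrip("v")))
    return pinned, skipped

def osv_batch_payload(pinned):
    """Build the request body for OSV's batch query endpoint."""
    return {"queries": [{"package": {"name": n, "ecosystem": "Packagist"}, "version": v}
                        for n, v in pinned]}

def query_osv(payload, timeout=10):
    """POST the payload to OSV; returns one result per query, in order."""
    req = urllib.request.Request(OSV_BATCH_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["results"]

if __name__ == "__main__":
    pinned, skipped = locked_packages(SAMPLE_LOCK)
    print(json.dumps(osv_batch_payload(pinned), indent=2))
    print("needs manual review:", skipped)
```

Running the file only prints the request body; call `query_osv(osv_batch_payload(pinned))` to send it, and treat an empty result for a package as "no known advisory for that version", not as proof the site is patched.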

What it cannot prove

A public scanner cannot see everything. It cannot review code quality, backups, user permissions, server configuration, Drupal administration, logs or whether updates have been applied in a controlled way.

It also cannot make a final decision about GDPR or accessibility. Cookie consent, privacy wording, forms, logging, data retention and consent handling may include details that are not visible in public HTML. Accessibility can be partly checked automatically, but WCAG conformance also needs manual review. We are not GDPR experts and this is not legal advice.

Why the first check matters

Security risk does not wait. Attackers search for weak signals at scale, and AI tools make that easier to automate. Anthropic has described how AI can help attackers perform broader technical preparation and automate tasks that previously needed more manual effort (see Anthropic threat intelligence).

The scanner should be treated as an early warning tool. If it finds issues, the next step is not always a full rebuild. The first task is to decide whether the website needs maintenance, an upgrade, a migration or a technical audit.

For a simple site, maintenance and security updates may be enough. For Drupal 6, 7 or 8, migration may be the more realistic path. For a business-critical site, ecommerce platform or system with integrations, dependencies and risks should be mapped before work begins — our technical audit service helps with that.

Kaido Toomingas, WebPro Company OÜ
