How we dealt with Heartbleed and Drupal

I just wanted to share how we have dealt with the Heartbleed bug at work, in case there is anyone else out there who runs a Drupal site and needs some help.

Obviously we have patched the servers and had new certificates issued, but the job of resetting passwords is the tricky one. We could take the approach of asking our users to change their passwords, but if more than 5% of users actually did that I would be shocked.

Below is a hook_update snippet of code similar to the one we used to force every user to reset their password.

The code works by forcefully ending every user's session (by truncating the sessions table). We then update every user's password with a randomly generated password (that we do not know) to prevent them from being able to log in with their possibly compromised password. Finally, we send every user the "reset your password" email with the one-time login link to make it easy for them to get back in.

function HOOK_update_7???() {
  // user_hash_password() lives in includes/password.inc.
  require_once DRUPAL_ROOT . '/includes/password.inc';

  // Log users out by ending every session.
  db_truncate('sessions')->execute();

  // Generate a random password that nobody knows.
  $password = user_password();

  // Hash the password.
  $password = user_hash_password($password);

  // Update every password to the hashed generated one, except uid 0 and 1.
  $updatepass = db_update('users')
    ->fields(array(
      'pass' => $password,
    ))
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->execute();

  // Get the uids of the users to send the email to.
  $users = db_select('users', 'u')
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->fields('u', array('uid'))
    ->execute();

  // Send the password reset email to each user. The one-time login link is
  // derived from the stored password hash, so this has to run after the update.
  foreach ($users as $row) {
    $account = user_load($row->uid);
    $mail = _user_mail_notify('password_reset', $account);
  }
}

Why not use a module like Mass Password Reset? Simple: we run 100+ sites on our installation and it would be a pain to run that on all of them. This is in our install profile, so all we have to do is deploy the code and run updates.
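As an added example (not the snippet above and not pbz1912's code), the same forced reset written as a batched hook_update_N using $sandbox, so that emailing every user on a large site does not hit the PHP time limit. The module name mysite, the update number 7101 and the batch size of 50 are placeholders.

```php
<?php
/**
 * Force a password reset for every user, emailing them in batches.
 * Example code; "mysite" and 7101 are placeholder names.
 */
function mysite_update_7101(&$sandbox) {
  require_once DRUPAL_ROOT . '/includes/password.inc';

  if (!isset($sandbox['progress'])) {
    // First pass: end every session and invalidate every password at once,
    // so nobody can log in with a possibly leaked password while the
    // batched email run is still in progress.
    db_truncate('sessions')->execute();

    $hash = user_hash_password(user_password());
    db_update('users')
      ->fields(array('pass' => $hash))
      ->condition('uid', 1, '>')
      ->execute();

    $sandbox['progress'] = 0;
    $sandbox['current_uid'] = 1;
    $sandbox['max'] = db_query('SELECT COUNT(uid) FROM {users} WHERE uid > 1')->fetchField();
  }

  // Each pass handles a slice of users. The one-time login link embeds the
  // *new* password hash, so it stays valid until the user picks a password.
  $uids = db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('uid', $sandbox['current_uid'], '>')
    ->orderBy('uid')
    ->range(0, 50)
    ->execute()
    ->fetchCol();

  foreach (user_load_multiple($uids) as $account) {
    _user_mail_notify('password_reset', $account);
    $sandbox['progress']++;
    $sandbox['current_uid'] = $account->uid;
  }

  // Report progress to the batch runner; an empty slice means we are done.
  $sandbox['#finished'] = empty($sandbox['max']) ? 1 : ($sandbox['progress'] / $sandbox['max']);
  if (empty($uids)) {
    $sandbox['#finished'] = 1;
  }
  return t('Forced a password reset for @count users.', array('@count' => $sandbox['progress']));
}
```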

Kudos goes out to pbz1912 who actually wrote the code.
As mentioned in the comment from Luca, it’s not best practice to just send your users the reset password email without letting them know what's going on. We also used a snippet of code similar to the one below to add some help text to the login form.

function HOOK_form_user_login_alter(&$form, &$form_state) {
  $form['heartbleed'] = array(
    '#type' => 'markup',
    // Put your friendly help text in here; it will appear above the login form.
    '#markup' => t('Put your friendly help text in here, it will appear above the login form.'),
    '#weight' => -50,
  );
}