The recent #drupalgeddon incident and comments from a customer made us rethink how we apply Drupal updates for customers. (2020Media is a leading UK Drupal hosting provider. We offer a tuned hosting environment for Drupal that is fast and responsive.)
For those who missed it on the BBC news and elsewhere, ‘drupalgeddon’ was a security weakness in the Drupal content management system which allowed attackers to take over websites.
Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.
Whilst we wait for an auto-update mechanism in Drupal (perhaps in Drupal 8?), we’ve always been able to update Drupal for our customers. It’s a free service but one done “on request”.
We do not apply updates automatically to any and all Drupal sites we host for a very good reason. The risk of breaking a customer’s site is too great. It’s worth noting the Drupalgeddon security problem was the first such in 9 years. So it’s arguable the risk of such a security problem happening again on such a scale is manageably small. Drupal updates typically replace the entire Drupal codebase, leaving just the /sites/ folder untouched. If a customer or their developer has made any changes to a core file, these changes will be wiped out.
Sometimes a bug will be fixed or a feature changed as a result of an update. The site may well have a workaround in place already for the bug and the update will then cause the site to break. These are just a few of the reasons.
The problem for us is that we did not build the site in the first place, nor are we familiar with its inner workings. So it is very hard for us to be sure the site is in a working state after an update. A working homepage does not signify the site is 100% working. If the customer is going to be involved in checking the site after the update, which in our view they have to be, they should be involved all the way through – from the point of getting a Drupal notification email of an update, or getting a notification from the Drupal security list, through to the timing of the update, to checking the site afterwards in case a rollback is required.
What changes have we made? Actually very little. We have simply streamlined our internal processes to make the technical side of doing the update a lot quicker. A lot of our customers have several sites with us. So we are now using some simple scripting so we can update all of a customer’s sites, once they give us the go-ahead.
The London Joomla user group meeting took place on 21 October 2014. I went along and this is my report.
The London meetup takes place every month on the 3rd Tuesday. More details can be found at the user group’s dedicated website at http://www.joomlalondon.co.uk/
The meeting started with general news on Joomla.
We were reminded that several security fixes have been released recently and these should be applied by website administrators as soon as possible.
One of the meeting regulars, Hugh, is a JED maintainer (the JED is the Joomla Extension Directory and is where you’ll find all the possible extensions, plugins and components to Joomla). Hugh reported that there is a new version of the JED imminent. However unlike the last overhaul, extensions will not need to be resubmitted.
Our discussion then moved onto some general tips for Joomla developers.
A useful tip for developers was that right-clicking and viewing source in Firefox/Chrome will highlight in red any unclosed tags.
We learned that Chrome’s developer mode has an option for viewing a site as if it was on a mobile device, along with connection speeds. However some users said it wasn’t very accurate.
Phil and Joe from SoftForge demonstrated how to set breakpoints in code within Chrome, which is a useful technique for debugging JavaScript – and extremely helpful if using AJAX.
Hugh gave us a useful demo of a recently built site for a client and demonstrated some beautiful design techniques.
We then listened to two talks which had been given at the recent Joomla Day event.
Hugh Douglas-Smith
Workflows with Joomla and Administrator Shortcuts. Both presented by Hugh. Hugh’s company can be found at http://www.webappz.co.uk/
Workflows with Joomla
Hugh presented a walkthrough of creating a workflow using off-the-shelf Joomla components. The example given was a website that offers loan applications.
The workflow given was for a customer to apply for a loan, with the various steps of processing the application then being set up and viewable.
The technique was to use User Groups to keep track of the different stages. Menu items are given permissions such that they are only visible to specific user groups, and the user is moved from group to group as they progress through the process.
The first stage, where the user submitted the form, required some custom PHP code to change the user group for the user, and to refresh the session so that the user immediately saw the updated menu.
Administrator Shortcuts
Too many to mention but a few highlights for me:
Parameters can be added to a menu link
User redirects on login
Language overrides can be used to include variables
Article Editor can be customised per user – very useful if giving to a non-skilled user
Making notes/messages appear in Admin – this is done within the Module Manager.
If you regularly build sites, create a “Standard” install using Akeeba Backup.
For the final part of the meeting we talked about our favourite extensions and more Joomla news.
A particularly useful extension which most of us had not heard about was Kazaam – an automatic menu manager. Whenever a new article is created, this plugin will create a menu item for it.
This is a plugin that creates a menu, and automatically maintains it. You can see the menu in your Joomla menu manager, and use it exactly like any other menu. It is a tree menu, and it maintains your category and article tree structure perfectly in your new menu.
Of particular interest to me was the revelation that Joomla is so dependent on menus that if you create articles that aren’t linked in menus (I tend to link only the top level of a site to the main menu, and then link within articles to other articles), Joomla really doesn’t like this and you will see in the URL that it’s created a baffling structure of sub-categories. If however every article belongs in a menu, then this does not happen and you can control your URL structure. The menu does not need to be shown – it can be inactive.
Finally, Joomla 2.5 LTS is coming to end of life in December 2014. This means the Joomla team will no longer be providing security and other updates to it. The LTS stands for Long Term Support, and there will be a version of Joomla 3 that will become the new LTS version in due course. The new mechanism for this is that Joomla 3.x will continue with regular releases until Joomla 4 comes along. At that point, the final released version of Joomla 3.x will become the LTS version.
2020Media is an internet company with an established track record. In this post we’ll find out why 2020Media and WordPress make such a strong solution for any business or non-commercial site.
The Rise and Rise of WordPress
WordPress has come a long way in the past ten years, evolving from a niche blogging tool into the undisputed king of content management systems in the world.
But what was it about WordPress that allowed it to flourish where so many have languished? The story of its success is simple: bloggers needed a quick and easily customisable platform to host their content and WordPress offered a free, open-source publishing tool that people could adopt and tweak as they wished. But the days of WordPress being simply a ‘blogging platform’ are long gone. The past 10 years have seen the software evolve into a sophisticated content management system that users can build entire websites and applications on.
Over the years it’s seen its fair share of rivals from the likes of Blogger to Joomla, but with recent research revealing that WordPress now accounts for a 62% share of the content management system market, it’s clear the system is now leagues ahead of the competition. An astonishing 23% of all websites in the world are published using WordPress (source: http://w3techs.com/technologies/overview/content_management/all).
2020Media – a UK web host with a great track record.
2020Media was founded by three friends in 1999. Initially working in streaming media and Java, the company soon broadened its services into web hosting, domain names and internet services. Over the first few years (and the first DotCom bubble), 2020Media gradually brought all the essential services in house so that it was no longer dependent on any one supplier for any part of its services. This included joining RIPE in 2002, using independent datacentres, and becoming an accredited domain name registrar.
With a keen personal interest in Internet Governance, emerging web technologies and the open source movement, the directors have guided 2020Media into its current position as a leading UK web host with a highly skilled and knowledgeable team of experts ideally placed to help the SME market, tech-savvy entrepreneurs, local government and the non-profit sector achieve their goals on the internet.
WordPress and 2020Media Together.
2020Media has specialised in hosting WordPress sites for several years. We proudly support many WordPress events, share our knowledge, and try to give back to this open-source project in as many ways as we can.
Our friendly UK support team is available 24/7 by phone, web and email. The expert team solves hosting, domain and WordPress specific issues. We make sure every team member sees each support issue as a personal challenge and we’ve never found a problem too tough to solve.
Our aim in providing superior WordPress Hosting is threefold:
Security: Never compromise on WordPress security. Daily backups on every site.
Performance: Optimised WordPress servers. Advanced caching technology. A network built for speed & security.
Support: To be there whenever our customers need us and to be proactive in sharing expertise and advice.
Your Partner for a Safe, Reliable WordPress Host
Through our community involvement in WordPress, our daily experience in working with the software, and our established track record as a UK web host, 2020Media could be the last host you’ll ever need.
Hosting plans come as off-the-shelf or bespoke and range from shared hosting for under £50/year to virtual and dedicated servers. Support is included. Managed WordPress (WordPress maintenance services) brings additional peace of mind to keep each site fully patched, optimised and backed up.
London is a leading world city and a vibrant centre for business, investment, technology, creativity, education and tourism. London is made up of the City of London Corporation and 32 boroughs, has a population of 7,900,500 and is home to 331,540 businesses. London attracts over 100,000 international students from 200 nations to its higher education institutions and welcomes millions of visitors each year.
London is the powerhouse of the UK economy and is Europe’s leading centre for technology. According to a recent report on London’s Digital Economy (GLA, 3 Jan 2012), there are over 23,000 ICT and software companies in London, the highest number of any European city. London hosts a quarter of all British jobs in computer and related activities and 22% of jobs in telecommunications. According to the Experian Business Strategies Regional Planning Service, in 2010 the Gross Value Added of communications companies in London was £7.9 billion.
Now London adds something new to these figures – a unique web address for London. Dot London. A domain name that links the thousands of businesses and millions of people living and working here, with their city. The benefits:
Link yourself with the place you’re proud to live and work in.
Get the domain you’ve always wanted.
Let London and the rest of the world know exactly where you are.
Dot London domains will be on general sale from the 9th September 2014 at midday and we are expecting strong demand.
Neustar, Inc. have released a report using New gTLD data to give a breakdown by industry category:
From Neustar’s new guide: The FAQs of New TLDs
Industry landscape overview
There are a total of 1751 new TLD applications, comprised of brands (635), generics (1060), and geographies (56). More than half of all brand TLDs fall into financial and technology verticals. Furthermore, 41% of brand TLDs were applied for by Fortune 500 companies, mostly in financial services, retail, technology and transportation.
You can download the full report here new-tld-faqs
Will Switching Confuse My Customers?
Website owners concerned that switching to an untried domain will lose their search engine ranking need not be concerned.
Popular start-up tech publication Tech Cocktail recently switched from using its keyword inclusive URL techcocktail.com to a shorter name: tech.co. As shown below, it sustained all of its original search rankings with the new .co extension, and it continues to rank #1 for “Tech Cocktail” in search.
According to Jeff Neuman, Vice President, Registry Services at Neustar, a .brand TLD may in fact decrease customer confusion across the globe: “Today, brands are securing a large portfolio of domain name extensions depending on where in the world their website is accessed. While .com is prominent in the U.S., brands also use a number of country-specific extensions like .ca in Canada and .cn in China. Combined names like .com.au and .co.uk make an even more complicated experience for global customers and brands”.
Contact Domain Name Experts
2020Media is an experienced domain name registrar – we can help you make the right choice in the new domain name space. Review our registrar services and contact us with your questions.
http://www.bbc.com/news/technology-29846539
Inspiration for the scripting came from Dane Powell’s blog: http://danepowell.com/node/69
Our version of the script is:
Update Multiple Drupal Sites Script
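#!/usr/bin/env bash
# Update Drupal core on several discrete (non-multisite) installs, one at a time.
installpath[1]=/our/pathtosite1
installpath[2]=/our/pathtosite2
installpath[3]=/our/pathtosite3
for index in 1 2 3
do
    filepath=${installpath[index]}
    printf "Updating %s\n" "$filepath"
    # Skip the site if we cannot enter it; otherwise drush and the final
    # chown -R would run against whatever directory we happen to be in.
    cd "$filepath" || { printf "Cannot cd to %s, skipping\n" "$filepath" >&2; continue; }
    drush pm-refresh
    # One archive per site, so a later site's backup does not overwrite an
    # earlier one. Leave the site alone if the backup did not succeed.
    drush archive-dump --overwrite --destination="/pathforbackups/backup-site$index.tar" \
        || { printf "Backup failed for %s, skipping\n" "$filepath" >&2; continue; }
    # Keep a copy of .htaccess, since core updates sometimes overwrite it.
    cp -f .htaccess ../
    drush vset --always-set maintenance_mode 1
    drush cache-clear all
    drush up drupal --yes
    drush vset --always-set maintenance_mode 0
    drush cache-clear all
    cp -f ../.htaccess ./
    # Reset ownership to the user the web server runs as.
    chown -R apache:apache ./
done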
Notes on the script.
This script is for discrete Drupal sites, not Drupal multisite.
We copy .htaccess out of the way and put it back afterwards, as we noticed Drupal updates sometimes overwrote the original.
The final step resets the file ownership on the site to whatever your webserver runs as. If using suphp this would need to be changed.
Output is written to the command line so you can see what is going on.
Use at your own risk. Comments and improvements are welcome.
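A pre-update check for the risk described in this post, that changes made to a core file are wiped out by an update (an added example, not part of the original post or of 2020Media's script). It compares a site with a pristine copy of the same Drupal release and lists changed, added and missing files outside sites/. The names core_drift and demo and the sample trees are constructed for illustration, and the pristine copy is assumed to be an unmodified unpack of the exact version the site runs.

```bash
#!/usr/bin/env bash
# Added example: list files in a Drupal install that differ from a pristine
# copy of the same release, i.e. local changes a core update would wipe out.
# Assumption: pristine_dir is an unmodified unpack of the exact version in use.

# Prints "CHANGED path", "ADDED path" or "MISSING path", one finding per line.
# sites/ is skipped because a core update leaves it untouched.
core_drift() {
    local site_dir="$1" pristine_dir="$2" rel
    # Files in the site: edited relative to pristine, or not shipped by core.
    (cd "$site_dir" && find . -path ./sites -prune -o -type f -print | LC_ALL=C sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$pristine_dir/$rel" ]; then
            printf 'ADDED %s\n' "$rel"
        elif ! cmp -s "$site_dir/$rel" "$pristine_dir/$rel"; then
            printf 'CHANGED %s\n' "$rel"
        fi
    done
    # Files shipped by core but absent from the site.
    (cd "$pristine_dir" && find . -path ./sites -prune -o -type f -print | LC_ALL=C sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$site_dir/$rel" ] || printf 'MISSING %s\n' "$rel"
    done
}

# Constructed sample trees, for demonstration only.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pristine/includes" "$tmp/site/includes" "$tmp/site/sites/default"
    printf 'core\n' > "$tmp/pristine/index.php"
    printf 'core\n' > "$tmp/pristine/update.php"
    printf 'core\n' > "$tmp/pristine/includes/common.inc"
    printf 'core\n' > "$tmp/site/index.php"
    printf 'core plus local patch\n' > "$tmp/site/includes/common.inc"
    printf 'not in core\n' > "$tmp/site/extra.php"
    printf 'site config\n' > "$tmp/site/sites/default/settings.php"
    core_drift "$tmp/site" "$tmp/pristine"
    rm -rf "$tmp"
}
demo
```

Any line it prints is something to raise with the customer or their developer before the update runs, since the update will replace or remove that file.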