Tag Archives: drupal

Drupalgeddon – our response

Drupalgeddon!

The recent #drupalgeddon incident and comments from a customer made us rethink how we apply Drupal updates for customers (2020Media is a leading UK Drupal hosting provider. We offer a tuned hosting environment for Drupal that is fast and responsive).

For those who missed it on the BBC news and elsewhere, ‘drupalgeddon’ was a security weakness in the Drupal content management system which allowed attackers to take over websites.

http://www.bbc.com/news/technology-29846539

Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.

Whilst we wait for an auto-update mechanism in Drupal (perhaps in Drupal 8?), we’ve always been able to update Drupal for our customers. It’s a free service but one done “on request”.

We do not apply updates automatically to any and all Drupal sites we host for a very good reason. The risk of breaking a customer’s site is too great. It’s worth noting the Drupalgeddon security problem was the first such in 9 years. So it’s arguable the risk of such a security problem happening again on such a scale is manageably small. Drupal updates typically replace the entire Drupal codebase, leaving just the /sites/ folder untouched. If a customer or their developer has made any changes to a core file, these changes will be wiped out.
Sometimes a bug will be fixed or a feature changed as a result of an update. The site may well have a workaround in place already for the bug and the update will then cause the site to break. These are just a few of the reasons.

The problem for us is, we did not build the site in the first place, nor are we familiar with its inner workings. So for us to be sure the site is in a working state after an update is very hard to do. A working homepage does not signify the site is 100% working. If the customer is going to be involved, which in our view they have to be, to check the site after the update, they should be involved all the way through – from the point of getting a Drupal notification email of an update, or getting a notification from the Drupal security list, through to the timing of the update, to checking the site afterwards in case a rollback is required.

What changes have we made? Actually very little. We have simply streamlined our internal processes to make the technical side of doing the update a lot quicker. A lot of our customers have several sites with us. So we are now using some simple scripting so we can update all of a customer’s sites, once they give us the go-ahead.

Inspiration for the scripting came from Dane Powell’s blog: http://danepowell.com/node/69

Our version of the script is:

Update Multiple Drupal Sites Script


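#!/usr/bin/env bash
# Update Drupal core on several discrete (non-multisite) sites, one after another.
installpath[1]=/our/pathtosite1
installpath[2]=/our/pathtosite2
installpath[3]=/our/pathtosite3
for index in 1 2 3
do
  filepath=${installpath[index]}
  printf "Updating %s\n" "$filepath"
  # Skip the site if its directory cannot be entered; otherwise the
  # commands below (including the recursive chown) would run in the wrong place.
  cd "$filepath" || { printf "Cannot cd to %s, skipping\n" "$filepath" >&2; continue; }
  drush pm-refresh
  # One archive per site so a later site does not overwrite an earlier backup.
  # If the backup fails, do not update this site.
  drush archive-dump --overwrite --destination="/pathforbackups/backup-$index.tar" || continue
  # Keep a copy of .htaccess, as the core update can overwrite it.
  cp -f .htaccess ../
  drush vset --always-set maintenance_mode 1
  drush cache-clear all
  drush up drupal --yes
  drush vset --always-set maintenance_mode 0
  drush cache-clear all
  # Put the original .htaccess back.
  cp -f ../.htaccess ./
  # Reset ownership to the user the web server runs as.
  chown -R apache:apache ./
done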

Notes on the script.

This script is for discrete Drupal sites, not Drupal multisite.

We copy .htaccess out of the way and put it back afterwards, as we noticed Drupal updates sometimes overwrote the original.

The final step resets the file ownership permissions on the site to whatever your webserver runs as. If using suphp this would need to be changed.

Output is written to the command line so you can see what is going on.

Use at your own risk. Comments and improvements are welcome.
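
An added example, not part of the script above or of Dane Powell's original: because a core update replaces everything outside /sites/, this check lists the files in a site's core tree that differ from an unmodified copy of the same Drupal release, so customised files such as .htaccess are known before the update runs. The function names and the pristine copy of the release are assumptions.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): find core files that differ from the release.
# Assumption: PRISTINE is an unpacked, unmodified copy of the same Drupal
# release that SITE currently runs.

# core_changes SITE PRISTINE
# Prints one line per difference outside sites/ (which an update leaves alone):
#   MODIFIED <path>  present in both trees, content differs
#   ADDED <path>     present only in the site
#   MISSING <path>   present only in the pristine release
core_changes() (
  site=${1%/}
  pristine=${2%/}
  [ -d "$site" ] && [ -d "$pristine" ] || {
    echo "usage: core_changes SITE PRISTINE" >&2
    exit 2
  }
  # Walk the site's tree, skipping sites/, and compare each file byte for byte.
  (cd "$site" && find . -path ./sites -prune -o -type f -print) | LC_ALL=C sort |
  while IFS= read -r rel; do
    rel=${rel#./}
    if [ ! -e "$pristine/$rel" ]; then
      printf 'ADDED %s\n' "$rel"
    elif ! cmp -s "$site/$rel" "$pristine/$rel"; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done
  # Walk the release to catch files that have been deleted from the site.
  (cd "$pristine" && find . -path ./sites -prune -o -type f -print) | LC_ALL=C sort |
  while IFS= read -r rel; do
    rel=${rel#./}
    [ -e "$site/$rel" ] || printf 'MISSING %s\n' "$rel"
  done
)

# core_is_clean SITE PRISTINE
# Returns 0 when core matches the release, 1 when it differs, 2 on bad arguments.
core_is_clean() {
  changes=$(core_changes "$1" "$2") || return 2
  [ -z "$changes" ]
}
```

In an update loop, a site for which core_is_clean fails can be held back until the customer confirms the listed files can be replaced.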

CMS Trends

Content Management Systems Market Share

We last looked at market share of web content management systems in 2011 so we thought it was time for an update.

Last time we looked, WordPress had a 14% market share of the entire web. Now it’s higher. WordPress is used by 17.7% of all the websites, that is a content management system market share of 54.9% (as many websites don’t use a recognisable content management system at all).

WordPress now claim to serve 65 million websites, up from 50 million 22 months ago. This includes hosted blogs.

Best of the Rest

Joomla has maintained its position as No.2 CMS with a 2.7% market share. Drupal is in 3rd place with 2.3%. Blogger (Google Blogs) has overtaken vBulletin with 1.3% of the web.

Figure: Top content management systems May 2013

How to read the diagram from Web Technology Surveys:
67.8% of the websites use none of the content management systems that are monitored.
WordPress is used by 17.7% of all the websites, that is a content management system market share of 54.9%.

Trends

The trends look good for WordPress. Its growth continues, and it is actively maintained and updated. New releases are generally welcomed by the community.

Figure: Trends

And not so good for Joomla. However Joomla has been much more active recently, so it will be worth watching to see if it can recover. Drupal appears to be in the midst of an internal restructuring so we will see how things change in the next 12 months. However it’s a firm favourite with a loyal band of developers so it’s not likely to disappear any time soon.

CMS Everywhere?

This graph shows the decline in websites that don’t use a content management system at all (that we could detect).

It goes from over 80% in 2010 to under 70% today. That’s a drop of 15% in 3 years.

Figure: Decline of sites with no CMS

The trend does seem to be flattening out, but here at 2020Media, we would say most – say 70% of new websites we host use a content management system.

Why use a CMS?

Content Management Systems (CMS) give non-technical people the tools to add/edit web pages. Using a CMS, running a website becomes all about the content and not the ins and outs of how it works. With a CMS a user doesn’t need to understand HTML or any other type of coding; a CMS allows a website owner to concentrate on the important stuff, the content.

Benefits:

  • Lower setup and operating costs
  • Website Owners keep control over site content
  • Page styles can be changed from a single source file
  • Multiple users can update a site at once

Why NOT use a CMS

  • Lack of personality – many CMS based sites use off the shelf templates and don’t look distinctive or truly reflect the company or person they are about.
  • Lack of quality – A CMS can allow anyone to edit the site – and as it’s now so easy, this job is sometimes delegated to someone inadequately trained to do justice to the job. A website is your company or your personality on the web. Should it really be controlled by someone you barely trust to make the tea?
  • Poor design – When designing a site from scratch, a good designer will seek to find the right calls to action. Some CMS based sites are a morass of irrelevant information with no clear priority given to the most important content. But good design work can overcome this and succeed with a CMS.
  • Security – security is the bugbear of all CMS systems – they are victims of their own success and a target for hackers. Bad actors can target thousands of sites with the same attack script and will get some success. A hand coded site rarely gets attacked in the first place – even though it may still contain vulnerabilities. If someone is going after you in particular neither option is a guarantee of safety.

2020Media is a UK host specialising in hosting popular content management systems like WordPress, Joomla and Drupal. We also provide standard PHP, ASP, Java and ColdFusion hosting platforms for any website.

CiviCRM for Drupal 7 and Joomla 1.6

CiviCRM 4.0.0 has been released for the latest Drupal version – 7 and the new Joomla version – 1.6. Up until now it was necessary to install CiviCRM on the older Drupal 6 and Joomla 1.5.

Highlights

  • CiviCampaign has been integrated with other components such as CiviContribute, CiviMember, CiviEvent, CiviMail and CiviEngage
  • Joomla v1.6 introduced an ACL based permissioning system. This gets CiviJoomla to much closer parity with CiviDrupal.
  • CiviMember now allows membership upsell. This allows membership type to be changed on renewal
  • CiviCRM Extensions. You can now browse and download CiviCRM extensions from within your CiviCRM install.
  • A new API – version 3, introduces standardisation of functions, inputs and outputs.

For users of existing Drupal 6 and Joomla 1.5 CiviCRM installs, the simultaneous release of 3.4 for these versions includes the same features.

2020Media provides free installation of CiviCRM on all Drupal and Joomla hosting plans.

Ease of Upgrade – Joomla, WordPress, Drupal

Comparison of the upgrade methods used in Joomla, WordPress and Drupal

Popular content management systems require updating from time to time. Sometimes this is for new features, often because a security loophole needs patching. In this article we’re not going to look at which CMS most often requires updates, but at the upgrade procedure itself. How easy is it, are the instructions clear and easy to follow, what are the potential problems, and what can you do if something goes wrong? At the time of writing new major versions of Drupal (7.0) and Joomla (1.6) have been released and no updates have yet been produced for these releases. We therefore concentrate on the older versions, which run the vast majority of existing sites.

The Economist migrates to Drupal

The Economist runs Drupal

Drupal is used on many thousands of websites, but a recent convert to Drupal is The Economist. The Economist is now using Drupal 6 to serve the vast majority of content pages to its primary web site, economist.com. Drupal powers the homepage, along with all articles, channels, comments, and more.

The site is incredibly busy – over 100,000 stories and a posting rate exceeding a comment per minute. It also boasts 20-30 million page views per month with 3-4 million unique visitors over the same period.

The Economist has a large, varied dataset and moving from the previous system (based on ColdFusion and Oracle) was no easy task. They hired a specialist company called Cyrve who’ve written and open-sourced a Drupal module to enable migrations of existing complex databases to Drupal. Read more about the migration, or check out Drupal Hosting from 2020Media.