LATEST FROM OUR BLOG

Take your daily dose of (only) relevant news, useful tips and tricks and valuable how to's on using the latest web technologies shaping the digital landscape. We're here to do all the necessary information sifting for you, so you don't have to, to provide you with content that will help you anticipate the emerging trends about to influence the web.

Set Up a Local Drupal Site with Lando in no Time: Get Started with Docker
Let's say that you need to spin up a new Drupal environment in... minutes. To quickly test a new patch to Drupal core, maybe, or to switch between 2 or more clients on the same day and thus to run multiple copies on several websites... In this case, how about taking the quick and easy way and set up a local Drupal site with Lando? "What is Lando?" you might legitimately ask yourself. A DevOps tool and Docker container-based technology enabling you to spin up all the services and tools that you need to develop a new Drupal project in no time. "Why would I choose Lando as a method to set up a local Drupal site?" Let me list here some of the strongest reasons:   it makes setting up a local Drupal site unexpectedly easy (and I'm talking about "minutes" here) it makes getting started with Docker container technology a whole lot easier it enables you to share your Drupal site's configuration within your team right on your Git repository (taking the form of a YAML file) it puts several development environments (LEMP, MEAN, LAMP) at your disposal   Are these reasons strong enough for you? If so, here's a quick step-by-step guide on how precisely to set up a Drupal site with Lando:   Step 1: First, Make Sure You Meet the System Requirements If, as a web developer, you're not efficient with using the command line... well... then there are high chances that you find this tutorial here a bit discouraging. And if being more than just familiar with the command line is not a strict requirement, then the following system requirements () are:   macOS 10.10+ Linux (with kernel version 4.x or higher) Windows 10 Pro+ (or equivalent) with Hyper-V running   These are the 3 operating systems that Lando's currently compatible with. Now, let's move on...   Step 2: Download and Install Lando and Docker  Go to Lando releases on Github and download the latest version for your OS. Just run the installer and let it "do the job" for you:   install Docker for Windows, Docker for Mac, Docker CE install Lando: for Mac run brew cask install Lando and for other OS download the .rpm, .dmg, .exe or .deb   Step 3: Create a New Drupal Project Luckily for you, there are several ways to get a Drupal codebase. Pick the one that you're most comfortable with as you set up a local Drupal site with Lando:   install Drupal 8 the standard way (the first step there being "Get the Code"); next, grab the latest version of Drupal 8 navigating to "Download & Extend" or use Composer to create your new Drupal project: composer create-project drupal-composer/drupal-project:8.x-dev my_drupal_project --stability dev --no-interaction or just navigate somewhere on your PC and use GIT to clone it: git clone --branch 8.6.x https://goo.gl/Q3MoVu lando-d8   Step 4: Set Up a Local Drupal Site with Lando: Extract Drupal To extract Drupal just: open up your terminal window enter the commands here below: cd Sites tar xzf /tmp/drupal-8.5.1.tar.gz mv drupal-8.5.1 drupal-lando cd drupal-lando And thus set up the Sites/drupal-lando/ directory inside your home directory Step 5: Set Up Lando    Now's time to initialize Lando and enable it to create a basic configuration file for you. And, again, you have more than just one option at hand:   while still in your terminal window, run the following command and specify the Drupal 8 recipe and your web root as web, next name it "drupal-lando": lando init --recipe drupal8 --webroot=. --name="drupal-lando" or just launch the interactive session: run "lando init" interactively   Next, it's the following YAML file/ ".lando.yml", that it will create: name: drupal-lando recipe: drupal8 config: webroot: . Note: feel free to ignore the "lando init" step and to jump straight to copying and pasting this file here.   Step 6: Start Your Environment & Wait for Your Docker Containers to Get Set Up And here you are now, at that step from the whole process where you set up a local Drupal site with Lando where you start your Docker engine. For this, just run the following command in your terminal window: lando start  If everything goes according to plan, this is where Lando starts Docker and sets up 2 containers. Next, feel free to run: lando composter install It's going to use PHP/Composer inside the newly created Docker container for building Drupal's Composer dependencies.   Step 7: Browse to Your Site's URL and Walk Through the Drupal Installation Process Time to install your new clean Drupal 8 site now. Just visit your local site in the web browser and walk through the Drupal wizard install process (since your new site starts with an empty database, you will be automatically directed to the Install page) Once you reach the step where you need to configure your database, enter these options here:   Database host: database Database name, username, password: drupal8   Next, unfold the "Advanced Options" drop-down menu and:   replace "localhost", currently showing up in the "Host" field, with "database" hit the "Save and Continue" button and let the Drupal installation process carry out   You'll set up a local Drupal site with Lando in... minutes! A brand new website that you can then easily:   test debug manage with Composer   Optionally, you can add a new service of your liking (e.g. MailHog, for catching outbound mails) and custom tune your setup right from your .lando.yml.file. The END! And this is how you do it... Told you it was just a matter of a few easy steps!  ... Read more
RADU SIMILEANU / Jul 10'2018
These Are the 15 Best Drupal Security Modules Worth Installing on Your Website
I'm a woman of my word, as you can see: here I am now, as promised in my previous post on the most effective ways to secure a Drupal website, ready to run a “magnifying glass” over the best Drupal security modules. To pinpoint their main characteristics and most powerful features and thus to reveal why they've made it to this list. And why you should put them at the top of your own Drupal security checklist. So, shall we dig in?   1.  Login Security   It's only but predictable that since the login page/form is the entry to your Drupal site, it is also the most vulnerable page there, as well. Therefore, secure it! In this respect, what this module enables site admins to do is : define a certain number of login attempts; too many invalid authentication attempts will automatically block that account block/limit access for specific IPs   Moreover, you get notified by email or via Nagios notifications when someone is just username/password guessing or using other kinds of brute force techniques to log into your Drupal site. In short: the Login Security module, through its variety of options that it “spoils” you with, empowers you to set up a custom login policy on your site. To define your own restrictions and exceptions. 2. Drupal Core Update Module     As already mentioned here, on this blog, when we've tackled the topic of Drupal security: Keeping your Drupal core updated is that easily underrated, yet most powerful security measure that you could implement! Now what this module here does is assisting you in keeping your Drupal codebase up to date: safely patched and having all the crucial upgrades. And I don't need to remind you the security risk(s) that all those site owners ignoring the latest patches to Drupal core expose their websites to, right?    3. Captcha   Captcha is one of the best Drupal security modules since it's one of the most used ones. And no wonder: could you imagine submission forms on your website with no Captcha? The age-old system is one of the handiest ways to keep spammers and spambots away. So, having this module “plugged in”, providing you with the needed captcha support, becomes wisely convenient.   4. Password Policy   The module enables you, as your Drupal site's admin, to define specific rules for “wannabe users” to follow when they set up their account passwords. From constraints related to:   special symbols that those passwords should include, to ramp up both the given account's and your own site's security to uppercase letters to numbers...   … once you plug in this Drupal security module in, it's you who gets to set up the policy for creating account passwords.   5. Security Review, One of the Best Drupal Security Modules The Security Review module is that “Swiss knife” that you need for hardening your site's shield. Meaning that it's an all-in-one tool. One that comes with its own Drupal security checklist that it regularly goes through and sets against your website, detecting any missing or improperly implemented security measures. Moreover, it automates a whole series of tests for tracking down any signs of exploits and brute-force attacks:   arbitrary PHP execution XSS exploits SQL injection suspicious PHP or JavaScript activity in content nodes   Once it identifies the vulnerabilities, it “alerts” you and gives you the best recommendations for mitigating those security risks. All you need to do is follow the suggestions.   6. Security Kit Another module that “empowers” you to take full control over the security strategy on your Drupal site. To set up specific options for minimizing the chances of exploitable “cracks” showing up in its security shield: For instance, it could recommend you to set up HTTP headers on your Drupal site.   7. Session Limit     Here's another one of those best Drupal security modules that's also one of the widely used ones. Why is it a must-have on your own Drupal site? Because it enables you to set a limit to the number of simultaneous sessions per user, per role. This way, you trim down the chances of suspicious activity being carried out on your site and eventually leading to brute-force attacks.   8. Automated Logout       Another module that's a must on your Drupal site: It basically enables you, the site admin, to define a policy that would log out users after a specified time period of inactivity.    9. Two Factor Authentication     LinkedIn, Google, Twitter, Instagram, Facebook are just some of the big names that have adopted this user authentication method for security reasons. So, why shouldn't you, too? Especially when you have a dedicated module at hand, Two Factor Authentication, to:   provide you with various methods to select from: pre-generated codes, time-based one-time PINS or passwords, codes sent via SMS etc. give you full freedom in defining that two-factor authentication strategy that suits your site best   The principle is as simple for the user, as it is effective for your website, from a security standpoint: The user gets a security code that he/she'll then need to use for logging into your Drupal site.   10. Coder   A command-line tool, with IDE support, that gives your codebase a deep scan and detects any drift from the coding standards and best practices. Why has it made it to this exclusive list of 15 best Drupal security modules? Cause vulnerabilities might be lurking right in your Drupal code, not necessarily in your users' weak passwords or unpatched core modules. Having a tool at hand that would identify and notify you of all those weak links in your code, where the best practices aren't being followed, is just... convenience at its best.   11. SpamSpan     Another key module to add to your Drupal security checklist.  For you do agree that email addresses are some of hackers' easiest ways to infiltrate into your website, don't you?  Now what this module here does is obfuscate email addresses so that spambots can't collect them. Note: a key strength of SpamSpan is that it uses JavaScript for this process, which enhances accessibility.   12. ACL       “A set of APIs” This is how we could define this module here, which doesn't come with its own UI. Its key role? To enable other Drupal modules on your website to set up a list of users that would get selective access to specific nodes on your site.   13. Paranoia       Why is Paranoia one of the best Drupal security modules? Because it will end your “paranoia” — as its name suggests — that an ill-intentioned user might evaluate arbitrary code on your site. The module practically identifies all those vulnerable areas where a potential attacker could exploit your site's code and blocks them.   14. Content Access         Limiting or blocking access to key content types on your site is no more than a common-sense security measure to take, don't you agree? Therefore, this module here's designed to assist you throughout this process:   as you define detailed permissions on your site: to view/edit/ delete specific content types … by user role and by author    Word of caution: do keep in mind that, since Content Access uses Drupal's node API, you shouldn't enable other modules using the same endpoints on your website!   15. Google Apps Authentication         A module that ramps up not just your site's security, but also its accessibility. Just think about it: Nowadays anyone has at least one Google account. Therefore, “anyone” can easily log into your website using his/her own Google account credentials. Once, of course, you will have installed and turned this Drupal module on. END of list! These are the 15 best Drupal security modules worth installing on your site.  Scan them through, weigh their key features, set them against your site's specific security needs and make your selection! ... Read more
Adriana Cacoveanu / Jul 04'2018
OPTASY Is a Gold-Level Sponsor of Drupal North Regional Summit 2018: Moving Drupal Forward!
Save the date(s): 10-12 August! And join us for a 3-day conference on building with Drupal, driving this open-source technology forward and strengthening & growing the community behind it: Drupal North Regional Summit 2018.  You'll find us in our booth at the Toronto Reference Library's exhibit hall, to be more specific, since this year OPTASY's a proud gold sponsor of the fourth edition of this event:  The biggest annual summit in Canada focused on promoting Drupal.    Why Would You Attend Drupal North Regional Summit 2018? That's right: why would you pack your bags and get en route for Toronto's Reference Library when summer is at its peak and everyone's looking for a place in the sun? For a bunch of strong reasons, actually:   first of all, if you're already living in Canada, why would you want to miss the biggest annual event in North America promoting Drupal? no less than 300+ individuals and organizations will be attending it if you're a Drupal developer, this is a once-in-a-year opportunity to grow and to... outgrow yourself; the event's schedule is “overcrowded” with sessions covering a variety of Drupal-related topics, with “can't miss” keynote sessions and networking opportunities … grow your profile by sharing your knowledge and expertise all while enriching it as you learn from other Drupalists attending the event as a Drupal-powered organization, Drupal North Regional Summit 2018 is a great chance to recruit new talent (and this is the event's key “mandate”: to showcase Canadian Drupal talent), to make connections with other Drupal-fueled businesses...   Whether you're:   in the government, nonprofit, education, business field a freelancing Drupal enthusiast looking to keep his/her knowledge up to date … don't miss the largest summit in Canada promoting Drupal!   It'll be a win-win-win type of situation:   you (the Drupal developer) get to keep your knowledge up to date you (the organization) get to dig through a pool of Drupal talent and also to network with other key decision-makers from some of the most notorious companies in Canada running their businesses on Drupal and it's a winning situation for Drupal itself: all the individuals and companies attending the summit will help to extend its reach to more people and more businesses    OPTASY Proudly Supports Drupal and the Drupal North Regional Summit 2018 Why? What's in it for us? Why are we so proud to be one of the gold sponsors of this Drupal summit in Canada? Because we like to practice what we preach: To give back to the (Drupal) community, what the community gave to us for free. And along these +15 years years since we've been developing in Drupal there's been plenty of work done by all those developers contributing to Drupal and moving this open-source technology forward that we leveraged in our own projects. It's only but common sense to give something back now and to contribute ourselves, too. And sponsoring Drupal events is one way that we can do that. But there are other reasons, too, why we decided to support the Drupal North Regional Summit 2018 as a gold sponsor. All of them deriving from the above-presented reasoning:   the 3-day conference makes the perfect “lab” where brilliant solutions to well-known issues in Drupal get identified and shared with the community, new Drupal modules get put into the spotlight, new ways of innovating this technology get presented in other words: investing in this Drupal summit we invest in us, as a team and as a company, and implicitly in our own clients, as well ... all the knowledge and “steamy-fresh information” that we get from this conference will then be put to use when working on our clients' future projects it's also a great place to network with existing and potentially new Drupal-using companies and an opportunity for us to “expose” the key advantages that set OPTASY apart as a Drupal agency: +15 years hands-on experience, proven Drupal expertise, pure passion for what we do, a strong work ethic and stellar communication skills confirmed by our clients   So, are you curious about Drupal's main strengths as a technology of the future? Interested to discover what precisely helps it stand out? Are you looking for a Drupal partner with both the proven experience and the proper “weakness” for innovation to turn your ideas into digital reality? Stop by our booth then, in August, and let's talk Drupal, growth opportunities and everything in between! ... Read more
Adriana Cacoveanu / Jul 02'2018
What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist
You have patched your Drupal website, haven't you? If so, then that critical 3-month-old security flaw, Drupalgeddon2, can't get exploited on your site. Even so, with the menace of a cryptocurrency mining attack still lurking around the unpatched websites, you legitimately ask yourself: what are some quick and easy ways to secure Drupal? “Which are the most basic steps to take and the simplest best practices to adopt to harden my Drupal site's security myself?” Now, using keywords such as “security measures”, “quick”, “easy” and “handy”, I've come up with a list of 7 basic steps that any Drupal site owner can (and should) take for locking down his/her website. Here they are, in no particular order:   1. Keep Your Drupal Core and Modules Updated  Not only is this one of the simplest ways to secure Drupal, but one of the most effective ones, as well. Even so more now, with the Drupalgeddon2 Drupal security threat still fresh in our memory, ignoring the regularly released security updates for both Drupal core and its modules is just plain recklessness or... self-sabotage. Keep your Drupal version updated: apply security patches as soon as they get released, avoiding to leave your site exposed and exploitable. As simple as that! And where do you add that this is one of those Drupal security best practices that's the easiest to integrate into your routine. Since to run the latest updates you only need to:   sign in to your Admin panel go to “Manage”  scroll down to “Reports” → “Available Reports” click on “Check manually” if there are any critical security updates that you're advised to run, just click “Update”   This is all it takes for you to: seal any security loopholes in your Drupal core prevent any identified vulnerability from growing into a conveniently easy to access backdoor for hackers to get in   2. Install Drupal Security Modules  Strengthening the shield around your Drupal site with some powerful Drupal security modules is another both handy and effective measure that you, yourself, can easily implement. Luckily, you're definitely not out of options when it comes to good security modules in Drupal. And I'm only going to run a short module inventory here, since I'm already preparing a blog post focused precisely on this topic. Therefore, I promise to delve deep into details about each one of the here-listed modules in my next post:   Secure Login   The Security Review (Drupal 7 only)     Paranoia    Captcha     Two-factor Authentication    Content Access         Security Kit     Password Policy       Automated Logout     Password Strength     Downloading, installing security modules on your Drupal site is both:   quick and simple to do highly effective    And they serve a wide range of purposes, from:   enforcing strong password policies to monitoring DNS changes to locking down your site from security threats to blocking malicious networks to turning on a firewall on your site   As for their selection, it depends greatly on your list of priorities when it comes to improving your site's security. Take some time to weigh and to compare their features.   3. Remove Unused Modules: One of the Easiest Ways to Secure Drupal  Being the “easiest” security measure to implement doesn't make it also “the most popular” among Drupal site owners. Owners who more often than not:   underrate the importance of running a regular module usage audit on their sites ignore the Drupal security threat that an outdated piece of code (or an unused module) could turn itself into, once exploited by an attacker   So, don't be one of those site owners! Are there modules on your site that you no longer use?  That have grown outdated and that are just... lingering there, using your site's resources and risking to grow into an exploitable backdoor for hackers? Identify them and remove them! It won't take more than just a few priceless minutes of your time.   4. Enforce a Strong Password Policy Since it's not just the admin (you do have a smart username and password for logging into your admin dashboard, don't you?) that will log into your Drupal site, but users, too, implementing some strong user-side security measures is a must. In this respect, creating a strong password policy — one that would enforce the creation of complex, “hard-nut-to-crack” type of login credentials — is one the best and the easiest ways to secure Drupal on the user's side. Come up with a policy that defines specific requirements for setting up passwords of high enough entropy (letters, uppercase/lowercase, symbols, different characters combos). And don't hesitate to rely on dedicated Drupal modules for enforcing those requirements defined in your policy:   Password Strength   Secure Login    5. Block Access to All Your Sensitive Files I bet you don't want important folders, core files — upgrade.php., install.php, authorize.php, cron.php —  to be easily accessible to just... anyone, right? So, how about limiting or blocking access to them? And you can easily do that by configuring your .htaccess file —  it's the one containing details of crucial importance regarding your website access and credentials to specific parts and core files on your site: Just specify the IP addresses allowed to access those core folders, files and subdomains. Here's one “enlightening” example: <FilesMatch "(authorize|cron|install|upgrade)\.php"> Order deny, allow deny from all Allow from 127.0.0.1 </FilesMatch> Note! Now speaking of limiting access, don't limit your restrictions to your core folders and files. Remember to restrict/block access to your web server, to your server login details, as well. How? By adding a basic layer of authentication limiting server access and file access usage. Also, do remember to cautiously manage access to certain port numbers that your site/app might be using.   6. Back Up, Back Up, then... Back Up Some More  You can't anticipate brute-force attacks, but you sure can “land back on your feet” if the worst scenario ever happens. And you can only do that if you have a clean and recent backup at hand to just rollback and restore your website. In other words: back up regularly!  And remember to always back up your files and MySQL database before any update that you run on your Drupal code and modules. It is one of those common sense Drupal security best practices that should be included in any basic security checklist! Where do you add that you even have a dedicated Drupal module —  Backup and Migrate — to assist you with this process. Some of the back up “burdens” that this module will take off your shoulders are:   backing up/restoring code and multiple MySQL databases integrating Drush  backing up files directory setting up several backup schedules AES encryption for backups 7. Review All User Roles and Grant the Minimum Permissions Necessary How many user roles are there assigned on your Drupal site? If you don't quite know the answer, then it's obvious: You must give your entire user role system an audit! And to stick to this habit, one of the simplest ways to secure Drupal, after all. Review all the user roles and, most of all, review each one's set of permissions and make sure you trim them down to the minimum necessary for each role.  This way, you'll also limit access to critical files for those users that shouldn't have the permission to download or visualize them. And speaking of permission, do keep in mind to review all your file permissions, as well! See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary. The END! Of course, this isn't even close to a complete list of ways to secure Drupal. If it had been an exhaustive one, it would have continued with more Drupal security best practices, such as:   getting the SSL Certificate securing HTTP headers using secure connections only   Etc. etc. I've only focused on some of the easiest and quickest measures that anyone, with little, close to no technical know-how at all, can implement. And I feel like stressing out the term “practice” here: Securing your Drupal site is a constant process; a series of persistent efforts and not a one time thing. Remain vigillant and cautious and don't rely on just a one-time, multifaceted security hardening “marathon”.   ... Read more
Adriana Cacoveanu / Jun 28'2018
My Drupal Site Has Been Hacked: What Do I Do? How Do I Restore It? 10 Steps to Clean It Up
Oops! The worst has happened: your Drupal site has been hacked! Maybe it was precisely one of those critical vulnerabilities, that the Drupal security team has been drawing attention to these last months, that the attacker(s) exploited?  Now what? What to do? Should you be:   rushing to restore your website to a healthy, good-working state (that, of course, if you do have a clean and recent backup available)? starting to rebuild it? investigating how your Drupal site got contaminated in the first place: where's the “open door” that the attackers used to get in? focusing on closing any backdoors that could make new attacks possible?   Now “tormenting” yourself with too many questions simultaneously will only distract you from what should be your main objective: cleaning up your website (and preventing further hacks I should add). So, let's go about it methodically, step by step:   Step 1: Write Down Issues, Steps to Take, Preventive Measures to Apply Keep your cool and go for a methodical approach to crisis management: Just open up a document and start... documenting:   the issues and any suspicious activity that you identify on your site all the steps that your strategy for removing malware and restoring your site should include the preventive security measures you commit to taking for preventing such a scenario from happening again the future   Step 2: Make a Forensic Copy of Your Drupal Site  Before you start running your “investigations” on the attack, on how your Drupal site has been hacked, and way before you get to rebuild anything: Make a forensic copy of all your files, you database and your operating system environment! Note: go with an external storage medium for these copies and store them offsite. As you're scanning through your files, detecting viruses and malware and having them cleaned up, feel free to make new and new “working backups”. And to store them in a different directory (from your regular backup files, I mean). “But why bother? When will these backups turn out particularly useful?”   when you call out to a third party to assist you with the troubleshooting process; these “working” backups will then provide a clear picture of the site before you started “malware detecting” on your own when you try to fix the issues you detect, but instead you make them worse; then, you can easily roll back those changes    Step 3: Scan Your Servers and PC for Malware, Malicious Code Injections, Viruses Before you rush to change all the passwords on your site, pause for a moment to think through your next “move”: What if the attack has been “programmed” so that the attacker should get notified once you change your password(s)? And what if it's precisely your PC or one of your servers that's got infected? Then storing a clean backup of your site precisely there would only make it even more vulnerable. So, how do you prevent that? You give both your PC and your servers a deep scan before making any change. And, thank God, you sure aren't nickel and dimed in anti-malware tools and anti-virus software: AVG, BitDefender, Malwarebytes, ESET, AV-Comparatives etc.   Step 4: Detect & Remove the Backdoors One of the crucial steps to take, once you realize that your Drupal site has been hacked, is to “close” all the backdoors. These could easily turn into hackers' access ticket into your site even after you've removed malware and restored it to its healthy state. But, for closing them you first need to... find them right? So, where to look? Here are a few key places on your site that you should focus your “searches” on:   access logs: while scanning them, be vigilant and look for PHP scrips and POST requests added to directories that have writable access   eCommerce set up: check all the payment methods, shipping addresses, credit card addresses, linked accounts, looking for any suspicious, newly added data   passwords: FTP passwords, admin passwords, control panel passwords   email rules and filters: check that the answers to the security questions are “legitimate”, that messages are being forwarded to correct email addresses etc.   Step 5: Consider Taking Your Site Offline And your decision depends greatly on the nature of your site: If it's a hacked eCommerce Drupal site that we're talking about here, then don't wait even one more minute: take your site down (along with the internal network and servers) and install a placeholder! This way, you'll prevent:   malware from being further distributed spam from being sent to your online store's customers   Note: do keep in mind that taking your site offline will instantly let the attackers know that you've detected the malware that they've “infiltrated” and that you are about to “take action”. If you decide not to take your Drupal site offline at the web server level, ensure that you've got your clean forensic copy at hand before deleting all the sessions. Note: have you detected suspicious changes of the passwords? If so, use this query here for updating them (Drupal 7):   update users set pass = concat('ZZZ', sha(concat(pass, md5(rand())))) As for the users, they can easily use the reset password tool for updating their passwords. Word of caution: mind you don't take "Drupal on maintenance mode” for “offline Drupal". They're 2 completely different things! Once your Drupal site has been hacked, the malware could be of such nature that it allows the attacker to infiltrate as long as the site's online.   Step 6: Notify Your Hosting Provider That Your Drupal Site Has Been Hacked  They should be informed about the breach and about your site being taken offline (if it's the case) immediately. The sooner the better, this way they can:   start scanning their own systems for incursions get ready to assist you with your site recovery and securing process   Step 7: Handle Client Data with Extra Precaution  And these are the specific scenarios where you'll need to take extra precautions when handling client information:   your Drupal site stores client information on the web host … it leverages the data POST method for sending form data via e-mail … it doesn't integrate with a 3rd party payment gateway, but manages the payment processes itself   If one of these 3 scenarios suits your case, then here are some of these extra precautions that you need to make to ensure the private user data doesn't get exposed:   update your SSL certificate re-check all logfiles (have any of the hosted client information been copied, updated or downloaded?) implement AVS (address verification system)  add CVV (card verification value) encrypt connections to back-end services used for sending confidential user data    Step 8: Investigate the Attack: Identify the Source(s) of Infection No matter how much pressure you might find yourself under to get your site back online ASAP, don't let take control over your site's restoring process! Not until you've detected the main source of contamination on your site. The key vulnerability that attackers exploited, the key reason why your Drupal site has been hacked in the first place. That being said, make sure that:   you first audit, on a staging server, that “clean” backup of your site that you're planning to get online; this way, you track down and remove infected files, unauthorized settings, malicious code  you compare pre- and post-hack files, looking for any suspicious changes   Now if you have a clean (and recent) backup at hand for running this comparison, the problem's almost solved. Just use the right tools to compare your files and track down discrepancies. But if you don't have a backup at hand, then there's no other way but to: Manually inspect your files and databases to identify any suspicious changes that have been made. look for any suspicious iframe or JavaScript at the end of the files (if detected, save the code in an external file) look for any sources of “Drupal site hacked redirect”; for links to external URLs   Now, as for the places that you should be running your investigations on, let me give you just a few clues:   .php files, .html files  sessions table  newly modified/created files new/updated user accounts  in writable directories and database    Step 9: Do a Full Restore of Your Site  So, you've noticed that your Drupal site has been hacked, you've assessed all the damage caused, removed malware and even detected the vulnerability that hackers exploited to get in, not it's only but logical to: Try to repair your website, right? Word of caution: never ever run your changes on your production site; instead, fix all detected issues on a staging site. Also, once you've cleaned it all up, remember to run the latest Drupal security updates, as well! Now, getting back to repairing your site, you have 2 options at hand:   you either restore a clean backup, if you know the date and time that your Drupal site has been hacked and you're also 100% sure that none of the system components, other than Drupal, got contaminated or you rebuild your Drupal site    The latter method is, undoubtedly more cumbersome, yet a lot more cautious. Go for it if:   you do not know the precise date and time when your site's got contaminated you do not have a clean (and recent) backup available to restore you've evaluated the damages as being already too widespread     Step 10: Give Your Restored Site a Full Check Before Going Live  Do remember to give your newly recovered site a final audit before getting it back up:   remove all malicious code detected suspicious files unauthorized settings   And, most of all: Close all the backdoors!   Final Word  A pretty long, complex and discouragingly tedious recovery process, don't you think?  So, why wouldn't you avoid all these steps that you need to go through once your Drupal site has been hacked? Why not avoid the risk of finding yourself forced to take your website offsite for... God knows how long, risking to impact your site's reputation and to drive away users/online customers? Don't you find it wiser to:   be prepared instead? opt for ongoing Drupal maintenance and support services? make a habit of regularly backing up your website? keep your system and software up to date (and to install all the recommended patches)? stop underrating the security advisories that the Drupal team makes?   ... Read more
RADU SIMILEANU / Jun 25'2018
What Is the Best Way to Port an Android App to iOs and Vice Versa? 5 Aspects to Consider 
If only there was a... button that you could just press to convert your app to Android or iOS, right? Or if only a quick and easy recompilation process had been enough. Or if the “Let's just make it look similar” approach was your “winning card”... There is no such thing as “easier way” to port an Android app to iOS and vice versa. Instead, there are essential aspects to consider and to adjust your whole app porting process to, meant to stir you in the right direction:   navigation design considerations/UX screen size and resolution  code and essential app architecture differences 3rd party services, frameworks, extensions, and used libraries    And, as you might just guess, the list is incomplete. For it includes other factors, as well, such as device support, customer and business model considerations and so on... To keep your app's architecture intact, while porting your app between Android and iOS — 2 platforms with drastically different UIs and core structures — considering the above-mentioned 5 factors becomes crucial. Therefore, let's detail them, shall we?   But What Does App Porting Actually Mean? Its 4 Key Stages  Let's start with some sort of definition of the whole process: By porting your mobile app you're changing or rewriting its code so that it should work on a different mobile OS than the one that it's been initially developed for. Clear enough? “How long does it take to port an Android app to iOS and vice versa?” you might ask yourself. Usually from 1 to 6 months, but it depends greatly:   on your app's complexity on its core architecture on the entire ecosystem of libraries that it uses, on its design particularities on the business logic behind   Speaking of which, analyzing precisely the driving business logic is as critical as it is underrated by developers who usually stick to: adapting a platform and eventually writing the needed extra code. “And what are the essential steps to take to porting my app?” Glad you asked. Here are the main stages that an effective mobile app porting process should include:   analysis and plan technical assessment the porting itself intensive QA    1st Factor to Consider When You Port an Android App to iOS: Navigation  Navigation is the factor that "miles" sets apart the user behavior on Android phone from the user behavior on iPhones.  Here's why:   Android devices are equipped with 3 different buttons: Home, Back and Multitasking button iPhones only have the home button    Now, imagine tapping a multitasking button as in the Android platform: you can't get away with a simple transfer to iOS. Instead, you'll need to write the proper code for it from scratch. And there's more to navigation and to the way that it is drastically different from one platform to the other. For instance:  Both horizontally and vertically displayed elements on iOS vs vertical elements only, on Android devices. Tip: if you wish your iOS app to look similar to its Android alternative, there's always the handy compromise that you can make of placing in-app tabs in the bottom of the screen.   2nd Factor to Consider: Design Considerations/UX You'll have to reconstruct your app's user interface from scratch to convert it from Android to iOS (or the other way around)! Face it, deal with it and... adapt your “battle plan” to it! There's no way around this: When it comes to UI, Android and iOS are just... worlds apart! Android taps into material design, contrasting Apple's signature flat design. Now here are the key design elements that you should pay special attention to, along with some tips on how to make their porting... smoother:   icons: each platform provides you with its rich icon library dialogs font styles: San Francisco or Helvetica Neue in iOS and Roboto in Android content navigation lists object placement: flat vs hierarchical object placement text alignment: center aligned test in iOS vs left alignment of the text in Android buttons: iOS “favors” flat buttons with shadows, whereas in Android you'll find both flat and floating action buttons   Word of caution: when porting apps to Android or from Android, keep in mind the pixels vs points (pt) difference when it comes to measuring icons and font sizes in the two platforms             3rd Factor to Consider: Screen Size and Resolution  Briefly put: it will be conveniently smoother to port an Android app to iOS than vice versa. Why? Because in Android you have a varied collection of screen sizes and resolutions at hand, whereas in iOS it's significantly lighter. So, if it's an app porting to Android that you're planning, do take into consideration all those screen resolutions that are missing in iOS.   4th Factor to Consider: Your App's Essential Architecture  And here's the right approach to adopt when you port an Android app to iOS (or vice versa) and you're preparing to build its new architecture: Identify the minimum OS version that your ported mobile app should support and set up its architecture accordingly.    5th Factor(s) to Consider: Frameworks, Libraries, Extensions, Code Your current app's “infrastructure” of libraries, extensions, 3rd party services and frameworks play a critical role.  A “too critical role” not to turn it into an essential factor to consider once you decide to port your app to a new OS. Therefore, for each one of the used libraries that's not compatible for cross-platform usage you'll need to find a suitable equivalent. And it goes without saying that this calls for: A proper testing of each given framework and 3rd party library, to know for sure which ones support both OS and which ones don't. The good news is that most of them do support them both, making it smoother for you to duplicate most of your app's basic functionalities when converting it to another OS. Now when it comes to the aspect of code, the fact that the 2 platforms use different programming languages influences greatly the way you should port an Android app to iOS: Kotlin and Java are used for building Android apps, whereas Swift is used to develop iPhone apps. Therefore, you can't get away with simply compiling your app's current code into its new ported version. Note: I know what you might be thinking, that both OS support the C-code instead and so, that you could transfer your codebase to the other platform. Yet, it has already been proven that porting apps to Android from iOS calls for a complete rewriting in a different language. How long would it take you? It depends greatly on your app's feature set, on the used 3rd party libraries, complexity etc.   Final Word  As you can see, once you decide to create a “clone” of your iOs app for the Android platform or vice versa, you'll need to take “recompilation” out of your mind. Porting your app won't be that simple! With the 2 platforms having completely different user interfaces and core structures:   careful planning and in-depth analysis (and yes, I'm thinking business logic here) becomes crucial taking into account all those elements that set these OS worlds apart (interface, navigation...) and adjusting your porting strategy accordingly is the only effective way to port an Android app to iOS or vice versa ... Read more
Adrian Ababei / Jun 21'2018
How to Fix a Hacked WordPress Site: A Step-by-Step Guide on Identifying and Removing Malware
“Mysterious” pop-ups that you did not initiate, inexplicable auto-linking keywords, frequent freezing of your website... These are all but clear signs that your WordPress site has been hacked! Now what? Where should you look for the “infection”? Here's a step-by-step guide on how to fix a hacked WordPress site. And it goes without saying that the very first step to take is to: Keep calm! Next, you'll need to figure out how precisely that malicious individual has found his/her way into your site. What security vulnerability has he detected and exploited? Once you've determined how your WordPress website's got hacked, figuring out how to remove the malware is already a half-solved problem. So, let's dig in before this hypothetical infection has spread out throughout your entire website:   Step 1: Identify the Hacked Files (and Change Your Password) Remember what we've already agreed upon, that the very first step to take is precisely not to panic? So, while keeping your cool, start your “investigations” by asking yourself 3 key questions  — this, of course, after you've already asked yourself “How to remove malware from my WordPress site?”:   Are you able to access your admin panel? Is your site already marked as insecure (by Google)? Is your site redirecting automatically to another website once you log yourself in?   At this point, I also strongly recommend that you changed your password, as well. And this before you jump to the next step of your investigation. Note: remember to change it again after you've cleaned up your website, as well.   1.1. Give Your Site a Thorough Scan Using a Security Tool/Plugin And I do think that it never gets redundant for me to stress out: Turning on a powerful WordPress security plugin on your website is one of the best shields that you could activate around it. In case of an emergency situation, like this one here, you'd simply enable it to scan your site remotely and track down malware locations and malicious payloads and, most of all: A good security plugin would identify and alert you, in real-time, of all the changes made to your website. Note: everyone knows it, yet most website owners stubbornly ignore the importance of keeping their loads of WordPress themes and plugins updated regularly. They just overlook the fact that out-of-date files are by far hackers' “top favorite” security vulnerabilities.    1.2. Check Whether Your Core Files Have Been Compromised And since they're by far the most valuable files on your site, it's only normal to check their integrity first things first:   wp-includes root folders wp-admin   Most of these core files should never ever be modified. And there are 2 ways of checking them:   you either use the diff command in your terminal or you check them manually, via SFTP   If they're unchanged and therefore clean, move on to the next step of this “how to fix a hacked WordPress site” guide:   1.3. Check the Integrity of the Recently Modified Files It may also be that precisely the recently modified files on your WordPress site are the “corrupted” ones. To know for sure, identify the files that have been recently modified. And again, you have 2 options at hand for this type of “investigation”:   the manual check running the right commands in your Linux terminal   For manually identifying these newly changed files that might have been hacked just go through these steps here:   log into your server (use the SSH terminal or an FTP client) if it's SSH that you're using, then it's this command that will automatically list all the files that got modified the last 15 days: $ find ./ -type f -mtime -15 if it's SFTP that you're using, just scan through the last modified date column for all files on your server … detect any files that recent changes have been made to   Now for tracking down these possibly “infected” recently modified files using the terminal, just follow these 2 simple steps:   run this command in your terminal: $ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r  next, if you want to identify the directory files, enter this command: $ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r    Are there any unexplainable changes made to those files in the last 7-30 days?   1.4. Check the Diagnostic Pages  A conveniently handy way to remove a virus from your WordPress website is to “track it down” using Google's or another website security authority's tool to give your site a deep scan with. Has yours already been blacklisted by one of these authorities? Then simply run the Google Transparency Report:   go to Safe Browsing Site Status website enter your website's URL there check both the Site Safety Details and the Testing Details sections    It's a quick and easy way to collect valuable information about any suspicious downloads, redirects, and spams on your site, as well as priceless data about Google's recent scan that ended in malware being detected. Note: another way of identifying malware that's within your reach is by using a free webmaster tool — Google Webmasters Central, Norton SafeWeb, Bing Webmaster Tools etc.   Step 2: How to Fix a Hacked WordPress Site: Removing the Detected Malware After all your preliminary investigations, you should put together your battle plan for actually removing the identified hack from your WordPress site. And for restoring it to its pre-hack clean state, too, obviously. For this, here are the most effective measures at hand for you to apply:   2.1. Is a Clean Backup Available? Use It to Compare Pre-Hack to Post-Hack Files Is there any need for me to stress out that: You should back up your website on a daily basis! And the very situation that you're in now is by far one of the strongest reasons to do that: “How to fix a hacked WordPress site” will get reduced to: “simply comparing a clean backup to the current hacked version of your site!" Identify the files that have been modified and get them removed. It goes without saying that you risk losing some of your files —  those added/updated after the last backup — but you do want a clean website now, don't you? 2.2. Remove the Identified Infected Files from Your Website Once you've restored your WordPress backup, you can easily remove any suspicious plugin, theme or other types of file. Note: do handle core files with utmost caution, though! Mind you don't accidentally overwrite your wp-content folder or your wp-config.php file. When it comes to infected custom files, you could replace them with a clean recent backup or with fresh new copies. “But how do I remove “malicious” code manually?” you might ask yourself. Let me go briefly through all the key steps required:   log into your server (via SSH or SFTP) back up your website track down the recently modified files replace any suspicious files with copies from the WordPress repository use a text editor for opening up any custom files there and remove any suspicious code that you'll detect  test your newly cleaned up website   Word of caution: manually removing a malware infection from your WordPress site does call for special safety measures. Never remove corrupted code without first backing everything up!   2.3. Remove All Malware Infections from Your Database Tables, as Well  Now, you do agree that a “how to fix a hacked WordPress site” tutorial couldn't possibly skip the step where database tables get cleaned up of any malware infection. Here's how you do it:   connect to your database using your database admin panel create a backup of your database give it a deep scan looking for any suspicious content  if detected, open the table containing that specific link or spammy keywords manually remove that infected piece of content give your website a “post database clean up” test remove any tools that you might have used specifically for this operation —  Adminer or maybe Search-Replace-DB   2.4. Check All The User Permissions: Look for New, Unfamiliar User Accounts My advice to you, when it comes to user accounts, to user roles and permissions on your WordPress site is to: Keep just one single admin user and stick to the essential user roles (and granted permissions): author editor contributor  etc.   This is one of the most effective prevention measures that you could take so you don't end up asking yourself “How to clean up a hacked WordPress site?” Now, coming back to our investigation here, here's how you remove all the unfamiliar WordPress user accounts from your website:   first, back up both your site and your database log into your admin panel and click the “Users” tab track down any unfamiliar new user accounts there, hover over them and delete them   Note: another wise thing to do is to re-check each user's roles and permissions. If you feel like updating them, simply use the users' role editor plugin.   2.5. Detect and “Close” all the Backdoors And you want to treat this aspect with maximum seriousness. Otherwise, following each and every step indicated to you in this “how to fix a hacked WordPress site” tutorial becomes... pointless. For the attackers would always have this “secret passage” to infiltrate themselves into your website over and over again. “But what are backdoors more precisely?” you might ask yourself. They're files similar to your site's core files — wp-config.php and key directories such as /uploads, /themes, /plugins —  yet strategically placed in the wrong directories.  Here are some PHP functions that you could recognize them by:   str_rot13 assert base64 move_uploaded_file eval system stripslashes gzuncompress   Word of caution: keep in mind that there are plugins on your WordPress website that could be legitimately be using these PHP functions; therefore, make sure you test all those "apparently suspicious changes" before rushing to remove the so-called "malicious" functions. Otherwise, by removing benign functions, you might just break your website.   2.6. Request a Review of Your Site, to Have all Malware Warnings Removed Now, once you've repaired all the damage caused on your Wordpress site, it's only but logical to... let the blacklisting authorities know that your site's clean now. For this, you can just request a review of your recovered website.   2.7. Change Your WordPress Salt Keys  The very last step to take in this “How to fix a hacked WordPress site” process is to change the security keys from your wp-config.php file: This way, even if a potential attacker stole your password, he would get automatically auto-logged out once you've changed your WordPress salt keys. Next, you can just change your password, as well as the ones of other users on your site.   Or, Just Cut All These Steps Down to a Single One: Preventive Maintenance Which means adopting a WordPress maintenance and support plan tailored just for you and your specific security feature needs. This way, not only that you'd save the time (and spare your nerves) that you'd otherwise invest in carrying out all the steps included in a tedious “how to fix a hacked WordPress site” process, but: From running regular updates to on-going maintenance of your website's core components to regular security audits, you wouldn't need to... move a single finger. Our WordPress maintenance and support team would handle it for you. “Prevention is better than cure” is so much more than just a saying... ... Read more
Adriana Cacoveanu / Jun 19'2018
What Is the Best Way to Style React Components? 4 Most Widely-Used Approaches to Styling
Sorry to disappoint you, but: there's no such thing! No such thing as “the best way to style React components”. Or “the most effective approach” or “the currently best option” for styling reusable components within your application. What you do have, instead, is: “The most popular or commonly-used ways of styling components!” 4 of them, actually. And rating one of these approaches as “the best” is totally up to you:   to your personal preferences to your React app's level of complexity to what precisely it is that you need to style in your React project and to your feature needs   Is it just a few style properties that you need to add? Then the inline styling approach suits your “component styling scenario” perfectly. Or maybe it's a more complex React app that you're working on? In this case, you might want to go for the classic approach: using CSS classes and stylesheets and tying them all together with webpack.  But let's just put each of the 4 popular ways of styling React components into the spotlight and clear the picture for you a bit more! I'll be highlighting each option's main advantages and drawbacks, so you can knowingly decide which one's the best option for you.   1. The Classic Approach: Using Regular CSS Stylesheets  You always have classes and stylesheets to rely on when it comes to styling. Simply tie them all with webpack after you've imported CSS file: import './DottedBox.css' … ensuring, this way, that you have a separate CSS file for each one of the components to be styled. The main advantages of this common approach?   it'll then be easier for you to move between your CSS and the browser it will streamline overriding or MVT in case you'll need to go in that direction   Yet, there's also a bit discouraging drawback to this approach to styling React components: Do expect to face all the “standard” CSS problems: potential conflicts between definitions and mutual classes, attribute inheritance (both good and... bad)...   2. CSS Modules  And before we delve into the:   “why” you might rate using CSS modules as “the best way to style React components” “how” to leverage their styling capabilities   ... let us try to define them: They're CSS files where all animation and all class names get automatically scoped. Moroever, CSS modules help you “keep things clean” when it comes to all the previously mentioned problems that CSS stylesheets can challenge you with. They make the most efficient approach to styling React components when you're dealing with complex applications. And now, here are the steps to take for styling your reusable components using CSS modules:   import CSS file: import styles './DashedBox.css' next, access className as you access to the object   And here you have 2 options at hand:   :local(.className) if/when you opt for create-react-app due to webpack configurations .className in case it's your own React boilerplate that you're using    “OK, but how do I make my CSS modules work with Webpack now?” A legitimate question that you might be asking yourself right now. Here's how:   you simply include the modules early mentioned next add the loader here below to your webpack.config.js file: . . . { test: /\.css$/, loader: 'style!css-loader?modules&importLoaders=1&localIdentName=[name]__[local]___[hash:base64:5]' } . . . 3. Styled Components: Is This the Best Way to Style React Components? “It is if working with class names to compose stylesheets is not really... your thing.” Take it as a more “non-traditional” way of styling components, where you: Create encapsulated styles and integrate them with the props of your components. In other words: instead of using className, you'd be using style attribute. And styled-components — a JavaScript and CSS “combo —  are no more than a library enabling you to use component-level styles within your React app.  Or, you can also see them as a “wrapper component”: mapped to HTML tags in order to style itself and its child elements. This way, you can easily write regular CSS in your JS file.  The main advantages?   you get to store all the styling within the component  … to have separate and reusable UI for your React stateful/stateless components … to build “isolated” components    And now, let me take you through all the steps required for leveraging this library's styling capabilities:   fist, just install the library itself: npm install styled-components –save next, set up a variable by selecting a specific HTML element, to store your style keys const Div = styled.htmlElemnet`color: pink`  and finally, use that variable's name as a wrapper <Div></Div> type of React component     4. Inline Styling  This might just be the best way to style React components for you if it's only a few style properties that you need to add. Don't expect for inline styles to be specified as a string in React:  They're not! Instead, they're mentioned with an object: whose key is the style name's camelCased version whose value is usually a string, the style's own value, actually   And you have 2 options at hand for “triggering” the styling capabilities with this approach:   you create a variable storing style property and get it sent through to the element like style={nameOfvariable} you pass the styling — style={{color: 'pink'}} — directly   Still, don't get overly “enthusiastic” about using this approach to styling! At least not until you've taken note of all the challenges that it presents, as well (and there are quite a few):   you won't be able to use pseudo-classes, one of the core features of CSS (:active, :hover, :focus etc.)   expect duplication in markup each time you'll use a specific component: you won't be having your styles in your JS only, meaning that doing server-side rendering will lead to duplication, to using repetitive rules and the same style code for multiple components   you won't get any media queries: you're left with the solution of using a JS approach for “juggling with” different screen variations   and you can't use vendor prefixes, nor override a rule on the very same selector   In a few words: using inline styling might just not be the best way to style React components if: ... It's a UI-heavy, complex application that you're working on and this is due to the approach's highly restrictive usage. Nevertheless, if you still consider that this option suits your preferences and your app's feature needs best, go for it! You could always use a library such as React JSS, Readium, React style to deal with the above-mentioned inline styling limitations. The END! These are 4 most widely-used ways of styling components in React, along with their key benefits and their most discouraging drawbacks. Which one would you rate as “the best way to style React components” according to your personal preferences and to your current app's “needs” in terms of styling capabilities? ... Read more
Adrian Ababei / Jun 14'2018
What Does It Take to Develop a Mobile-First Content Strategy for Your Drupal Website?
There's no way around it, not anymore: with Google's index now mobile-first, adopting a mobile-first approach when building a new Drupal site (or redesigning a legacy one) is… a must! It no longer depends on a specific project's needs or on the used technology. The need to develop a mobile-first content strategy has gone from particular to universal. And facing the challenge of:   (re)creating optimizing structuring   … content on your Drupal website means conforming to those specific patterns that mobile users have developed for reading content on their smartphones. In short: developing a fully responsive Drupal site comes down to centering your mobile content strategy around the idea that: It's for the smallest screen sizes that you should plan your content for, first things first … then scale it up from there. Now, let's see precisely what it takes to develop a mobile-first content strategy. What focus points and must-have components to include:   1. Take the Smallest Screen Size as the Starting Point In other words: think mobile-first! And by “mobile” I do mean “smartphones” — the smaller the screen size, the better.  This way, you'll be adjusting your content so that it makes the most of the smallest interface. Starting “small” is the best way to stick to the “keep it simple” approach: Thinking through every content-related decision in the light of the viewport size challenge will constrain you to keep the truly essential content elements only. Hence, this “spartan” way of eliminating the unnecessary will reflect on your site's desktop design, as well:  It will turn out cleaner and lighter.   2. Use Visual Content Wisely: Weigh Your Choices of Images  The golden rule when it comes to the imagery that you'll use on your responsive website is: If an image doesn't enhance and complement your content, then you're better off without it! And I know what you must be thinking: “But people remember what they see far more easily than what they read.” True, you need to keep in mind that visuals do come at a cost, though: Those stunning, visually-arresting images on your website risk to divert your users' attention from the message itself. And still, probably the most heavy-weighing reason why you should use images wisely when you develop a mobile-first content strategy is: weigh. Visuals risk to take up valuable screen space and thus:   outshine your calls to action themselves impact your site's overall performance (leading to frustration)   Now that doesn't mean that you should strip your content off ALL the visuals! Absolutely not! Just to be cautious and weigh your every choice, think through your every decision involving the usage of an image.  Once you've selected the truly essential ones, keep in mind:   not to no resize them (or optimize them in any other way) before uploading them to your CMS: let Drupal do the heavy-lifting here  to leverage the Responsive Image module's (Drupal 8) capabilities for resizing them to fit the given screen sizes   3. Content Before Design This is the right sequence to follow when you're designing (or re-designing) your Drupal site with mobile users in mind: First, you create and strategically organize your content and upload it to your Drupal 8 CMS. It's only then that you focus on styling and developing a responsive and visually-striking web design. If it's legacy content that you're dealing with, trying to convert it to mobile, the very first step to take when you develop a mobile-first content strategy is: Removing all the design elements from your written content.   4. Create a Hierarchy of Your Calls to Action Making the most of a small interface means also setting your priorities in terms of calls to action: Pair each one with a corresponding objective, evaluate them all wisely, then select THE call to action that's most critical for you and place it — and it alone — above the fold.   5. Organize and Optimize Your Content for Mobile Devices I'll briefly list all the key requirements that mobile-friendly content should meet — aspects to pay attention to when writing content for mobile devices — for I'm sure they're nothing new to you: the phrases should be kept short and concise, thus eliminating the burden of “never-ending-scrolling” the content should be sharp, targeted and skimmable, so users can easily “digest” it and modular, so that users can swiftly browse through it “modular” meaning made either of multiple clear paragraphs — each one standing for one thought — or chunks of 3 paragraphs at most    6. Optimize Media, too, When You Develop a Mobile-First Content Strategy And there are a couple of essential steps that you mustn't overlook when it comes to mobile-optimizing your media:   always go for thumbnails instead of video players that your users would have to load and thus strain on your site's valuable resources don't ever use autoplay on your audio and video content  optimize your sound, image and video files both for large and small devices   7. Trim Down Your Navigation Menu In other words: when you develop a mobile-first content strategy, consider simplifying your navigation to its truly essential links. No user would gladly scan through a “beefy” navigation menu taking his device's entire screen:   flatten your navigation: stay away from the technique of piling up submenus, layers and navigation points feel free to place the links that you'll remove on other places on your website (or even to turn them into calls to action)   8. Convert Your Legacy Content to Mobile-Friendly Content  If it's a legacy Drupal website that you need to restructure and to adapt to your mobile users' specific patterns for browsing through and consuming content on their smartphones, then it's time you:   dug into your static HTML … and cleaned it up   And by “cleaning it up” I do mean:   removing inline media removing the fixed-width tables eliminating floats with content  breaking it down into skimmable chunks of content   … that can be easily structured into content fields. The END! These are the 8 main aspects to focus on when you develop a mobile-first content strategy.  Now time to test the “saying” that: “Creativity strives under constraints.” … and to make the most of those small interfaces. ... Read more
Adriana Cacoveanu / Jun 11'2018