Accidentally creating duplicate content in Drupal is like... a cold:
Catching it is as easy as falling off a log.
All it takes is to:
further submit your valuable content on other websites, as well, thus challenging Google with 2 or more identical pieces of content
move your website from HTTP to HTTPS, but skip some key steps in the process, so that the HTTP version of your Drupal site is still there, “lurking in the dark”
have printer-friendly versions of your Drupal site and thus dare Google to face another duplicate content “dilemma”
So, what are the “lifebelts” or prevention tools that Drupal “arms” you with for handling this thorny issue?
Here are the 4 modules to use for boosting your site's immune system against duplicate content.
And for getting it fixed, once the harm has already been done:
1. But How Does It Crawl into Your Website? Main Sources of Duplicate Content
Let's get down to the nitty-gritty of how Drupal 8 duplicate content “infiltrates” into your website.
But first, here are the 2 major categories that these sources fall into:
malicious
non-malicious
The first ones include all those scenarios where spammers post content from your website without your consent.
The non-malicious duplicate content can come from:
discussion forums that create both standard and stripped-down pages (for mobile devices)
printer-only web page versions, as already mentioned
items displayed on multiple pages of the same e-commerce site
Also, duplicate content in Drupal can be either:
identical
or similar
And since it comes in “many stripes and colors”, here are the 7 most common types of duplicate content:
1.1. Scraped Content
Has someone copied content from your website and further published it? Do not expect Google to distinguish the copy from its source.
That said, it's your job and yours only to stay diligent and protect the content on your Drupal site from scrapers.
1.2. WWW and non-WWW Versions of Your Website
Are there 2 identical versions of your Drupal website available? A www and a non-www one?
Now, that's enough to ring Google's “duplicate content in Drupal” alarm.
1.3. Widely Syndicated Content
So, you've painstakingly put together a list of article submission sites to give your valuable content (blog post, video, article etc.) more exposure.
And now what? Should you just cancel promoting it?
Not at all! Widely syndicated content risks getting on Google's “Drupal 8 duplicate content” radar only if you set no guidelines for those third-party websites.
That is when these publishers don't place any canonical tags in your submitted content pointing out to its original source.
What happens when you overlook such a content syndication agreement? You leave it entirely to Google to track down the source. To scan through all those websites and blogs that your piece of content gets republished on.
And oftentimes it fails to tell the original from its copy.
1.4. Printer-Friendly Versions
This is probably one of the sources of duplicate content in Drupal that seems most... harmless to you, right?
And yet, for search engines multiple printer-friendly versions of the same content translate as: duplicate pages.
1.5. HTTP and HTTPS Pages
Have you made the switch from HTTP to HTTPS?
Entirely?
Or are there:
backlinks from other websites still leading to the HTTP version of your website?
internal links on your current HTTPS website still carrying the old protocol?
Make sure you detect all these less obvious sources of identical URLs on your Drupal website.
1.6. Appreciably Similar Content
Your site's vulnerable to this type of duplicate content “threat” particularly if it's an e-commerce one.
Just think of all those too common scenarios where you display highly similar product descriptions on several different pages on your eStore.
1.7. User Session IDs
Users themselves can non-deliberately generate duplicate content on your Drupal site.
How? They might have different session IDs that generate new and new URLs.
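The checks behind sections 1.2, 1.5 and 1.7, as an added example that is not part of the original article: it audits whether every HTTP/HTTPS and www/non-www variant of a page ends, via permanent redirects, at one canonical URL, and groups crawled URLs that differ only by scheme, www prefix or session ID. The example.com URLs, the recorded responses and the SESSION_PARAMS list are constructed assumptions; replace them with data captured from your own site.

```python
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Assumption: query parameters that carry session state on your site.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "jsessionid"}
PERMANENT = (301, 308)
REDIRECTS = (301, 302, 303, 307, 308)


def strip_session_params(url):
    """Drop session-ID query parameters and the fragment from a URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def origin_variants(canonical_url):
    """The four scheme/host combinations that can serve the same page."""
    parts = urlsplit(canonical_url)
    host = parts.netloc.lower()
    bare = host[4:] if host.startswith("www.") else host
    return [urlunsplit((scheme, h, parts.path, parts.query, ""))
            for scheme in ("http", "https") for h in (bare, "www." + bare)]


def resolve(url, responses, max_hops=5):
    """Follow redirects recorded in `responses` (url -> (status, location)).
    Returns (final_url, final_status, hops); status is None on a loop,
    an over-long chain or an unknown URL."""
    hops = []
    for _ in range(max_hops + 1):
        status, location = responses.get(url, (None, None))
        if status in REDIRECTS and location:
            hops.append((url, status))
            url = urljoin(url, location)  # Location may be relative
            continue
        return url, status, hops
    return url, None, hops


def audit(canonical_url, responses):
    """Verdict per non-canonical variant (canonical_url: lowercase host)."""
    report = {}
    for variant in origin_variants(canonical_url):
        if variant == canonical_url:
            continue
        final, status, hops = resolve(variant, responses)
        if status != 200:
            verdict = "broken"              # loop, dead end or error page
        elif not hops:
            verdict = "duplicate"           # variant serves the page itself
        elif final != canonical_url:
            verdict = "wrong-target"
        elif any(code not in PERMANENT for _, code in hops):
            verdict = "temporary-redirect"  # 302/307 does not consolidate
        else:
            verdict = "ok"
        report[variant] = verdict
    return report


def canonical_key(url):
    """Key ignoring scheme, www prefix and session IDs."""
    parts = urlsplit(strip_session_params(url))
    host = parts.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    return host + (parts.path or "/") + ("?" + parts.query if parts.query else "")


def duplicate_groups(urls):
    """Group crawled URLs that collapse to the same canonical key."""
    groups = {}
    for url in urls:
        groups.setdefault(canonical_key(url), []).append(url)
    return {key: group for key, group in groups.items() if len(group) > 1}


# Constructed sample data: responses as a crawler might have recorded them.
CANONICAL = "https://www.example.com/blog/my-node-title"
RESPONSES = {
    "http://example.com/blog/my-node-title": (301, "https://example.com/blog/my-node-title"),
    "https://example.com/blog/my-node-title": (301, CANONICAL),
    "http://www.example.com/blog/my-node-title": (200, None),  # leftover HTTP copy
    CANONICAL: (200, None),
}
CRAWLED = [
    CANONICAL,
    "http://www.example.com/blog/my-node-title",
    CANONICAL + "?PHPSESSID=abc123",
    "https://www.example.com/about",
]

if __name__ == "__main__":
    for variant, verdict in audit(CANONICAL, RESPONSES).items():
        print(f"{verdict:20} {variant}")
    for key, group in duplicate_groups(CRAWLED).items():
        print(key, "->", group)
```

A "duplicate" verdict on the plain-HTTP variant also means the page is still reachable without TLS, so it is worth fixing for more than SEO reasons.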
2. 4 Modules at Hand to Identify and Fix Duplicate Content in Drupal
What are the tools that Drupal puts at your disposal to detect and eliminate all duplicate content?
2.1. Redirect Module
Imagine all the functionality of the former Global Redirect module (Drupal 7) “injected” into this Drupal 8 module!
In fact, you can still define your Global Redirect features by just:
accessing the Redirect module's configuration page
clicking on “URL redirects”
What this SEO-friendly module does is provide you with a user-friendly interface for managing your URL path redirects:
create new redirects
identify broken URL paths (you'll need to enable the “Redirect 404” sub-module for that)
set up domain level redirects (use the “Redirect Domain” sub-module)
import redirects
Summing up: when it comes to handling duplicate content in Drupal, this module helps you redirect all your URLs to the new paths that you will have set up.
This way, you avoid the risk of having the very same content displayed on multiple URL paths.
2.2. Taxonomy Unique Module
How about “fighting” duplicate content on your website at a vocabulary level?
In this respect, this Drupal 8 module:
prevents you from saving a taxonomy term that already exists in that vocabulary
is configurable for every vocabulary on your Drupal site
allows you to set custom error messages that would pop up whenever a duplicate taxonomy term is detected in the same vocabulary
2.3. PathAuto Module
Just admit it now:
How much do you hate the /node/125 type of URL paths?
They're anything but user-friendly.
And this is precisely the role that Pathauto's been invested with:
To automatically generate content friendly path aliases (e.g. /blog/my-node-title) for a whole variety of content.
Let's say that you want to modify the current “path scheme” on your website with no impact on the URLs (you don't want the change to affect user's bookmarks or to “intrigue” the search engines).
The Pathauto module will automatically redirect those URLs to the new paths using any HTTP redirect status.
2.4. Intelligent Content Tools
Personalization is key when you strive to prevent duplicate content in Drupal, right?
And this is precisely what this module here does: it helps you personalize content on your website.
How? Through its 3 main functionalities delivered to you as sub-modules:
auto tagging
text summarizing
detecting plagiarized content
Leveraging Natural Language Processing, this last sub-module scans content on your website and alerts you of any signs of duplicity detected.
Word of caution: keep in mind that the module is not yet covered by Drupal's security advisory policy!
3. To Sum Up
Setting a goal to ensure 100% unique content on your website is as realistic as... learning a new language in a week.
Instead, you should consider setting up a solid strategy “fueled” by (at least) these 4 modules “exposed” here. One that would help you avoid specific scenarios where entire pages or clusters of pages get duplicated.
Now, that's a far less utopian goal to set, don't you think?
Adriana Cacoveanu / Jan 16'2019
It's a fact: “the next generation” of web apps aren't just extremely fast, they're highly scalable, as well. Which brings us to the next question: “How do you scale a web application in Drupal?”
What tools, best practices, and latest techniques do you use for leveraging Drupal 8's scalability capabilities?
For ensuring that your custom web app will keep on scaling to:
handle sudden spikes in traffic
avoid downtime
withstand “surprise” content overloads
Well, here they come:
1. But Is Drupal Scalable? How Scalable?
Let's just say that:
Drupal's built with scalability in mind and that Drupal 8 is... extremely scalable.
It's powering some of the world's most trafficked and content-rich websites (Weather, Grammy, Princess Cruises...). Therefore, it's designed to cope with heavy infrastructures of thousands of content contributors, Drupal users and site/app visitors...
And when gauging Drupal 8's scalability you need to go beyond Drupal's unmatched modularity: +30,000 free modules.
Instead, just think of:
Drupal turned into a central API
all the improvements brought to Drupal 8's scalability till this day
Drupal 8 enabling you, right out of the box, to integrate it with a wide range of third-party apps, software, and systems
RESTful API now in core!!!
… and how all that empowers you, the Drupal web app developer, to easily serve JSON or HTML code.
And Drupal 8's unparalleled scalability comes down to this:
Empowering developers to create content and send it to any third-party app via JSON.
Of course, its out-of-the-box scalability can get further optimized via:
an established set of best practices
additional support from various tools and technologies
2. How to Scale a Web Application in Drupal: Server Scaling Techniques
Let's say that... “it's time”:
You've applied all the optimization techniques on your web application so that it should seamlessly “accommodate” the increasing influxes of traffic and content load. And still, its server hardware has started to show its limitations.
So, it's time to scale your server hardware. And you have 2 options at hand:
2.1. You scale up your server vertically
This is the handiest method, so to say. That “emergency” technique to go for when:
you don't have time to install a caching module
there's no one in your team with the needed expertise for adding more servers
So, what do you do? You increase your existing server size.
You boost its performance by adding more resources.
This way, it could keep up with all those new traffic challenges calling for more memory, more CPU cores...
Word of caution: there's no such thing as “sky is the limit” here; you'll still reach the limit of the hardware at some point when you scale up a web app in Drupal using this method.
2.2. You scale up your server horizontally
The second best practice for scaling up your server is a bit more complex.
And it involves 2 approaches, actually:
a. You separate your database from your Drupal web app.
Basically, your database will have its own server and thus you get to split the load in 2. Then, you can vertically scale each one of the 2 servers.
b. You add multiple servers and distribute the load between them.
This is the most complex way to scale a web app in Drupal.
Just think about it:
How will the servers included in this whole “ecosystem” “know” which users to take over?
It goes without saying that you'll need a load balancer for properly “splitting up” the traffic load. And a database server, as well.
See? It already gets more complex compared to the other 2 above-mentioned server scaling techniques.
Nevertheless, this is the method which, when done properly, will dramatically reduce the load that each server must handle.
3. “Juggling with” Multiple App Servers for Drupal
Let's say that you've opted for the last method of scaling up your server, so:
Now you find yourself facing the challenge of handling multiple app servers.
How will you deploy code to each of them simultaneously? That is the biggest question when you scale a web app in Drupal.
The best practice is to keep all your servers on the same local network.
Having one single data center will speed up the data transfer compared to having it traveling through the internet.
The END! This is how you can leverage Drupal 8's scalability capabilities and easily “adjust” your web app to withstand unexpected surges of traffic.
Have you tried other techniques and best practices?
RADU SIMILEANU / Dec 10'2018
"A Drupal 8 initiative to improve Drupal's content workflow", this is how Dries Buytaert first defined the Workflow Initiative, back in 2016. Now, coming back to 2018, you must be asking yourself a legitimate question: “How do I set up a content workflow in Drupal 8?”
“How do I manage, extend and customize an editorial workflow to fit my Drupal 8 website's publishing needs? One including multiple users, with different permissions, that manages the workflow status of... different content types.”
Which are the (not so) new content management features and functionality implemented to Drupal core by now? Those aimed at improving the user experience (editors, content authors...)?
Let's get you some answers:
1. Introducing: The Content Moderation Drupal 8 Module
Content Moderation has reached stable version in Drupal 8.5.
Why should you care? What makes this core module of critical importance for creating your content publication workflow?
because otherwise, you'd have only two built-in states to “juggle with”: published and unpublished
because it enables you to build a simple workflow for drafts, too
… to set up new custom editorial workflows, as well, in addition to the default one
In short, what this module does is that it enables you to create a flexible content workflow process where:
one of the editors in your team stages a “Draft” piece of content
and another user on your Drupal 8 website, with a different permission, reviews/updates it
It comes as a powerful tool for you to leverage when your workflow needs are more complex than “ON/OFF”.
2. How to Set Up a Simple Content Workflow in Drupal 8
You'll only need 2 modules for putting together the workflow for a basic content publishing scenario:
Workflows, that will provide just the framework needed for managing the states and transitions included in the process
Content Moderation, which will add the “Draft” state, a “Draft to Published” content workflow, and an admin view for handling all the drafts
And here's setting up a basic content publishing workflow in 4 simple steps:
Enable the “Content Moderation” core module
Go to “Configuration” and click the “Workflow” tab; it's the last one in the unfolding drop-down menu
Open the “Workflows” page
Tada! You've just turned on your default “Editorial workflow”
For now, you should be having 3 major states in your workflow:
draft
published
archived
Note: use permissions to grant content contributors the right to edit/create drafts, editors the “Transition drafts to published” permission, admins the right to “restore to draft transitions” and so on...
And voila! Your default editorial workflow, with the Content Moderation module ON, should suit your basic state tracking needs. It should fit any standard use case.
Now, if your workflow needs are a bit more complex and website-specific... keep on reading:
3. Content Revisions in Drupal 8
One of the most powerful features that Content Moderation will “turbocharge” your editorial workflow with is:
Saving each change as a content revision in the database.
It stores all revisions in the system.
But let's take a common scenario, shall we?
Let's say that a second editor decides to make an update to a piece of content (either a content type or a custom block type). He/she updates it, then saves it as a “Draft”. You'll then still have the published version of the content, that's live, on your Drupal website, as well as this Draft (or several of them), stored, as a revision, in your database.
A crucial functionality for any complex content publishing workflow:
with content revisions, you get to keep track of who's updated what and when
… to trigger log messages regarding those changes, informing other content authors that a given content has been edited
and you can also revert to the oldest revisions if needed
4. How to Extend and Customize Your Content Publishing Workflow
Rest assured: there's no need for custom code writing, even if your content publishing needs are a bit more complex.
Here's what it takes to extend and to custom-tune your default content workflow in Drupal 8:
While on your “Workflow” page, just click the “Add a new state” button and add more workflow states: “Needs Review” or “Second Review” etc.
Next, make sure you adjust your transitions to support your newly added state(s). For instance, a “Second Review” state would require a “Move to Second Review” transition.
Then, apply your extended workflow to either a specific content type or to a custom block type
You can also create new separate content publishing workflows to have a different one for your press releases, a separate publishing workflow, an editorial workflow for your blog posts, a warehouse workflow etc.
Defining multiple workflows in Drupal 8, each one with its specific “ecosystem” of states and transitions, is now possible.
Notes:
the transitions in your workflow will stand for the permissions that you'll assign to different Drupal roles in your team
use clear, descriptive verbs to name them
remember to grant editors the permission to undo transitions, as well (they might need to revert a piece of content to “Needs Work” once they've reviewed it, for instance)
In short:
By defining multiple states for your piece of content (Published, Pending Review, Ready for Review, Ready for Second Review, Unpublished, Draft etc.) and managing the permissions corresponding to the state transitions you can build a content workflow in Drupal 8 capable of supporting even the most complex publishing scenarios.
Now, another common scenario where a custom content workflow in Drupal 8 is needed is when you have a website publishing content to multiple platforms.
You have a Drupal 8 website, a native application and an internal portal, let's say...
Your publishing workflow would look something like this:
first, content gets moderated to be published on the front-facing Drupal website
then, it gets put in the queue for review before it gets published (or declined) on each one of the other 2 platforms
Note: if you need to further extend your editorial workflow and to apply it to a custom entity, for example, you can always write a WorkflowType plugin that meets your specific needs.
Then, you can apply your custom workflow to... steps in ordering in a resto app, steps in a manufacturing process and to pretty much any entity (think beyond content) that needs to change its workflow states...
5. How Do You Know If You Really Need an Editorial Workflow?
Do you really need to use content moderation? To set up a whole workflow for your publishing scenario?
You do, if and only if:
there are multiple content authors uploading content on your website, content that needs to be reviewed before it gets published
you're managing a team of multiple admins, with different user roles
each moderator knows his/her role in the publishing chain
But if the content authors in your team have the very same type of permission as the admins and they just push content through, a content moderation workflow is useless.
It would only slow down the publishing process.
So, just because you have the option to set up a content workflow in Drupal 8, doesn't mean that you should rush to implement it on your own website, too... Maybe you just don't need a workflow.
The END!
What do you think about these content management capabilities in Drupal 8? Are they powerful and diverse enough to suit your workflow needs?
Adriana Cacoveanu / Nov 14'2018
What's your favorite tool for creating content layouts in Drupal? Paragraphs, Display Suite, Panelizer or maybe Panels? Or CKEditor styles & templates? How about the much talked about and yet still experimental Drupal 8 Layout Builder module?
Have you “played” with it yet?
As Drupal site builders, we all agree that a good page layout builder should be:
flexible; it should empower you to easily and fully customize every single node/content item on your website (not just blocks)
intuitive, super easy to use (unlike "Paragraphs", for instance, where building a complex "layout", then attempting to move something within it, turns into a major challenge)
And it's precisely these 2 features that stand for the key goals of the Layout Initiative for Drupal:
To turn the resulting module into that user-friendly, powerful and empowering page builder that all Drupal site builders had been expecting.
Now, let's see how the module manages to “check” these must-have strengths off the list. And why it revolutionizes the way we put together pages, how we create, customize and further edit layouts.
How we build websites in Drupal...
1. The Context: A Good Page Builder Was (Desperately) Needed in Drupal
It had been a shared opinion in the open source community:
A good page builder was needed in Drupal.
For, even if we had a toolbox full of content layout creation tools, none of them was “the One”. That flexible, easy to use, “all-features-in-one” website builder that would enable us to:
build complex pages, carrying a lot of mixed content, quick and easy (with no coding expertise)
fully customize every little content item on our websites and not just entire blocks of content site-wide
easily edit each content layout by dragging and dropping images, video content, multiple columns of text and so on, the way we want to
Therefore, the Drupal 8 Layout Builder module was launched! And it's been moved to core upon the release of Drupal 8.6.
Although it still wears its “experimental, do not use on production sites!” type of “warning tag”, the module has already leveled up from an “alpha” to a more “beta” phase.
With a more stable architecture now, in Drupal 8.6, significant improvements and a highly intuitive UI (combined with Drupal's well-known content management features) it stands all the chances to turn into a powerful website builder.
That great page builder that the whole Drupal community had been “craving” for.
2. The Drupal 8 Layout Builder Module: Quick Overview
First of all, we should get one thing straight:
The Drupal 8.6. Layout Builder module is Panelizer in core!
What does it do?
It enables you, the Drupal site builder, to configure layouts on different sections on your website.
From selecting a predefined layout to adding new blocks, managing the display, swapping the content elements and so on, creating content layouts in Drupal is as (fun and) intuitive as putting Lego pieces together.
Also, the “content hierarchy” is more than logical:
you have multiple content sections
you get to choose a predefined layout or a custom-design one for each section
you can place your blocks of choice (field blocks, custom blocks) within that selected layout
Note: moving blocks from one section to another is unexpectedly easy when using Layout Builder!
3. Configuring the Layout of a Content Type on Your Website
Now, let's imagine the Drupal 8 Layout Builder module “in action”.
But first, I should point out that there are 2 ways that you could use it:
to create and edit a layout for every content type on your Drupal website
to create and edit a layout for specific, individual nodes/ pieces of content
It's the first use case of the module that we'll focus on for the moment.
So, first things first: in order to use it, there are some modules that you should enable — Layout Builder and Layout Discovery. Also, remember to install the Layout Library, as well!
Next, let's delve into the steps required for configuring your content type's (“Article”, let's say) display:
go to Admin > Structure > Content types > Article > Manage Display
hit the “Manage layout” button
… and you'll instantly access the layout page for the content type in question (in our case, “Article”).
It's there that you can configure your content type's layout, which is made of:
sections of content (display in 1,2, 3... columns and other content elements)
display blocks: tabs, page title...
fields: tags, body, title
While you're on that screen... get as creative as you want:
choose a predefined layout for your section — “Add section” — from the Settings tab opening up on the right side of the screen
add some blocks — “Add block”; you'll then notice the “Configure” and “Remove” options “neighboring” each block
drag and drop the layout elements, arranging them to your liking; then you can click on either “Save Layout” or “Cancel Layout” to save or cancel your layout configuration
And since we're highly visual creatures, here, you may want to have a look at this Drupal 8 Layout Builder tutorial made by Lee Rowlands, one of the core contributors.
In short: this page builder tool enables you to customize the layout of your content to your liking. Put together multiple sections — each one with its own different layout — and build website pages, carrying mixed content and multiple layouts, that fit your design requirements exactly.
4. Configuring and Fully Customizing the Layout of a Specific Node...
This second use case of the Drupal 8 Layout Builder module makes it perfect for building landing pages.
Now, here's how you use it for customizing a single content type:
go to Structure>Content types (choose a specific content type)
click “Manage display” on the drop-down menu
then click the “Allow each content item to have its layout customized” checkbox
and hit “Save”
Next, just:
click the “Content” tab in your admin panel
choose that particular article that you'd like to customize
click the “Layout” tab
… and you'll then access the very same layout builder UI.
The only difference is that now you're about to customize the display of one particular article only.
Note: basically, each piece of content has its own “Layout” tab that allows you to add sections, to choose layouts.
Each content item becomes fully customizable when using Drupal 8 Layout Builder.
5. The Drupal 8.6. Layout Builder vs Paragraphs
“Why not do everything in Paragraphs?" has been the shared opinion in the Drupal community for a long time.
And yet, since the Layout Builder tool was launched, the Paragraphs “supremacy” has started to lose ground. Here's why:
the Layout builder enables you to customize every fieldable entity's layout
it makes combining multiple sections of content on a page and moving blocks around as easy as... moving around Lego pieces
By comparison, just try to move... anything within a complex layout using Paragraphs:
you'll either need to keep your fingers crossed so that everything lands in the right place once you've dragged and dropped your blocks
or... rebuild the whole page layout from scratch
The END!
What do you think:
Does Drupal 8 Layout Builder stand the chance to compete with WordPress' popular page builders?
To “dethrone” Paragraphs and become THAT page layout builder that we've all been expecting? Or do you think there's still plenty of work ahead to turn it into that content layout builder we've all been looking forward to?
RADU SIMILEANU / Nov 02'2018
Just imagine... automatic updates in Drupal core.
Such a feature would put an end to all those never-ending debates and ongoing discussions taking place in the Drupal community about the expectations and concerns with implementing such an auto-update system.
Moreover, it would be a much-awaited upgrade for all those users who've been looking for (not to say “longing for") ways to automate Drupal core and modules for... years now. Who've been legitimately asking themselves:
“Why doesn't Drupal offer an auto-update feature like WordPress?”
And how did we get this far? From idea to a steady-growing initiative?
first, it was the need to automate Drupal module and security updates
then, the issue queues filled with opinions grounded in skepticism, valid concerns, and high hopes started to “pile up” on Drupal.org,
then, there was Dries' keynote presentation at Drupalcon Vienna in 2017, raising awareness around the need to re-structure Drupal core in order to support a secure auto-update system
… which grew into the current Auto Update Initiative
that echoed, recently, at Drupal Europe 2018, during the “Hackers Automate, but the Drupal Community still Downloads Modules from Drupal.org” session
Many concerns and issues have been pointed out. Many questions have been added to the long list.
Yet, one thing's for sure:
There still is a pressing, ever-growing need for an auto-update feature in Drupal...
So, let me do my best to answer some of your questions regarding this much-awaited addition to Drupal core:
What's in it for you precisely? How will an auto-update pre-built feature benefit you?
Does the user persona profile suit you, too? Is it exclusively low-end websites that such a feature would benefit? Or are enterprise-level, company websites targeted, as well?
What are the main concerns about this implementation?
1. The Automatic Updates Initiative: Goal & Main Challenges
Let's shift focus instead and pass in review the inconveniences of manually installing updates in Drupal:
it's time-consuming
it can get risky if you don't know what you're doing
it can be an intimidatingly complex process if you have no dedicated Drupal support & maintenance team to rely on
it can get quite expensive, especially for a small site or blog owner
See where I'm heading?
This initiative's main objective is to spare Drupal users of all these... inconveniences when it comes to updating and maintaining their websites. Inconveniences that can easily grow into reasons why some might get too discouraged to adopt Drupal in the first place.
The goal is to develop an auto-update mechanism for Drupal core conceptually similar to those already implemented on other platforms (e.g. WordPress).
And now, let's dig up and expose the key challenges in meeting this goal:
enabling update automation in Drupal core demands a complete re-engineering of the codebase; it calls for a reconstructing of its architecture and code layout in order to support a perfectly secure auto-update system
such an implementation will have a major impact on the development cycle itself, causing unwanted disruption
such a built-in auto-update feature could get exploited for distributing and injecting malware into a whole mass of Drupal websites
2. Automatic Updates in Drupal: Basic Implementation Requirements
What would be the ideal context for implementing such a perfectly secure auto-update system?
Well, its implementation would call for:
multiple (up to date) environments
released updates to be detected automatically and instantly
an update pipeline for quality assurance
existing automated tests with full coverage
a development team to review any changes applied during the update process
3. How Would These Auto-Updates Benefit You, the Drupal User?
Let's see, maybe answering these key questions would help you identify the benefits that you'd reap (if any):
do you outsource your Drupal Maintenance tasks to a professional team?
has it been a... breeze for you so far to cope with Drupal 8's release cycle (one new patch each month and a new minor release every 6 months sure claim a lot of your time)?
have you ever got tangled up in Composer's complexities and a whole load of third-party libraries when trying to update your Drupal 8 website?
did you run the Drupalgeddon update fast enough?
have you been secretly “fancying” about a functionality that would just update Drupal core and modules, by default, right on the live server?
To sum up: having automatic updates in Drupal core would keep your website secured and properly maintained without you having to invest time or money for this.
4. Drupal Updating Itself: Main Concerns
And concerns increase exponentially as the need for an update automation in Drupal rises (along with the expectations).
Now, let's outline some of the most frequently expressed ones:
there is no control over the update process, no quality assurance pipeline; basically, there's no time schedule system enabling you to test any given update, in a development environment, before pushing it live
there's no clearly defined policy on what updates (security updates only, all updates, highly critical updates etc.) should be pushed
with Drupal updating itself, rolling back changes wouldn't be possible anymore (or discouragingly difficult) with no Git for version control
again: automatic updates in Drupal could turn into a vulnerability for hackers to exploit for a mass malware attack
there's no clear policy regarding NodeJS, PHP and all the JS libraries in Drupal 8, all carrying their own vulnerabilities, too
it's too risky with all those core and module conflicts and bugs that could break through
such a feature should be disabled by default; thus, it would be every site owner's decision whether to turn it on or not
could this auto-update system cater to all the possible update workflows and specific behaviors out there? Could it meet all the different security requirements?
So, you get the point: no control over the update pipeline and no policy for handling updates are the aspects that concern developers the most.
6. Does It Cater for Both Small & Enterprise-Level Websites' Needs?
There is this shared consensus that implementing automatic updates in Drupal core would:
not meet large company websites' security requirements; that it would not fit their specific update workflows
benefit exclusively small, low-end websites that don't benefit from professional maintenance services
Even the team behind the automatic updates initiative have prioritized low-end websites in their roadmap.
But, is that really the case?
Should this initiative target small websites, with simple needs and writable systems, that rarely update, and overlook enterprise-level websites by default?
Or should this much-wanted functionality be adjusted so that it meets the latter's needs, as well?
In this case, the first step would be building an update pipeline that would ensure quality.
What do you think?
7. How About Now? "What Are My Options for Automating Updates in Drupal?"
In other words: what are the currently available solutions if you want to automate the Drupal module and security updates?
7.1. You Can Use Custom Scripts to Automate Updates
… one that's executed by Jenkins or another CI platform.
Note: do bear in mind that properly maintaining a heavy load of scripts and keeping up with all the new libraries, tools, and DevOps changes won't be precisely “child's play”. Also, with no workflow and no integrated tools, ensuring quality is going to be a challenge to consider.
7.2. You Can Opt for a Drupal Hosting Provider's Built-In Solution
“Teaming up” with a Drupal hosting provider that offers you automated updates services, too, is another option at hand.
In this respect, solutions for auto-updating, such as those provided by Pantheon or Acquia, could fit your specific requirements.
Note: again, you'll need to consider that these built-in solutions do not integrate with your specific DevOps workflows and tools.
And my monologue on automatic updates in Drupal ends here, but I do hope that it will grow into a discussion/debate in the comments here below:
Would you turn it on, if such a feature already existed in Drupal core?
Definitely yes
No way
It depends on whether...
RADU SIMILEANU / Sep 28'2018
The media management experience had been one of the well-known sources of frustration for Drupal content editors for a long time. For, let's face it: Drupal's out-of-the-box media support was just... basic. But not anymore: there are new exciting features for media handling in Drupal 8.6.0 that will dramatically change the way you manage your media assets on your Drupal website!
Now, let's take a sneak peek at these most-anticipated media handling features that Drupal 8.6.0 comes equipped with:
adding media from a remote source
adding various types of media
embedding YouTube and Vimeo videos in the content (via URL)
easily accessing and reusing the existing media
uploading new media types right out of the box
And this is almost... overwhelming:
From almost no built-in media support in Drupal, for so many years, to a whole set of modern, powerful media management options now in Drupal 8.6.0.
But let's not ramble about this topic anymore and dive right in! Into the pile of new features meant to enhance the whole media management experience in Drupal:
But First: An Update on The Progress of the Media in Drupal 8 Initiative
The main goal of this media initiative was to:
Add a rich media support to Drupal 8.
One that would empower the content editors to easily reuse existing media assets, add new media entities and to overall gain more control (and meta information) over their media.
And there are 3 core milestones that we can trace while tracking the progress of this initiative for Drupal 8:
adding the experimental Media module to Drupal 8.4 in late 2017
leveling up this module from experimental to stable phase in Drupal 8.5.0
turning it into the standard way of storing media in Drupal
Moreover, starting with Drupal 8.6.0 a new key module for handling media has been added to core — Media Library — along with a few more exciting options:
quick access to the existing media assets
oEmbed support
a new media type: remote video content
Quite a “leap” forward, to a great media management experience in Drupal, I would say...
2. Welcome a New Media Type in Drupal 8: Remote Video
Let us list the 4 media types that you could add to your site's content up to Drupal 8.6.0:
file
image
video
audio
OK, now it's time you welcomed a new media type to the group: remote video!
Basically, as a content editor you're now able to add videos from remote sources, as well — Vimeo and YouTube — via their URLs.
In short: you're no longer constrained to settle for the default media types in Drupal 8. No sir, now you get to create new custom ones mentioning their media sources.
Summing up: embedding new media to your website content is nothing but a two-step process: Content-Add Media.
3. Reusing Media Is Now Possible: Media Library
One of the much-awaited features for media handling in Drupal 8.6.0 had been reusable media.
Well, here it is now: Media Library! It's where you can save and store all your media assets to be further reused whenever needed.
Note: do keep in mind that this is an experimental module and that you'll need to enable the Media module first.
“And how does it work more precisely?”
while in your content edit screen
just browse through all the media assets stored in your Media Library
select the one you need
and simply “inject” it into your page
Note: it's the “Media library” widget, added to the Media field, that enables you to scan through all your media entities straight from the content edit screen.
4. The New “Media” Field: A Quick Way to Embed Media in Your Content
Handling media in Drupal 8.6.0 is as simple as... adding a new field — “Media” — to the content type in question (be it news, blog post, article and so on).
Once the new field is added on, just go through the 5 media types available in Drupal 8.6.0 and select the one you need to embed.
Next, you can simply integrate it into your content, while in your edit screen, positioning it to your liking.
5. New Media Handling in Drupal 8.6.0: YouTube & Vimeo Embeds
A new media management tool that significantly improves the whole content editing experience in Drupal.
You're able to embed remote videos from YouTube and Vimeo via URL, thanks to the now added oEmbed media support.
“How precisely?” Basically, you simply:
add that new “Media” field to your content type, as previously stated
select the “Remote Video” option from the “Media Type” drop-down menu
enter your video's URL in the “Video URL” field, while in your “Add Remote Video” screen
and click “Save”
And voila: you'll have your remote video integrated into your content!
The END!
As Steve Burge from OSTraining would say:
“Finally we're getting somewhere with media in Drupal!”
What do you think about the new features for media handling in Drupal 8.6.0? What other options and tools are there on your wishlist?
To be able to embed remote videos right from the node create page, maybe? Or to have other video platforms, as well, supported in Drupal?
Silviu Serdaru / Sep 21'2018
We all love Drupal's granular permission and access control system! And yet: its life-saving hierarchy of user roles and permission levels is strictly for creating/editing content. Since Drupal wrongly assumes that all site visitors should be able to view all published content, right? But what if this default assumption doesn't suit your specific use case? What if you need to restrict access to content in Drupal 8?
… to limit users' access to certain content on your website? So that not all visitors should be able to see all published nodes.
In this case, Drupal's typical access control system for creating and editing content is not precisely the functionality that you need.
But there's hope!
And it comes in the form of 6 Drupal 8 access control modules that enable you to give content access of different levels, ranging from “average” to “more refined”.
But First: An Overview of Drupal's Typical Access Control System
Now, we can't just jump straight to the “more sophisticated” content access solutions in Drupal 8, not until we've understood how its basic access control system works, right?
As you can see, in the screenshot here below, the logic behind it is pretty straightforward:
while in your admin panel, you need to access the People menu > Permissions
and there, you just assign different user types (authenticated, admin or anonymous) with specific sets of permissions (to administer blocks, to post/edit comments, to modify menus on your Drupal site etc.)
As you can see, Drupal's typical access control system is not configured so as to enable you to restrict visitors' access to specific content on your website.
Or to limit user access to a more granular level other than the standard “logged in/not logged in user”.
1. Access by Entity
If you're not looking for anything “too fancy”, just a straightforward functionality for controlling access to view/edit/delete content entities, then this module's THE one.
And here are 2 of its most common use cases:
you define some access-restricted premium content areas on your Drupal site, for “privileged” user roles only
you grant publish/edit permissions to certain groups on your website, having specific predefined user roles
2. Content Access
Definitely a go-to module when you need to restrict access to content — to specific content types — in Drupal 8.
It enables you to:
set up specific access control roles
define custom granular restrictions based on different user permissions (you could, for instance, limit access to certain content on your website for non-authenticated users only...)
set up content types with restricted access
Note: do bear in mind that, once you've enabled Content Access, you'll need to rebuild your entire “collection” of access content permissions. The module is going to alter the way they work, that's why.
Tip: if you need to control access to content nodes on your Drupal 8 site, this module's built to help you “refine” your restriction; for that you'll just need to define some more detailed permissions in People menu > Permissions tab.
3. Permissions by Term
A lightweight solution to restrict access to content in Drupal 8. One that enables you to set up access-restricted content sections on your website.
Now, what makes it stand out from the other 5 modules in my list here is:
The refined, taxonomy term-based restrictions that it allows you to create for specific nodes on your Drupal site.
You can limit access to these nodes for:
specific user roles
certain individual user accounts
How do you set everything up?
first, you enable the module
then, on the term edit page, you define a specific role access for each taxonomy term
And there's more to look forward to!
Unlike Organic Groups and Group, the Permissions by Term module comes with very little overhead, in the form of light contributed code.
In other words: for the taxonomy terms-based access control that it enables you to set up, it adds a new field to your current content types. That's all!
4. Node View Permissions
When it comes to Drupal role-based access control (to content types or nodes) this module's simple, straightforward approach is exactly what you need.
Not as “sophisticated” as Content Access, yet conveniently easy to configure and to maintain.
And also, the perfect choice if it's just a basic kind of content type access restriction that you need to set up.
Summing up its functionality now, what you should know is that Node View Permissions enables you to define 2 types of... permissions:
“View any content”
“View own content”
… for every content type listed on your Drupal site's Permissions page.
5. Group
It enables you, as the site admin, to structure content into... groups.
Different group types, with their own hierarchies of group roles:
anonymous
member
outsider (a logged in user, but not a group member)
other group roles that, as an administrator, you'll need to create
Needless to add that with Group you'll restrict access to content in Drupal 8 based precisely on these group roles that you'll set up.
Furthermore, it allows you to define:
the most suitable permissions (view/edit/delete) for specific content types
the most appropriate group roles
… per group type.
And the best is yet to come:
All group types, group roles, group/content relationships are set up as entities. Meaning that they're fully fieldable, exportable, extendable!
6. Taxonomy Access Control Lite
It's a restricted access to nodes, based on taxonomy terms, users and roles, that you get to define using this module:
A user role-based access control...
Note: mind you don't forget that, in order to restrict access to viewing/editing nodes on your Drupal website, you'll first need to reconfigure the existing user permissions.
The END!
A bit curious now: which one of these solutions, ranging from straightforwardly simple to most refined, would you go for to restrict access to content in Drupal 8?
RADU SIMILEANU / Aug 30'2018
You've put so much effort into crafting and polishing the content on your Drupal website and it just won't... rank? Why is it that search engines' web crawlers won't index its “juicy” content? Why they won't give your site a big push right to first-position rankings? As it clearly deserves... Could it be because you're making these 10 Drupal SEO mistakes?
Knowingly or just recklessly...
And with the first 5 of them already exposed in the first part of this blog post, I'm keeping my promise and here I am now, with 5 more SEO mistakes that you don't want to make on your Drupal website, ranging from:
embarrassing gaffes
to faux pas
to catastrophes...
1. Underrating Meta Tags: One of (Too) Common, Yet Costly Drupal SEO Mistakes
And let me just say it: forgetting (or choosing not to) to check those 3 on-page ranking factors:
description
page title
tags
... is one rookie SEO mistake.
And one costly neglect, too...
Why? Because by simply checking your meta tags, making sure that the content entered there:
contains all the relevant keywords
is user-friendly and engaging
you hit 2 birds with just one stone:
search engines' crawlers will just know whether specific web pages on your site are relevant for specific search queries or not; whether the keywords that you will have added to your meta elements are precisely those that online visitors use
users will get a “teaser” of what the page is about, helping them decide whether it matches their searches and expectations or not
Note: Drupal's got your back with a dedicated Metatag module that you should install even before you “release your website out into the wild”.
2. Ignoring the Slow Page Loading Speed
If it takes more than 2 seconds to load... then you'll lose them. Visitors on your Drupal site will lose all interest in accessing that given page.
And could you blame them?
Instead, you'd better:
blame yourself for accepting this status quo and refusing (or just postponing or not putting enough effort into it) to optimize your site for high speed
rush to address this major UX issue, which risks growing into a critical SEO issue
How? By:
compressing all JS and CSS files using a dedicated tool of your choice (and thank God there are plenty of those to choose from!)
compressing all overly large pages
reducing images, graphics, and videos to reasonable sizes
disabling all those Drupal modules that you haven't used in ages (or maybe never...)
enabling caching (and luckily there are Drupal cache modules — like Memcache, for instance — that can help you with that)
upgrading your server or even moving to a new hosting company
optimizing your site's current theme
See? Improving your Drupal site's load time is no rocket science and it doesn't require overly complex measures, either. They're no more than... “common sense” techniques.
Assess the resources that implementing them would require and... just do it:
the user experience on your Drupal website will improve significantly
search engines will “detect” this increase in user satisfaction
… which will translate into a higher ranking
3. Neglecting to Redirect From Its HTTP to Its Secure HTTPS Version
Migrating your Drupal site to HTTPS is a must these days. Just face it and deal with it or... be ready to face the consequences!
Yet, if you neglect to redirect your site to its new HTTPS version, thus sending its visitors out to... nowhere — to error pages — then... it's all but wasted effort and resources.
One of those SEO Drupal mistakes with long-term consequences on your website's ranking.
4. Broken Internal Images
Leaving broken internal images and missing ALT attributes behind is a clear sign of SEO sloppiness...
And now, here's what we would call a “broken image”:
an image that has an invalid file path
an image with a misspelled URL
The result(s)?
first, a broken image has an impact on the overall user experience; your site visitor gets discouraged and quits the page in question
next, search engines rate your site's content as “of poor quality”
and finally, all these lead to an inevitable drop in Google search rankings
5. Underestimating (or Just Ignoring) the Importance of an XML Sitemap for SEO
Not generating an XML sitemap of your Drupal site is more than just one of those Drupal SEO mistakes that you should avoid: it's a missed opportunity! A huge one!
Here's why:
an XML sitemap would include all the URLs on your website
… as well as information (via heading tags) about your site's infrastructure of web pages, for search engine crawlers to use
… “alerts” about which pages they should be indexing first
an XML sitemap provides an early index of your website
all the pages on your website get submitted to the search engine database even before they get indexed in their own database
Note: the sitemap.xml file not only informs search engines about the current content ecosystem on your Drupal site, but will also “keep them posted” on any updates of your site's content.
So, what an XML sitemap provides is a prioritized, conveniently detailed and easily crawlable map of your Drupal website meant to ease web crawlers' indexing job.
And the easier it gets for them to crawl through your site's content, the faster your site's indexing process will be.
In short: if the robots.txt file alerts search engines about those pages that they shouldn't crawl into, the sitemap.xml file lets them know what pages they should index first!
Tip: discouraged by the thought of manually building your site's sitemap? Well, why should you, when there are Drupal modules built especially for this?
Site map (Drupal 7)
Sitemap (Drupal 8)
Simple XML (Drupal 8)
XML Sitemap
From taxonomy terms, menu links, nodes, useful entities, to custom links, these modules will automatically generate all the entities that you'd need to include in a detailed sitemap of your Drupal site.
The END!
Just face it now: you'll inevitably continue to make gaffes influencing your site's SEO, no matter how many precautions you might take...
Yet, these 10 Drupal SEO mistakes here, ranked from least to most damaging, are the ones that you should strive to avoid at all costs...
Adriana Cacoveanu / Aug 27'2018
With the Drupalgeddon2 "trauma" still “haunting” us all — both Drupal developers and Drupal end-users — we've convinced ourselves that prevention is, indeed, (way) better than recovery. And, after we've put together, here on this blog, a basic security checklist for Drupal websites and revealed to you the 10 post-hack “emergency” steps to take, we've decided to dig a bit deeper. To answer a legitimate question: “What are some good ways to write secure Drupal code?”
For, in vain you:
build a “shield” of the best Drupal security modules and plugins around your website
enforce a rigid workplace security policy
… if you leave its code vulnerable to various types of cyber attacks, right?
But how do I know what unsecured code looks like, to begin with?
What are the site configuration gotchas that I should pay attention to?
What are the most common vulnerabilities that I risk exposing my Drupal site to?
And how can I test it for security issues that might be lurking in its code?
But most of all: What top secure coding practices should I and my Drupal development team follow?
Now, let's get you some answers:
1. SQL Injection Vulnerabilities: How You Can Fix & Prevent Them
SQL injections sure make one of the most “banal”, nonetheless dreadful types of attacks. Once such vulnerabilities are exploited, the attacker gets access to sensitive data on your Drupal site.
1.1. Prevent SQL Injection Attacks Using The Database Abstraction Layer
In other words: the proper use of a database layer makes the best shield against any SQL injection exploit attempts.
Now, let's talk... code.
For instance, concatenating data directly into the SQL query is not a secure coding practice:
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
In this case here, this is how you write secure Drupal code:
db_query("SELECT foo FROM {table} t WHERE t.name = :name", [':name' => $_GET['user']]);
Notice the usage of the proper argument substitution with db_query. The database abstraction layer uses a whole range of named placeholders and works on top of the PHP PDO.
Now, as for a scenario requesting a variable number of arguments, you can use either db_select() or an array of arguments:
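// Option 1: pass the whole array as one placeholder argument.
// (Drupal 7 syntax; in Drupal 8 an array placeholder must be written as :users[].)
$users = ['joe', 'poe', $_GET['user']];
db_query("SELECT t.s FROM {table} t WHERE t.field IN (:users)", [':users' => $users]);
// Option 2: build the same query with db_select().
$users = ['joe', 'poe', $_GET['user']];
$result = db_select('table', 't')
  ->fields('t', ['s'])
  ->condition('t.field', $users, 'IN')
  ->execute();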
1.2. Have You Detected an SQL Injection Vulnerability? Here's How You Can Fix It
There are some key Drupal security best practices to follow for addressing SQL injection issues:
always stick to the well-known Drupal database API
always filter the parameters that you get (be twice as vigilant and cautious about those who can type anything on your Drupal site)
always use placeholders: db_query with :placeholder
always check the queries in the code: db_like()
Tip: remember to follow these coding practices for addressing and preventing SQL injections on your contrib modules, as well.
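The difference between the concatenated query and the placeholder forms can be seen with plain PDO, which the database abstraction layer sits on top of. This is an added example, not code from the original post or from Drupal: the users table, its rows, the function names and the in-memory SQLite database are all constructed for illustration.

```php
<?php
// Added example, not Drupal code. Requires the pdo_sqlite extension.
// Table name, columns and rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, mail TEXT)');
$pdo->exec("INSERT INTO users VALUES
  ('joe', 'joe@example.com'),
  ('poe', 'poe@example.com'),
  ('admin', 'admin@example.com')");

// "Before": the input becomes part of the SQL text, so quote characters
// in it change the structure of the query.
function find_unsafe(PDO $pdo, string $name): array {
  $sql = "SELECT mail FROM users WHERE name = '" . $name . "'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the SQL text is fixed; the input travels separately as a bound
// value and can only ever be compared against the name column.
function find_safe(PDO $pdo, string $name): array {
  $stmt = $pdo->prepare('SELECT mail FROM users WHERE name = :name');
  $stmt->execute([':name' => $name]);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Variable number of arguments: generate one named placeholder per value,
// which is what an abstraction layer does when it expands an array argument.
function find_in(PDO $pdo, array $names): array {
  if ($names === []) {
    return [];
  }
  $params = [];
  foreach (array_values($names) as $i => $name) {
    $params[":name_$i"] = (string) $name;
  }
  $sql = 'SELECT mail FROM users WHERE name IN ('
    . implode(', ', array_keys($params)) . ') ORDER BY name';
  $stmt = $pdo->prepare($sql);
  $stmt->execute($params);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-in for $_GET['user'].
$input = "x' OR '1'='1";

printf("concatenated: %d row(s)\n", count(find_unsafe($pdo, $input)));
printf("placeholder:  %d row(s)\n", count(find_safe($pdo, $input)));
printf("IN list:      %s\n", implode(', ', find_in($pdo, ['joe', 'poe', $input])));
```

With the sample rows, the concatenated query returns every row in the table, the placeholder query returns none, and the IN list returns only the rows for joe and poe.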
2. How to Protect Your Drupal Site Against Cross-Site Scripting (XSS) Attacks
We could easily say that XSS attacks “rival” SQL injection attacks in “popularity”:
Drupal's highly vulnerable to cross-site scripting.
All it takes is some wrong settings — input, comment, full HTML — as you configure your website, to make it vulnerable to this type of attack:
They make a convenient gateway into your website for remote attackers to use to inject HTML or arbitrary web.
2.1. Check Functions to Rely on for Sanitizing the User Input (in Drupal 7)
Securing your Drupal 7 site against cross-site scripting attacks always starts with:
Identifying the very “source” of that submitted data/text.
Now, if the “culprit” is a user-submitted piece of content, depending on its type you have several check functions at hand to use for sanitizing it:
check_url
check_plain (for plain text)
filter_xss (when dealing with pure HTML)
filter_xss_admin (if it's an admin user that entered the “trouble-making” text)
check_markup
Note: always remember never to output the user input as-is into HTML!
Tip: a good way to write secure Drupal code is to use t() with % or @ placeholders for putting together translatable, safe strings.
2.3. Cross-Site Scripting In Drupal 8: Twig & 3 Useful Sanitization Methods
In Drupal 8, handling cross-site scripting attacks gets significantly easier.
Here's why:
you have TWIG, with its autoescaping and “sanitize all” HTML mechanism!!!
no SQL queries
no access to Drupal APIs
Now, besides Twig, you have 3 more sanitizing methods at hand for fixing cross-site scripting issues in Drupal 8:
Html::escape(), for plain text
Xss::filterAdmin(), for admin-submitted content
Xss::filter(), where HTML can be used
2.4. Testing Your Code Against XSS
In order to check whether certain user inputs are vulnerable, all you need to do is:
take the “suspicious” user input as a field, as an input HTML
enter them both (or just one of them) in your test
Note: feel free to use Behat or another framework of choice to automate the whole process.
2 clear signs that you've detected an XSS vulnerability are:
you get this pop-up alert: <script>alert('xss')</script>
or this error message close to the IMG tag: img src="a" onerror="alert ('title')"
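The check described in this section can be automated without a browser. The following is an added example, not part of the original post or of Drupal: it feeds probe strings based on the two listed above through a raw renderer and an escaping renderer, then parses the output to see whether any script element or event-handler attribute survives. The function names and the wrapping markup are assumptions made for the illustration.

```php
<?php
// Added example, not Drupal code. Requires PHP's dom extension.

// Probe strings based on the two quoted in the article.
$probes = [
  "<script>alert('xss')</script>",
  '<img src="a" onerror="alert(\'title\')">',
];

// "Before": user input placed into the page as-is.
function render_raw(string $input): string {
  return '<div class="comment">' . $input . '</div>';
}

// "After": plain-text escaping with the same flags that Drupal 8's
// Html::escape() passes to htmlspecialchars().
function render_escaped(string $input): string {
  $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<div class="comment">' . $safe . '</div>';
}

// Parse the rendered HTML and report markup that a browser would execute:
// <script> elements and on* event-handler attributes.
function active_markup(string $html): array {
  $previous = libxml_use_internal_errors(true);
  $doc = new DOMDocument();
  $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
  libxml_clear_errors();
  libxml_use_internal_errors($previous);

  $xpath = new DOMXPath($doc);
  $findings = [];
  foreach ($xpath->query('//script') as $node) {
    $findings[] = '<script> element';
  }
  foreach ($xpath->query('//@*[starts-with(name(), "on")]') as $attr) {
    $findings[] = $attr->nodeName . ' attribute on <'
      . $attr->ownerElement->nodeName . '>';
  }
  return $findings;
}

// Run every probe through a renderer; it passes only when no active
// markup survives in the output.
function check_renderer(callable $render, array $probes): array {
  $failures = [];
  foreach ($probes as $probe) {
    $found = active_markup($render($probe));
    if ($found !== []) {
      $failures[$probe] = $found;
    }
  }
  return $failures;
}

foreach (['render_raw', 'render_escaped'] as $renderer) {
  $failures = check_renderer($renderer, $probes);
  printf("%s: %s\n", $renderer, $failures === [] ? 'PASS' : 'FAIL');
  foreach ($failures as $probe => $found) {
    printf("  %s -> %s\n", $probe, implode(', ', $found));
  }
}
```

The raw renderer fails on both probes and the escaping renderer passes. The check only covers script elements and event-handler attributes, so it is a regression test for output escaping rather than a complete XSS scanner.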
3. Use Twig Templates: They Sanitize All Output... Automatically
Did you know that a lot of the Drupal security issues on your website occur precisely because you've skipped sanitizing the user-submitted content before displaying it?
And someone's neglect quickly turns into another one's opportunity...
By skipping to clean up that text beforehand, you lend the attacker a “helping hand” with exploiting your own Drupal site.
Now, getting back to why using Twig templates is one of the best ways to write secure Drupal code:
they sanitize the user input and output (all HTML, basically) by default; you can write your custom code without worrying that it might break your website
you won't run the risk of having safe markup escaped
In short: securing your Drupal 8 website is also about having all HTML outputted from Twig templates.
4. How to Write Secure Drupal Code for Finding & Fixing Access Bypass Issues
One of Drupal's strongest “selling points” is precisely its granular permission system. Its whole infrastructure of user roles with different levels of permissions assigned to them.
Furthermore, there are all kinds of access controls that you can “juggle with”:
Node access system
field access
Views access control
Entity access
In short: you're free to empower users to access different sections/carry out different operations on your Drupal site.
4.1. How You Can Check for Access Bypass Issues
How do you know whether there are access bypass flaws on your website, that could be easily exploited?
It's easy:
you simply visit some nid/node and other URL on your site
and just run your Behat automated tests
4.2. And How You Can Fix the Identified Access Bypass Issues
Do keep in mind that there are quite a few access callbacks to consider:
entity_access
user_access for permissions
$query->addTag('node_access')
Menu definitions (make sure you set those correctly)
node_access
All you need to do is write automated tests to address any detected problems related to access bypass.
5. 3 Ways to Deal With Cross-Site Request Forgery (CSRF) in Drupal
What does it take to write secure Drupal code?
Writing it... strategically, so that it should prevent any possible cross-site request forgery attack...
Now, here are 3 ways to safeguard it from such exploits:
sending and properly validating the token
using Form API
using the built-in csrf_token in Drupal 8
In conclusion: a trio of good practices keeps the CSRF attacks away...
6. 7 Best Contrib Security Modules to Back Up Your Coding With
Now, after we've gone through some of the best ways to write secure Drupal code, let's see which are the most reliable contrib security modules to strengthen your site's shield with:
Hacked!
Permission report
Encrypt
Composer Security Checker
Security Review
Paranoia
Text Formats Report
The END! This is what your solid Drupal security “battle plan” could look like. It includes:
some of the most frequent types of attacks and security issues to pay attention to
most effective preventive measures
vulnerability detecting methods
post-attack emergency actions and sanitization mechanisms
What ways to write secure Drupal code would you have added or removed from this list?
RADU SIMILEANU / Aug 24'2018