
What Are Some Good Ways to Write Secure Drupal Code? Most Common Vulnerabilities and Secure Coding Practices


by RADU SIMILEANU on Aug 24 2018

With the Drupalgeddon2 "trauma" still “haunting” us all — both Drupal developers and Drupal end-users — we've convinced ourselves that prevention is, indeed, (way) better than recovery. And, after we've put together, here on this blog, a basic security checklist for Drupal websites and revealed to you the 10 post-hack “emergency” steps to take, we've decided to dig a bit deeper. To answer a legitimate question: “What are some good ways to write secure Drupal code?”

For it's in vain that you:

 

  • build a “shield” of the best Drupal security modules and plugins around your website
  • enforce a rigid workplace security policy 

     

… if you leave its code vulnerable to various types of cyber attacks, right?

  • But how do I know what unsecured code looks like, to begin with?
  • What are the site configuration gotchas that I should pay attention to?
  • What are the most common vulnerabilities that I risk exposing my Drupal site to?
  • And how can I test it for security issues that might be lurking in its code?

But most of all: What top secure coding practices should I and my Drupal development team follow?

Now, let's get you some answers:

 

1. SQL Injection Vulnerabilities: How You Can Fix & Prevent Them 

SQL injection is one of the most “banal”, yet dreadful, types of attack. Once such a vulnerability is exploited, the attacker gets access to sensitive data on your Drupal site.

 

1.1. Prevent SQL Injection Attacks Using The Database Abstraction Layer

In other words: the proper use of a database layer makes the best shield against any SQL injection exploit attempts.

Now, let's talk... code.

For instance, concatenating data directly into the SQL query is not a secure coding practice:

db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);

In this case here, this is how you write secure Drupal code:

db_query("SELECT foo FROM {table} t WHERE t.name = :name", [':name' => $_GET['user']]);

Notice the proper argument substitution with db_query: the SQL text stays fixed and the user-supplied value is passed separately through a named placeholder. The database abstraction layer uses named placeholders throughout and works on top of PHP's PDO.

Now, for a scenario requiring a variable number of arguments, you can use either an array of arguments or db_select():

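// Option 1: an array of arguments passed to db_query().
// (Drupal 8 writes the placeholder for an array argument as :users[].)
$users = ['joe', 'poe', $_GET['user']];
db_query("SELECT t.s FROM {table} t WHERE t.field IN (:users)",  [':users' => $users]);

// Option 2: the same query built with db_select().
$users = ['joe', 'poe', $_GET['user']];
$result = db_select('table', 't')
  ->fields('t', ['s'])
  ->condition('t.field', $users, 'IN')
  ->execute();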

1.2. Have You Detected an SQL Injection Vulnerability? Here's How You Can Fix It

There are some key Drupal security best practices to follow for addressing SQL injection issues:

 

  • always stick to the well-known Drupal database API
  • always filter the parameters that you get (be twice as vigilant and cautious about those who can type anything on your Drupal site)
  • always use placeholders: db_query with :placeholder
  • always check the queries in the code, and escape wildcard characters in LIKE patterns with db_like()

     

Tip: remember to follow these coding practices for addressing and preventing SQL injections on your contrib modules, as well.
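What the placeholder, array-argument and db_like() rules above do, shown with plain PDO on an in-memory SQLite database rather than Drupal's database layer. This is an added example, not code from the original article; the table, its rows, the sample inputs and all function names are constructed for the demo.

```php
<?php
// Added illustration: plain PDO on in-memory SQLite, not Drupal's database API.
// The table, its rows and every function name here are constructed for the demo.

function demo_db(): PDO {
  $pdo = new PDO('sqlite::memory:');
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $pdo->exec('CREATE TABLE users (name TEXT, mail TEXT)');
  $rows = [
    ['joe', 'joe@example.com'],
    ['poe', 'poe@example.com'],
    ['admin', 'admin@example.com'],
    ['50%_off', 'promo@example.com'],
    ['500_items', 'stock@example.com'],
  ];
  $insert = $pdo->prepare('INSERT INTO users (name, mail) VALUES (:name, :mail)');
  foreach ($rows as [$name, $mail]) {
    $insert->execute([':name' => $name, ':mail' => $mail]);
  }
  return $pdo;
}

// Insecure pattern (same mistake as the first db_query() call in 1.1):
// the input becomes part of the SQL text.
function find_concatenated(PDO $pdo, string $name): array {
  $sql = "SELECT mail FROM users WHERE name = '" . $name . "'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Secure pattern: the SQL text is fixed, the input travels as a bound value.
function find_bound(PDO $pdo, string $name): array {
  $stmt = $pdo->prepare('SELECT mail FROM users WHERE name = :name');
  $stmt->execute([':name' => $name]);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Variable number of arguments: one generated placeholder per value.
function find_in(PDO $pdo, array $names): array {
  if ($names === []) {
    return []; // "IN ()" is a syntax error, so short-circuit.
  }
  $args = [];
  foreach (array_values($names) as $i => $name) {
    $args[':name_' . $i] = (string) $name;
  }
  $sql = 'SELECT mail FROM users WHERE name IN ('
    . implode(', ', array_keys($args)) . ') ORDER BY mail';
  $stmt = $pdo->prepare($sql);
  $stmt->execute($args);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// LIKE needs a second step: binding stops injection, but % and _ in the
// input still act as wildcards unless escaped (the job db_like() does).
function find_prefix(PDO $pdo, string $prefix): array {
  $escaped = addcslashes($prefix, '\\%_');
  $stmt = $pdo->prepare(
    "SELECT name FROM users WHERE name LIKE :pattern ESCAPE '\\' ORDER BY name"
  );
  $stmt->execute([':pattern' => $escaped . '%']);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = demo_db();
$hostile = "x' OR '1'='1"; // constructed input containing a quote

// Concatenated: the quote closes the literal and the WHERE clause matches every row.
printf("concatenated: %s\n", json_encode(find_concatenated($pdo, $hostile)));
// Bound: the same input is compared as a plain string and matches nothing.
printf("bound:        %s\n", json_encode(find_bound($pdo, $hostile)));
// IN list: the hostile element is just one more value that matches nothing.
printf("in list:      %s\n", json_encode(find_in($pdo, ['joe', 'poe', $hostile])));
// LIKE: "50%" is treated literally, so "500_items" is not returned.
printf("prefix 50%%:   %s\n", json_encode(find_prefix($pdo, '50%')));
```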

 

2. How to Protect Your Drupal Site Against Cross-Site Scripting (XSS) Attacks

We could easily say that XSS attacks “rival” SQL injection attacks in “popularity”:

Drupal's highly vulnerable to cross-site scripting.

All it takes is some wrong settings — input, comment, full HTML — as you configure your website, to make it vulnerable to this type of attack:

They make a convenient gateway into your website for remote attackers to use to inject HTML or arbitrary web.

 

2.1. Check Functions to Rely on for Sanitizing the User Input (in Drupal 7)

Securing your Drupal 7 site against cross-site scripting attacks always starts with:

Identifying the very “source” of that submitted data/text.

Now, if the “culprit” is a user-submitted piece of content, depending on its type you have several check functions at hand to use for sanitizing it:

 

  • check_url
  • check_plain (for plain text)
  • filter_xss (when dealing with pure HTML)
  • filter_xss_admin (if it's an admin user that entered the “trouble-making” text)
  • check_markup

     

Note: never output user input as-is into HTML!

Tip: a good way to write secure Drupal code is to use t() with % or @ placeholders for putting together translatable, safe strings.

 

2.3. Cross-Site Scripting In Drupal 8: Twig & 3 Useful Sanitization Methods

In Drupal 8, handling cross-site scripting attacks gets significantly easier.

Here's why:

 

  • you have TWIG, with its autoescaping and “sanitize all” HTML mechanism!!!
  • no SQL queries
  • no access to Drupal APIs

     

Now, besides Twig, you have 3 more sanitizing methods at hand for fixing cross-site scripting issues in Drupal 8:

 

  1. Html::escape(), for plain text
  2. Xss::filterAdmin(), for admin-submitted content
  3. Xss::filter(), where HTML can be used

     

2.4. Testing Your Code Against XSS

In order to check whether certain user inputs are vulnerable, all you need to do is:

 

  • take the “suspicious” user input as a field, as an input HTML
  • enter them both (or just one of them) in your test

     

Note: feel free to use Behat or another framework of choice to automate the whole process.

2 clear signs that you've detected an XSS vulnerability are:

 

  1. you get this pop up alert: <script>alert ('xss') </script>
  2. or this error message close to the IMG tag: img src="a" onerror="alert ('title')"
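One way to automate that check without waiting for a pop-up: parse the rendered page and report whether either probe survived as live markup. This is an added example in plain PHP, not code from the original article; the two render functions are hypothetical stand-ins for the page under test, and in a real run $html would be the response body your Behat (or other) test fetched.

```php
<?php
// Added illustration; function names and the rendered markup are constructed.
// The two probes are the test inputs listed above, keyed by a marker string.

$probes = [
  'xss'   => "<script>alert('xss')</script>",
  'title' => '<img src="a" onerror="alert(\'title\')">',
];

// Stand-in for a template that prints user input as-is.
function render_raw(string $comment): string {
  return '<div class="comment">' . $comment . '</div>';
}

// Stand-in for a template that escapes plain text before printing it.
function render_escaped(string $comment): string {
  return '<div class="comment">'
    . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    . '</div>';
}

// Returns a description of every place where the probe is still executable:
// a <script> element or an on* event-handler attribute carrying the marker.
function live_markup(string $html, string $marker): array {
  $previous = libxml_use_internal_errors(true); // tolerate sloppy HTML
  $doc = new DOMDocument();
  $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
  libxml_clear_errors();
  libxml_use_internal_errors($previous);

  $xpath = new DOMXPath($doc);
  $findings = [];
  foreach ($xpath->query('//script') as $script) {
    if (strpos($script->textContent, $marker) !== false) {
      $findings[] = 'script element';
    }
  }
  foreach ($xpath->query('//@*[starts-with(name(), "on")]') as $attr) {
    if (strpos($attr->nodeValue, $marker) !== false) {
      $findings[] = $attr->nodeName . ' attribute on <'
        . $attr->ownerElement->nodeName . '>';
    }
  }
  return $findings;
}

foreach (['render_raw', 'render_escaped'] as $renderer) {
  foreach ($probes as $marker => $payload) {
    $findings = live_markup($renderer($payload), $marker);
    printf(
      "%-15s %-6s %s\n",
      $renderer,
      $marker,
      $findings ? 'VULNERABLE: ' . implode(', ', $findings) : 'ok (probe rendered as text)'
    );
  }
}
```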

     

3. Use Twig Templates: They Sanitize All Output...  Automatically 

Did you know that a lot of the Drupal security issues on your website occur precisely because you've skipped sanitizing the user-submitted content before displaying it?

And someone's neglect quickly turns into another one's opportunity...

By not cleaning up that text beforehand, you lend the attacker a “helping hand” with exploiting your own Drupal site.

Now, getting back to why using Twig templates is one of the best ways to write secure Drupal code:

 

  • they sanitize the user input and output (all HTML, basically) by default; you can write your custom code without worrying that it might break your website
  • you won't run the risk of having safe markup escaped

In short: securing your Drupal 8 website is also about having all HTML outputted from Twig templates.

 

4. How to Write Secure Drupal Code for Finding & Fixing Access Bypass Issues

One of Drupal's strongest “selling points” is precisely its granular permission system. Its whole infrastructure of user roles with different levels of permissions assigned to them.

Furthermore, there are all kinds of access controls that you can “juggle with”:

 

  • Node access system
  • field access
  • Views access control
  • Entity access

     

In short: you're free to empower users to access different sections/carry out different operations on your Drupal site.

 

4.1. How You Can Check for Access Bypass Issues

How do you know whether there are access bypass flaws on your website, that could be easily exploited?

It's easy:

 

  • you simply visit some node/[nid] and other URLs on your site
  • and just run your Behat automated tests

     

4.2. And How You Can Fix the Identified Access Bypass Issues

Do keep in mind that there are quite a few access callbacks to consider:

 

  • entity_access
  • user_access for permissions
  • $query->addTag('node_access')
  • Menu definitions (make sure you set those correctly)
  • node_access

All you need to do is write automated tests to address any detected problems related to access bypass.

 

5. 3 Ways to Deal With Cross-Site Request Forgery (CSRF) in Drupal

What does it take to write secure Drupal code? 

Writing it... strategically, so that it should prevent any possible cross-site request forgery attack...

Now, here are 3 ways to safeguard it from such exploits:

 

  1. sending and properly validating the token
  2. using Form API
  3. using the built-in csrf_token in Drupal 8

     

In conclusion: a trio of good practices keeps the CSRF attacks away...
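What "sending and properly validating the token" involves, sketched in plain PHP. This is an added example, not code from the original article and not Drupal's own token implementation; the secret, the session arrays, the handler and the action names are constructed for the demo.

```php
<?php
// Added illustration in plain PHP; not Drupal's token code.
// SITE_SECRET is a constructed placeholder; a real site keeps it out of code.
const SITE_SECRET = 'constructed-demo-secret';

// One random seed per session, created on first use.
function csrf_seed(array &$session): string {
  if (!isset($session['csrf_seed'])) {
    $session['csrf_seed'] = bin2hex(random_bytes(32));
  }
  return $session['csrf_seed'];
}

// The token is an HMAC over the action, keyed by session seed + site secret,
// so it is valid for one session and one action only.
function csrf_token(array &$session, string $action): string {
  $mac = hash_hmac('sha256', $action, csrf_seed($session) . SITE_SECRET, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

// Validation rejects missing or non-string input and sessions that never
// issued a token, then compares in constant time.
function csrf_valid(array &$session, string $action, $submitted): bool {
  if (!is_string($submitted) || $submitted === '' || !isset($session['csrf_seed'])) {
    return false;
  }
  return hash_equals(csrf_token($session, $action), $submitted);
}

// Hypothetical state-changing handler: POST only, token checked first.
function handle_delete(array &$session, string $method, array $post): string {
  if ($method !== 'POST') {
    return '405 method not allowed';
  }
  if (!csrf_valid($session, 'node/42/delete', $post['token'] ?? null)) {
    return '403 invalid token';
  }
  return '200 deleted';
}

$editor = [];   // constructed session of the logged-in editor
$other  = [];   // constructed session of a different visitor

$good        = csrf_token($editor, 'node/42/delete');
$wrongAction = csrf_token($editor, 'node/42/edit');
$wrongUser   = csrf_token($other, 'node/42/delete');

$cases = [
  'legitimate form post'         => ['POST', ['token' => $good]],
  'forged post without token'    => ['POST', []],
  'token issued for other action' => ['POST', ['token' => $wrongAction]],
  'token from another session'   => ['POST', ['token' => $wrongUser]],
  'array instead of string'      => ['POST', ['token' => ['x']]],
  'state change via GET'         => ['GET',  ['token' => $good]],
];
foreach ($cases as $label => [$method, $post]) {
  printf("%-30s %s\n", $label, handle_delete($editor, $method, $post));
}
```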

 

6. 7 Best Contrib Security Modules to Back Up Your Coding With

Now, after we've gone through some of the best ways to write secure Drupal code, let's see which are the most reliable contrib security modules to strengthen your site's shield with:

 

  1. Hacked!      
  2. Permission report  
  3. Encrypt      
  4. Composer Security Checker        
  5. Security Review          
  6. Paranoia      
  7. Text Formats Report

     

The END! This is what your solid Drupal security “battle plan” could look like. It includes:

 

  • some of the most frequent types of attacks and security issues to pay attention to
  • most effective preventive measures
  • vulnerability detecting methods
  • post-attack emergency actions and sanitization mechanisms

     

What ways to write secure Drupal code would you have added or removed from this list?
