The experience we gained in over 6 years of doing Drupal and 2 years of doing Drupal 8 is extremely valuable for us and our clients. We are ardent advocates of using the latest iteration of Drupal in order to take advantage of its new features and provide modern, secure and reliable applications.
We get lots of questions from our clients, so we want to share our Drupal knowledge base with you; we hope you will find it useful and choose Drupal as the platform for your enterprise application. While some best practices are generic, we will mostly refer to Drupal 8 when addressing the questions below.
Drupal is more than a regular CMS, it is a content management framework, handling site building through a modular approach. Drupal tries to encompass the flexibility of a high-level framework while still providing the simplicity of a content management system.
While Drupal has plenty of out of the box features like great performance, excellent security, easy content authoring and more, its main appeal comes from its flexibility. Modularity is one of its core principles which makes it a very configurable platform.
Other advantages that Drupal has, that distinguish it from a regular CMS are:
- Easy handling of data in the backend;
- Sophisticated APIs available to developers that make Drupal a very powerful web application framework;
- Strong user management, role and access level permission capabilities;
- Granular user settings for complex processes / editorial workflows and social media applications;
- Rapid prototyping through the use of site building;
- Core support for creating RESTful web services;
- Vendor lock-in is minimal because there is a large community of web developers who are fluent in Drupal;
- Framework-level support for mobile-first designs.
Drupal is the platform of choice for many online businesses and can be used to build almost any type of small, medium or especially large web application.
We believe it gains the upper hand, and you should choose it over other similar solutions (e.g. WordPress, Joomla!, etc.), if you are building an enterprise-ready solution where security and performance are essential and you need to manage and organize a vast amount of content.
By enterprise-ready, we mean a solution that is easy to integrate with your corporate website and other internal tools that you are using, like your organization’s email service, analytics and marketing tools or even external CRM / ERP / HRM and service-desk type solutions.
Social apps are also a good use case for Drupal as you always need to be connected with every aspect of your organization. For Mobiliar we developed an internal platform that encourages employees to learn company policies through gamification. Users can test their knowledge on quizzes, share their discoveries in order to get points and reach top ranks. All news, ranks and activities are updated in real time using WebSockets, and user information is imported automatically from Active Directory which allows for single sign-on functionality and enables employees to log in automatically. Read more about our case study here.
We are ardent advocates of using “the latest and the greatest” iteration of Drupal. If you are starting now, we highly recommend you start with Drupal 8 in order to take full advantage of the performance improvements, easier content authoring, native support for web services and more.
From a developer’s perspective the switch from Drupal 7 to Drupal 8 can take some getting used to as Drupal 8 is written in a modern, object-oriented style, makes heavy use of several Symfony 2 components and requires understanding of more advanced concepts like service containers and dependency injection. If this seems like too much, one can still use Drupal 7 which will continue to get bug-fixes until late 2017 and official security support will be offered until at least 2019.
All major releases before Drupal 7 no longer receive long-term support from the community, and even though some vendors still offer it, we recommend you use a version receiving long-term support.
Because of the innovation that goes into each new version of Drupal, major versions up to and including Drupal 8 are not backwards compatible with the previous one. Each major release of Drupal can be viewed as a new product, with just the core principles remaining the same. Because of this, upgrading from Drupal 7 to 8 is complicated and costly, so we strongly recommend starting out with Drupal 8.
Since the project has matured a lot over the years, this has changed starting with Drupal 8, and the move to Drupal 9 will simply mean removing deprecated code and support for older modules, while keeping backwards compatibility. If a website will not use deprecated functions and/or APIs, the update to Drupal 9 will be as simple as swapping the code of Drupal 8 with the code of Drupal 9.
In conclusion, upgrading Drupal to future versions is smooth, but only starting with Drupal 8. If you are considering upgrading an older project in order to take advantage of the new features or to continue to receive long term support from the community, we have plenty of experience with this and can help you with the process.
Regarding internationalization we want to point out that things are done very differently in Drupal 7 (and earlier versions) and Drupal 8.
In a nutshell, before Drupal 8, internationalization was done by installing and configuring several contributed modules and add-ons (most importantly the Internationalization module). From Drupal 8 onwards most of the functionality has moved to the Drupal core, where several key components (Language, Interface Translation, Content Translation and Configuration Translation) allow you to configure languages and translations.
Both options offer good multilingual capabilities and allow you to go international and have a global reach with your business.
Drupal 8 allows you to install Drupal natively in over 90 languages and assign a language to everything (nodes, users, views, blocks and menus). You can also translate the built-in user interface, your content and configuration options, as well as your modules and themes.
Yes, you can use themes in about the same way as you can use them on WordPress, but there are fewer themes to choose from and quality is not that good, so premium themes are not very popular.
As usual with generic themes, a lot of things cannot be handled exactly the way you want them to be, but rather in the way the theme was designed to handle them. We strongly recommend going for a custom theme if your budget allows it.
First of all, it is very easy to use modules. You simply download and configure the ones you need in order to build your desired features.
Modules that are poorly maintained or contain bugs can seriously affect the security, stability and performance of your website. We recommend that you check drupal.org for important details such as the number of open issues / bugs and whether the module is still actively maintained.
For example you can check the Google Analytics module that we use and all relevant information about it on the Drupal organization website.
It depends a lot on the functionality you want to obtain, as there are plenty of contributed modules to choose from. We will be highlighting a few other modules in this FAQ under each specific topic.
Most of the time, however, you will end up building your own custom modules, because what you need turns out to be too specific and you prefer to be in full control of your codebase. This is where we come in, since it is what we have been doing for the past 6 years with Drupal.
Drupal offers great performance for your project. Drupal 8 has a very sophisticated caching system that greatly improves performance on several layers. Once configured and enabled, caching is completely automatic, and significantly increases loading speed.
In its simplest form, once a page has been rendered, we can take a snapshot of it and quickly pull it up the next time a user requests it, delivering it orders of magnitude faster. But what if something changed in the meantime, or what if the page contains elements that are inherently varying from page to page? Drupal 8 gives developers a very extensive toolset in their quest to cache as much as possible, while keeping the content dynamic, as you would expect.
More to the point, what really makes Drupal 8 fly is:
- More precise cache invalidation;
- More precise cache variation;
- A new render pipeline (BigPipe);
- Server-side dynamic content substitution;
- Client-side dynamic content substitution;
- Complete asset dependency information.
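The first two points, more precise invalidation and more precise variation, come down to the cache metadata a developer attaches to a render array. The block below is an added example written for this FAQ, not code from the original article or from Drupal itself; the module name mymodule, the block plugin and the "recent comments" use case are hypothetical. Cache tags declare what invalidates the cached fragment (here the node's own tags plus the comment entity type's list tag, both of which Drupal core invalidates automatically on save), cache contexts declare what the fragment varies by, and max-age says how long it lives.

```php
<?php
// Added example (hypothetical module "mymodule"), not from the original article.
// File: modules/custom/mymodule/src/Plugin/Block/RecentCommentsBlock.php

namespace Drupal\mymodule\Plugin\Block;

use Drupal\Core\Block\BlockBase;
use Drupal\Core\Cache\Cache;
use Drupal\node\NodeInterface;

/**
 * Shows the latest comment subjects for the node on the current route.
 *
 * @Block(
 *   id = "mymodule_recent_comments",
 *   admin_label = @Translation("Recent comments for this node")
 * )
 */
class RecentCommentsBlock extends BlockBase {

  /**
   * {@inheritdoc}
   */
  public function build() {
    // Static \Drupal calls are used here for brevity; in real code inject
    // the route match and entity type manager through the container.
    $node = \Drupal::routeMatch()->getParameter('node');
    if (!$node instanceof NodeInterface) {
      // Not on a node page: nothing to render, nothing to cache.
      return [];
    }

    $storage = \Drupal::entityTypeManager()->getStorage('comment');
    $ids = $storage->getQuery()
      ->condition('entity_id', $node->id())
      ->condition('entity_type', 'node')
      ->condition('status', 1)
      ->sort('created', 'DESC')
      ->range(0, 5)
      ->accessCheck(TRUE)
      ->execute();

    $items = [];
    foreach ($storage->loadMultiple($ids) as $comment) {
      // '#plain_text' is escaped by the render system, so user-supplied
      // subjects cannot inject markup.
      $items[] = ['#plain_text' => $comment->getSubject()];
    }

    return [
      '#theme' => 'item_list',
      '#items' => $items,
      '#cache' => [
        // Invalidation: "node:<nid>" is cleared when this node is saved,
        // "comment_list" is cleared when any comment is created, edited or
        // deleted. Nothing else can serve a stale copy.
        'tags' => Cache::mergeTags($node->getCacheTags(), ['comment_list']),
        // Variation: one cached copy per route and per set of user roles.
        // Varying by 'user.roles' instead of 'user' lets every anonymous
        // visitor share one entry instead of each user getting their own.
        'contexts' => ['route', 'user.roles'],
        // Keep it until a tag invalidates it.
        'max-age' => Cache::PERMANENT,
      ],
    ];
  }

}
```

The point to take away is that the `#cache` keys are what the Dynamic Page Cache and BigPipe act on: a fragment with `max-age` 0 or a per-user context is what Drupal 8 renders late or substitutes client-side, while everything else is served from cache until one of its tags is invalidated.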
While Drupal offers great out of the box performance, there is still a lot you can do to improve this further.
Running the latest version of Drupal can improve page speed as updates usually contain bug fixes and sometimes performance improvements. You should always keep the core, contributed modules and themes up to date.
You can improve your page speed even further by taking into account generic, common-sense development practices, such as:
- Serve compressed images to reduce bandwidth usage;
- Make sure that you do not load large media assets (maybe an ultra-high resolution image is not really needed);
- Use a Content Delivery Network (CDN) like KeyCDN;
- Use dedicated caching backends like Memcached, Redis or Varnish;
- Use the extra caching modules (Internal Page Cache and Dynamic Page Cache);
- Uninstall your unused modules.
Don’t forget that choosing a good host also plays an important role. Shared hosting usually means slower page loads and frequent downtime during high-traffic periods.
There are over 200 new features introduced in Drupal 8. Some of the ones we consider to be the most important are:
- Easier content authoring through WYSIWYG;
- Great integration with third-party services;
- Native, built-in web services;
- Responsive by nature and mobile-first;
- Improved multilingual and globalization capabilities;
- A new PHP templating engine called Twig.
Powered by Symfony 2, Drupal 8 also aligns with the latest PHP 7 standards to offer a more modern, object-oriented approach to writing code.
A very important area where Drupal 8 also offers significant new features is security. The most important improvements are:
- Automated CSRF protection in route definitions;
- Removed PHP filter, including the ability to use PHP for block visibility;
- Added an autoescape API to prevent cross-site scripting in many of the places where Drupal outputs HTML;
- Better user session and session ID handling;
- Managing fields for each entity type is now a separate permission.
You can explore other improvements that came with Drupal 8 and that we use daily by reading our “Overview of Working with Drupal 8” article.
In short, no. However, hosting is a very complex topic that we explored in depth in our “Hosting and Server Considerations” article which you can read here.
What you normally have to take into account is independent of the choice of CMS, but we can tell you that Drupal has better performance than most other CMSs. This can translate to a less expensive hosting setup.
Drupal 8 allows for easy integration with third-party digital media solutions and services. It is very powerful when it comes to integrating and connecting all your apps.
This is made easy by Drupal’s highly modular and scalable architecture. Integration requirements are handled by Drupal’s Library API and its services layer, which take care of consuming third-party external APIs.
The Drupal community also contributes generic modules for specific integration requirements, which helps in this effort, alongside with native support for the most widely used web services added in the Drupal core.
One last resource we would like to share with you on this topic is Drupal Integration, an online independent repository that lists every third-party application or service that has been integrated or is in the process of being integrated with Drupal. It also reviews the status of the integration, the stability of the module, its features and the integration complexity, as well as providing all relevant documentation.
Drupal inherently offers good out of the box security and is considered to be a very secure platform. However, developers still need to be careful and respect security best practices and guidelines.
Professional security audits of Drupal websites found that more than 90% of security vulnerabilities come from custom themes or modules and not from the Drupal core or contributed modules. This happens because custom code does not go through the same public scrutiny that all the code on drupal.org goes through. Drupal also has a dedicated security team, the first ever for any CMS and one of the best, which tests and reviews the core and several contributed modules.
On top of that, problems at the server level, such as not having your host OS up to date and using insecure protocols like FTP are more likely to be the cause of a vulnerability than the Drupal core.
If security vulnerabilities are found in the Drupal core, they are patched very quickly, and provided that you are up to date with your security fixes, a successful attack is very unlikely.
Like we said in our WordPress FAQ when we talked about this, security is an extensive topic and more complex security features can be added on top of what your CMS offers by default. We will explore some security considerations in this section and showcase our approach to security and the recommendations we always give to our clients.
Even as a client you can take several steps to minimize security risks. Some of them are:
- Always use strong passwords, especially for users with elevated permissions;
- Use a password management solution like LastPass;
- Change your passwords regularly and employ two factor authentication;
- Never log in while using public or insecure networks if your website does not have an SSL certificate installed;
- Always log in from trusted devices and make sure the system is up to date on the device(s) you are using to log into your website;
- Choose a reliable hosting provider known for its security.
We recommend you let us deal with any and all technical and security concerns that your website might face.
In most cases the human factor can be the greatest vulnerability your website might face, so protect your passwords and respect your internal security procedures.
To an important extent your website’s security depends on simple best practices that your developers should stick to when writing custom modules and themes. Such best practices include obvious things like using Twig as a templating engine, proper configuration of user roles and access levels, and most importantly, making sure you have your Drupal core and modules up to date.
We have built a strong culture in our company around taking care of these aspects for you. When it comes to development, we follow a strict security checklist which, among others, includes:
- Sanitizing front-end output so that safe markup is not escaped;
- Sanitizing database outputs to avoid cross-site scripting (XSS) attacks;
- Using a database abstraction layer to avoid SQL injection attacks;
- Using a custom database prefix for the tables;
- Using read-only storage classes in production environments;
- Disabling any unneeded functionality and modules;
- Making sure that no user role has higher permission levels than intended;
- Never using role names as usernames (such as “admin” for an administrator user).
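Three of the checklist items above (sanitized output, SQL through the database abstraction layer, CSRF protection) and two of the Drupal 8 security improvements listed earlier (CSRF tokens on routes, the autoescape API) look like this in a custom module. The controller is an added example written for this FAQ, not code from the original article or from Drupal; the module name mymodule, the table mymodule_notes, its columns, and the route names are hypothetical.

```php
<?php
// Added example (hypothetical module "mymodule"), not from the original article.
// File: modules/custom/mymodule/src/Controller/NotesController.php

namespace Drupal\mymodule\Controller;

use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class NotesController extends ControllerBase {

  /**
   * Lists notes whose title contains the user-supplied ?q= string.
   */
  public function search(Request $request) {
    $needle = (string) $request->query->get('q', '');
    $db = \Drupal::database();

    // INSECURE (shown only as the "before"): interpolating $needle into the
    // SQL string lets a crafted value change the query.
    //   $db->query("SELECT title, body FROM {mymodule_notes} WHERE title LIKE '%$needle%'");
    //
    // SECURE: the query builder binds $needle as a parameter, and
    // escapeLike() makes % and _ in the input match literally.
    $rows = $db->select('mymodule_notes', 'n')
      ->fields('n', ['id', 'title', 'body'])
      ->condition('n.title', '%' . $db->escapeLike($needle) . '%', 'LIKE')
      ->range(0, 50)
      ->execute()
      ->fetchAll();

    $items = [];
    foreach ($rows as $row) {
      $items[] = [
        // '#plain_text' is escaped on output: a stored "<script>" in a
        // title is displayed as text, never executed.
        'title' => ['#plain_text' => $row->title],
        // Bodies may carry limited editor HTML; Xss::filter() keeps only a
        // conservative tag whitelist and strips event handlers and
        // javascript: URLs. Markup built from untrusted input must never be
        // wrapped in Markup::create() to bypass this.
        'body' => ['#markup' => Xss::filter($row->body)],
      ];
    }

    return [
      'heading' => [
        '#type' => 'html_tag',
        '#tag' => 'h2',
        // The "@" placeholder in t() escapes the value; "!" (raw) was
        // removed in Drupal 8 precisely to avoid this class of XSS.
        '#value' => $this->t('Results for @q', ['@q' => $needle]),
      ],
      'list' => ['#theme' => 'item_list', '#items' => $items],
    ];
  }

  /**
   * Deletes one note. The route (hypothetical name "mymodule.note_delete",
   * path "/notes/{id}/delete") declares `requirements: { _csrf_token: 'TRUE' }`
   * in mymodule.routing.yml, so Drupal rejects any request whose ?token=
   * does not match the path before this method is reached. The explicit
   * check below uses the same API for a token posted in a form field,
   * the case a route requirement cannot cover.
   */
  public function delete(Request $request, $id) {
    $id = (int) $id;
    $token = (string) $request->request->get('token', '');
    if (!\Drupal::csrfToken()->validate($token, 'mymodule-note-delete-' . $id)) {
      throw new AccessDeniedHttpException();
    }
    \Drupal::database()->delete('mymodule_notes')
      ->condition('id', $id)
      ->execute();
    return $this->redirect('mymodule.notes');
  }

  /**
   * Token a form must post as "token" for delete() to accept the request.
   */
  public static function deleteToken($id) {
    return \Drupal::csrfToken()->get('mymodule-note-delete-' . (int) $id);
  }

}
```

Note that the render system already runs string `#markup` through `Xss::filterAdmin()`; calling `Xss::filter()` yourself, as above, is the stricter choice for content that did not come from a trusted administrator.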
There are many in-depth technical guidelines to keep in mind when writing secure code. We strongly agree with the ones on drupal.org and encourage all developers to start with them in mind. We review and test this during our development process and perform a security audit before delivering a website to any of our clients.
Other important factors that we take into account are:
- Applying security fixes as soon as they are made available;
- Always checking module ratings and relevant user reviews before installing a module;
- Installing and using security modules (e.g. Duo Two-Factor Authentication, Login Security, Password Policy, Paranoia, Security Review, and more).
We closely follow the latest security reports for the Drupal core and contributed modules and only choose modules which are tested by the Drupal security team and have a good track record of being secure. We also avoid using modules with a well known history of security issues or which are usually targeted by hackers.
In the case of a hack, you first need to make an unaltered local copy of the hacked website. You can use it later to analyze the vulnerability and understand what caused it.
You should notify any stakeholders immediately and decide whether to take the site offline. To minimize the damage of the hack, we recommend that you have a backup of your website stored locally, so that your data is not compromised. You can temporarily switch to the backup site (with limited or restricted functionality) until the vulnerability is analyzed and a security fix is applied.
After you identify the vulnerability that led to the hack (an SQL query that was not sanitized, a server security issue, a weak password, etc.) you should take steps to fix it or revert to the latest uncompromised version. You also need to check for modified files (or added files that are not yours) and for changes in the database, identify what has been altered and roll back the changes.
Finally you should report your issue to the Drupal security team. They are unable to help with individual websites, but they do like to keep track of compromised websites to see patterns and improve Drupal security as a whole.
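The "check for modified files" step above is easiest when you can compare the hacked site against a known-clean copy, such as the last clean backup. The script below is an added stand-alone PHP example written for this FAQ, not part of the original article or of Drupal: it builds a SHA-256 manifest from a clean docroot, diffs a live docroot against it, and separately lists script files inside the public files directory, which should hold uploads only. The paths, the manifest file name and the sites/default/files location are assumptions to adjust per site.

```php
<?php
// Added example, not from the original article. Run from the command line:
//   php integrity.php baseline /path/to/clean/docroot > manifest.json
//   php integrity.php compare  /path/to/live/docroot manifest.json
// All paths are hypothetical.

/** Walks $root and returns [relative path => sha256], skipping $skipDirs. */
function hashTree(string $root, array $skipDirs = ['sites/default/files']): array {
    $root = rtrim(realpath($root), DIRECTORY_SEPARATOR);
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        foreach ($skipDirs as $skip) {
            // Uploads change legitimately all the time, so they are diffed
            // separately by scriptsInUploads() instead of hashed here.
            if (strpos($rel, rtrim($skip, '/') . '/') === 0) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Returns the added, removed and modified paths between two manifests. */
function compareTrees(array $baseline, array $current): array {
    $diff = ['added' => [], 'removed' => [], 'modified' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $diff['added'][] = $path;          // file that is not yours
        } elseif ($baseline[$path] !== $hash) {
            $diff['modified'][] = $path;       // file whose content changed
        }
    }
    $diff['removed'] = array_values(array_diff(array_keys($baseline), array_keys($current)));
    return $diff;
}

/**
 * Lists script files under the uploads directory. Drupal ships a .htaccess
 * that blocks PHP execution there, but a PHP file in that tree is still a
 * strong sign of a planted web shell and should be examined.
 */
function scriptsInUploads(string $root, string $filesDir = 'sites/default/files'): array {
    $dir = rtrim($root, '/') . '/' . $filesDir;
    if (!is_dir($dir)) {
        return [];
    }
    $found = [];
    foreach (array_keys(hashTree($dir, [])) as $rel) {
        if (preg_match('/\.(php|phtml|php[3-7]|phar|inc)$/i', $rel)) {
            $found[] = $filesDir . '/' . $rel;
        }
    }
    return $found;
}

// Command-line driver.
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    if ($argv[1] === 'baseline') {
        echo json_encode(hashTree($argv[2]), JSON_PRETTY_PRINT), "\n";
    } elseif ($argv[1] === 'compare' && isset($argv[3])) {
        $baseline = json_decode(file_get_contents($argv[3]), true);
        $diff = compareTrees($baseline, hashTree($argv[2]));
        foreach ($diff as $kind => $paths) {
            foreach ($paths as $path) {
                echo strtoupper($kind), "\t", $path, "\n";
            }
        }
        foreach (scriptsInUploads($argv[2]) as $path) {
            echo "SCRIPT_IN_UPLOADS\t", $path, "\n";
        }
    }
}
```

Run the compare step against the unaltered copy you took first, not against the live server, so that the evidence stays intact while you work; a manifest generated from a fresh download of the same Drupal and module versions is an acceptable baseline when no clean backup exists, with settings.php and other site-specific files expected to show up as modified.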