Last week was a very frustrating time for me. For whatever reason, an unusually number of botnets decided to zero in on my Drupal site and created what I call an unintentional  Denial of Service attack (DOS). The attack was actually from spambots looking looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the target of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of “page not found” and “access denied” error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.

These type of attacks on Drupal sites are nothing new and have been observed and discussed at great length at Drupal.org. However, my search at Drupal.org as well as Google didn’t really find a solution that completely addressed my problem. Trying to prevent a DDoS attack isn’t easy to begin with and at first the answers alluded me.

I originally looked at Drupal for the solution to my problems. While I’ve used Mollom for months, Mollom is designed to fight off comment spam while the bots attacking my sight were looking for script vulnerabilities that didn’t exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed model Bad Behavior. Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots then blocks such access and logs their attempts. I actually installed an “unofficial” version of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and utilizes services from Project Honey Pot.

As I had already suspected, looking for Drupal to solve this botnet attack wasn’t the answer. Pretty much all Bad Behavior did for me was to take the time Drupal was spending delivering “page not found” error pages and use it to deliver “access denied” error pages. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool to help me reduce the botnets from overtaxing Drupal running on my server. Ideally, you would like to prevent the attacks ever reaching your server by taking a look at such things as the firewall, router, and switches. However, since I didn’t have access to the hardware, I decided it was time to look at my Apache configuration.

read more

As much as I talk about Drupal here at CMS Report, I often don’t talk about Drupal point releases that provide solely security and bug fixes and no new features. Every once in awhile though there is a new version of Drupal 6 that has been especially polished by Drupal’s developers. Drupal 6.17 is one of those releases which contain significant changes I think are worthy a mention.

I’m probably most excited about the improvements made in Drupal 6 for better PHP 5.3 compatibility. A couple weeks ago I tried upgrading my server to PHP 5.3 and there were just too many annoying errors showing up in the Drupal 6 system logs.  I’m hoping with Drupal 6.17, I have better luck this time around (currently running this Drupal 6 sites with PHP 5.3).

With over 55 patches committed to improve Drupal 6, the following are the highlights of changes included in Drupal 6.17:

• Improvements of session cookie handling
• Better processing of big XML-RPC payload
• Improved PostgreSQL compatibility
• Better PHP 5.3 and PHP 4 compatibility (my fingers are crossed)
• Improved Japanese support in search module
• Better browser compatibility of CSS and JS aggregation
• Improved logging for login failures
• An incompatibility of Drupal 6.16’s new lock subsystem with some contributed modules was also resolved

The latest version of Drupal may be downloaded from the project page at Drupal.org. Whether you’re new to Drupal or currently maintaining a Drupal site, this latest release of Drupal is a clear indication that there is plenty of life and plenty of development taking place with the Drupal 6 release. Now what other Drupal 6 sites do I have that still need this upgrade to Drupal 6.17.

read more

While I was at DrupalCon last week, Chris Pliakas sent a tweet out that he used screenshots from CMS Report in his Apache Lucene presentation. I’m always flattered when this site gets noticed for something we’re apparently doing right. In this particular case, we’re using the contributed Drupal module Search Lucene API for our search engine as well as for faceted search and content recommendations (recommended links).

If you had talked to me a few years ago, I would have told you that the Search module that comes with the Drupal CMS is all a site like mine needs. After I became a beta tester for the Acquia Network along with their implementation of Apache Solr called Acquia Search, my opinion quickly changed. I’m now convinced that an enterprise quality search engine is truly something that can make or break your website. If you’re a smaller Drupal site that feels like Solr or Acquia Search is overkill or not in your cost range, Search Lucene API may be the answer you’ve been looking for all this time.

The actual name of Chris’ DrupalCon presentation is: Build a Powerful Site Search with the User-Friendly, Easy-to-Install Search Lucene API Module Suite. The video of his presentation can be viewed at Archive.org and has been embedded above. Screenshots from CMSReport.com can be seen in the time frame from 19 minutes to 21 minutes.

read more

Dries Buytaert, Drupal Project Lead, will give his bi-annual State of Drupal talk in the beginning of DrupalCon SF, where he’ll discuss where Drupal is and where it is going. In particular, he’ll discuss Drupal 7, usability, the Drupal.org redesign, and other developments to Drupal.

CMS Report is here live at Drupal Con and we’ll be blogging about the presentation as we hear it.

Edited: Video from the keynote speech has also been embedded at the end of this post. This video can also be found at archive.org.

2:30 PM: Dries finishing his speech with a pep rally cry. Drupal is growing up and Drupal 7 will bring in more users. As Drupal grow, Dries sees we need to stick to the culture…sharing and contributing, show passion, and innovating. Lastly it needs to stay a culture of fun. All together “awesome happens”.

2:25 PM: Drupal as it follows the market to stay relevant but the desire is to also still needs to serve the low end of the market. This is why distributions will need to be utilized to serve both high end and low end of the market.

To succeed Drupal needs to focus on missing features. To succeed in the low end, Drupal needs to focus on creating better experiences. Both missions do overlap.

215 PM: Consolidation = One Big Winner. Lots of CMS runner ups…and very few winners. Drupal needs to be a winner. Winners have richness and reach to be successful.

Trend: Cloud computing and SaaS is hot. “Computing is transforming from an innovation to a service.” How does Drupal stay relevant? Dries is talking about Christensen’s The Innovator’s Dilemma. The dilemma is the innovation makes room for a lower-end product often causing the original product to fail.

read more

I spent Sunday flying to San Francisco for this year’s DrupalCon. Attending this Drupal conference is a first for me. For the past few years. I’ve wanted to attend the conference but either personal or professional distractions came up that prevented me from attending the conference. This year is my year for DrupalCon and I’m anxious to get to know the Drupal community better than I have in the past.

While I do plan to do live blog updates during the Keynote addresses, I’m attending this conference less as a reporter and more as an attendee in a crowd of 3000 people. I spend way too much of my time through the year either leading IT discussions or managing the IT discussions that I rarely get a chance to just observe and listen. There are a lot of smart Drupal people and content management folks at this conference that I would be a fool to not take the opportunity and learn from the experts.

So this week you can expect a lot of Drupal talk. If you don’t want to hear about Drupal this week, I suggest you submit an article focused on your favorite CMS. I have a feeling I’m only going to be writing about Drupal this week…

Drupal’s “premier conference” is quickly approaching. This Drupal conference is known as DrupalCon and will be held in San Francisco from April 19-21, 2010. As with previous years, the unofficial theme of the conference is to “learn about all things Drupal”. If the conference sessions aren’t enough, the schedule is also packed with plenty of development, documentation, and training events that are being held the days prior to and following the conference.

Presently over 1500 people have signed up to attend the conference. The price of attending a DrupalCon has always been reasonably priced which is one of the reasons this conference always sees a high turnout rate. If you plan on attending the conference, I would urge you to buy your tickets to DrupalCon now. Procrastinators like me have been known to wait too long to register for this conference only to find out that the maximum number of available tickets for the conference has already been reached.

Also, CMS Report is proud to be a media sponsor for DrupalCon – San Francisco 2010. This is our first time we have sponsored a DrupalCon event and we’re excited to be helping out by promoting this event. While you can learn quite a bit about Drupal at this conference, the conference also gives you a chance to see and hear directly from the the open source community that is supporting Drupal. As a user of Drupal, it’s not just about the software that sparks our interest in DrupalCon but also the people in Drupal’s community we have come to know and appreciate.

read more

For 40 years, scientists have searched for a way to bring nuclear fusion to the masses. If successful in bringing fusion online, we all could have an inexhaustible form of power to meet our world’s energy needs. The promise of fusion is a dream that many have hoped to see become a reality in their lifetime.

Perhaps not for as noble of cause, Drupal users have sought better themes for their Drupal sites. Four years ago, it seemed to me that creating a good theme for Drupal was almost done as an afterthought. There simply were not too many places for a user to go for a quality Drupal theme. I recall spending a lot of wasted time maintaining my own (boring) themes for Drupal sites. The Drupal days of version 4.4, 4.5, 4.6 and even 4.7 for themes were dark days indeed. Luckily, Drupal 5 introduced us to a new theme called Garland. Garland may not have been a perfect theme but in my opinion the theme marked the beginning of an era for a new style of Drupal themes.

In the past few years, the number of Drupal themes provided under open source or via private companies have exploded. Along with that explosion, various starter and base themes have been introduced too. On the top of my head I can think of Zen, Genesis, Basic, and AdaptiveTheme. These starter/base themes offer theme developers opportunities for everyone to build or use professional sub-themes. In fact, this site used Zen in the theme’s early years and today we’re currently using a Genesis based theme called Extreme Updates (slightly modified). With each passing year, the theme offerings for Drupal has steadily improved in quality and quantity. This year is no exception and brings us a new official base theme to carry us over into the next generation of themes made for Drupal.

The year 2010 brings us Drupal’s newest base theme, Fusion.  Currently, there probably isn’t a Drupal theme that offers site owners more control over layout and style than a Fusion based theme. Fusion has the support and backing of well-known Drupal theme shop, TopNotchThemes. TopNotchThemes appear to be serious enough about Fusion revolutionizing the way themes are done in Drupal. This week they publicly announced their new line of themes and a website called Fusion Drupal Themes. Most of the themes offered at the site are for a price, but there are a couple free themes also being offered that should give you a chance to see what Fusion is all about.

read more

Earlier this week, I announced a new site that I’m working on under the domain SocPub.com. What I didn’t say in the announcement was which CMS I was going to use for the site. I also didn’t say that my choice in the CMS version could be considered by some as risky. I have decided to use the alpha/beta/release candidates of Drupal 7 for the SocPub site.

Using an alpha version of any CMS for a production site is never recommended, but I have some personal reasons for why I want to do this. No doubt, there will be bumps in the road using these early versions of Drupal 7. However, I’m hoping the benefits outweigh the risks and in a small way testing early versions of Drupal 7 may offer me an opportunity to give back to the Drupal community. For example, installing Drupal 7 has allowed me to collect some screenshots of a Drupal 7 Alpha 1 install.

If someone wants to use the screenshots below for one of the image galleries at Drupal.org or any Drupal community site, then permission is granted to use the images.

Using the above image, one of the first things you will notice is that you now have a choice in the type of Drupal install you would like to do. Currently, you have a choice between a “Standard” install or a “Minimal” install. I personally never like to make things more difficult than they should be and so I recommend you select “Standard”.

As the image above reminds us, Drupal 7 has some server requirements that must be considered. Is PHP 5.2 or greater available on your server? Have you initiated your settings file correctly? In Drupal 7 this walk-through is improved by letting you know Drupal’s latest requirements and giving you some hints on how to resolve potential install issues.

read more

In the world of open source CMS there is no comparison more attention getting than an article comparing Drupal and Joomla!. Probably, the grand daddy Drupal versus Joomla! comparisons of them all was posted over three years ago by the Joomla SEO company, Alledia. I extended the discussion Alledia started with my own comparison between Drupal and Joomla. My article evidently struck a chord in late 2006 and currently is approaching near 200,000 reads.

Good comparisons between Drupal and Joomla! are popular because quality comparisons between the two applications are rare. It’s very difficult to have passion for one CMS, be well informed on both CMS, and in the end be non-bias in your comparison. In the three years since I wrote my article, I’ve only come across three additional comparisons between Drupal and Joomla! that I thought worthy to bookmark.

I haven’t updated my own article comparing Drupal and Joomla because I have developed a bias opinion over the years that I can’t overcome…I prefer Drupal over Joomla! Both are good applications in their own right, but in the end I almost always recommend Drupal over Joomla!. That’s why I’m glad to see Alledia update their own comparison between these popular CMS with Joomla and Drupal – Which One is Right for You? Version 2.

read more

Passwords, user accounts, email verification. I have never liked requiring my website’s visitors to register before they can leave a comment. There is a large segment of people that like to submit quality comments online, but they don’t want to be required to leave their personal information there. So from the beginning, I have always allowed anonymous commenting by unregistered visitors and for the most party, they quality of the comments haven’t suffered. However, allowing for anonymous comments also invited my site into a war against comment spam. My latest weapon to do the fighting for me in this war is Mollom.

I was first introduced to Mollom in the Fall of 2007 as a beta tester. Prior to Mollom, I had been using a number of techniques, modules, and services with limited success in blocking unwanted spam. While some of these filtering methods did help me filter out unwanted content, I was still spending quite a bit of my time moderating the comments for potential spam. Worse, in long absences from the site I had to disable anonymous commenting for fear that I would come back to a site riddled with ads for the latest popular pharmaceutical drugs or some girl that wanted to be seen for a price. That’s when Mollom entered the picture and helped stop most of the spam from entering my site.

In the two years since I’ve used Mollom, the service probably has blocked more than 100,000 pieces of spam from being posted at my site. Since, the current statistics provided by Mollom only date back to early 2008, the official number of spam blocked stands at around 77,000. In other words, I receive an average of 120 comments a day that require no moderation on my part.

read more