Inquisitive:TNG — Drupal 8

Drupalicon vs. Tux: FIGHT!

I've been using Drupal to power websites since version 4, a long time ago. In fact, i just dug up my old Drupal account information (i used a Hotmail email to register; that's how ancient this account is!) and it says i've been a member for 12 years and two months.  Drupal is an Open Source content management system (CMS), meaning it provides a web interface to create and present "content" as a web page. There are, and have been, a lot of free CMSes around, but Drupal is the one i've always rooted for because it uses the PHP language and has a friendly, open attitude. It also has what has helped to make Linux so successful: an oddly-named, smart creator from across the puddle that based the product name on his own (hmmm... a Linus Torvalds vs. Dries Buytaert celebrity deathmatch?)... and a cute logo. Now that i think about it, i'm sorta also describing the phenomally popular Angry Birds (okay, so not the name part). This month marks this site's transition to Drupal 8, and i thought i'd discuss the state of the Drupal from a casual user's perspective.

Drupal 8 was a monumental effort, taking far longer than previous releases, because it represented a clean slate for the project. A chance to modernize. As Dries describes on his webpage, the rewrite was a chance to reimplement the project in an object-oriented paradigm (OOP). This paradigm involves more work up front and produces a larger codebase that requires more processing time. I can attest to the slower and bigger code. The last release from the 7.x branch that i applied is 16MB (3.2MB compressed), while the current 8.x release (8.3.4) is 100MB (13MB compressed)! To be fair, there's an entire new framework included in that download (Symfony), as well as an editor. My web host's server is slow even on a good day, and it's been absolutely hammered over this 4th of July weekend: it keeps timing out when loading the new Drupal 8 site. That's not likely to be a common problem, though. So what were the advantages of a move to OOP that justified the bloat?

  1. Less "drupalisms" that create a barrier-to-entry to new Drupal developers.
  2. More familiar code paradigm for site developers.
  3. Ease of maintenance.
  4. Security.

Let's talk about the more immediately apparent good things that Drupal 8 brings.

I. Ease of installation.

Each time i have installed a Drupal site in the past, it has been a pretty involved process. I've added on extra modules to provide features i wanted and tweaked the server settings (chiefly the .htaccess files) to do some extra tricks. There have been a lot of searches and a lot of tweaking. Well, i've progressed to a certain zen state now. I prefer not to create database tables by hand and twiddle arcane webserver configuration files to install a CMS. The good news is... Drupal has also progressed. Drupal 8 will install itself far more than any previous release. It will set file permissions, create tables, and configure itself. There were only two errors that i had to resolve to complete installation, and only one of them couldn't be done from Drupal's web browser interface.

The first was a new security configuration option that required me to list the trusted hosts in Drupal's settings.php file to avoid header spoofing attacks.

$settings['trusted_host_patterns'] = array(

This allows drupal to issue from both the main domain and subdomains (for example,

The second error was also a security issue, and had to do with the temporary files directory requiring an .htaccess file. This error is only encountered when hosting the site on a shared server, so that you don't have access to /tmp. This is resolved by changing the location of the temporary file in Drupal's configuration menu to tmp (no slash). At that point, Drupal itself will create the appropriate directory and add the needed .htaccess file.

II. Core module functionality

As i mentioned, in the past i have usually used several external modules to get the features i wanted from Drupal (i count 15 external modules enabled in Drupal 7, but of course some are parts of a whole or dependencies). These included modules to manage images, categorization, views, markup options in posts, user access levels, text editoring, and spam prevention in comments, and give drupal more wiki-like behavior. The good news is that a lot of this has been integrated into the core, particularly image management. My needs and ambitions for now are much less complicated than previous sites, but it appears i will be able to get it to where i want it with only a single external module, freelinking, and that one is only there because i like to pepper in links to wikipedia, and freelinking makes it a lot less cumbersome. I did consider installing pathauto to automatically create more descriptive page URLs, but it had two dependencies ... and i don't create so much content that naming it is a chore.

III. A better editor

I hate WYSIWYG editors for web content. Even WYSIWYG editors for print i regard with suspicion. My master's thesis was composed with LaTeX , which was encouraged by my department, but sort of flew under my Microsoft-philic advisor's radar. Alas, i couldn't exactly pull a night crossing with my phd thesis, so that one was eventually wrested from the maw of Word, intact, with the aid of a rotating series of backups to revert to when something went horribly wrong and couldn't be "undone" (and it did, more than once).

It could be that my tendency to tweak and re-tweak things is in fact both the reason for my disregard for WYSIWYG web editors and  why i tend to break Word so much. In any case, i don't like the lack of control that WYSIWYG editors for CMSes have offered, but the latest version of CKEditor that is included and embedded in Drupal 8 is a big step up. I do still switch to source view now and then (for example, to add the <abbr> tag above for WYSIWYG), and it is annoying that the editor doesn't maintain focus and cursor position when you do that, but with the additional buttons, the freelinking-enabled markdown for links (which can be added without switching to source view), and the built-in nature of the editor in D8, this editor is finally something i will use.

IV. Security?

Okay, i don't know if the theoretical security advantages of OOP have resulted in Drupal 8 being more secure, but at least it hasn't had a Drupalgeddon 2014 equivalent. That security hole in Drupal 7 saw crackers deploying automated attacks against a lot of Drupal sites, including this one. It led to recurring compromises of this site (because there were backdoors left behind in both the file system and the database, and i hadn't backed up the database recently... kids, don't try this at home!). I eventually took the site down until i could rebuild it to prevent it from being used to distribute spam and malware. Obviously, i'd rather not have to deal with a security problem as big as that in my CMS again.

But overall i'm pleased to see how Drupal has developed. It's a whole different world now than it was back when i first used it. In 2005 the conversation was about what framework, language and library the CMSes used. Now, there are now a million libraries and frameworks that sit on top of the CMS itself to handle to presentation aspect, the new frontier of innovation and competition. It's great that Drupal has created a solid and modern platform to manage the underlying client-server essentials so that developers and webmasters can focus more on what is presentated and how it's presented.

The one cloud i see on the horizon for Drupal is the stagnation of its review process for new projects. I discovered this as i set about to find a good theme for the D8 update... and was surprised how few themes have been added in the past couple years. I discovered this blog which quantifies just how extreme the slowdown is, and that pointed me to a more direct discussion of the underlying problem: a huge queue of submissions waiting to pass the gatekeepers, with wait times of more than a year! I hope that this will addressed by Dries and a more functional system adopted before too many would-be developers and their future contributions are driven away.

In the meantime, welcome to Inquisitive: The Next Generation! I'm looking forward to spending more time creating content and less time maintaining and working around limitations in the CMS.