Chris Shattuck


Video presentation on why Drupal kicks other CMS's a**

November 22, 2009 - 22:47


A couple weeks ago I put out a blog to garner feedback on why Drupal kicks serious a**, and a big thanks to everyone who responded. I integrated a number of the comments with my own personal experience with Drupal and presented my talk last week to a diverse group of 20 or so web tech people in the local Boise Idaho area. Judging from the audience participation, I think the presentation went really well. I recorded the talk (from two different camera angles, no less!) and am posting the video and slides for folks that are curious about what they missed, or who are interested in giving a similar talk themselves.

I did a little research before hand about how Drupal compares to popular CMSes like Joomla, Plone, Wordpress, ExpressionEngine, and SharePoint. The talk was also directed in many ways to audience members who have rolled their own CMS, because that was my experience coming into Drupal and I found that Drupal solved many of the problems I was attempting to solve myself, but in much more elegant ways.

Drupal kicking butt - Video and slideshow



The format of the talk was "10 ways Drupal (might) kick your CMS's a**", and here are the 10 things about Drupal that stand out to me as particularly stellar:

#1 - The Drupal Community

The community is a big part of what keeps me involved in Drupal at the level I am. I helped found and participate in a local Drupal users group, which provides important face-to-face time with other people using Drupal, and keeps us all abreast of important news in the project. I also talk about regional conferences and Drupalcon, IRC, and leadership in the community.

#2 - Central Module Repository

Drupal keeps all of its modules in one place, unlike many other CMSes. This has many benefits, and has helped keep licensing problems from becoming an issue in the community. Also, a standard module release process gives both developers and administrators a clear path forward with module upgrades and with choosing the correct module version for the Drupal version they use.

#3 - Drupal is a Framework

For developers, Drupal does a lot of heavy lifting and really lets you get plugged virtually anywhere in the platform. The module structure encourages good coding practices and good organization.

#4 - Drupal is Mature

Drupal has been actively developed for 8 years, and lots of big web sites are using it, like the White House, The Onion, Fast Company, BMG Records, NASA, Warner Brothers and Yahoo Research. Even if you don't understand the nuances of security and scalability, you can point to these examples as evidence that Drupal must provide a solid framework for both.

#5 - Flexible Data Structures

Drupal allows you to create flexible content, much like Access or Filemaker, and even creates full CRUD (Add, edit, view and delete forms) on the fly. So, storing custom content is easy, and doesn't require any programming or touching the database. (video includes demo)

#6 - Flexible Content Feed Output

Once you have content, you have many options for how you want to output the data. You can pass content filters via the URL or even expose filters to users so they can narrow down content based on whatever criteria you specify. The ability to generate these lists of data via configuration without touching queries or code can be a powerful administrative tool.

#7 - Flexible Path Aliasing

In Drupal, you can specify how you want a path to look based on virtually any information in your content, including title, date, or custom fields. Drupal can handle redirecting duplicate URLs (also called aliases) to a single URL with a 301 redirect to prevent a duplicate content filter in search engines.

#8 - Multi-Language Support

Including another language is trivial, and you can even override content within the same language. There's community infrastructure to support translators even if they don't know how to use, install or develop in Drupal.

#9 - Making Forms is a Breeze

Creating forms in Drupal is as easy as creating content types, and can be done without any programming. If you do need to program a form, however, there is a powerful API which will allow you to generate a secure, robust form in just a couple of steps. There is also a nice utility for generating module configuration forms.

#10 - A Bunch of Other Stuff

Including distributions for intranets and social aggregation, cross-database compatibility, an active usability team, hierarchical taxonomy, a powerful theme layer and AJAX framework.

Post-presentation discussion

During and after the presentation, there were a lot of great questions and discussion about topics like:

  • How does Drupal store content types?
  • Can Drupal work with obscure databases like BDB?
  • How do you create a wiki in Drupal?
  • How much does Drupal break from one version to the next?
  • How difficult is the upgrade process from one Drupal version to the next?
  • How much of this stuff is handled by core Drupal, and how much by contributed modules?
  • What versions of MySQL and PHP are the different Drupal versions compatible with?
  • How many non-developers use Drupal?
  • Discussion on ecommerce solutions for Drupal

Categories: Planet Drupal

"10 reasons why Drupal (might) kick your CMS's a**" - Crowdsourcing an upcoming talk

November 5, 2009 - 23:47

I'm going to be doing a talk in a couple of weeks called "10 reasons why Drupal (might) kick your CMS's a**" to a local group of web tech folks, only a couple of whom use Drupal. I have some ideas, but wanted to crowdsource this a bit and see if I can get some input from the community. I have very limited exposure to other popular CMS's, so any input on comparing and contrasting Joomla, Wordpress and Drupal would be appreciated. Also, any nifty graphs or diagrams that might hit the points home? So far, here are some items on my list:

  • Caching - The various caching tools enable Drupal to perform nearly as fast as static HTML
  • Community - Lots of IRC participation, local user groups, positive leadership
  • No forking - The community hasn't yet reached the point where a schism caused forking.
  • Central module repository - This has meant that all projects are supported in similar ways (version control, issue queues, etc) and that they are GPL compliant. Also, this adds exposure for the modules and they get vetted by the community.
  • Drupal is a programming framework plus a CMS - Drupal does a lot of heavy lifting, and helps you organize your code in a meaningful way other folks can plug into.
  • Drupal modules don't have to hack core to work - As opposed to other CMSs
  • Drupal scales well - And this will only get better with Drupal 7 and the new database layer
  • Drupal is mature - It's been around a while, it's stable and is being supported by a lot of big projects (need some good diagrams here)
  • Extendable data structures (i.e. fields in core) - Makes all data flexible at the interface level

I'd love to have some good visuals for this, and I'd also like to get some ideas on what I might be missing. I will gladly open source this presentation as well once it's complete.

Thanks!

Categories: Planet Drupal

Review of Drupal 6 Search Engine Optimization and interview with Ben Finklea (or, the benefits of reviewing e-mail on drugs)

November 2, 2009 - 21:28


As part of this review process, I interviewed Ben Finklea. We covered his new book, "Drupal 6 Search Engine Optimization," as well as other interesting topics like how you might need to start your own church to write a book, what it's like to overcome the stigma of doing SEO, and what to expect in the future of search engines and Drupal 7. Listen to the interview here. (right-click and select 'save as' to download)

Props

I have a lot of respect for business owners forging new niches in the Drupal space. Not only has Ben Finklea done this, but he's done it in a niche that's rife with controversy. SEO as a subject is highly polarizing, and choosing it as the topic of a book directed at an open-source audience that highly values the transparency often neglected in the SEO sector seems downright masochistic. So, before even addressing the content of the book I have to applaud Ben's gumption. To have success in a controversial arena like this, I think you have to be quite skilled at filtering out and responding positively to the inevitable negative feedback - something that's not always easy to do.

The book

To begin with, I think the name of this book is understandably misleading. While "Drupal 6 Search Engine Optimization" covers many topics related to optimizing a site for search engines, a large part of the book is dedicated to teaching the reader how to improve conversion rates, attract readers and organize content. I think this is a good thing, but going into the book knowing that a variety of non-SEO topics will be covered might allow the reader to enjoy it more.

I've had enough SEO experience to be a bit beyond the curve the book takes on, so I felt a little outside the target audience range. In spite of this, I still found a lot of value in it, and surprisingly this value was mostly in the material that wasn't directly SEO-related. Also, if I step back about 5 years to before I knew much about Drupal or SEO, the value multiplies significantly. If you're new to Drupal, sifting through the module repository to find ones that will help your site become more friendly to search engines is tricky, because they're not all labeled as such. The first part of the book introduces the reader to a variety of helpful modules and walks them through the steps required to configure them. Along the way, the reader is exposed to some basic concepts in SEO, such as the importance of targeting keywords, cleaning up URLs, dealing with redirects and the benefits of writing semantically-correct markup. If you find that you have too few tools in your SEO toolbox, then this initial coverage is important and will get you headed in the right direction. Pages 11-17 in particular list a number of useful SEO modules that are mentioned throughout the book, and this list alone is a great resource.

A number of more advanced topics are covered as well, including how to optimize your robots.txt file (something I don't have much experience in), and tips on speeding up your site. For a typical site maintainer who hasn't given much thought to optimizing their site for search engines, there is enough material here to keep busy for a while. And based on my knowledge of SEO, using the collection of tools Ben suggests is an excellent defensive strategy for getting your content indexed by search engines properly, without any fear of sketchy tactics getting your site penalized or banned.

At about page 150, SEO starts to take a back seat and traffic optimization takes the wheel. My favorite two sections in this second part are labeled "Don't Stop" and "Find Inspiration." Don't Stop is a short, single paragraph, but summarizes a principle that is just about the most essential aspect of building meaningful traffic, which is continuing to build content and keep things fresh - an excellent reminder. "Find Inspiration" is a list of around 20 suggestions for sources and structures you can build content from. Ben mentions that he refers to this list when he gets stuck, and I found the list useful enough that I'm going to start doing the same. Some suggestions include subscribing to Google Alerts, reviewing emails and questions from customers, and doing original research. If you've attempted to write on a regular basis, then you know that some days you're more inspired than others. There's something on this list for just about any level of inspiration.

Some interesting additional topics are covered in this second part, such as how to write compelling copy, organize large amounts of content and improve conversion rates, which are all very useful to those responsible for managing web site content.

Criticism

I understand that one book can't be everything to everybody, and this book serves its purpose well. However, if you have some experience with SEO, you'll notice that there are some notable omissions in this book. With controversial subject matter, one can be bold, in-your-face, opinionated and passionate, taking a side and sticking with it. Or, one can be cautious and careful and avoid arguable material. This book takes the latter approach. It definitely outlines a clear path of SEO defense with useful material that is difficult to argue against, but leaves out a lot of the meaty bits I find most interesting about SEO: subjects like inbound and outbound linking, link building campaigns, and conducting tests against search engines to see how PageRank is transferred (and is it even important?). Link text - generally thought to be one of the most important aspects of passing value from one page to another - is only briefly mentioned. What about changing content on pages that have been indexed, or how search engines consider the longevity of links? The book doesn't take the SEO talk further than the basics, which may be disappointing to some.

Those things being said, I recognized a number of suggestions in the book that I don't apply regularly enough, and one could question how much good the material I'd like to hear about would do me if I'm not executing the essentials properly.

The only other criticism I have is that I would have liked to see more sources referenced. Matt Cutts's blog is mentioned briefly, but I would be really interested to see where the rest of the material came from or what inspired it. That kind of list would also be helpful for folks ready to dive a little deeper into SEO.

Summary

I think this book can provide a lot of value to new web development shops or freelancers. If you become familiar enough with the material it covers, you will have an arsenal of answers to tough questions you're inevitably going to get from potential customers regarding SEO and managing content. It will take a while to gather this information yourself, and the time it saves you will be worth the cost of the book.

As a new site administrator or owner of a site that needs to optimize its traffic sources, a lot can be gained from utilizing this book as a reference guide for writing and organizing content. As an intermediate Drupal user, I would suggest reviewing this book to make sure you're following the different strategies it outlines. If you find yourself running out of ideas for improving your site and building content, there's some excellent material in the second half of the book for you, too.

Interview notes

Ben was kind enough to interview with me, and some really interesting topics came up. One notable bit that got missed in the interview was that the book probably wouldn't have been written if Ben hadn't gotten appendicitis and been high on drugs in the hospital with nothing to do but find the bottom of his e-mail inbox. Here's a quick list of what you'll hear about:

  • How the Drupal community has responded to an SEO company in their midst
  • Is organic SEO dead?
  • How will SEO in Drupal 7 be different?
  • How are search engines changing and what can we do?
  • Reflections and tips on writing a book (everyone should do it!)
  • Listen to the interview here

Categories: Planet Drupal

Case study: Setting video file access based on Ubercart orders

October 6, 2009 - 03:08

One thing that's really nice about working on your own Drupal projects is that you get to share what you're working on (no NDAs, woot!). This particular project (Build a Module.com) is a video tutorial site for newer Drupal developers. For a while, I had a single product offering, but feedback made me realize that people like options. So, I decided to offer single video purchases as well as 'collections,' or groups of videos bundled up into a single product. I also needed to make sure that customers had the right permissions set on files depending on their purchases.

Here's a video outlining the solution I came up with. Scroll down below the video for further details.

About the flow

I have 3 node types:

  1. Videos - Contains description and video file in a file field
  2. Single Video Product - Is an Ubercart product with a node reference CCK field pointing to a single video
  3. Collection Product - Another Ubercart product, but this one has a node reference CCK field that points to a number of videos

I didn't realize that a node reference field could point to multiple nodes before a fellow Drupalista pointed it out to me. Eesh! I really could have used that info a year ago.

So here's the flow:

  1. A user adds a Single Video Product or a collection to their cart
  2. They check out and complete the purchase
  3. They visit a video page
  4. A custom function checks against their orders to see if they have access to the video. If they do, they're in.

The function used in step 4 uses several queries to determine access. The queries check for the following:

  1. Is the product free? If so, show the video.
  2. Has the user purchased a product that includes the video file that this Single Video Product type points to?
  3. Same check for a Collection Product type
  4. If there is no product for the video, then give access (some videos, like the intro video, don't have an associated product)

In the hook_file_download, the same function is called, but I first have to figure out what node the file belongs to. In Drupal 6, hook_file_download only supplies you with the name of the file. No node associations or anything, so you have to connect the dots with your own query. I think the reasoning is that a file can belong to multiple nodes, but since my workflow doesn't allow that, it's not an issue.

There are some good things about this approach, such as when files change in the nodes (i.e. you upload a video with corrections), even though there is a new file name, the node association will remain the same and access will be granted.

For a while I was using a module called File Access, which allows you to set granular permissions for each file based on user or role, but because I would have to build a connector action between a purchase and the access, and then respond when new files are uploaded, I figured I would keep it simpler and just cross-reference the orders instead. The downside is that if my products change, so will access. Also, using File Access would enable access based on field, rather than on node. So, if I have two different versions of a file on the node (iPod version and full-size) and wanted to sell them separately, I would need something more complex.
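The four access checks and the hook_file_download lookup described above, written out as an added Drupal 6 example. This is not the Build a Module.com code; the module name (videoaccess), the CCK storage tables and columns (content_type_video.field_video_file_fid for the video's file field, content_type_single_video_product.field_video_nid for the single-value node reference, content_field_videos.field_videos_nid for the multi-value one) and the Ubercart order status string 'completed' are assumptions that depend on how the fields and store are configured. It goes a little beyond the post in two places: only completed orders grant access (a pending or cancelled checkout should not unlock a file), and the product lookup uses db_placeholders() so the IN list is never built from raw values.

```php
<?php
// Added example for Drupal 6 + Ubercart 2 + CCK (not the author's code).
// Assumed names: module "videoaccess"; node types video, single_video_product,
// collection_product; CCK tables/columns as listed in the lead-in.

/**
 * Decide whether $account may watch the video node $video_nid.
 * Implements the post's four checks: free product, purchased single product,
 * purchased collection, or no product attached to the video at all.
 */
function videoaccess_user_can_view($video_nid, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  // Site administrators bypass the purchase check.
  if (user_access('administer nodes', $account)) {
    return TRUE;
  }

  // Collect every product node that includes this video.
  $product_nids = array();
  $result = db_query("SELECT nid FROM {content_type_single_video_product} WHERE field_video_nid = %d", $video_nid);
  while ($row = db_fetch_object($result)) {
    $product_nids[] = $row->nid;
  }
  $result = db_query("SELECT nid FROM {content_field_videos} WHERE field_videos_nid = %d", $video_nid);
  while ($row = db_fetch_object($result)) {
    $product_nids[] = $row->nid;
  }
  $product_nids = array_values(array_unique($product_nids));

  // Check 4: nothing is sold for this video (e.g. the intro), so it is open.
  if (empty($product_nids)) {
    return TRUE;
  }

  // One %d per product nid; the values are passed as query arguments.
  $placeholders = db_placeholders($product_nids, 'int');

  // Check 1: a product that includes the video is free.
  $free = db_result(db_query("SELECT COUNT(*) FROM {uc_products} WHERE nid IN ($placeholders) AND sell_price = 0", $product_nids));
  if ($free > 0) {
    return TRUE;
  }

  // Anonymous visitors cannot own an order.
  if (empty($account->uid)) {
    return FALSE;
  }

  // Checks 2 and 3: the user owns a completed order containing one of the
  // products. 'completed' is the assumed Ubercart status id; pending or
  // cancelled orders deliberately do not count.
  $args = array_merge(array($account->uid), $product_nids);
  $purchased = db_result(db_query("SELECT COUNT(*) FROM {uc_orders} o
    INNER JOIN {uc_order_products} op ON o.order_id = op.order_id
    WHERE o.uid = %d AND o.order_status = 'completed' AND op.nid IN ($placeholders)", $args));
  return $purchased > 0;
}

/**
 * Implementation of hook_file_download().
 * Drupal 6 only hands us the file path, so map it to its {files} row, then to
 * the video node that holds it, before running the same access function.
 */
function videoaccess_file_download($filepath) {
  $filepath = file_create_path($filepath);
  $file = db_fetch_object(db_query("SELECT * FROM {files} WHERE filepath = '%s'", $filepath));
  if (!$file) {
    return;  // Not a managed file; let other modules decide.
  }
  $video_nid = db_result(db_query("SELECT nid FROM {content_type_video} WHERE field_video_file_fid = %d", $file->fid));
  if (!$video_nid) {
    return;  // Not a video file; none of our business.
  }
  if (videoaccess_user_can_view($video_nid)) {
    return array(
      'Content-Type: ' . mime_header_encode($file->filemime),
      'Content-Length: ' . $file->filesize,
    );
  }
  return -1;  // Explicit deny; Drupal answers with a 403.
}
```

hook_file_download is only consulted when the site's download method is set to private (admin/settings/file-system); with the public method the web server serves the file itself and this check never runs, so anyone who learns the file URL gets the video. The same videoaccess_user_can_view() call belongs on the video page (for example in the node view) so that the page and the file agree on who may watch.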

Part of the reason I'm putting this info out there is to get feedback and see if a module that handles this type of access and setup would be a welcome addition to Drupal contrib, so feel free to drop me some feedback below.

Categories: Planet Drupal

The Pacific Northwest Drupal Summit (a DrupalCamp in disguise)

September 25, 2009 - 22:55

On October 24 and 25 I'm going to be in Seattle for the Pacific Northwest Drupal Summit. From my understanding, this un-conference is aimed specifically at intermediate and advanced Drupal users, so most of the topics are hitting the folks a little higher up the Drupal learning curve. There will be a whopping 4 rooms of sessions, which means that we'll have a lot of choices, and there will be a lot of people hanging out in the halls looking at the schedule, trying to figure out where to go. Perfect for me, because I love hanging out in the halls.

The Summit's web site was donated by This By Them, the same folks that did the uber-nice DrupalCamp LA site. You can see some similarities. I'm happy to see this re-purposing of a DrupalCamp web site (A full distribution and case study for the site can be found here). First of all, it saves the organizers time, and secondly it gives us attendees a familiar framework when registering, planning and voting on sessions. When we finally get a DrupalCamp Idaho off the ground, using this distribution will be a slam dunk.

There are some good topics being covered, such as deployment, Drupal 7 theming, Open Layers and SEO. I've also submitted a few sessions on AJAX development, Drupal security, theming, and making friends. I've also been asked to do a BOF (Birds of a Feather) on the Navigate module. You can check out what sessions I've voted for by going to my profile page and clicking "My picked sessions."

If you're planning on attending and want to say hi, drop me a line. Look forward to seeing you there!

Categories: Planet Drupal

Victoria BC DrupalCamp wrapup and slides from "Drupal development evolved!" presentation

September 16, 2009 - 01:47

One thing I appreciate about Drupal is that it attracts fantastic people. Every time I attend a Drupal event, I know I can grab some random person to chat with (which I often do) and end up in an interesting conversation, and the DrupalCamp in Victoria BC was no disappointment. The event was held in the offices of NorthStudio, a web dev / marketing firm and training facility. I judge a venue selection successful when the rooms are just barely big enough to fit the audience with standing room only, and the two rooms chosen for the presentations were perfect in this respect. Because the rooms were their training facilities, everyone seated had a shiny Mac computer (running Windows) they could use to follow along with.

While I tend to gravitate towards lobby-talk during presentations, I caught most of several presentations that were quite interesting, and heard good things about the others. Here are some highlights.

DrupalCamp Highlights

Open Layers with Patrick Hayes. Open layers is a Drupal module that allows users to generate layered maps, with virtually any base layer (Google maps, Yahoo maps, NASA, etc). You can draw geometrical shapes and save them as nodes, as well as traditional points. After chatting with Patrick and Charles (his business partner over at GeoMemes), I heard my first ever argument for using PostgreSQL over MySQL. In summary, MySQL's support of geographical calculations and indexing flat out doesn't compare. Good to know. The demo was compelling and well presented, and makes me really excited to have a reason to use Open Layers.

Information Architecture, Design and Theming. Tom James and Alex Ventpap from Image-X gave a dual presentation on tips for designing, including wireframing, using Photoshop effectively and handing the finished design off to the themer. I now have a few new Photoshop tricks up my sleeve, like making repeating backgrounds vector graphics (they're smaller in file size and expand more cleanly), clearing your cache every once in a while to free up RAM, and a bit I need to follow up on about how you can minimize the file size of your PSD with a couple of minor settings. After Alex's coverage of design, Tom took over and gave some good tips about theming, including using Aegir for deployment, minimizing theme customization by starting with a custom theme, and using version control.

Next, Vanessa Turke, another member of the Image-X team, presented on information architecture (IA). She managed to cover a ton of stuff in a really tight time slot. A couple of bits I took from it: 1) If your client doesn't buy into IA, and you can only spend a little time on it, then find out what the primary goal of the site is. I know from experience that you can't get far without that bit of info, but it's good to hear an IA expert say so. Also, Vanessa stepped aside to let a really fun, enlightening video about the typical web user play through. The video was a set of street interviews where the interviewer asked 'What is a browser?'. The bottom line was that you shouldn't overestimate your audience. They tend to not know what the **** they're doing, so you have to help.

Dan Howard with a bag of developer tricks: This presentation was particularly cool because I'd just recorded a series of Drupal training videos for new developers at Build a Module.com. Dan covered a lot of similar topics, and in a spookily similar way. It's strange how even though each developer is different, we all develop a common set of tools and strategies (and mistakes).

Drupal Development Evolved!

Finally, I had a great time presenting a session called "Drupal Development Evolved!" The core of the talk was meant to give new and intermediate developers a grasp of the tools that they might use someday soon to improve their workflow. Afterwards, some of the attendees suggested that the scale could be used to help people explain where they are in their personal development. The scale is based loosely on the number of sites one has built, but I discovered that some people find it more effective to use one of the strategies in the middle even though they've worked on many more sites. Here's the scale:

  • 1st site: Download Drupal, install, download modules, install modules, etc.
  • 2nd site: Copy the first site and gut it, use it again
  • 3rd site: Create a base install and use this as a base (prevents embarrassing leftovers from copying and gutting)
  • 4th site: Create multiple base installs for different kinds of sites (blogs, e-commerce sites, social networks)
  • 5th site: Integrate team development
  • 6th site: Share and collaborate using install profiles, Features, distributions and the like

The presentation featured many references to WebEnabled, a pretty groovy service I did a writeup on a while back and have more recently been doing some User Experience (UX) work for. At several of the stages outlined in the presentation, WebEnabled offers handy shortcuts and powerful deployment options. For example, instead of setting up a database, downloading and installing Drupal, you can just spin up a new instance of Drupal 5, 6, 7 or Acquia Drupal with a click. It sets up a shell account automatically for the application, so you can use an IDE like Coda or Komodo to work with the files remotely. Think Drupal Gardens for developers. It's pretty neat; if you haven't seen it yet, check it out.

I unfortunately wasn't able to record the session live, but below are the slides, and a dry run I did to get some peer reviews before the camp:



Summary

Overall, I was happy to make the 13 hour trip from Idaho to Victoria BC. I met a lot of great people, derived several insights from interesting conversations, and had some rather excellent sushi. Next year, I'm going to plan on sticking around a little longer to explore what I've been told is some of the most beautiful coastline in Canada. And I'm going to bring some extra garden burgers.

Categories: Planet Drupal

Book Review: Cracking Drupal by Greg Knaddison

August 25, 2009 - 00:23

It recently came to my attention that there are some gaps in my conceptualization of Drupal security. I was fortunate enough to have this pointed out to me by the Drupal Security Team, and not by a DoS, CSRF, SQL injection or XSS attack. After publicly bemoaning the mild lashing I received, four members of the Drupal community suggested I read Cracking Drupal. One of them even sent me a copy. No other book was even mentioned, which says to me that - considering how recently it was released - the book fills a void of knowledge that was seriously aching for coverage, and fills it well.

Over years of developing, I've become familiar with the various vulnerabilities that make their way into code, but I've never felt like I could build a complete defense. My knowledge has been piecemeal, drawing from documentation, books, interesting conversations and other people's code. In my case, Cracking Drupal did a fantastic job of gluing these pieces together into a comprehensive frame of mind.

What becomes clear very quickly in Cracking Drupal is that Drupal is quite a wily beast that gives developers real incentive to learn security. There are few functions in Drupal whose exclusive purpose is security, and Greg makes it clear that learning how to secure your site has definite side benefits: "When developers learn and use the API, they are not only safer but more effective and more efficient." When you learn how to use different aspects of the Drupal API (forms, translations, helper functions, theming) you gain bits of security as a bonus. If you set out to learn Drupal security, you'll come out the other end with a pretty solid grasp of Drupal APIs. Either way, it's a win.

Cracking Drupal is surprisingly brief. In 134 pages, Greg covers a lot of ground including:

  • An overview of the different types of attacks one is likely to encounter, from physical to social
  • Most (if not all) aspects of the Drupal API that have security implications
  • Coverage of security-related contributed modules
  • An introduction to the Drupal Security Team
  • Demonstrations of exploiting common weaknesses in Drupal modules and how to fix them

An interesting choice is made in Cracking Drupal to keep a somber atmosphere around the subject matter. In almost any other context, this would be an immediate turn-off. I appreciate humor and optimism to drive my enthusiasm when reading. In contrast with other instructional books which end a chapter with a "go for it, get things done!" message, this book ends chapters with lines like "This paranoid perspective is a good one to maintain as you write, review, and implement features on your site." and "Remember that it is nearly impossible to fully protect yourself from a dedicated and persistent attack." and "If nothing else, I hope this chapter has scared you a bit about the realities of just how easy it is to exploit insecure code and sites".

In a book covering attacks that can result in a very serious loss of time and money, this lack of optimism is probably a good thing. And the final chapter, "Un-cracking Drupal" does leave the reader with the sense that something can be done. It's difficult work, but it's doable. Ultimately, I think the book drives home the fact that the most effective way to make a module or theme secure is to do it right from the start.

The title chapter of Cracking Drupal was probably the most lively and hands-on part of the book. I came out of it feeling like I could really enjoy exploiting vulnerabilities for the greater good. Because of this reaction, I think it would have been a good candidate for a first chapter to really whet people's appetites.

Overall, I think Cracking Drupal does a tremendous service to the community by pulling together the most important aspects of Drupal Security into one solid, compact document. While I came into the book having already been introduced to many of the concepts, it filled in a few gaps, and made the subject matter finite and approachable (albeit a little scary). I suspect this book will serve well as a guide and quick reference as I dive into identifying and patching up vulnerabilities in the modules I maintain.

A couple things I learned

While the greatest benefit to this book was the broad, sweeping overview of security, there were a few additional gems that will come in handy later on:

  • There's a lot more to hook_menu() than I was aware of. Good coverage of examples on p.55
  • I didn't realize that you had to exit after using drupal_access_denied(). p.59
  • Ah, db_placeholders() - a useful function for passing a number of variables to db_query() p.65
  • I had no idea there was such a robust node access API. Wow!

Notes in the margin

Below are a few unorganized comments that constitute my wish-list for future versions and complements to the author:

  • Good quote regarding the definition of security: "For this book I’ll define site security as follows: A site is secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users."
  • I would have liked to see more AJAX security strategies and techniques covered.
  • I liked all the Drupal 7 references, gives a good feel as to the direction of things
  • I was surprised that there were not more brutal admonitions about hacking core, but suspect that's because they represent much fewer vulnerabilities than badly designed contrib.
  • I was happy to see some coverage of CVS and Drush, namely using CVS to keep code up-to-date
  • Nice coverage of security-related modules starting around p.41
  • A brief mention is made that using mixed-mode SSL is pretty pointless. This is a big deal, I wish it had gotten further coverage.
  • Being more of an optimist, I appreciated this particular phrase: "Every day there are more and more techniques being developed to attack sites, but every day there are also Drupal users reviewing code and providing new modules and enhancements to core to keep your site safe." Ahh, a glimmer of hope!
  • Would have liked to see more coverage on the use of form tokens. If one must step outside of the forms api, this could be very important
  • I liked that theme safety was covered, and thought the take on it was interesting: Make the theme secure by giving themers no reason to make stupid mistakes.
  • Since the 'Vulnerable' module was patched up in the end, maybe it should actually be named to indicate that it's meant to be a useful module. That would feel more like a practical example.
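Two of the notes above are worth seeing in code: the point from "A couple things I learned" that drupal_access_denied() does not stop execution on its own, and the wish on this list for more coverage of form tokens when you step outside the Form API. The following is an added Drupal 6 example, not from the book or this post; the module name (tokendemo), the menu path and the token seed string are made up for the illustration. It protects a state-changing GET link with drupal_get_token() / drupal_valid_token(), which is the same per-session token mechanism the Form API uses for its CSRF protection.

```php
<?php
// Added example (Drupal 6 API); module name, path and token seed are assumptions.

/**
 * Implementation of hook_menu().
 */
function tokendemo_menu() {
  $items['tokendemo/unpublish/%node'] = array(
    'title' => 'Unpublish',
    'page callback' => 'tokendemo_unpublish_page',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the action link. drupal_get_token() hashes the seed with the current
 * session id and the site's private key, so the link only works for the
 * session that rendered it and only for this node. A copy placed on another
 * site or in an e-mail does nothing.
 */
function tokendemo_unpublish_link($node) {
  return l(t('Unpublish'), 'tokendemo/unpublish/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('tokendemo-unpublish-' . $node->nid)),
  ));
}

/**
 * Page callback. Outside the Form API nothing checks for CSRF, so a GET request
 * that changes state must validate the token itself before doing any work.
 */
function tokendemo_unpublish_page($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'tokendemo-unpublish-' . $node->nid)) {
    drupal_access_denied();
    // drupal_access_denied() only sends the 403 header and prints the page.
    // Without this exit the code below would still run and the node would be
    // unpublished regardless of the failed check.
    exit;
  }
  $node->status = 0;
  node_save($node);
  drupal_set_message(t('%title has been unpublished.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

An equivalent in a page callback is to return MENU_ACCESS_DENIED instead of calling drupal_access_denied() and exiting; index.php turns that return value into the 403 page and no further callback code runs either way. The menu item's access check still applies on top of the token: the permission says who may ever perform the action, the token says the request really came from that user's own page.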

Categories: Planet Drupal
 
 

Drupal is a registered trademark of Dries Buytaert.