Drupal News

Drupal.org - aggregated feeds in category Planet Drupal
Updated: 27 min 34 sec ago

Mediacurrent: Culture, Code and Karaoke

6 hours 42 min ago

What is “culture” and why do we take so much time trying to define it? Is it really important or just another buzzword? This past weekend, we were afforded the opportunity to have a company retreat that went the distance in proving that culture is something that can’t be bought and paid for; it’s something unique to us, and our success really does hinge on its influence. Our people, our relationships, our “culture” is what makes Mediacurrent, Mediacurrent.

Acquia: Learning from hackers a week after the Drupal SQL Injection announcement

7 hours 59 min ago

Since October 15th, hackers have been busy coming up with creative ways to exploit the SQL Injection in Drupal 7 sites revealed by SA-CORE-2014-005. A week has already passed, and attacks are still ongoing. In a previous post, Moshe Weitzman explained how we were able to protect our customers' sites the moment the vulnerability was announced.

Zero to Drupal: Headless Drupal & AngularJS Hackathon (Recap)

9 hours 35 min ago

Last night I had the privilege of walking us through our first interactive Drupal meetup here in St. Louis. I'll be honest, I didn't have time to fully plan the night out like I had hoped but everything actually turned out great and it was one of the most fun I've had at a meetup in a while.

Security Release

First up, we discussed the recent security release for Drupal 7. Thankfully, everyone in the room was aware of the release and had taken action to patch their sites. Beaven Rudge wrote a great article discussing how important it is to take action against any public Drupal 7 site you've got up. I highly recommend reading through the info-graphic that he posted.

Digging in - The Fun Part

Our goal for the evening was to build two applications for our faux pizza company "Dangulo's" (special credit goes to Jeff Geerling for the name). The first would use Drupal as a backend admin and data api. It would also be used to manage ingredient inventory and process orders. The second would be a separate AngularJS application that would serve a fairly dynamic form that customers would use to order our world-famous pie.

Before we dove in, we had to give an impromptu (and hopefully coherent) walkthrough of how AngularJS works and why we would choose to use it in this case. It's important to note that nearly any front-end framework could have been used for the customer-facing app. However, lately a good portion of my time has been spent with AngularJS so that's the route we chose for this project.

Once we had a good understanding of our architecture and how everything needed to be structured, we moved to the Drupal side. For this project, we decided to go with the beta2 version of Drupal 8. Thankfully, most in the room didn't have much trouble getting D8 up and running.

Drupal Configuration

Within our Drupal app, we needed to:

  • Create a Toppings vocabulary with:
    • Title - the name of the topping
    • In Stock (boolean) - Whether the topping was in stock
  • Create an Orders content type with the following fields:
    • Name (text) - The name of the customer
    • Quantity (number) - The number of pizzas being ordered
    • Toppings (taxonomy term reference) - Referencing Toppings
  • Create a view that output a JSON-formatted list of toppings with:
    • Title
    • In stock

After creating the taxonomy, content type, and views, we created some sample ingredients and ended up with a pretty cool api endpoint for our ingredients.

Hello AngularJS

Next, we moved onto the AngularJS side. For this project, I created a starter app (which can be cloned/downloaded at github) that everyone downloaded so that they wouldn't have to start from zero. I actually used Yeoman to generate this app but decided to just push up a build of the app since no one had had node and/or grunt installed. This led to a small issue that all of the files were minified & uglified but given that we only had two hours to get things going, we forged ahead. If you're interested in working with the full app, it can be found here.

After configuring our controller to use $http to query our Drupal endpoint, and adding some markup to our orders view, we ended up with a list of ingredients from Drupal. Woot!

I'll admit, the app isn't that exciting at this point but the fact that we were able to manage content in Drupal, have it output in a standard format, and then use a completely decoupled application to view that data was very rewarding. Sadly, we ran out of time before we could go any further but in the end, I think we covered a lot of ground.

Next up?

Obviously, our apps are lacking a lot of functionality before they could be considered "production-ready". Things that we weren't able to get to include:

  • Nesting ingredients into categories (ie meats, cheeses, veggies, etc)
  • Building the actual form in AngularJS that has dynamic components (ie showing/hiding toppings selection, order total, etc)
  • Creating order nodes in Drupal from the AngularJS app

Given that we've got so much work to do, we've decided to extend our interactive session into a second meetup. So mark your calendars as we will meet again in November for our last meetup of the year. Our goal will be to finish out our app and head into the holidays with a better understanding of this brave new world.

Special Thanks

Lastly, I'd like to send a special thanks to Relay Technology for hosting our meetup. Josh Paydon stopped by and gave us some great insight into their company, as well as how the tech scene is evolving in St. Louis. If you're a developer looking for work in the St. Louis area, I highly recommend getting in touch with them as they're a great company with some great opportunities available.


Zivtech: Experiencing Portland at the HighEdWeb 2014 Conference

10 hours 58 min ago

Over the past few days, Alex and I have been out in Portland, Oregon for the HighEdWeb Association’s annual conference. The conference, which is focused on technology in higher education, took place from October 19-22, and featured many incredible presentations, riveting keynote speakers, and talented higher education professionals. As sponsors of the conference, we were proud to be able to support an organization that is built upon the use of technology and the web in higher education, and we were excited to be surrounded by so many dedicated professionals.

One of my favorite parts of the conference (which was my first big conference, by the way), was the opportunity to learn about the jobs many of the attendees had within their universities. Hearing first-hand their experiences, struggles, and successes helped put their needs into perspective in a way I had not yet experienced. As a previous student, it was heart-warming to see the dedication of these professionals and to learn how integral each and every one of them is to the success of their college or university.

Thanks to the HighEdWeb Association and its sponsors, we were also able to attend some of the awesome evening gatherings throughout Portland. My favorite event was the social at the World Forestry Center, complete with a live karaoke band, incredible doughnuts from Portland's own Voodoo Doughnut, and various other food and drinks. The karaoke band, Karaoke from Hell, really made the night, as everyone bravely belted out some tunes from their favorite songs. At times it felt like a true, live concert--some of you HighEdWeb members can really sing!

I am truly thankful that HighEdWeb was my first big conference experience, and I am so happy I was able to go and meet many of the wonderfully talented individuals who attended. It was great getting to hear from everyone, and I loved learning more about their work. I know everyone I spoke with had a blast, and we are all looking forward to 2015.

Were you at the HighEdWeb 2014 conference? Let us know what you loved most down below in the comments.

Terms: HigherEdWeb, HEWeb14, Higher Education, Drupal, Drupal Planet, Sponsorship, HighEdWeb

Deeson: Five Drupal modules you're probably missing out on

11 hours 30 min ago

Here are five under-rated Drupal modules with less than 10,000 installs (at the time of writing!) which we use all the time.

1. Paragraphs 

Take a look at this fully flexible content creation module called Paragraphs which has 822 reported installs.

Our Content & Marketing Strategist, Emily Turner, explains: 

"Paragraphs enables me to create visually interesting content easily. I can choose from a variety of block types which support text, images and iframe content. I can reorder them and control the look quickly, switching alignment left or right. At Deeson, we've put a lot of effort into customising Paragraphs to help with the editing and publishing process. It makes blogs look more lively and gives creators the control they crave."

2. Coffee

Navigate through Drupal admin quickly with Coffee, which has 7,577 installs reported.

So if you're finding the nav bar a little slow, give this a go! Just Alt+D and type away.

Mac users will know this as similar to Alfred.

3. Navbar

Take a look at Navbar, with 6,238 reported installs, for a mobile friendly nav bar. 

This is a backport of the Drupal 8 mobile friendly nav bar. We are using this for all new sites.

4. Image Field Focus

We're a big fan of Image Field Focus, which has 5,525 reported installs.

It allows smart cropping of images and combines well with the Picture element, as we explored in our recent post.

5. Publication date

The Publication Date module is the missing date stamp in Drupal and has 1,548 reported installs.

It automatically sets itself when you tick the publish box so that newly published content will always be at the top of your listings, even if it’s been in draft for months.

Have we missed any?

Come and tell us on Twitter the Drupal modules you think need a shout out. 

Drupal Watchdog: Drupl'Art

12 hours 9 min ago
Column

I like new movies and old music.

Why new movies but old music?

Maybe new TV is better because old movies – and TV – were not very good simply because moving pictures were a new medium, and it has taken artists time to mature.

Maybe old music is better because rock 'n' roll of the ‘60’s and ‘70’s was particularly brilliant, a musical Renaissance era.

But we do know that art is subjective; what I like is not necessarily what you like.

So though I prefer contemporary movies over the classics, some people opt for the opposite; they think old TV shows were the Renaissance period – and I just have no taste for good television.

Is there possibly another explanation, having to do with repetition?

Does repetition strengthen and reinforce one’s preference? Or do we just repeat things we like... a lot?

I often watch every episode and every season of a TV show I enjoy, but I watch each episode only once. Each episode is similar, but different. The patterns of the characters and interactions are similar, but the dialogue and exact story is, of course, different.

But with music, not only do I listen to the same artists, I listen to the same songs over and over again. I’ve heard “Jailhouse Rock” a million times, but only watched the movie once or twice. Hearing something I like, repeatedly, reinforces the song’s pattern, makes me more comfortable with it, and, I think, ultimately leads me to liking it more.

The same could be said of software patterns.

Building on my last article on “Sculpting Conditionals,” nothing helps me more than reviewing someone else's code. I can quickly detect a pattern I’m not familiar with. Frequently, an unfamiliar design pattern indicates trouble. And if the bad pattern occurs once in a code review, it’s worth checking to see if it was done elsewhere in code that is already committed. Unfamiliar patterns should be a klaxon horn, something deserving attention. After some study I might discover that the new pattern is actually better than the old pattern, and it will become something I adopt, but it is always initially a warning.

Code Karate: Entity Reference View Widget

13 hours 28 min ago
Episode Number: 175

If you have ever built a site using the entity reference module, then the Entity Reference View Widget module is a module that you should know about. It isn't always necessary, but can be a lifesaver if you have a lot of referenced content that you need to sort through and select from on your Entity Reference fields. This is a good replacement for using a traditional autocomplete field for your entity reference fields.

In this lesson you will learn:

Tags: Drupal, Entity Reference, Drupal 7, Drupal Planet

Drupal Bits at Web-Dev: Drupal: Altering Page Title and or Title Tag

Thu, 10/23/2014 - 18:41

Sometimes you need to alter the title that appears on the page and/or the title tag in Drupal 7. If you need to make them both the same, a call to drupal_set_title() from within a hook_preprocess_page() will do it.

Drupal core announcements: All the sprints at and around DrupalCon Latin America Bogotá

Thu, 10/23/2014 - 15:10
Start:  2015-02-08 (All day) - 2015-02-13 (All day) America/Chicago User group meeting

https://latinamerica2015.drupal.org/sprints

We have a great tradition of extended sprints around big Drupal events including DrupalCons and Drupal Dev Days. While there is a sprint day included in DrupalCons (usually) on the last day of the con, given that a lot of the Drupal core and contrib developers fly in for these events, it makes a lot of sense to use this opportunity to start sooner and/or extend our stay and work together in one space on the harder problems.

DrupalCon Latin America in Bogotá is the next DrupalCon! We are still looking for space and additional sponsors for the sprints before/after to help with space, internet, coffee, tea and maybe food. There are already various sprints signed up including Multilingual and Sign me up for anything. We are really friendly and need all kinds of expertise!

Now is the time to consider if you can be available and book your travel and hotel accordingly!

Join the sprinters -- sign up now!

Practical details

Dates

February 8 - 13 2015 (all days at DrupalCon and some days both before and after).

Times and locations

  • Feb 8: Extended sprint, location: TBD
  • Feb 9: Maybe at the venue. (There is also training this day.)
  • Feb 10 - 11: These are session days. Sprint lounge at venue.
  • Feb 12: Official sprint day, location: TBD
  • Feb 13: Extended sprint, location: TBD

Sponsors

??

Looking for sponsors

We are looking for more sponsors to be able to pay for extra expenses. If you are interested sponsoring or if you need sponsors to cover expenses, please contact me (YesCT).

Frequently asked questions

What is a sprint?

Drupal sprints are opportunities to join existing teams and further Drupal the software, our processes, drupal.org and so on.

Do I need to be a pro developer?

No, not at all. First of all sprints include groups working on user experience, designs, frontend guidelines, drupal.org software setup, testing improvements, figuring out policies, etc. However you can be more productive at most sprints if you have a laptop.

Why are there 6 consecutive days of sprints?

DrupalCon is the time when most people in the Drupal community get together. We try to use this time to share our knowledge as well as further the platform in all possible ways. Therefore there is almost always an opportunity and a place to participate in moving Drupal forward.

What if I'm new to Drupal and/or sprinting, how can I join?

If you feel new and would love helping hands, the best day to start is the Thursday Feb 12 sprint day. This is the biggest sprint day with lots of people sprinting and different opportunities based on experience level. For a guided introduction to the tools and processes we use to collaborate, go to the First Time Sprinter workshop in the morning. If you know the tools but still could use help picking issues and going through the process, the Mentored Core Sprint is for you.

I worked on Drupal before, which sprints are for me?

If you have experience with Drupal issues and maybe already know a team/topic, any days of a DrupalCon may be your sprint days, and even the days before and after. These sprints do not have formal mentoring available, but of course if you have questions, there are always plenty of friendly people to help you. The community organizes off-site sprint opportunities for the days before/after DrupalCon and the event itself provides sprint locations from Feb 10 -12 throughout the session days in the event venue and in the official event hotel. These sprints are broken down to teams working on different topics. It is very important that you sign up for them, so we know what capacity to plan with.

Further questions?

Ask me (YesCT), I am happy to answer.


Last Call Media: The Drupal Throbber

Thu, 10/23/2014 - 14:42

Blair Wadman: Improve Drupal email delivery rates by using Mandrill

Thu, 10/23/2014 - 14:40

Recently one of my clients had a problem with a large portion of transactional email never being seen. The emails were being directed to the recipients' spam folders and were generally being over-looked. These were important emails regarding things like membership confirmations, invoices and event information and were critical to the experience of the members.

Why was this happening? Mostly because the emails were being sent by the web server. I switched it to Mandrill, a service designed to take care of the headaches of sending transactional email, and this greatly improved the delivery rate.

It is notoriously difficult to ensure emails from your application (such as Drupal) actually get delivered without getting caught in spam filters. Email providers like Mandrill have the expertise to maximise delivery rate. You are unlikely to have the time or expertise to manage this process for your own web server.

Mandrill provides great stats so that you can gain a greater understanding of email delivery, if it is getting caught by spam filters, bounces, open rates etc. You can also test different versions of the same email to see which one performs best in terms of open rates...

Tags: Drupal Site building, Planet Drupal

Mediacurrent: Drupal at Dreamforce

Thu, 10/23/2014 - 14:16

It’s been several days since the finale of Dreamforce 2014. With over 100,000 attendees, Dreamforce is one of the world’s largest cloud computing and business conferences.

Drupal core announcements: Drupal Global Sprint Weekend January 17, 2015 and January 18, 2015

Thu, 10/23/2014 - 13:33

Small local sprints everywhere (well, not everywhere, but anywhere) will be held during the weekend of January 17 and 18 2015. Listed alphabetically by continent, country, locality.

This is a wiki page. Please edit.

Africa

  1. ?

Asia

  1. ?

Europe

  1. ?

North America (ordered by country, then state)

  1. ?

South America (ordered by country, then state)

  1. ?

To participate,

  • use "Drupal Sprint Weekend 2015" in the description of your sprint meetup, sprint camp session, mini-sprint, wind-sprint, or all-day sprint, like: "Drupal All-day Sprint in Anywhere Town, IL, USA is part of Drupal Sprint Weekend 2015."
  • add a link to your sprint on this page. The link can be to a website, meetup, event on groups.drupal.org, blog post or whatever is appropriate for your event.
  • link back to this listing of local sprints
  • add an "event" of type "sprint" on groups.drupal.org in a group for your area, to put your sprint on drupical.com and get exposure to people in your area
  • use the hash tag #SprintWeekend on twitter
  • use the tag "SprintWeekend2015" on d.o issues

For resources to help plan your sprint:

Resources for participating in a sprint (needs updating for 2015, but this is a start):

A blurb to add to your session/event description (edit to fit your event):

Everyone is welcome; if you have built a site in Drupal, you can contribute. We will split into groups and work on Drupal core issues. Bring your laptop. For new folks: you can get a head start also by making an account on Drupal.org, getting some contribution tools, and developers can install git before coming and git clone Drupal 8 core.

The curious might want to see the locations from 2014 and 2013.

Drupal Watchdog: Drupal Static Caching

Thu, 10/23/2014 - 11:10
Article

Drupal at scale is possible, and indeed, even powerful. Ask someone what they think of Drupal, though, and more often than not they'll tell you that they've heard it's slow. I've seen a lot of poorly-performing Drupal sites in my line of work, and caching is by far the most common reason for the gap between possibility and practice. Even the most basic Drupal installation brings an excellent multi-tier caching architecture to the table, but unfortunately it's easy for developers to break it.

Perhaps the most frustrating caching problem is when developers miss easy opportunities to leverage static caching in their custom modules. By storing computed function results in static PHP variables, further calls to the same method can be made hundreds or thousands of times faster. Taking advantage of this technique requires minimal developer effort: if a result has already been computed, return it; otherwise, store the new result in the cache before returning it.

    function apachesolr_static_response_cache($searcher, $response = NULL) {
      // Per-request cache of Solr responses, keyed by searcher.
      $_response = &drupal_static(__FUNCTION__, array());

      // Called with a response: store a copy for later callers.
      if (is_object($response)) {
        $_response[$searcher] = clone $response;
      }
      if (!isset($_response[$searcher])) {
        $_response[$searcher] = NULL;
      }
      return $_response[$searcher];
    }

The Apache Solr module uses static caching in several places, such as ensuring that only one Solr search will be performed per request, even when there are several search-related blocks on the page.

Like any caching solution, the performance benefits of static caching depend on whether the speed benefit of cache hits outweighs the performance overhead associated with cache misses. The largest performance gains come from caching functions that are time-consuming, repeated often within a single PHP execution, and expected to return the same value more often than not. This is a well-defined set of conditions, and a lot of Drupal code meets them.

Aten Design Group: Organizing Features for Complex Drupal Sites

Thu, 10/23/2014 - 10:34

We build Drupal sites with a combination of site code and the settings that Drupal stores in the database. Settings are easy for someone with no coding experience to change; but we can't track setting changes in the database as easily as we can track changes in code.

Drupal’s Features module is the most widely adopted solution in Drupal 7 for storing settings as version-controlled configuration in code. Like with most things Drupal, there isn’t just one approach to configuration in code: a few Aten folks have been working on another approach called CINC.

If you do decide to use the Features module, you’ll quickly learn there isn’t a single way of creating features. Drupal Kit provides some guidelines, but structuring and organizing Features-created modules is largely left up to the developer. Things can quickly get unwieldy on a complex site with multiple developers and many Features. In cases where Features is a project requirement, we’ve created a process that has worked well for us.

Be consistent with Features naming conventions

Our Feature names follow this convention: [projectshortname]_[summary]_[package_name]_feature

  • [projectshortname] This three-character code is decided at the beginning of a project and keeps the custom module and feature names unique to the project.
  • [summary] This is a super-short summary of the specifics of the feature.
  • [package_name] This should closely follow the package naming convention set for the project. Keep reading to learn more about package names.
  • feature This lets others know that this module was created by Features and also helps keep the module name unique.

Examples in practice

  • Page content type - abc_page_entity_feature
  • Image style definitions - abc_image_styles_config_feature
  • Blog View - abc_blog_views_feature

Categorize Features by providing a package name

When creating a new Feature, you can specify a package name. This is the same as defining “package = [something]” in a custom module .info file. The Package name groups your feature on the Features list page and the overall modules page. Being consistent with package names makes it easier for other developers and clients to find available features. We suggest nailing down package names at the beginning of a project. Our package names typically look something like this:

  • [projectshortname] Configuration (image styles, text formats, search settings, various module settings)
  • [projectshortname] Entity (content types, fields, field collections, taxonomies, etc.)
  • [projectshortname] Views (views defined by views module)
  • [projectshortname] Page (page manager & panels)

Create a directory structure for modules created by Features

Our typical modules directory (sites/all/modules) is structured like this:

  • contrib (modules downloaded from Drupal.org)
  • custom (modules that aren’t contrib and specific to the project)
  • features (modules created by Features)
  • patched (patched contrib modules)

The Features directory (sites/all/modules/features) is then broken down a bit further to make it easier to find what you need. We try to make this mirror package names as much as possible.

  • features
    • configuration
    • entity
      • content_type
      • field_collection
      • shared
      • taxonomy
    • page
    • views

Limit cross-Feature dependencies

It is normal for a Feature to be dependent on other Drupal modules. For example, a content type Feature will be dependent on the Field Group module if using field groups. When creating content type Features, fields used by the content type are tightly coupled with each feature. The quickest way to a cross-Feature dependency is by creating two content type Features that have several shared fields (e.g. body, tags). Content Type One may contain the field base for the body field. Content Type Two also uses the body and now has a dependency on Content Type One.

Cross-Feature dependencies make it hard to have Features that are truly independent and reusable across projects. Our way around this is being very intentional about when we use shared fields and adding them in a completely different Feature. We call this Feature “Shared Field Base”. This shared Feature allows Content Type One and Content Type Two to be completely independent of one another.

At the end of the day, the important thing is to pick an approach and stick with it throughout the project. We’ve created a process that works well for us, but there are other approaches. How does your approach differ from ours? What other tips do you have for creating features and keeping them organized? Are you excited about Drupal 8’s plans for configuration in code?

groups.drupal.org frontpage posts: Unsolicited email incident on Groups.drupal.org

Thu, 10/23/2014 - 09:57

Hi all,

2 days ago there was an unsolicited email incident on Groups.drupal.org. A number of people were added to a group without their permission and subsequently received email notifications for posts and comments in that group. This was done via 'Add members' functionality, which was available to all group organizers on Groups.drupal.org. The problem was reported via the Groups issue queue and other channels and site maintainers took immediate steps to delete the group in question and disable comments on posts to stop email notifications going out to all affected users.

Our next step was to disable 'Add members' functionality to prevent such situations in the future. Group organizers still have 'Invite friend' functionality available to invite people to their groups, which will require users to accept invitation, giving their explicit permission to be added to the group.

We apologize for the inconvenience this caused.

Groups.drupal.org team

Mike Stiv - Drupal developer and consultant: Drush pro for the lazy: Aliases

Thu, 10/23/2014 - 01:00

Drush aliases allow us to execute commands on a remote site from the local console. It is the perfect tool for the lazy Drupal developer. With drush aliases I rarely log in to a remote server; I execute all the drush commands from my local console. It is also great for workflow automation. Continue reading to help you set up your aliases.

Blink Reaction: 27 Questions (and Answers) From My First Drupal 8 Site Build

Wed, 10/22/2014 - 13:40

Blinker Matt Korostoff takes us through the questions he stumbled upon while building his first Drupal 8 site. Take a look.

Drupal core announcements: Drupal core critical issue sprint in Ghent, Dec. 10-14

Wed, 10/22/2014 - 13:18
Start:  2014-12-10 (All day) - 2014-12-14 (All day) America/Chicago Sprint
Organizers:  xjm

Sprint on criticals during Drupal 8's beta

We had a fantastic sprint at and around DrupalCon Amsterdam earlier this month, and thanks to our big push, Drupal 8 is now in the beta phase (second beta as of this writing). Now it is essential to focus on Drupal 8's remaining critical issues, especially upgrade path blockers.

To help move these critical issues forward, the Drupal Association and Wunderkraut are sponsoring a focused sprint in Ghent, Belgium between Wednesday, December 10 and Sunday, December 14 in Wunderkraut's offices (Dendermondsesteenweg 48A-101, 9000 Gent, Belgium).

Space is limited but we welcome your help!

Confirmed attendees include: alexpott, xjm, fago, berdir, plach, yched, swentel, dawehner, Wim Leers, and Gábor Hojtsy. (damiankloip and catch may also be at the sprint.)

The sprint space takes 15-20 sprinters, so we only have limited additional space available, but would love to extend the group more with people who would love to focus on resolving critical issues together. We will likely not be able to take surprise attendees, so please contact xjm to sign up for the sprint.

Remote attendance is also welcome. If you cannot afford traveling to Ghent for this sprint, we can collaborate on IRC as well! See you in #drupal-contribute. You can also help us at the Drupal 8 Critical Burndown sprint during the BADCamp extended sprints and Core Development summit.

(Thanks to Joe Saylor and Gábor Hojtsy for their help!)

Modules Unraveled: How to Restore Your Hacked Site

Wed, 10/22/2014 - 12:30

tl;dr

Rollback a server backup (files and database) from before October 15th 2014.

No server backup?

  1. Run "git status" to find new and modified files.
    • Delete new files
    • Checkout modified files
  2. Thoroughly check files directory for anything unusual.
  3. Make sure the .htaccess file in the files directory restricts code execution
  4. Restore database from pre Oct. 15th backup
  5. Update Drupal Core to latest release

... Read on for details...

I think I might have been hacked. What do I do?

Hi, this is Brian Lewis with Modules Unraveled.

As you probably already know, there was a huge security fix released for Drupal 7 on October 15th (SA-CORE-2014-005). The patch to update Drupal is actually quite small, but the implications of not updating your site are massive. As a matter of fact, if you haven't already updated your site, chances are you have already been hacked. There were automated programs systematically attacking Drupal sites hours after the fix was released. In this video I'm going to show you how to find out whether or not your site has been hacked. And if so, I'll walk you through what you need to do now, to reduce the damage done.

There are two ways to find out whether your site has been hacked. With "git status" and by searching the database.

  • Run "git status" inside Drupal root
    • This will show us any files that have been modified since our last commit. On the live server, there shouldn't be any, so anything listed here, I know is a result of being hacked.
    • This is a huge reason you should be using version control on your site. If you're not, you can try to re-download every module, theme and library you have and download a fresh copy of the version of Drupal core that you had before the attack and replace all of those on your server. I'm hesitant to recommend this as a full fix though, because there may be hidden files, or files in places you don't think to look. Really, my recommendation is a full re-install. If you're in this situation, I'm sure you don't want to hear that, but I hope this gives you a reason to look into Git.
  • Search for "file_put_contents" in database
    • If there is a result, you've been hacked.
    • Click "Browse".
    • Click the "BLOB" link under "access_arguments". This should download a file to your local machine.
    • Open that file with a text editor.
    • Notice that only one file is listed. There may be others that need to be deleted.
  • If there are no extra files in your git repo and no results in the database search, you're not hacked. Update Drupal Core now! Or at least do the hotfix mentioned here as a temporary measure.
  • Delete/checkout all files listed by "git status" (Also check your files directory. The files directory should not be in Git, but that means there's no easy way to view new and modified files, but they could have been placed there. By default, the .htaccess file that is in that directory prevents php code from being executed, but Michael said he has seen an attack that modified that .htaccess file. So, you need to check your site.)
  • Restore Database (Otherwise thoroughly check Users, Node, etc.)
  • Install latest Drupal Core update

Recap:
  1. Run "git status" to find new and modified files.
    • Delete new files
    • Checkout modified files
  2. Thoroughly check files directory for anything unusual.
  3. Make sure the .htaccess file in the files directory restricts code execution
  4. Restore database from pre Oct. 15th backup
  5. Update Drupal Core to latest release

Updates:
  1. Drupal security team member Greg Knaddison (greggles) wrote up a great guide on what to do when you get hacked. He includes things I didn't mention like making a forensic copy of your site to inspect later, and notifying site stakeholders. You can read that here.

Tags: Security, planet-drupal
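
The checks from the post above (git status, the files directory, its .htaccess, and the database search for "file_put_contents"), collected into one read-only triage script. This is an added example, not code from the original post; the function names, the sites/default/files path, the .htaccess heuristic and the use of a plain SQL dump for the database search are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage helpers for the recovery steps in the post.
# Nothing here deletes or restores anything; it only reports what to review.

# Read `git status --porcelain` lines on stdin and print the action the post
# prescribes: delete new (untracked) files, check out modified ones.
plan_from_porcelain() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        code=$(printf '%s' "$line" | cut -c1-2)   # two-character status
        path=$(printf '%s' "$line" | cut -c4-)    # path follows one space
        case "$code" in
            '??') printf 'DELETE %s\n' "$path" ;;
            *)    printf 'CHECKOUT %s\n' "$path" ;;
        esac
    done
}

# List files under the files directory that look like PHP code. The files
# directory is not in Git, so `git status` cannot report these.
suspicious_uploads() {
    find "$1" -type f \( -name '*.php*' -o -name '*.phtml' \) 2>/dev/null | sort
}

# Succeed only if the files-directory .htaccess still restricts execution.
# Heuristic (assumption): the SetHandler marker Drupal 7 core writes must be
# present and uncommented, and no other handler/type mapping may be added.
htaccess_blocks_code() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*SetHandler[[:space:]]+Drupal_Security_Do_Not_Remove' "$1" \
        || return 1
    if grep -Ei '^[[:space:]]*(AddHandler|AddType|SetHandler)[[:space:]]' "$1" \
        | grep -Eqv 'Drupal_Security_Do_Not_Remove'; then
        return 1
    fi
    return 0
}

# Count lines in a SQL dump that contain the string the post searches for.
dump_hits() {
    grep -c 'file_put_contents' "$1" || true
}

# Run every check against a Drupal root; the SQL dump argument is optional.
triage() {
    root=$1
    dump=${2:-}
    files="$root/sites/default/files"   # Drupal 7 default path (assumption)

    echo '== Files Git reports as new or modified =='
    (cd "$root" && git status --porcelain) | plan_from_porcelain

    echo '== Possible code inside the files directory =='
    suspicious_uploads "$files"

    if htaccess_blocks_code "$files/.htaccess"; then
        echo '.htaccess: execution restriction present'
    else
        echo '.htaccess: MISSING OR ALTERED'
    fi

    if [ -n "$dump" ]; then
        echo "file_put_contents lines in dump: $(dump_hits "$dump")"
    fi
}

# Usage: sh triage.sh /path/to/drupal [database-dump.sql]
if [ "$#" -ge 1 ]; then
    triage "$1" "${2:-}"
fi
```

Run it against a copy of the site where possible, so the original stays untouched for later inspection.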
