You have found yourself newly-responsible for administering and updating a Drupal site created by somebody else, and you’re struggling. Maybe you’re new to Drupal and you’ve been thrown into the fire. Or maybe you’re experienced with Drupal but the site creator used an unfamiliar approach. Or even worse, perhaps the site was not built according to best practices, and you need to dig deep to figure out how it works and keep it updated. Whatever your situation, this presentation has something for you.
2. About me...
● Working with Drupal since 2007.
● Run my own consultancy.
● Implemented sites of all sizes on Drupal 5, 6, 7, and 8.
● Have inherited many Drupal sites.
paul@turbojettech.com
Twitter: @paulmckibben
4. Don’t panic! You can figure this out.
We will cover:
● Drupal basics.
● Determining the state of your inherited Drupal site.
● Learning how your site works.
● Pitfalls, bad behavior, and war stories.
7. Terminology
● Module: code package that extends Drupal’s capabilities. (Panels, Webform, Views …)
● Theme: code package that influences what Drupal’s output looks like.
● Install profile: a packaged distribution of Drupal core plus extra modules and themes for a specific purpose. (Commerce Kickstart, Panopoly, OpenPublic …)
8. Most common versions of Drupal
● Drupal 8 was released about a year ago. Latest release is 8.2.1.
● Drupal 7 was released in 2011. Latest release is 7.51. Community support continues until Drupal 9 is released, years from now.
● Drupal 6 is end-of-life. Final release was 6.38, early this year. Some companies still provide long-term support and security patches at https://www.drupal.org/project/d6lts
9. Drupal 7 code structure (Drupal 6 is similar)
[root]/
  includes/, misc/, modules/, scripts/, themes/: Drupal core files
  authorize.php, cron.php, index.php, install.php, update.php: Drupal core files
  profiles/: install profile code goes here, if applicable
  sites/
    all/: this is where you extend and customize Drupal’s functionality
      modules/
        contrib/: modules downloaded from drupal.org
        custom/: custom-coded modules
      themes/: contributed and custom themes
    default/
      files/: uploaded files (images, documents, etc.)
      settings.php: site configuration (database connection settings, etc.)
    (may have multisite directories too)
10. Drupal 8 code structure
[root]/
  core/: Drupal core files
  vendor/
  autoload.php, index.php
  profiles/: install profile code goes here, if applicable
  modules/ and themes/ are where you extend and customize Drupal’s functionality:
  modules/
    contrib/: modules downloaded from drupal.org
    custom/: custom-coded modules
  themes/: contributed and custom themes
  sites/
    default/
      files/: uploaded files (images, documents, etc.)
      settings.php: site configuration (database connection settings, etc.)
      services.yml: service container settings
    (may have multisite directories too)
11. Drush: the Drupal Shell
● Drush is a command line tool for managing your Drupal installation.
● Useful for accomplishing administrative tasks quickly.
● Essential for auditing and accessing a Drupal site you have inherited.
● Drush resources:
○ Drush homepage: http://www.drush.org/
○ FAQ: https://www.drupal.org/drush-faq
○ Drupalize.me drush series: https://drupalize.me/videos/what-drush?p=1156
13. State of Your Site: First Look
● Can you log in?
● Drupal version
● Install profile?
● Installed modules
● Status report
14. Logging in - becoming User 1
● Only the Drupal user with uid=1 is guaranteed full privileges.
● Get User 1 credentials from previous developer, if you can.
● Try drush commands such as drush user-login.
15. Logging in - becoming User 1
● If you have database access:
○ Change the user 1 email address:
-- Drupal 6/7 schema; Drupal 8 stores mail in the users_field_data table.
UPDATE users SET mail='myaddress@example.com' WHERE uid=1;
○ Go to /user/password and mail yourself a reset link.
● More ideas from Drupal.org documentation: https://www.drupal.org/node/201871
16. What version of Drupal do I have?
Go to the status report page, admin/reports/status
This report will also tell you if you have an install profile.
17. Another way to see the Drupal core version
Look at the .info or .info.yml file for a core module (I use “node”):
Drupal 6 or 7: [root]/modules/node/node.info
Drupal 8: [root]/core/modules/node/node.info.yml
18. What else is in the status report?
● When was cron last run?
● Are updates available for core or contributed code?
● Are security updates required?
● Are any database updates outstanding?
● PHP version and link to “phpinfo” configuration information
● Database type and version
● Some Drupal modules also add messages to this screen.
21. State of Your Site: Digging Deeper
● Setting up a local copy of your site
● Site audit tools
● Has any code been hacked?
● Are there security issues?
● Are updates available?
22. Setting up a local copy of your site
● Why? Because you can test changes and make mistakes without affecting the live site.
● Need a local *AMP stack: Apache, MySQL, PHP. Options include:
○ Install Apache, MySQL, and PHP directly.
○ Tools such as MAMP, WAMP, Acquia Dev Desktop, etc.
○ Virtual machine: run a virtual Linux server on your PC or Mac. The drupal-vm project is excellent for this.
● See https://www.drupal.org/docs/develop/local-server-setup for guidance.
23. Setting up a local copy of your site
Once you have your *AMP stack set up, you’ll need:
● The entire Drupal code tree, except (optional) sites/default/files
○ Transferring large file uploads to your local copy is time/bandwidth consuming.
○ Use the stage_file_proxy module to access your hosted files from your local site
● A database dump from your live site
○ The backup/migrate module may be helpful
○ phpMyAdmin, mysqldump, and drush sql-dump are also great
24. Site Audit Tools
Great tools to help you find problems on your site:
Project          URL                                             Type           Drupal versions
Hacked           https://www.drupal.org/project/hacked           Drupal module  6, 7, 8
Site Audit       https://www.drupal.org/project/site_audit       Drush tool     7, 8
Security Review  https://www.drupal.org/project/security_review  Drupal module  6, 7, 8
Drupalgeddon     https://www.drupal.org/project/drupalgeddon     Drush tool     7
25. Has any code been hacked?
● Hacked means: Drupal core or contributed module code has been modified from the downloaded version.
● Strongly discouraged (think of the kittens).
● The “Hacked” module allows you to detect modified code. (But it’s not perfect.)
26. Example report from Hacked module
Drush version of the Hacked project report: drush hacked-list-projects
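One way to check by hand for the kind of modification described above is to compare the deployed tree with a pristine download of the same release. This is an added example, not the Hacked module's code or the presenter's; the function names, the SITE_SPECIFIC skip list and the sample trees are assumptions made for illustration.

```python
import hashlib
import pathlib
import tempfile

# Paths that legitimately differ from a pristine core download (assumed list).
SITE_SPECIFIC = ("sites/", ".htaccess", "robots.txt")


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for path in pathlib.Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(SITE_SPECIFIC):
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_pristine(pristine_root, deployed_root):
    """Return (modified, missing, added) relative paths."""
    clean, live = manifest(pristine_root), manifest(deployed_root)
    modified = sorted(p for p in clean if p in live and live[p] != clean[p])
    missing = sorted(set(clean) - set(live))
    added = sorted(set(live) - set(clean))
    return modified, missing, added


def demo():
    """Compare two small constructed trees (sample data, not real Drupal files)."""
    clean = {"index.php": "<?php // front controller\n",
             "includes/bootstrap.inc": "<?php // bootstrap\n",
             "modules/node/node.module": "<?php // node\n"}
    live = {"index.php": clean["index.php"],
            "sites/default/settings.php": "<?php // site configuration\n",
            "modules/node/node.module": "<?php // node, edited in place\n",
            "modules/node/extra.php": "<?php // not part of the release\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for top, files in (("clean", clean), ("live", live)):
            for rel, body in files.items():
                target = pathlib.Path(tmp, top, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return compare_to_pristine(pathlib.Path(tmp, "clean"), pathlib.Path(tmp, "live"))


if __name__ == "__main__":
    print(demo())
```

The same function works for a single contributed module: pass the pristine module directory and the deployed one. Files reported as added deserve as much attention as modified ones, since they are in the code tree but not in the release.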
27. FAQs about hacks
● If hacking is so bad, why does it happen?
○ Desperation
○ Inexperienced developer
● Why is hacked code a problem?
○ Makes updating Drupal code difficult.
○ Must either preserve the hack or build the equivalent change correctly.
● What’s the right way instead of hacking?
○ Use a custom module or theme to override functionality.
I will not hack Drupal...
30. The Drupageddon Exploit
● Drupal 7 exploit announced October 15, 2014, corrected in Drupal version 7.32. See https://www.drupal.org/SA-CORE-2014-005
● Many sites not promptly updated or patched got exploited. See https://www.drupal.org/PSA-2014-003
● Your inherited site may be a victim, even if it is on 7.32 or higher.
31. What is Drupageddon?
● A security hole in Drupal 7 core (prior to 7.32) allowed SQL injection. (Also Drupal 8 prior to 8.0.0 beta 2)
● Made it possible for a malicious user to modify the database from (e.g.) the login page and gain complete access.
● Exploiters installed malicious backdoor code and then covered their tracks.
32. Detecting Drupageddon
● Use the drupalgeddon (with an L) tool: https://www.drupal.org/project/drupalgeddon
● If it shows issues, your site is (or was) infected.
● If it does not show issues, it doesn’t mean your site is not infected.
● Any site that was publicly accessible on October 15, 2014 and did not get promptly patched was probably impacted.
If your site was exploited, recovery is not easy.
A good discussion of what you can do: https://www.drupal.org/node/2365547 - “Your Drupal site got hacked. Now what?”
33. Check Available Updates: admin/reports/updates
Make sure the core “Update Manager” module is enabled.
34. Should I update?
Imperative: have the latest security release of core and contributed modules.
Recommended: have the latest stable release of core and contributed modules.
Drupal core major version    6      7      8
Latest security release      6.38   7.44   8.1.10
Latest release               6.38   7.51   8.2.1
Information current as of October 19, 2016
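The version checks described in this presentation can be scripted: read the core version from the node module's info file, compare it numerically with the security releases quoted above, and flag Drupal 7 sites older than 7.32. This is an added example, not code from the presentation; the function names and sample info-file contents are constructed, and only the Drupal 7 side of SA-CORE-2014-005 is checked.

```python
import re

# Figures quoted on this page (current as of October 19, 2016).
LATEST_SECURITY_RELEASE = {6: (6, 38), 7: (7, 44), 8: (8, 1, 10)}
DRUPAGEDDON_FIXED_IN = (7, 32)  # SA-CORE-2014-005

# Matches `version = "7.51"` (.info) and `version: '8.2.1'` (.info.yml).
VERSION_LINE = re.compile(r"""^\s*version\s*[=:]\s*['"]?(\d+(?:\.\d+)*)""", re.M)


def core_version(info_text):
    """Return the core version as a tuple of ints, e.g. (7, 51), or None."""
    match = VERSION_LINE.search(info_text)
    if match is None:  # e.g. a git checkout, where the line reads "version = VERSION"
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(info_text):
    """Return a list of findings for the contents of a node info file."""
    version = core_version(info_text)
    if version is None:
        return ["version not recorded in info file; check admin/reports/status"]
    findings = []
    latest = LATEST_SECURITY_RELEASE.get(version[0])
    if latest is None:
        findings.append("major version %d is not in the table" % version[0])
    elif version < latest:  # tuple comparison, so 8.1.9 < 8.1.10 and 7.9 < 7.32
        findings.append("behind latest security release %s" % ".".join(map(str, latest)))
    if version[0] == 7 and version < DRUPAGEDDON_FIXED_IN:
        findings.append("older than 7.32: exposed to SA-CORE-2014-005")
    elif version[0] == 7:
        findings.append("at or above 7.32, but may have been exploited before it was updated")
    return findings


# Constructed sample file contents, not taken from a real site.
D7_INFO = 'name = Node\ncore = 7.x\nversion = "7.9"\nproject = "drupal"\n'
D8_INFO = "name: Node\ntype: module\ncore: 8.x\nversion: '8.1.9'\nproject: 'drupal'\n"

if __name__ == "__main__":
    print(assess(D7_INFO))
    print(assess(D8_INFO))
```

Comparing versions as tuples of integers matters here: compared as strings, "7.9" sorts after "7.32" and "8.1.9" after "8.1.10", which would hide exactly the sites that need attention.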
35. Update vs. Upgrade
Definitions:
● Update: installing the latest software for your major version (e.g. 7.44 to 7.51)
● Upgrade: moving to a newer major version of Drupal (e.g. 7.44 to 8.2.1)
Updating Drupal core is usually straightforward:
● Replace old core files with new core files, but preserve site-specific changes to .htaccess, robots.txt, settings.php, etc.
● Run the database update script (update.php or drush updb).
Upgrading Drupal core is usually not straightforward. In most cases, the best approach is to rebuild and migrate.
36. How to update Drupal core
Where to find instructions for updating:
● ALWAYS test your update in a non-production environment first.
● Drupal 6: https://www.drupal.org/node/390448 - also, see UPGRADE.txt
● Drupal 7: https://www.drupal.org/docs/7/update - also, see UPGRADE.txt
● Drupal 8: https://www.drupal.org/docs/8/update - also, see core/UPDATE.txt
37. How to update contributed modules
Updating contributed modules is similar to updating Drupal core:
● Replace the old module code with the new module code.
● Run the database update script (update.php or drush updb).
39. Reverse Engineering Your Site
● Identifying common Drupal constructs
● How modules work (overview)
● How themes work (overview)
40. Get to know your browser’s developer tools
● Major browsers all have built-in web inspection tools.
● Chrome/Firefox/Safari: right-click over the HTML element and select the “Inspect” menu item (Safari: may need to enable developer tools first).
● Internet Explorer: hit F12.
41. Common Construct: Node
● Most common way to represent content.
● A node is an instance of a content type:
○ Article
○ Page
○ Press Release
○ Video
○ Whatever else you may define
● A node can be represented as a page
● A node can appear in a listing, e.g. a view
44. Common Construct: Block
● Blocks are boxes of content, e.g. a search form or a copyright statement.
● A block is displayed in a selected region on a page, e.g. a sidebar, header, or footer.
● Modules can define blocks, e.g. the core search module defines a Search block
● A site administrator can also define custom blocks.
46. Common Construct: View
● A view is a list of entities, usually nodes.
● Requires the Views module, a contributed module in Drupal 7 and earlier.
● In Drupal 8, Views is part of core.
● A View might be used for:
○ A list of press releases or blog posts
○ A page that lists the executives of a company
○ A map with several locations plotted on it (requires accompanying geocoding and map modules)
○ A slideshow (requires custom theming/javascript or the Views Slideshow module)
● Views documentation: https://www.drupal.org/documentation/modules/views
48. Common Construct: Panels
● Panels is a contributed module (actually a set of modules).
● Makes it easy to lay out content within a page.
● A Panel is divided into a set of Panes.
● Related to Panels:
○ Mini-panels
○ Panelizer
● Panels documentation: https://www.drupal.org/node/496278
50. Is a custom module doing this?
● Sometimes a Drupal page is not a node, a view, a panel, or something else where an administrator configures the URL path.
● You can find out if a custom module (or any other module) is responsible for a page by seeing if the module implements the URL path as a route:
○ Drupal 6 and 7: Look for implementations of hook_menu: a function named [modulename]_menu.
○ Drupal 8: Look at the [modulename].routing.yml file.
55. Pitfalls, Bad Behavior, and War Stories
● Improperly installed modules
● Questionable, impostor, and abandoned contrib modules
● Business logic in theme template
● Your war stories?
57. Questionable contrib modules
An Acquia module?
● Acquia is the company founded by Drupal creator Dries Buytaert.
● But I had never heard of a module called Acquia.
● I couldn’t find a Drupal.org project that matched the Acquia module or any of its submodules.
● Further research: this module came from an independent developer in Italy and was sold on Envato.
58. Complex PHP logic in theme templates
● Theme templates are supposed to be for markup.
● However, since they are PHP files in Drupal 6 and 7, it’s possible to put any PHP code in them.
● Too much PHP in the template files leads to maintainability problems. (What if you want to change the theme?)
● Violates the separation of business logic from presentation logic.
60. Remember, Don’t Panic
We covered a lot, but you now have resources to learn more.
If you need help:
● https://www.drupal.org/community lists where you can ask questions, e.g. IRC and the drupal.org forums.
● You can seek professional support from a Drupal expert or an agency.