'You're updated!' Drupal says, with fingers crossed behind back

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current. The popular content management system is used by more than a million sites making it a significant target for hackers. Indeed, in October 2014 attackers took mere hours to compromise untold …

  1. wolfetone Silver badge

    Ah Drupal

    I remember, as one of my first development jobs, was to build a website using Drupal as the CMS. Back then it was Drupal 5, Drupal 6 was just about to be released. It was the only site I built with it, and I'd never do it again.

    Why? Because it was a crock of sugar honey ice tea then, and it still is today. Politicians would do a better job of dealing with the problems the platform has compared to the clowns who are in charge of it today.

  2. Anonymous Coward

    Is a fucking dog

  3. batfastad

    I am a PHP fan and I have to say Drupal is an embarrassment really. I have always avoided it but as an operations bod it has been dumped on me a few times.

    Baseline performance is average at best but if you actually want it to work as a CMS then you need 100+ modules. Then you quickly end up with 10,000+ file includes and 500+ database queries per page.

    Anyone who says they are using Drupal for a high-traffic site is lying. It's most likely Varnish/nginx/a CDN serving the requests with Drupal running as a static content generator behind.

    In my experience a reasonably customised Drupal site is not capable of serving more than 10-20 req/s alone. It doesn't even work without APC/OpCache and Drupal's built-in cache enabled (which is stored in the database... seriously). Throw in memcached/redis to replace the database cache handler and you might get 20 req/s on a not-very-complicated site. Want any interactivity and per-user content on any pages then forget it.

    No doubt people have pushed Drupal performance higher than that. But factor in the time, expense and server resources required to hit higher levels of traffic and Drupal just is not worth it.

    1. Frederic Bloggs

      Re: DrupLOL!

      For me, this is very timely advice. So what would one use?

      1. wolfetone Silver badge

        Re: DrupLOL!

        Pick a PHP framework, and build a website with it. Even better, just build a website with static HTML pages.

        If you're building for a client, then provide them WordPress and charge them to keep WP up to date, or offer them the option of you managing the site for them. If they agree to the latter, repeat step one.

      2. batfastad

        Re: DrupLOL!

        > Pick a PHP framework, and build a website with it. Even better, just build a website with static HTML pages.

        100% this! Go bespoke if you're a bigger client and needing to manage many sites off a single interface/codebase. Get a Laravel/Symfony dev team together, use Composer libraries when possible. You'll be able to get a decent result in a couple of months.

        I'd always advise that than try and wrangle Joomla/Wordpress/Drupal into what you want with hundreds of modules, addons, customisations and dependencies.

        1. cycas

          Re: DrupLOL!

          Maybe because that's what you know?

          Personally I like Drupal and have been using it for years with no great difficulty. In fact, one framework site I inherited I replaced with Drupal, because the developers of the framework site had apparently not read the documentation for their preferred framework, nor had they written their own.

          All systems have their strengths and weaknesses, and not least of that is the way that the people working on the project like to work. From the customer's point of view, the tools used to do the job should not be that important, as long as the person using them is happy with them and can do the job excellently with them.

  4. Mark Simon

    Never again …

    Worked on one Drupal project which is two too many.

    Hopelessly complex PHP & Database structure. Dependence on innumerable plugins which are poorly documented, poorly understood and of unknown security. Cumbersome update process. Even more cumbersome to backup and redeploy.

    The problem with most of these CMS packages is that they appeal to the amateur who does not have the advanced skills required to maintain them and to customise them safely.

  5. caffeine addict

    As far as I can work out, Drupal is only loved by the handful of masochists who can handle setting it up without going mad - because if you can set it up you've got guaranteed return custom from the client who can't work out how to manage their own site.

    I left a job once because the client demanded we start using Drupal...

    1. roytrubshaw

      ... Drupal is only loved by the handful of masochists ...

      They must be pretty prolific masochists then, each of them being responsible for 200K+ sites each. (Assuming handful = 5)

      I'm not sure why the rabid anti-Drupal sentiment, I've worked with Wordpress (, Drupal ( and some home-brewed MVC frameworks ( - though there is Drupal there as well) they all have their advantages and disadvantages.

      A million or more sites can't all be wrong surely?

      All large sites will use CDN/Varnish/nginx as a matter of course and why on earth would you run PHP without opcode caching?

      1. roytrubshaw

        My main problem is with the article itself, there's no real detail behind "borked update process" and following the link to the blog item leads to a piece apparently predicated on the success of a CSRF attack based on "http://yoursite/?q=admin/reports/updates/check".

        I've just tried this on a couple of Drupal sites, and in each case I get the "Access denied" error in some guise or other. (As I would expect as I'm not logged in with admin privileges.)

        It's been some time since I've seen a Drupal URL that includes "?q=..." so thanks for the trip down memory lane anyway!

        1. jpat14

          The vulnerability is with the web interface accessing an XML file pointing to the update URL over an insecure connection, opening the door for a man-in-the-middle attack or similar. You would need to intercept the request and return a different URL.

      2. caffeine addict

        Oh the wit of assuming "a handful" was a small and absolute number!

        A million Drupal sites. And each developer is likely to have knocked out a few sites each. Let's say that's 5 each (just because, why not) then 200k developers. Out of how many people in the world with at least one website to their CV?

      3. batfastad

        > All large sites will use CDN/Varnish/nginx as a matter of course and why on earth would you run PHP without opcode caching?

        Of course, any big site would and should be using those.

        But you need all that even for a basic noddy Drupal site. An impressive achievement in a way I suppose!

  6. theOtherJT

    Why am I not surprised?

    I've learned to really, really hate Drupal.

    Everyone knows the worst part of software (and by extension web) development is having to maintain someone else's code.

    Drupal Core - such as it is - isn't terrible. The trouble is the core doesn't really do anything except provide a horrifically complicated framework for writing extensions. By the time you've added enough modules to do what you wanted (which are frequently buggy, terribly documented, and not quite a match for what you wanted anyway) the whole thing has become a creaking pile of hacks-upon-hacks which are just waiting for an opportunity to fall over, so you end up writing even more modules to try and patch it all up.

    This inevitably leads to having to read the source for all the modules you're trying to make play nice with one another, and by the time you're done with that and have written half a dozen "glue" modules to keep it all together (which you now have to maintain because there's a decent chance that some future update will break them) it's taken longer to get everything working than it would have done to write the entire site from scratch because everything you've written has had to be contorted around all the other crap that you didn't write and don't really understand.

    What you're left with is something that's not only frighteningly fragile because it's made from 300 different components by 200 different authors, at least half of which haven't updated them in 2 years and probably never will, but also dog slow because the chain from "request" to "render" has to pass through every single one of those things.
    1. batfastad

      Re: Why am I not surprised?

      Agree with every word of this.

      My favourite is the database schema. A separate database table for each combination of content type and field, inevitably leading to thousands of database tables thanks to point-n-click web designers, installing all manner of modules. Which leads me on to...

      A close second is the module overhead of 3+ DB queries per page. A multi-site Drupal environment I saw was using 4 different modules to trim the output length of different page elements. Genius.

  7. Nick Ryan Silver badge

    Lots of hate here...

    And I understand the hate. However Drupal itself is very flexible and can be very good.

    Unfortunately there are some serious problems, a lot stemming from the core developers who can often be politely termed "asshats" who in the past have been so blinkered and elitist that they didn't care for suggestions or improvements unless they came from within. This has improved but there's still far too much of it...

    Documentation - the general response is "go read the source code". Erm, if I wanted to do that I wouldn't be looking for documentation would I? While there is some good documentation, unfortunately most of it is utterly appalling and you're left having to do a global source search to find usage of the methods/functions and guess from there. And that's if the method/function is actually used in the source you have, or hasn't been obfuscated through the module system. Basically unless you're an expert in PHP then you'll find the documentation mostly useless but you'll be left admiring where all the CPU cycles have gone to perform very little of real benefit (Drupal 8 is an improvement on this front).

    Without turning this into a rant, I've found that the best way to work with Drupal is:

    1) Try to do everything "the Drupal way" - even if it's not quite the way you'd like to do it, it will save you a huge waste of time fighting it. Working out what "the Drupal way" is in a given situation is not always easy though given the pathetic documentation but often it does come with a lot of benefits.

    2) Use as few modules as possible. It should be very obvious that the more modules you drop in the worse site performance will be but this doesn't stop some folk from doing this. As posted above, it's often that you find a module does 90% of what you need but lets you down on the other 10%. Sometimes this isn't a problem, others you may need to put some custom functionality in and a moderately experienced PHP developer shouldn't have a problem with this. This doesn't help hopeful end users though but in reality this isn't any different to WordPress modules except it's slightly easier to resolve with a PHP developer.

  8. Fonant

    Perhaps I'm mad? I really like Drupal and what it can do for me!

    Just to balance the haters a bit. Yes, Drupal is a complex beast, I reckon it takes three to four years of building sites with it to really get to know it properly. The main tasks being to learn "the Drupal way" and to learn which contributed modules are worth using, and how they work.

    However, if you're willing to invest time getting to know Drupal then it can be a very powerful tool to build quite complicated database-driven web applications. I started with Drupal 5, which was not nice and which required lots of custom code to be written. Now with Drupal 7 I find I can build pretty comprehensive sites with hardly any custom code at all.

    Oh, and I run Drupal on a VPS with SSD storage and find that it runs plenty fast enough even with many dozens of enabled modules (I will agree that with spinning rust storage it can be a little slow, you do need a half-decent server). There are lots of caching possibilities in core and with external caches if you really need them, and Drupal 8 (not yet ready for complex sites, several useful modules are not yet fully updated for 8) has big improvements in how content can be cached efficiently. Drupal works fine for governments, universities, and record labels, so there are plenty of big users who find the performance is not a problem.

    As with any software, it's horses for courses. Creating a blog with Drupal is quite a lot of work, WordPress does that sort of task much better out-of-the-box. But for more database-like sites Drupal beats WordPress easily. You can of course resort to a basic framework, or write all your code from scratch. Drupal is simply a powerful high-level system for building database-driven web applications, where all the standard boilerplate stuff is already done for you.

    I suspect the haters here might be people with Computer Science degrees. Mine's a Mechanical Engineering one - I'm more of a systems analyst than a coder. I don't care so much about the clean aesthetics of algorithms, I just like stuff to work as a useful tool to get the job done.

  9. ashrafabed

    Unintuitive? Yes. Not a good option? No.

    Drupal does require either a significant time investment, or a lot of hand-holding to learn "the Drupal way" of doing things. But once you've mastered it, you're able to build robust applications, while benefiting from upstream improvements and a security team that is on the look out for potential exploits (all software has bugs.)

    I've seen both sides of the coin, self-taught and trained.

    I am a self-taught Drupal developer, who only picked it up for the sake of a job interview. Before that I was building websites from scratch in PHP/etc, or working on applications in Java.. or C#. Point is, I taught myself Drupal for a job interview, and I sat there thinking "why would anybody use this?" Weeks into the job, I still thought that. It took a few years for me to wrap my head around all of the Drupal-isms and to really enjoy building with it.

    Since then I've founded , through it I teach people to become Drupal developers. Applicants can be completely new to web development, or seasoned programmers looking to switch to enterprise web development. After the 3 month part-time course, students' reactions are rarely ever "Drupal is hard". Generally, they're really excited with what they've built (live client sites), and eager to become full time Drupal devs. That wasn't my reaction when I first picked up Drupal because I didn't have anyone walking me through all of the pitfalls.

    On the point of 'Drupal is slow, varnish/etc is really serving the pages'. Caching is not something that is slapped on top of Drupal via Varnish. It took me time to accept it, but caching should be looked at as part of Drupal's architecture, because that's what it is. Drupal 8 turns caching into an art. It's not "Drupal is slow, caching hides that." No - granular cache control is a strength of Drupal, and (especially) large websites will benefit from the fact that they have native (D8) granular cache control for their complex websites.

    1. Vic

      Re: Unintuitive? Yes. Not a good option? No.

      After the 3 month part-time course, students' reactions are rarely ever "Drupal is hard".

      Well, I can't claim to be a mainstream Drupal guru, but I've never seen the above reaction; Drupal isn't hard.

      Drupal is slow, unless you know a lot about the internals. And then it's merely fairly slow.
  10. David Rothstein

    Here is a post from the Drupal Security Team (who do not seem to have been contacted for this article) regarding these issues:

    Note that the specific issue (out of the three) which this article focuses most of its attention on in fact seems to be relatively minor. As stated there: "The impact is limited to only one page of the Drupal administrative interface. All other pages in the admin interface warn about failures correctly."
