re: Drupal is a pretty big deal 🎙 VIEW POST

FULL DISCUSSION
 

We also learned just how awesome the Drupal community is

This might be a good moment to remind the DEV community how totally not awesome the Drupal security is. I recommend to not choose your software based on criteria like "the people are nice though".

 

As for any technology, security is highly dependent on how it's implemented.

 

I have a number of Drupal sites upgrade automatically with a cron script (using composer & drush). In discussion with some Drupal administrators they seem
to prioritize stability over security. They to forget that a compromised system is very unstable.

 

Drupal is way more secure than it used to be. The problem with Drupal IMO is the learning curve, people not updating their sites when security releases come out, etc.

Drupal is way more secure than it used to be.

Russian roulette with 526 empty bullets is more secure than with only one. :-)

I did not mean to imply that Drupal is generally bad and nobody should use it. I just thought it might be relevant that Drupal - like Joomla and WordPress - has had an awful security record over the past decade.

It's probably helpful context to know that I've worked with Drupal the past 6 years. I've seen the good, the bad and the ugly. I think PHP, in general, gets a lot of bad reps because of how awful it was at once point. I'm also a front-end dev, so I hardly do PHP since now that Drupal is mostly object-oriented, I don't need to write it for basic things like templating.

But like you said "over the past decade".... the troublesome part is technology that lasts as long as PHP has will have some reallllly dark times haha. I'm really happy to see how Drupal has evolved, and the security team works SUPER hard to find bugs and release patches. The edge WordPress has is they automatically update for people (I think, I don't do WP). Drupal doesn't do that yet, and so if you don't patch something immediately because of lack of budget, your org could be screwed.

BTW I am not saying you're wrong here, and I wanted to clarify that because the internet can misconstrue things easily. Just discussing.

I really like the Drupal Community. If I were to ever leave, that is where I would miss it the most. I also work with really intelligent people, many of whom are on the security team, and they do great work.

The edge WordPress has is they automatically update for people (I think, I don't do WP).

WordPress finally has automatic security updates now (which can be turned off) - but that only affects minor updates. And they won't maintain multiple versions in parallel. WordPress 4.9.x to 4.9.y will be updated (= security-fixed) automatically - but none of the plugins will. And once WordPress 5.0 has been released, 4.9 users are doomed without manually updating (which can be an annoying task for more complicated setups, like multi-site WordPresses).

lol, don't get me started on Gutenberg....I have so many accessibility rants regarding that.

Yup. I can't even right-align a thumbnail with that thing.

 

I came to make the similar comment, but then I remembered how Wordpress' security history is swiss cheese. Maybe not as colossal in comparison to Drupal, but definitely not bulletproof 🤔

In the last year or so we had a SaaS company in the cannabis industry get hacked have a huge data leak 🔥 and downtime 📉 because they were using an immensely outdated version of Drupal.

It could have been an old version of Wordpress too, but I feel like WP encourages upgrading more (even pushing more stable PHP versions with newer releases).

code of conduct - report abuse