Drupal 6 in 2019? Yes, really :-)

by David Snopek on April 25, 2017 - 7:35pm

When we originally announced that we'd be providing Drupal 6 Long-Term Support, we committed to supporting our customers until February 2017. The assumption was that people would be excited about migrating straight to Drupal 8 to get the awesome new features, or ready to upgrade to Drupal 7 so they could have a fully supported site.

We've definitely seen some people retire their Drupal 6 sites - we're probably past our peak of being responsible for 424 sites - but far more people have stayed on Drupal 6 than expected, and so, last year, we already announced that we'd be doing Long-Term Support until February 2018.

While I'm sure there will come a time when it no longer makes business sense to pour resources into Drupal 6 for the few remaining sites...

It's already clear to us that there's enough demand to extend Long-Term Support again, until February 2019.

That's the short version. ;-) Read on to find out more!

Want to maintain your Drupal sites better? Some sessions to watch at DrupalCon Baltimore!

by Elliot Christenson on April 18, 2017 - 7:13pm

DrupalCon is on my mind. It's coming up next week, April 24-28th! I've never been to Baltimore, so it should be particularly interesting for me. Many - in fact most - Drupalers can't make it to the major "DrupalCon" events. So, I thought it might be interesting to call out some sessions that seem like they might be beneficial for site-owners, site-builders, and other Drupalers that are similar to our clients.

Drupal 6 security update for CCK

by David Snopek on April 18, 2017 - 1:05pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the CCK module to fix an Access Bypass vulnerability.

CCK allows you to add custom fields to any content type.

The Node Reference sub-module had a bug where it could list the node titles of nodes that the user doesn't have access to.

(A note about the timing of this release: per our agreement with the Drupal Security Team, we were unable to release this patch until the same vulnerability was fixed for the Drupal 7 References module, or two weeks went by after that module was unsupported. The fix for References was released today.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the CCK module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Don't have an in-house webmaster? 4 ways to get by!

by Elliot Christenson on April 11, 2017 - 6:45pm

We've recently been scheduling interviews with many of our clients to help fine-tune our service offerings at myDropWizard. Some interesting questions and perspectives have bubbled up in our discussions. This idea of an "in-house webmaster" is one of those. We deal with organizations ranging from literal mom-and-pop businesses to brand names that you recognize.

Most common Drupal site building pitfalls and how to avoid them! (Part 3 of 3)

by David Snopek on March 28, 2017 - 9:58am

This is the third in a series of articles, in which I'd like to share the most common pitfalls we've seen, so that you can avoid making the same mistakes when building your sites!

myDropWizard offers support and maintenance for Drupal sites that we didn't build initially. We've learned the hard way which site building mistakes have the greatest potential for creating issues later.

And we've seen a lot of sites! Besides our clients, we also do a FREE in-depth site audit as the first step when talking to a potential client, so we've seen loads of additional sites that didn't become customers.

In the first article, we looked at security updates, badly installed module code and challenges with "patching" modules and themes, as well as specific strategies for addressing each of those problems. In the second article, we looked at how to do the most common Drupal customizations without patching.

In this article, we're going to look at some common misconfigurations that make a site less secure, and how to avoid them!

NOTE: even though they might take a slightly different form depending on the version, most of these same pitfalls apply equally to Drupal 6, 7 and 8! It turns out that bad practices are quite compatible with multiple Drupal versions ;-)

Most common Drupal site building pitfalls and how to avoid them! (Part 2 of 3)

by David Snopek on March 21, 2017 - 11:24am

This is the second in a series of articles, in which I'd like to share the most common pitfalls we've seen, so that you can avoid making the same mistakes when building your sites!

myDropWizard offers support and maintenance for Drupal sites that we didn't build initially. We've learned the hard way which site building mistakes have the greatest potential for creating issues later.

And we've seen a lot of sites! Besides our clients, we also do a FREE in-depth site audit as the first step when talking to a potential client, so we've seen loads of additional sites that didn't become customers.

In the last article, we looked at security updates, badly installed module code and challenges with "patching" modules and themes, as well as specific strategies for addressing each of those problems. In this article, we'll look at how to do the most common Drupal customizations without patching!

NOTE: even though they might take a slightly different form depending on the version, most of these same pitfalls apply equally to Drupal 6, 7 and 8! It turns out that bad practices are quite compatible with multiple Drupal versions ;-)

Most common Drupal site building pitfalls and how to avoid them! (Part 1 of 3)

by David Snopek on March 14, 2017 - 3:44pm

myDropWizard offers support and maintenance for Drupal sites that we didn't build initially. We've learned the hard way which site building mistakes have the greatest potential for creating issues later.

Before taking on a new client, we do an in-depth site audit looking for security issues and checking if the site follows best practices or has any problems that would make it harder to maintain the site going forward.

In 2016 alone, we did 64 site audits!

Looking at that many sites has taught us A TON about the most common mistakes that people make when building Drupal sites. Some of them were very surprising to us as experienced Drupal site builders!

This is the first in a series of articles, in which I'd like to share the most common pitfalls we've seen, so that you can avoid making the same mistakes when building your sites!

NOTE: even though they might take a slightly different form depending on the version, most of these same pitfalls apply equally to Drupal 6, 7 and 8! It turns out that bad practices are quite compatible with multiple Drupal versions ;-)

Drupal 6 security update for Services

by David Snopek on March 8, 2017 - 12:41pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Highly Critical security release for the Services module to fix a Remote Code Execution (RCE) vulnerability.

The Services module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module accepts user-submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized"), which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

NOTE: there's a pre-existing, unfixed security issue in the Drupal 6 version of Services from 2013 (see SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)), so using Services in Drupal 6 isn't recommended in general. However, that issue is much less critical than the one announced today.

If you have a Drupal 6 site using the Services module, we recommend you update immediately, or disable the Services module entirely.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

It's NOT Amazon's fault the internet broke yesterday - it's OURS!

by David Snopek on March 1, 2017 - 10:26am

You probably noticed that many sites and apps were having serious problems yesterday due to an Amazon AWS outage.

Some sites/apps were completely down, and others had partial or reduced functionality. In the Drupal world, Pantheon was affected: sites didn't go down (huzzah for Pantheon!), but everything was in read-only mode for several hours, so users couldn't upload files to their sites and many dashboard functions didn't work.

Already, many are talking about how this outage is proof that the public cloud is a bad idea. Or, that Amazon messed up big time and maybe we should look at other cloud providers.

However, I'm going to argue that it wasn't Amazon's fault that this outage took down so many sites and apps.

And by extension, this isn't proof that the cloud is a bad idea, or that we should look to providers other than Amazon. The cloud is great, and so is Amazon AWS.

I'm going to argue that it's OUR fault -- the web developers who make all these great apps and sites -- that this outage broke the internet.

Please read more to find out why!

Put Drupal 7 on MDW Life Support

by Elliot Christenson on February 28, 2017 - 6:57pm

Drupal 7? What About Drupal 6 & 8?

Drupal 8 is the future of Drupal. No doubt. It's awesome.

Drupal 6 is still a reality for a large number of critical websites.

At myDropWizard, we spent a lot of time focusing on Drupal 6 over the past almost 2 years. We love the service we are able to provide to our Drupal 6 clients - I think most of them love our service too!

We've also spent a lot of time thinking about the future of Drupal 8 - just like you probably have.