Aggregator
Drupal AI Initiative: Welcome to the Drupal AI Initiative: What We Learned from Our June 26 Webinar
The BIG Idea: Open, Safe AI for Everyone
At its core, the Drupal AI Initiative is about helping organisations adopt AI responsibly. As Paul Johnson put it:
“We’re looking to tell the amazing story of how Drupal AI can help organisations that want to adopt AI that is safe and in a way where freedom remains to make their own choices.” - Paul Johnson
The group shared updates on work happening in AI Core, including modules for agents, logging, testing, and a new Experience Builder that aims to make page creation smarter without compromising on security or trust.
“I’m not a programmer myself. Everything we've done with AI we’ve tried to build in a way that analysts, PMs, even content editors can make use of.” - Jamie Abrahams
Key Points From the Q&AAttendees asked important questions, and were answered transparently:
-
Funding: Smaller agencies raised concerns about staying competitive in a rapidly evolving AI space. The group discussed options like the Makers funding program and collaborative approaches to share costs.
-
Safe adoption: Several participants asked how to keep up with AI’s breakneck pace while avoiding dead-ends. The consensus: stick to open standards, contribute upstream, and share what works.
-
Contribution paths: For developers and marketers alike, there are plenty of ways to get involved, from writing documentation to building modules to promoting best practices. Join the Drupal AI Marketing Weekly to pitch in.
“Most important, we are here to listen to your feedback.” - Baddy Breidert
How To Get InvolvedAll the slides from the session are available here. You’ll also find handy links:
-
Watch the recording: Welcome to the Drupal AI Initiative
-
Join the conversation: Hop into the AI issue queue, Slack channels, or reach out to the working group.
-
Stay tuned: More sessions, training, and contribution sprints are on the way, including the Drupal GovCon AI training and hack-a-thon later this year.
This initiative will only succeed if it’s shaped by the whole community. If you care about building a safe, open, and innovative Drupal AI ecosystem. Your input matters.
“Please stay tuned for the upcoming webinars and upcoming news.” - Lenny Moskalyk
And See you next time!
DrupalCon News & Updates: DrupalCon Vienna 2025: A Journey Through Drupal’s Past, Present, and Future
In 2025, Drupal continues to evolve as a powerful, open-source content management framework that balances flexibility, scalability, and extensibility. As we prepare to gather in Vienna a city rich in both culture and innovation, this year's DrupalCon is more than a conference. It's a comprehensive reflection on how Drupal has matured over the years, where it stands today, and where it’s headed next.
Drupal’s Origins: Laying the Foundation for Open Web Platforms
Drupal began as a simple message board over two decades ago, yet its architecture was built on a vision of extensibility and community collaboration. What started as a hobby project grew into a full-fledged CMS adopted by developers, governments, universities, and enterprises around the globe.
From the early introduction of modules and hooks to the groundbreaking adoption of Symfony components and modern PHP standards, Drupal's architecture has consistently prioritized maintainability and reusability. The rise of the Form API, Entity API, and Configuration Management System laid the groundwork for scalable content-driven applications.
Key innovations in the early years:
- Introduction of a modular system enabling rapid extension of core functionality
- The evolution from procedural to object-oriented code structures
- Strong community governance and open contribution models
These early decisions positioned Drupal as a future-ready framework long before terms like "composable DXP" or "headless CMS" entered the mainstream.
Drupal Today: Engineered for Modern Digital Operations
In 2025, Drupal is no longer just a CMS, it's a backend digital experience engine that powers mission-critical applications across sectors. Its flexibility has enabled it to adapt to a changing landscape of decoupled front ends, API integrations, and marketing automation.
Technical highlights of Drupal today:- API-First Design: Drupal 10 and 11 offer robust REST, JSON:API, and GraphQL support out-of-the-box, making integration with JavaScript frameworks and external services seamless.
- Advanced Content Modeling: With custom entities, paragraphs, taxonomy systems, and fieldable content types, teams can represent structured and reusable data at any scale.
- Decoupled and Progressive Decoupling: From fully headless implementations to progressively enhanced Twig-based front ends, Drupal supports a spectrum of architectural patterns.
- Multisite + Multilingual: Multisite capabilities combined with flexible language modules enable the deployment of global, multi-brand, and localized content ecosystems.
- Government: Role-based access control, WCAG compliance, multilingual content management, and enterprise security protocols are supported natively, making Drupal ideal for secure and accessible government portals.
- Enterprise Marketing: Marketers and developers benefit from multisite capabilities, flexible editorial workflows, and seamless integration with CRM, DAM, and analytics tools — all critical for omnichannel delivery.
- Education & eLearning: Institutions leverage Drupal as the core CMS for AI-assisted platforms that recommend content, track learning progress, and personalize student engagement through decoupled UIs and custom APIs.
This modular and composable architecture enables Drupal to function not only as a website builder but also as the integration layer between diverse enterprise systems.
Looking Ahead: Drupal’s Technical Roadmap
As we look beyond Drupal 10 and 11, the project continues to invest in modernization and developer experience. The core roadmap emphasizes:
- Enhanced Admin UI: React-based administrative themes and improved UX for non-technical users
- Automatic Updates: Secure and stable auto-updates for core and contributed modules
- Project Browser: A visual interface to discover, install, and evaluate contributed modules from within the admin UI
- Better Decoupling Support: Continued investment in GraphQL schemas, real-time data synchronization, and rendering decoupled menus/navigation
- Developer Tooling: Improved DX through Composer support, API stabilization, and increased PHP type safety
Community initiatives such as GitLab CI/CD integration, increased test coverage, and standardization around frontend tooling (Webpack, Vite, etc.) are also helping push Drupal closer to being a developer-first platform without sacrificing editorial ease-of-use.
Join the Evolution in Vienna
DrupalCon Vienna 2025 offers a rare opportunity to immerse yourself in the full journey of Drupal from its humble origins to its role in powering complex, enterprise-grade applications. Whether you're a backend architect, frontend engineer, digital strategist, or platform lead, there’s something for everyone.
What to expect:
- Sessions from core maintainers and initiative leads
- Hands-on workshops for developers transitioning to decoupled and API-first builds
- Real-world architecture case studies from large-scale Drupal implementations
- Opportunities to contribute to the Drupal project and shape its future
Why It Matters
In a world where digital transformation is no longer optional, Drupal continues to prove its value by being adaptable, secure, and deeply rooted in the principles of open collaboration. Its future depends not just on the technology, but on the people contributors, builders, and thinkers who continue to push the platform forward.
At DrupalCon Vienna 2025, you won’t just learn about where Drupal has been. You’ll help shape where it’s going next.
Mark Your Calendars🗓️ Dates: October 14–17, 2025
📍 Location: Austria Center Vienna, Vienna, Austria
🌐 Official Website & Registration: https://events.drupal.org/vienna2025/registration-information
🐦 Follow the buzz: #DrupalConVienna #DrupalCon2025
This blog is just the beginning. Over the next few weeks, I’ll be sharing:
- Technical spotlights on Drupal CMS features
- Speaker highlights and session previews
- Tips for first-time technical attendees and contributors
So bookmark this space, and get ready to experience DrupalCon Vienna 2025 like never before.
Are you coming? Let’s connect!
Technical Lead
WSO2
LN Webworks: Custom Marketplace for Your Next Big Project
The ecommerce industry is already undergoing a new revolution with marketplaces helping the customers to discover a variety of sellers which they can access on a single platform.
Approximately 30 percent of the total purchase orders on the internet across the world are made via online market platforms.
And that is the nutshell actually; why not take a chance when your brain child could be the next disruptor!
DDEV Blog: Using FrankenPHP with DDEV
The PHP ecosystem is changing fast, with tools like FrankenPHP improving both performance and developer experience.
FrankenPHP is now officially supported by The PHP Foundation.
This guide explains two ways to integrate FrankenPHP, based on my experience.
You can either run FrankenPHP as a separate service (lets you install extra PHP extensions) or inside DDEV's web container (uses a static binary without support for extra extensions).
Generic web serverThis blog shows examples of the recently added DDEV's generic web server, which supports flexible configurations. It allows you to use any custom web server you want, including Node.js, Python, Ruby, etc.
DDEV FrankenPHP Add-onI created the stasadev/ddev-frankenphp add-on to experiment with FrankenPHP as a separate service with some additional features:
- Ability to install PHP extensions (Redis, Xdebug, SPX, etc.)
- Better resource isolation
To add PHP extensions (see supported extensions here):
ddev dotenv set .ddev/.env.frankenphp --frankenphp-php-extensions="redis pdo_mysql" ddev add-on get stasadev/ddev-frankenphp ddev stop && ddev debug rebuild -s frankenphp && ddev start ⚠️ Limitations:- Standard Linux and DDEV tools are installed in the web container, not in the frankenphp container.
- See the add-on README for adding Xdebug (ddev xdebug does not work here).
- Enabling or disabling Xdebug requires rebuilding the frankenphp container.
- ddev launch does not work because the web server runs in a different container.
If you want to suggest some feature or found a bug, feel free to open an issue.
Running FrankenPHP in the Web ContainerAlternatively, FrankenPHP can be run inside the web container. This example from the DDEV quickstart shows a setup (for a Drupal 11 project) where FrankenPHP is added as an extra daemon.
⚙️ Installation: export FRANKENPHP_SITENAME=my-frankenphp-site mkdir ${FRANKENPHP_SITENAME} && cd ${FRANKENPHP_SITENAME} ddev config --project-type=drupal11 --webserver-type=generic --docroot=web --php-version=8.4 ddev start cat <<'EOF' > .ddev/config.frankenphp.yaml web_extra_daemons: - name: "frankenphp" command: "frankenphp php-server --listen=0.0.0.0:80 --root=\"/var/www/html/${DDEV_DOCROOT:-}\" -v -a" directory: /var/www/html web_extra_exposed_ports: - name: "frankenphp" container_port: 80 http_port: 80 https_port: 443 EOF cat <<'DOCKERFILEEND' >.ddev/web-build/Dockerfile.frankenphp RUN curl -s https://frankenphp.dev/install.sh | sh RUN mv frankenphp /usr/local/bin/ RUN mkdir -p /usr/local/etc && ln -s /etc/php/${DDEV_PHP_VERSION}/fpm /usr/local/etc/php DOCKERFILEEND ddev composer create-project drupal/recommended-project ddev composer require drush/drush ddev restart ddev drush site:install demo_umami --account-name=admin --account-pass=admin -y ddev launch # or automatically log in with ddev launch $(ddev drush uli) ⚠️ Limitations:- It's not possible to install additional PHP extensions (requires ZTS build).
- Limited debugging capabilities, ddev xdebug doesn't work.
- FrankenPHP documentation
- DDEV's generic web server
- FrankenPHP add-on
- FrankenPHP quickstart
- Hola FrankenPHP! Laravel Octane Servers Comparison: Pushing the Boundaries of Performance
Using ddev-frankenphp-benchmark, I compared three setups:
- nginx-fpm: DDEV's nginx-fpm web server with php-fpm
- generic-web: DDEV's generic web server with FrankenPHP inside the web container (static binary)
- generic-addon: DDEV's generic web server with FrankenPHP inside the frankenphp container (with pdo_mysql extension)
Summary:
- All configurations delivered comparable and adequate performance.
- FrankenPHP is a win where there is an upstream hosting environment using FrankenPHP.
- Benchmarks used default DDEV settings, not production-optimized configurations.
- Laravel Octane (FrankenPHP worker mode) was not used and could yield better results.
- CPU and memory usage were not measured.
Software:
DDEV: v1.24.6
Mutagen: disabled
PHP: v8.4
Laravel: v12.19.3
FrankenPHP: v1.7.0
Docker Engine: v28.3.0
Operating System: Manjaro Linux AMD64
Kernel Version: 6.12.35-1-MANJARO
Hardware:
Intel i7 8750H (6 Core/12 Thread, 2.2 Ghz, Turbo 4.1 Ghz)
32 GB DDR4 2667 Mhz
Samsung 870 Evo SSD (530w/560r MB/s)
If you find DDEV (and its add-ons like FrankenPHP) useful, consider supporting its development. Thank you!
joshics.in: Drupal 11 Dev Environments: DDEV, LAMP, and Beyond
Exploring DDEV, LAMP, and Local Server for Drupal 11
Drupal 11 offers API-first features and enhanced performance, making the choice of development environment critical.
I’ve worked with DDEV, LAMP, and Local Server setups like XAMPP or MAMP to assess their strengths.
This guide delivers a detailed breakdown with setup instructions, configuration options, practical examples, and a comparison table, serving as a resource to match your project needs.
Understanding Your OptionsA solid development environment is essential for Drupal 11 projects. The sections below provide in-depth details on DDEV, LAMP, and Local Server, based on my hands-on experience.
DDEVDDEV is the official local development tool for Drupal, built on Docker and supported by the community, with documentation at https://www.drupal.org/docs/official_docs/local-development-guide.
- Setup Process: Install Docker from docker.com following OS-specific instructions (download and CLI setup), create a Drupal project with composer create-project drupal/recommended-project my-site navigate to the directory with cd my-site initialize with ddev config (set docroot to "web" and PHP version, e.g., 8.1), start with ddev start.
- Configuration Options: Edit .ddev/config.yaml to add custom domains, multiple databases, or integrate tools like MailHog for email testing, adjust PHP versions or enable extensions via the YAML file.
- Practical Applications: Used on a 12-site project, configuring custom domains and databases in the YAML file, added SSL for local development to mirror production.
- Considerations: Requires learning Docker basics (a few hours), needs 4GB RAM minimum (8GB recommended), configuration changes may need community forum support.
Try tweaking config.yaml to set PHP versions, enable Xdebug for debugging, or add services like Redis based on your project requirements.
LAMPLAMP, made up of Linux, Apache, MySQL, and PHP, is a traditional stack offering detailed control, widely used for Drupal development.
- Setup Process: Use a Linux distro like Ubuntu, update the system and install Apache with sudo apt update && sudo apt install apache2, install MySQL with sudo apt install mysql-server and secure it with mysql_secure_installation install PHP 8.1+ and modules with sudo apt install php8.1 php8.1-mysql php8.1-cli php8.1-mbstring.
- Configuration Options: Create a virtual host file (e.g., /etc/apache2/sites-available/drupal.conf) with DocumentRoot set to your Drupal directory, enable it with sudo a2ensite drupal.conf restart Apache with sudo systemctl restart apache2 tweak .htaccess or MySQL settings for performance.
- Practical Applications: Built a small news site, optimizing .htaccess for caching and MySQL queries, required manual load balancing as traffic hit 600 users daily.
- Considerations: Setup can take a day due to dependency issues, updates and security patches are manual, scaling needs additional infrastructure like reverse proxies.
Consider adding phpMyAdmin for database management and Drush 12 for automating tasks like cache clears or module updates.
Local Server (XAMPP, MAMP)XAMPP and MAMP provide a pre-configured bundle of Apache, MySQL, and PHP, ideal for quick local development, especially for beginners.
- Setup Process: Download XAMPP from xampp.org or MAMP from mamp.info, run the installer for your OS (Windows, macOS, Linux), start Apache and MySQL via the control panel, place Drupal 11 files in htdocs (XAMPP) or htdocs (MAMP) and access at http://localhost (15-20 minutes total).
- Configuration Options: Adjust ports (e.g., Apache to 8080) in the control panel if conflicts occur, enable PHP extensions like mysqli or gd through the configuration interface.
- Practical Applications: Prototyped a client portfolio site in under an hour, required port changes for a second site, showing limits with multiple projects.
- Considerations: Not suited for large sites (lag with 50+ pages), port conflicts possible with other apps, requires at least 2GB RAM, with older hardware struggling over time.
Check the control panel for port adjustments and review PHP error logs (in htdocs/logs) to troubleshoot setup issues.
Comparison OverviewThis table compares DDEV, LAMP, and Local Server across key development factors based on observed performance.
Aspect DDEV LAMP Local Server (XAMPP/MAMP) Ease of Setup Moderate (Docker required) Complex (manual configuration) Easy (pre-configured) Scalability High (multi-site support) Moderate (requires tuning) Low (best for small projects) Performance High (optimized environment) Variable (depends on tuning) Moderate (basic setup) Community Support Strong (open-source community) Good (widely documented) Limited (vendor support) Resource Requirements High (Docker overhead) Low (minimal base setup) Medium (bundled components) Key Considerations- Ensure PHP 8.1+ is active—verify with php -v.
- Keep Composer current—run composer update regularly.
- Always back up before changes—use drush archive-dump to save your work.
DDEV, LAMP, and Local Server each bring unique capabilities to Drupal 11 development, from community-driven consistency to hands-on control or rapid setup. This guide aims to equip you with the knowledge to choose what fits your goals. Take your time to assess your project’s scale, team needs, and resource availability—your decision will shape the foundation of your work.
Drupal 11 DDEV LAMP Drupal Planet Share this Copied to clipboard Add new commentSpecbee: Is your SEO strategy missing AEO and GEO? Here’s how to keep up
joshics.in: Escape the Drupal 7 Trap: Your Clear Path to Drupal 11 Migration
Your website is at risk. Drupal 7’s end-of-life is looming, leaving sites open to attacks, while CMSs like WordPress or Joomla struggle with bloat or scalability limits.
These outdated systems drive users away—think single-page visits from Drupal Planet—costing you engagement and revenue. Migrating to Drupal 11 is your escape plan, offering top-notch security, blazing performance, and modern features.
This no-nonsense guide gives businesses, developers, and individuals the clear steps to transition from Drupal 7 or another CMS, fast and hassle-free.
Clinging to an outdated platform is like ignoring a check-engine light—disaster’s coming. Drupal 11 delivers faster load times, a sleek Claro admin theme, and API-first flexibility, keeping users hooked and your site secure.
- Drupal 7 Users: With legacy Drupal 7 support ending, unpatched vulnerabilities threaten your site. Drupal 11 offers robust security and modern UX.
- Other CMS Users: WordPress’s plugin chaos or Joomla’s rigid structure can’t match Drupal 11’s power for dynamic content or headless setups.
- Real Impact: A retailer migrated from Drupal 7 to Drupal 11, cutting load times by 25% and boosting conversions by 18%.
Quick Action: Audit your site with Security Review (Drupal 7) or WPScan (WordPress) to spot risks. Visit our Migration Resource Centre for more.
Your Drupal 11 Migration PlaybookThis playbook breaks down the migration process into five clear steps using Drupal’s Migrate API and community tools. No fluff, just results.
Step 1: Prep Like a ProAvoid data loss and compatibility issues with solid preparation.
- Drupal 7: Install Upgrade Status module to check module compatibility. Backup with Backup and Migrate: drush bam-backup.
- Other CMSs: Export content via WordPress’s Tools > Export or Joomla’s Akeeba Backup. Map content (e.g., WordPress posts to Drupal articles).
- Outcome: A news site cut migration risks by 50% with thorough backups.
- Beginner Tip: Use our Drupal Migration Guide for a prep checklist.
- Pro Tip: Document custom fields for smoother mapping.
Create a clean Drupal 11 environment to receive your content.
- Install Drupal 11: composer create-project drupal/recommended-project my-site.
- Enable Migrate modules: drush en migrate migrate_drupal migrate_tools -y.
- Outcome: A developer saved 20% setup time with Composer.
- Beginner Tip: Choose a Drupal-ready host for quick setup.
- Pro Tip: Test on a staging environment first.
Move your Drupal 7 content seamlessly.
- Use Migrate Drupal UI: Go to Structure > Migrations to import content, users, and taxonomy.
-
Custom fields: Create a module for complex data (e.g., paragraphs).
# my_migration.migration.node.yml id: custom_node source: plugin: d7_node node_type: article destination: plugin: entity:node process: title: title body: body - Test: Run drush migrate:import custom_node --update.
- Outcome: A university migrated 10,000 nodes in 48 hours, no data lost.
- Beginner Tip: Use Migrate Drupal UI for no-code migrations.
- Pro Tip: Monitor progress with drush migrate:status.
Switch from WordPress, Joomla, or others with ease.
- Install WordPress Migrate: composer require drupal/migrate_wordpress.
- Map fields: WordPress posts to Drupal articles, categories to taxonomy.
- Outcome: A blog moved from WordPress to Drupal 11, boosting SEO by 15%.
- Beginner Tip: Use Feeds module’s UI for drag-and-drop imports.
- Pro Tip: Validate imports with a small dataset first.
Make your site fast, SEO-friendly, and engaging.
-
Rebuild URLs with Pathauto:
# pathauto.pattern.article.yml type: canonical pattern: '[node:content-type]/[node:title]' - Enable caching: Configuration > Performance > Enable Page Cache and BigPipe.
- Audit content: Use Content Moderation for review workflows.
- Outcome: An e-commerce site cut bounce rates by 20% with optimized URLs.
- Beginner Tip: Install Pathauto via admin UI for easy setup.
- Pro Tip: Track engagement with Google Analytics Reports module.
Migration isn’t just about survival—it’s about thriving.
- Business: A retailer migrated from Drupal 7, gaining 30% faster load times and 18% more conversions. See our EXARC case study.
- Developer: A Joomla site moved to Drupal 11, saving 40% in build time. Explore our blog for optimization tips.
- Blogger: A WordPress user switched to Drupal 11 with Feeds, growing engagement by 25%. Visit our Migration Resource Centre.
Avoid these common mistakes to ensure a smooth migration:
- Data Loss: Backup with Backup and Migrate before starting.
- Incompatibility: Check module compatibility on Drupal.org.
- Performance: Optimize database: drush sql:optimize.
Quick Action: Download our Drupal Migration Guide to dodge these pitfalls with a full checklist.
Escape to Drupal 11 TodayDon’t let an outdated site hold you back. Drupal 11 offers the security, speed, and flexibility to keep users engaged. Start with our Drupal Migration Guide or learn more about managing legacy Drupal 7 sites. Need tailored help? Contact us or check our blog for more Drupal tips. Nonprofits can explore our discounts.
Explore More- Migration Resource Centre
- Managing Legacy Drupal 7 Sites
- EXARC Case Study
- Drupal Tips on Our Blog
- Nonprofit Discounts
The Drop Times: Using Automated Testing Kit in Your Project - Part 2
joshics.in: Fortifying Your Drupal Site: Best Practices for Security with a Real-World Example
As cyber threats evolve, securing Drupal sites demands advanced strategies beyond basic best practices. This post explores cutting-edge techniques for fortifying Drupal platforms, focusing on emerging trends like zero-trust workflows and performance-security integration. Through the lens of Education Above All’s global platform, we demonstrate how these methods ensure robust protection.
Drupal’s security framework, supported by a vigilant community, is robust, but modern threats like advanced persistent threats (APTs) and supply chain attacks require next-level defenses. Protecting sensitive data, ensuring compliance, and maintaining uptime are critical for high-traffic or mission-critical sites. This post outlines advanced strategies to address these challenges, illustrated by a real-world implementation.
Advanced Security Strategies for DrupalTo counter sophisticated threats, Drupal administrators can adopt these advanced techniques:
1. Zero-Trust Authentication WorkflowsImplementing zero-trust security ensures no user is trusted by default. Modules like Two-Factor Authentication (TFA) and integration with external identity providers (e.g., Okta via OAuth) enforce continuous verification. Role-based access control with the principle of least privilege (POLP) further minimizes risks by limiting permissions to essential functions only.
2. Hardened Server ConfigurationsBeyond basic file permissions (644 for files, 755 for directories), securing the server environment is crucial. Use .htaccess to block unauthorized access to sensitive directories and implement HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks. Regular server hardening, including disabling unused PHP modules and enabling intrusion detection, adds an extra layer of protection.
3. Real-Time Threat Intelligence and MonitoringAdvanced monitoring goes beyond Drupal’s “Recent Log Messages.” The Security Kit (SecKit) module mitigates XSS and clickjacking, while custom scripts can integrate with external threat intelligence feeds to detect anomalies in real time. For example, monitoring IP-based login attempts can block coordinated attacks during traffic spikes.
4. Robust Disaster Recovery PlanningThe Backup and Migrate module enables automated, encrypted backups to off-site storage like AWS S3. Regular disaster recovery drills, simulating ransomware or server failures, ensure rapid restoration. Encrypting backups with AES-256 and testing recovery workflows quarterly can reduce downtime to minutes.
5. Performance-Security SynergyHigh-performance sites are less vulnerable to denial-of-service attacks. Tools like Varnish or Redis optimize caching, reducing server load. Hosting providers with built-in DDoS protection and updated PHP/MySQL versions enhance both speed and security, ensuring sites remain accessible under attack.
Case Study: Securing Education Above All’s Drupal PlatformThe Drupal site for Education Above All (EAA), a Qatar-based non-profit, showcases these advanced strategies in action.
- Challenge: EAA needed a scalable, secure platform to handle millions of visitors, multilingual content, and sensitive donor data, with zero tolerance for breaches or downtime.
- Solution: The following measures were implemented:
- Zero-Trust Authentication: Deployed TFA for admins and OAuth-based SSO for editors, ensuring secure access control.
- Server Hardening: Configured HSTS headers and Let’s Encrypt HTTPS, with strict file permissions for multilingual uploads.
- Monitoring: Used SecKit and custom scripts to detect and block suspicious login attempts during campaign peaks.
- Backups: Set up AES-256 encrypted daily backups to AWS S3, with quarterly recovery tests to ensure resilience.
- Hosting: Selected a provider with DDoS protection and PHP 8.2, optimizing performance and security.
- Outcome: EAA’s site handles millions of users without incidents, supports seamless API integrations, and maintains trust, advancing its global education mission.
- Adopt Zero-Trust: Use TFA and SSO for continuous authentication.
- Harden Servers: Implement HSTS and strict permissions.
- Monitor Proactively: Combine SecKit with threat intelligence.
- Plan Recovery: Automate encrypted backups and test regularly.
- Optimize Performance: Use caching and secure hosting to enhance resilience.
Dive deeper into Drupal security at Drupal.org or discuss advanced security solutions
Security Drupal Planet Drupal Share this Copied to clipboard Add new commentPreviousNext: Navigating Drupal AI
The Drupal AI initiative is a hive of activity. There’s a lot to keep up with, so we’ve put together an overview of Drupal and AI, along with our position on these advancements, to help you cut through the noise.
by kim.pepper / 1 July 2025The current state of Drupal AIDrupal CMS launched in January 2025 with Drupal AI.
Since then, there has been considerable innovation in the contributed AI module ecosystem, along with numerous blog posts, videos, and conference talks on the topic.
Introduction to the Drupal AI Module - FreelyGive - June '24
Meet the AI Automators in Drupal CMS - Marcus Johansson @ DrupalCon Atlanta - March '25
Overview of the Drupal AI Initiative - The Modern Web Architect - June '25
More recently, Drupal announced the official Drupal AI initiative, which provides vision and direction for the Drupal community, directing efforts towards product innovation in Drupal core and Drupal CMS, as well as the contribution module ecosystem.
Notably, the initiative provides:
- An open framework to encourage innovation
- Open governance and leadership
- Funded work initiatives
Across the board, there is a strong focus on responsible AI, including:
- Flexible integrations without vendor lock-in
- Human oversight, such as approval processes and audit logs
This represents a solid path for future innovation and the maturation of a governance model not found in other products.
Areas of focusContent Editor ImprovementsWe’ve been using AI to support coding development over the past few years and have witnessed the productivity improvements it brings. That’s why we see the potential for enhancing content editor productivity with AI features.
AI-assisted content generation provides:- Content summaries - automatically generating a summary of a long-form article.
- Image alt-text generation - which analyses the content of an image and creates alt-text to meet accessibility standards.
- Content tag suggestions to facilitate categorisation and content organisation.
- Content rewrites to match different tones of voice.
It’s worth noting that these automated features require human governance and control, as well as review and approval, but they can also speed up laborious tasks.
Areas of future growth to watch include:- AI-assisted SEO optimisation, which provides suggestions for SEO content improvements
- AI-enhanced page building and component generation
We’re very excited about the Experience Builder initiative the next step in evolution for Layout Builder, that several PNXers, including Lee Rowland’s are actively contributing to.
Experience Builder will introduce a powerful, modern drag-and-drop page-building tool that shifts how we build sites in Drupal. The first beta release is due in July and will include direct integration with Drupal AI.
End User ImprovementsUsers have become accustomed to interacting with websites and applications using natural language and conversational modes. AI-enhanced features that will meet these expectations in Drupal include:
- Semantic search for better results - where the meaning and intent of the query are understood
- Search result summaries that provide AI-generated overviews of a search query, similar to those offered by Google.
- Conversational search, facilitated by an interactive chatbot-style search for site information.
Keep an eye out for future growth in AI personalisation, where content suggestions will be provided based on user preferences and viewing history.
Skpr platform supportWe’re also looking at how the Skpr hosting platform supports AI integration. Two areas that are already of interest are AWS Bedrock and OpenSearch.
- AWS Bedrock can be used as a Drupal AI provider to keep your data private, with Skpr providing the service endpoints and flexible customisations.
- Using OpenSearch enables semantic search through the vector database and AI model integrations via configurable plugins (or hosted with AWS Bedrock).
We plan to use and implement AI for our clients in a way that boosts productivity, enhances the user and editorial experience, while remaining open, flexible and responsibly governed.
We are already integrating AI into the digital experiences we create. We embrace its potential to enhance everyone’s capabilities and will always guide it towards the best outcomes for you, your customers and our people. Coupled with our deep knowledge, expertise and involvement in Drupal Core, our approach to AI ensures that your sites will outpace and outperform the competition.
Talk to us about how we can use AI to enhance your next website project.
Further reading- Bringing Drupal AI into your DNA - How to Learn, Use and Contribute to the Drupal AI Ecosystem - FreelyGive - YouTube
- Accelerating AI innovation in Drupal - Dries Buytaert
- Drupal AI Strategy Document - Drupal Association
- Drupal AI Academy - Training and upskilling resources to get going with Drupal AI
- Workflows of AI - A collection of various workflows with Drupal AI
Talking Drupal: Talking Drupal #509 - A WordPresser @ DrupalCon
Today we are talking about DrupalCon, Wordpress, and what a wordpress guy can learn at a Drupal Event with guest Chris Reynolds. We’ll also cover Shortcode as our module of the week.
For show notes visit: https://www.talkingDrupal.com/509
Topics- The Pros and Cons of Short Codes
- Chris Reynolds' Journey to DrupalCon
- Comparing DrupalCon and WordCamp
- Funding and Organization of WordPress Events
- The Collaborative Spirit of the Drupal Community
- Wishlist for WordPress Features
- Composer Support in WordPress and Drupal
- Backward Compatibility in WordPress
- Challenges with Composer in Drupal
- Config Management in WordPress vs. Drupal
- Responsive Image Management
- User Experience in Drupal
- Community Collaboration Between WordPress and Drupal
- A Wordpresser Goes To DrupalCon Atlanta 2025
- wpcfm
- Longhorn PHP Conference Oct 23-25 in Austin, TX
- Call for proposals through July 18
- Join #texas-camp in Drupal Slack if you’re interested in organizing a mini Texas Camp to pair with Longhorn PHP
- WP community collective
Chris Reynolds - jazzsequence.com jazzsequence
HostsNic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi JD Leonard - jdleonard
MOTW CorrespondentMartin Anderson-Clutz - mandclu.com mandclu
- Brief description:
- Have you ever wanted your Drupal site to support WordPress-style shortcodes, macros to be used within content? There’s a module for that.
- Module name/project name:
- Brief history
- How old: created in Sep 2010 by Dénes Szabó (denes.szabo) of Tag1
- Versions available: 2.0.3, which supports ^9.3 ^10 ^11
- Maintainership
- Security coverage
- Test coverage
- Number of open issues: 30 open issues, 3 of which are bugs against the current branch
- Usage stats:
- 13,260 sites (almost 70% are D7 however)
- Module features and usage
- For anyone not familiar with WordPress short codes, the documentation describes them as macros, and most often they are used for inserting elements into content such as image galleries, videos, playlists, and more. Shortcodes can also wrap content, however, and it’s possible to nest shortcodes as well.
- Drupal typically solves the problems addressed by shortcodes using custom HTML elements, as implemented in the media ecosystem, or with the Entity Embed module. I think that shortcodes may also be useful in places where Drupal might also rely on tokens, albeit with an additional module like Token Filter.
- Gutenberg includes a Shortcode block that can be used as a flexible way to add a variety of elements into a post’s content.
- I think Shortcodes are an interesting paradigm because they’re really a tool for power users. Instead of providing a UI to browse and choose elements for something like an image gallery, they allow a savvy editor to quickly write a tag that will construct a gallery using numerical ID values.
- I don’t think this is a tool that most Drupal sites will need, but it could be a really good way for experienced WordPress teams to feel more at home when starting to work with Drupal.
DevCollaborative: Protecting Nonprofit Websites from a Hostile Government
The Trump administration and its supporters are attacking dissenting views on a terrifying scale. Here are steps to protect your website from censorship.
The Drop Times: Belonging by Design
Dear Readers,
Drupal’s strength rests on more than code quality or feature sets. The project’s true resilience comes from the choices it makes about who belongs. As Pride Month closes, the maxim “what you permit, you promote” takes on new urgency. By embedding inclusion into every pull request review, event guideline and policy decision, Drupal lays the groundwork for a community where diverse voices shape its future.
Concrete steps turn that principle into reality. Fei Lauren recalls that “seeing people like me and feeling seen felt so transformative,” a shift driven by initiatives such as hidden-disability sunflower lanyards, family-friendly meet-ups and dedicated channels for neurodivergent contributors. These grassroots practices have sparked regional working groups in Latin America and Africa and transformed the Drupal Diversity and Inclusion Slack space into a hub of shared resources and real-time support.
Sustaining momentum beyond a single month requires ongoing action. Community members can audit site accessibility, propose new support channels and volunteer to host meet-ups that center diverse needs. As Fei urges, “find your people,” because every inclusive choice today becomes the culture Drupal promotes tomorrow.
INTERVIEW- “What You Permit, You Promote” - Fei Lauren on Drupal Inclusion
- GitLab Co-Create Program Decoded by Nick Veenhof
- Why Use Automated Testing Kit? - Part 1
- Want to try out the new Agentic structure inside Drupal?
- Drupal CMS Launches SaaS Site Template for B2B Expense Management
- DrupalX Now Powered by Drupal 11: Major Upgrade for Standard and Decoupled Versions
- James Williams Releases Autocreate Access: A Drupal Module for Smarter Tagging Permissions
- Promet Source Opens Registration for Live Drupal Training Courses
- Adaptive Launches AX+ Toolkit to Streamline Drupal Admin Experience
- Developer Portal of the Dutch Gov Launches Rest-Only, OpenAPI-First API Registry
- CampusDrop Enters Prototype Testing as Open-Source Backdrop CMS Platform for Higher Education
- InfoBeans Hosts Drupal Pune Meetup to Support Open Source
- DrupalCon Chicago 2026 Introduces Lower Ticket Prices, New Policies, and Stronger Community Focus
- Apply for Sponsorship at DrupalCon Vienna 2025
We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.
To get timely updates, follow us on LinkedIn, Twitter and Facebook. You can also join us on Drupal Slack at #thedroptimes.
Thank you,
Sincerely
Alka Elizabeth
Sub-editor, The DropTimes.
The Drop Times: TDT's Chinju Prakash Wins Kerala Sahitya Akademi Award for Translation
DDEV Blog: How to Downgrade Terminus in DDEV's Web Container and Customize Other Bundled Tools
This guest post is by DDEV community member and Drupal contributor Bill Seremetis and sponsored by Annertech.
DDEV comes bundled with a predefined set of tools, Pantheon's terminus being one of them. The latest releases of terminus are not compatible with older PHP versions like PHP 8.1, though, so we needed to downgrade it inside DDEV's ddev-webserver Docker image.
This guide covers how to downgrade terminus and will also explain how to use the same technique to install additional custom tools.
Please note there are many ways to install packages in a container. We will cover extra Dockerfiles here, but also check webimage_extra_packages and dbimage_extra_packages in your config.yamlfor more details).
Case study: Manually Downgrading TerminusTerminus dropped support for PHP 8.1 in recent versions, but some of our projects still use PHP 8.1. We had to downgrade the DDEV-bundled version of terminus for those projects by using a custom Dockerfile:
# .ddev/web-build/Dockerfile.terminus # Terminus 4 drops support for PHP 8.1 which we still need ARG TERMINUS_VERSION="3.6.2" RUN curl -L --fail -o /usr/local/bin/terminus https://github.com/pantheon-systems/terminus/releases/download/${TERMINUS_VERSION}/terminus.phar && chmod +x /usr/local/bin/terminusterminus is just an example here, it could be any command you wish, either because you are running an older PHP version or the bundled version has a bug that ruins things for you.
Installing custom toolsYou can obviously use the same techniques to install a variety of custom tools:
# .ddev/web-build/Dockerfile.fzf # fooscript relies on fzf # fooscript lists all your Pantheon projects using a fuzzy finder list ARG FZF_VERSION="0.62.0" RUN curl -s -L https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_amd64.tar.gz | tar xvz -C /usr/local/bin/ && chmod +x /usr/local/bin/fzf Resources- DDEV Pantheon integration documentation
- Adding extra Dockerfiles for webimage and dbimage
- Adding extra Debian packages in DDEV
- Customizing DDEV images with a custom Dockerfile
If you like DDEV then you are welcome to contribute! You can join the Discord channel, create a new DDEV Add-on, or blog about how you use DDEV in your daily workflow. We’re always happy to hear from you on any of our support channels.
Drupal Starshot blog: Marketplace Share Out #7: The MVP Proposal Is Here - What We’re Testing and How to Shape It
The Drupal Site Template Marketplace MVP proposal is now live for community review through 13 July 2025 in the Innovation Issue Queue.
After hundreds of community voices contributed through surveys, Slack, and Real-Time Collaboration sessions, this MVP reflects what we’ve heard: a trusted, flexible, and contributor-friendly ecosystem is possible—if we design it thoughtfully.
What’s in the MVP?This Minimum Valuable Product (MVP) is a structured experiment targeted for launch at DrupalCon Chicago 2026. Key features include:
- Up to 15 curated DrupalCMS Site Templates (free and paid), listed on Drupal.org
- Initial participation limited to Drupal Certified Partners (DCPs) to streamline quality and feedback (expansion beyond DCPs may occur post-MVP)
- Makers set their own prices and sell directly to users (off-platform)
- A 10% revenue share from paid template sales and upsell services is directed to the Drupal Association
- Submission fee: $395 per new listing, with a $250 annual review fee
- Baseline standards for all templates include:
- Accessibility (WCAG 2.2 AA)
- Security and licensing compliance
- Self-certified GDPR readiness (if applicable)
- Documentation, maintenance commitments, and user support expectations
- Regular feedback collection
- Discoverability features including tags, badges, and demo previews
- Templates must be built for DrupalCMS, using the Recipes schema, demo content, and XB-compatible themes
- Templates will undergo automated and manual reviews, conducted by DA Staff (or contractors), with badges and trust indicators displayed where applicable
- Governance and policy oversight by Drupal Association staff during the MVP; future transitions to community-hybrid models are planned
This isn’t just a launch—it’s a test-and-learn cycle designed to validate whether a Site Template Marketplace is desirable, feasible, and sustainable. The MVP will help us understand:
- What types of templates people adopt—and what makes them valuable
- Whether direct sales by makers are viable, and what pricing models emerge
- What kinds of support, trust signals, and governance policies matter most
- Whether the DA can sustainably operate and review templates at scale
- How to balance monetization with fairness, contributor credit, and open source values
We’ll use this data to decide whether to expand, adapt, or stop the Marketplace after a 3-6 month MVP.
Submission Fee and Revenue ModelTo help fund reviews and platform operations, the MVP includes:
- $395 USD per new site template listing
- $250 USD for annual review and revalidation
Site Template Makers:
- Set their own pricing for paid templates
- Transact directly with users (outside of Drupal.org infrastructure)
- Report anonymized data quarterly (downloads, revenue, support volumes)
- Keep 90% of revenue, while contributing 10% to the Drupal Association based on completed transactions quarterly
We’ve heard the same call again and again: make it easier to get started with Drupal—without compromising quality or community values. This MVP is a first attempt to meet that need, grounded in clear standards, shared incentives, and real-world feedback.
Let’s test it together—with care, clarity, and Drupal’s best interests at heart.
What’s Next?- Public comment period is open through 13 July 2025
- Marketplace Working Group meets 15 July 2025 to review input and finalize its recommendation
- The Drupal Association Board will vote 24 July on whether to move forward with implementation
Your voice is essential to shaping a Marketplace that works for the community. Here’s how to get involved:
- Read the full MVP proposal
- Give feedback in #drupal-cms-marketplace on Slack, anonymously through the Feedback Form or via the public issue queue
- Share this with your team or clients—especially those who create or use starter templates
Let’s build something that’s good for contributors, great for users, and unmistakably Drupal.
Drupal life hack's: Drupal 11.2 Hook Migration Guide: Modernize Your Module’s Hooks with Attributes
Drupal Starshot blog: Share Out #6: Preparing for the MVP Proposal
We’re excited to announce that a draft Drupal Site Template MVP Marketplace proposal will be released next week for public comment. This version outlines a clear Minimum Valuable Product (MVP) focused on early value, sustainability, and trust.
But first — here’s a look at what’s been shaping the direction of this proposal.
The Business Model Canvas: A SnapshotTo help align on strategy and priorities for the Site Template Marketplace, the Working Group created a Business Model Canvas—a simple tool that breaks down the core elements of how the Marketplace can deliver value and remain sustainable. The Working Group landed on an MVP model that centers:
- Primary Users: Low-code/no-code marketers and freelancer agencies
- Key Value: Trusted, flexible site templates that reduce time-to-launch and lower adoption barriers
- Revenue Stream: application and referral fees on sales and upsell opportunities to support Drupal Association infrastructure
- Cost Structure: Low-overhead pilot with both automated and staff-supported review
More than 500 people have shared their perspectives across four surveys—and others have weighed in through Slack discussions, real-time collaboration, and open conversations.
This community and end-user input has been honest, nuanced, and incredibly generous. It has revealed clear patterns, thoughtful tensions, and strong signals of where the community wants to go. So as in advance of the MVP proposal’s release, let’s reflect back what we’ve heard so far.
1. Trust Starts with Quality, Transparency, and PreviewsBoth in survey responses and in Slack, the message was the same: don’t launch unless people can trust what they’re getting.
Top trust signals:
- A live demo or preview (most consistently requested signal across all channels)
- Clear documentation of dependencies and limitations
- Visible signals of quality (badges, reviews, contributor reputation)
In Slack, people emphasized that even a great theme becomes untrustworthy if it’s hardcoded, inaccessible, or unclear about what it installs.
Show me a demo. Let me see the code. If it’s a mystery box, I won’t touch it.”
2. People Want a Marketplace That Reflects Drupal’s Open Source ValuesFrom contributors and module maintainers to end users and evaluators, we heard a common theme: this effort should feel like Drupal.
- Governance should be fair, transparent, and enforceable—not performative.
- Monetization is okay—but must support the whole ecosystem, not just those selling templates.
- Attribution matters. Contributors want to be credited, not cloned.
If someone else is profiting off my work, I need to at least be recognized.”
Slack also raised the importance of review pathways that aren’t vulnerable to sabotage or bias—suggesting a need for a mix of automation and paid staff to ensure fairness.
3. There’s Real Enthusiasm—for the Right Version of ThisEnd users want this. Freelancers want this. Agencies want this.
- 85% of end-user survey respondents said vetted templates would increase their likelihood of recommending Drupal.
- Agencies see templates as a powerful tool for demos, pre-sales, and fast-start projects.
- Contributors are eager to participate—if it’s worth their time.
- Users: Many want free or low-cost templates, especially smaller orgs and nonprofits.
- Contributors: Cite $300–$1,000 as reasonable price points for a complete, maintained, accessible, and documented product.
Slack conversations added nuance: Some contributors are fine with lower prices if the marketplace generates leads or recognition. Others say without fair compensation, they simply won’t participate.
Certification: Signal or Gate?- Users want badges that help them sort and trust.
- Contributors fear certification could slow things down or create an unfair playing field.
Slack participants suggested offering optional badges or tiers, not mandatory certification at launch. A common theme: start lightweight, evolve with real usage.
Monetization: Supportive or Distracting?There’s broad support for monetization—but only if it’s done with intention.
- Contributors want clear, fair revenue splits—and protection against cloned or stripped-down copies.
- Users don’t want to encounter bait-and-switch upsells or gated features.
- Slack conversations reinforced a desire to avoid WordPress-style chaos, emphasizing community moderation, ranking hygiene, and a meaningful DA role.
This has to feel like Drupal, not like a spammy plugin store.”
What’s Next: Your TurnThe Community public comment period will be open from 27 June 2025 through 13 July 2025. The Marketplace Working Group will meet on 15 July 2025 to review feedback and draft its final recommendation to the board for their go/no-go decision on 24 July 2025.
You will be able to share your thoughts by:
- Anonymous feedback form
- Issue queue
- In Drupal Slack in #drupal-cms-marketplace
Thank you to everyone who contributed through surveys, Slack, working sessions, and feedback. Your ideas, critiques, hopes, and flags are shaping this from the inside out. All of this feedback has resulted in a proposal that’s practical, community-aligned, and intentionally minimal.
This Marketplace effort is grounded in community—not just as a value, but as a working method. We’re exploring the Marketplace potential together — ideally, to create something not just to reduce friction for new users, but to grow a stronger, more sustainable Drupal ecosystem for all.
Stay tuned.
Drupal AI Initiative: A Coordinated Leap Forward: Introducing the Drupal AI Strategic Initiative
Filmed at the AI Summit at London Tech Week 2025, this two-minute video captures the passion and purpose behind the newly-launched Drupal AI Strategic Initiative.
Join Baddý and Jamie as they explain why this work is important and why we need the Drupal community to rally behind it.
“In order to get fast innovation in Drupal AI, we need people to work on the project—and we’re doing that by getting funding and full-time contributors from participating companies.”
— Baddý Sonja Breidert
“I’ve never seen something quite like this in the Drupal community… It’s coordinated innovation not for one company, but for the whole open source community.”
— Jamie Abrahams