Monday December 2, 2013
Hello CMS fans! Welcome to my 101st post here on
cms.about.com! For over 100 posts now, we've been exploring
the labyrinthine and surprisingly compelling world of the
humble content management system. Thanks so much for
I considered celebrating in my last post, #100, but a
critical Drupal security update
seemed both more urgent and more fitting. I talk a lot about
security and upgrades
cms.about.com, because although CMSs are a truly
amazing invention, they can totally collapse if you don't
keep them secure. (If you haven't upgraded your
Drupal sites yet, make sure you do.)
In the previous post, I'd posed the question of whether a
CMS can be "antifragile",
that is, where a CMS can actually thrive on change,
rather than tending to break in the face of the new and
Antifragile: Things That Gain From Disorder,
by Nassim Nicholas Taleb.)
Now I've just posted a
new article exploring
why a few major CMSs, like WordPress
and Drupal, are indeed antifragile--but
most of them aren't. Find out why most CMSs make poor
Read more: Choose A CMS As An "Antifragile" Major Investment
Related Articles: Can a CMS be "Antifragile"? | Drupal Security: Upgrade NOW to 6.29 or 7.24
Thursday November 21, 2013
A new Drupal security upgrade, for both
6.x and 7.x, seems a bit more urgent than usual.
Keeping your CMS secure means you'll
always have to do security upgrades, and if you're running Drupal, now is one of those times.
To keep your Drupal sites secure, upgrade now to
6.29 or 7.24. These releases fix critical security
Read the release announcement on Drupal.org
Read the full security release (SA-CORE-2013-003.
Critical Security Holes Fixed
Some security releases fix minor issues, but this
core update fixes several critical,
remotely exploitable holes, including:
Cross-site request forgery (CSRF)
Weakness in generating security related strings
Possible code execution (on poorly configured Apache servers)
Cross-site scripting (XSS)
Seriously, go upgrade your Drupal sites. All the awesome
benefits of using Drupal will evaporate if your sites aren't
Related Articles: Securing Your CMS | Follow Drupal Security Advisories With @drupalsecurity
Thursday November 14, 2013
Web sites are fragile, aren't they? They need to be
upgraded forever to stay secure, but those
upgrades can also break things. Every extra
module or plugin you install
adds another moving part that might break down the road. Sometimes
they seem more like
Rube Goldberg machines
then usable tools.
And yet, in some ways, the right CMS can be antifragile.
I've been reading (actually, listening to)
Antifragile: Things That Gain From Disorder,
by Nassim Nicholas Taleb, whom you may remember as the author of
The Black Swan. It's a writhing jumble of paradigm busters, bold assertions, and general bellicosity that will take me a long time to untangle. But among many interesting thoughts it's provoked,
I've realized that I use the "antifragile" concept all the time when building CMS websites.
Taleb sets up a spectrum: the fragile suffers from stressors,
the robust or resilient resists stressors, but the antifragile
actually benefits from stressors. Things can be fragile in some ways,
but antifragile in others.
According to Taleb, we're used to thinking in terms of robust. If I build
a new website, my default goal might be that I don't want it to break
or get compromised.
But if I use a major, open source CMS like WordPress
or Drupal, I tap into antifragility,
because these projects keep improving through their
exposure to hundreds of thousands of tinkering developers.
What do you think? Do you think the major open source CMSs
are more fragile than the closed source, pay-by-the-month
corporate alternatives? Or does their openness make them
more robust, even antifragile?
And how do the few major open source CMSs compare to the
hundreds or thousands of medium-to-tiny CMS projects that
only specialists seem to hear about?
More to come.
Related articles: Choose WordPress or Drupal for Your CMS | Choosing a CMS Should Be Easy | Too Many CMSs?
Saturday November 9, 2013
Drupal 8, the next major version of
Drupal, is "coming soon", according to the official
Drupal 8 landing page on
when will Drupal 8 actually release?
Back in September 2012, Drupal founder Dries Buytaert
predicted a release in September 2013.
And in this
you can read a charming discussion back in March and April over
whether someone should learn Drupal 7 or wait "four months for Drupal
In real life, it's now November 2013, and not only has Drupal 8 still
not come out, but
drupal.org itself didn't
upgrade to Drupal 7 until Halloween.
On the official
Drupal core release cycle
page, Drupal 8 is now at the last stage before release: "API
completion phase." The end date for this phase is currently listed as
TBD--to be determined.
Since this phase began in July, and
drupal.org is now safely on
Drupal 7, we could assume (or hope) that Drupal 8 will be out in a
But in this
recent blog post,
module maintainer Larry Garfield confidently states that Drupal 8
won't release until at least March 2014.
And if one looks carefully at the official Drupal 8 page, they
actually recommend that module maintainers wait to port to Drupal 8
"until API changes are closer to final." That sounds like it could be
Of course, you can already download and try out Drupal 8 dev right
now. Just don't build any live sites with it.
And if you have a complex Drupal 6 site,
you should probably upgrade it to Drupal 7 now.
The more modules you use, the higher the probability that one or more
will not have a Drupal 8 version until several months after the Drupal
True, you can wait, hoping that every module will be ready in time,
and you'll be able to jump directly from Drupal 6 to Drupal 8 with the
new Import API. It's a complex decision,
based on your budget, how many modules your site is using, and your
tolerance for risk.
The problem is that if you're stuck with Drupal 6 when Drupal 8 comes
out, your site will be unsupported and insecure. You'll have to drop
everything and scramble to get it onto Drupal 7 or Drupal 8. Or pay
extra for a rush job.
So although we don't know when Drupal 8 will release, we know that
it's already here. You can already find tutorials and discussions of
Drupal 8, you can already download a dev copy, and it's already
inevitable that Drupal 6 sites will have to upgrade sooner than later.
(Drupal 7 sites, on the other hand, will be safe for awhile.)
Complex Drupal 6 Site? Upgrade to Drupal 7 SOON, Before It's Too Late | When Does Support for a Major Drupal Version End?