mcdruid.co.uk: A persistent Drupal 7 exploit using a pluggable variable

A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly where a colleague had spotted a strange function call in an Application Performance Management (APM) system.

The APM traces we were looking at included a __lambda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy looking domains.

One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess.

They had also come across a GitHub gist which looked relevant – it had the PHP source code for a Ratel class which appears to be an SEO spam injection tool:

https://gist.github.com/isholgueras/b373c73fa1fba1e604124d48a7559436

This gist included encoded versions of the dodgy URLs we’d seen when trying to analyse what was slowing the site down.

However it wasn’t immediately obvious how this code was running within the infected Drupal site.

We’d grepped the file system and not found any signs of this compromise. One trick that’s sometimes useful is to search a recent database dump.

Doing so turned up a reference to the Ratel class within the cache tables, but when we took a closer look inside the cache there wasn’t much more info to go on:

$ drush ev 'print_r(cache_get("lookup_cache", "cache_bootstrap"));'
stdClass Object
(
    [cid] => lookup_cache
    [data] => Array
        (
 
[...snip...]
 
            [cRatel] => 
            [iRatel] => 
            [tRatel] => 

So this was more evidence that the malicious code had been injected into Drupal, but didn’t tell us how.

I took a closer look at the malicious source code and noticed something it was doing to try and hide from logged in users:

  if (function_exists('is_user_logged_in')) {
    if (is_user_logged_in()) {
      return FALSE;
    }
  }

Being so used to reading Drupal code, I think I’d initially thought this was a Drupal API call.

However, on closer inspection I realised it’s actually a very similarly named WordPress function.

That meant that the function almost certainly would not exist in this Drupal site, and that gave me a way to hook into the malicious code and find out more about how it had got into this site.

I temporarily added a definition for this function to the site’s settings.php within which I output some backtrace information to a static file – something like this:

function is_user_logged_in() {
  $debug = debug_backtrace();
  file_put_contents('/tmp/debug.txt', print_r($debug, TRUE), FILE_APPEND);
  return FALSE;
}

This quickly yielded some useful info – along the lines of:

$ cat debug.txt 
Array
(
    [0] => Array
        (
            [file] => /path/to/drupal/sites/default/files/a.jpg(9) : runtime-created function
            [line] => 1
            [function] => is_user_logged_in
            [args] => Array
                (
                )
 
        )
 
    [1] => Array
        (
            [file] => /path/to/drupal/sites/default/files/a.jpg
            [line] => 10
            [function] => __lambda_func
            [args] => Array
                (
                )
 
        )
 
    [2] => Array
        (
            [file] => /path/to/drupal/includes/bootstrap.inc
            [line] => 2524
            [args] => Array
                (
                    [0] => /path/to/drupal/sites/default/files/a.jpg
                )
 
            [function] => require_once
        )

Wow, so it looked like the malicious code was hiding inside a fake jpg file in the site’s files directory.

Having a look at the fake image, it did indeed contain a copy of the code we’d been looking at in the gist, albeit one that was further wrapped in obfuscation.

$ file sites/default/files/a.jpg    
sites/default/files/a.jpg: PHP script, ASCII text, with very long lines, with CRLF line terminators

The malicious Ratel code had been encoded and serialized, and the fake image file was turning that obfuscated string back into executable code and creating a dynamic function from it:

$serialized = '** LONG STRING OF OBFUSCATED CODE **';
$rawData = array_map("base64_decode", unserialize($serialized));
$rawData = implode($rawData);
$outputData = create_function(false, $rawData);
call_user_func($outputData);

That’s where the lambda function we’d been seeing had come from.

The final piece of the puzzle was how this fake image file was actually being executed during the Drupal bootstrap.

The backtrace we’d extracted gave us the answer; the require_once call on line 2524 of bootstrap.inc was this:

2523         case DRUPAL_BOOTSTRAP_SESSION:
2524           require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
2525           drupal_session_initialize();
2526           break;

So the attacker had managed to inject the path to their fake image into the session_inc Drupal variable.

This was further confirmed by the fact that the malicious code in the fake image actually included the real Drupal session code itself, so as not to interfere with Drupal’s normal operation.

require_once('includes/session.inc');

So although the Ratel class had perhaps initially been put together with WordPress in mind, the attacker had tailored the exploit very specifically to Drupal 7.

Drupal has a mechanism to disallow uploaded files from being executed as PHP but that didn’t help in this case as the code was being included from within Drupal itself.

At some point there must have been something like a Remote Code Execution or SQL Injection vulnerability on this site which allowed the attacker to inject their variable into the database.

It’s possible that was one of the notorious Drupal vulnerabilities often referred to as Drupalgeddon 1 and 2, but we don’t know for sure. We believe that the site was most likely infected while at a previous host.

This technique doesn’t represent a vulnerability in itself, as the attacker needed to be able to upload the fake image and (most importantly) inject their malicious variable into the site.

It was, however, quite an interesting technique for achieving persistence within the Drupal site.

Once we’d uncovered all of these details, cleaning up the infection was as simple as deleting the injected variable and removing the malicious fake image file.

What could the site have done to defend itself against this attack?

Well, the injection of the variable was most likely done via an exploit of an unpatched vulnerability on the site. Keeping up-to-date with patches from the Drupal Security Team is always advisable.

Other than that, something like the mimedetect module might have been able to prevent the upload of the fake image file. Note that newer versions of Drupal have this capability built-in.

A manual review of the variables in the site’s database could have caught this; there are a handful of variables that provide “pluggability” in D7 but session_inc is probably one of the most attractive from an attacker’s point of view as it’s typically invoked on most bootstraps unlike some of the others:

drupal-7.x$ grep -orh "variable_get.*.inc')" includes modules | sort | uniq
 
variable_get('lock_inc', 'includes/lock.inc')
variable_get('menu_inc', 'includes/menu.inc')
variable_get('password_inc', 'includes/password.inc')
variable_get('path_inc', 'includes/path.inc')
variable_get('session_inc', 'includes/session.inc')

A simple drush command can show whether any of these variables are set:

$ drush vget _inc
No matching variable found.
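
A triage sketch for the two artefacts described in this post, the hijacked *_inc variable and the PHP file hiding behind an image extension. This is an added example, not code from the original article or from Drupal; the function names, the tab-separated input shape and the report labels are assumptions.

```shell
#!/bin/sh
# Added example: triage for the persistence technique described in this post.
# Function names, input shape and report labels are assumptions of this sketch.

# audit_inc_variables: stdin is one "name<TAB>value" row per line from the
# Drupal 7 variable table, for example the output of
#   drush sqlq "SELECT name, value FROM variable WHERE name LIKE '%_inc'"
# (add the table prefix if the site uses one). Values are PHP-serialized,
# so a path is stored as s:<length>:"<path>";
# Prints "SUSPECT<TAB>name<TAB>value" for every pluggable include that does
# not point at its core default.
audit_inc_variables() {
  awk -F '\t' '
    BEGIN {
      # The five pluggable includes found by the grep in the article.
      def["lock_inc"]     = "includes/lock.inc"
      def["menu_inc"]     = "includes/menu.inc"
      def["password_inc"] = "includes/password.inc"
      def["path_inc"]     = "includes/path.inc"
      def["session_inc"]  = "includes/session.inc"
    }
    ($1 in def) {
      val = $2
      if (match(val, /^s:[0-9]+:"/)) {   # unwrap a serialized string
        val = substr(val, RLENGTH + 1)
        sub(/";$/, "", val)
      }
      if (val != def[$1]) printf "SUSPECT\t%s\t%s\n", $1, val
    }'
}

# find_fake_images DIR: list files with an image extension that either do not
# start with JPEG/PNG/GIF magic bytes or contain a PHP open tag.
# Prints "reasons<TAB>path". File names containing newlines are not handled.
find_fake_images() {
  find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                       -o -iname '*.png' -o -iname '*.gif' \) |
  while IFS= read -r f; do
    reason=""
    # First four bytes as lowercase hex, e.g. ffd8ffe0 for a JPEG.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
      ffd8ff*|89504e47|47494638) ;;      # JPEG, PNG, GIF
      *) reason="bad-magic" ;;
    esac
    # -a: treat binary as text; -F: match the tag literally.
    if LC_ALL=C grep -a -q -F '<?php' "$f"; then
      reason="${reason:+$reason,}php-tag"
    fi
    if [ -n "$reason" ]; then
      printf '%s\t%s\n' "$reason" "$f"
    fi
  done
}

# Typical use from the Drupal root:
#   drush sqlq "SELECT name, value FROM variable WHERE name LIKE '%_inc'" | audit_inc_variables
#   find_fake_images sites/default/files
```

A legitimate image that happens to carry the text `<?php` in its metadata is also reported under php-tag, so treat hits as leads to inspect rather than verdicts.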

Once we knew what had happened to the site we found a couple of references online to similar exploits:



Sooper Drupal Themes: What is Drupal used for?

What is Drupal used for?
As the world goes digital, marketers and entrepreneurs are searching for ways to increase their online presence.  One of the best ways to go about this is having a website that stands out from the crowd.  After all, it is the first thing that visitors notice about your brand before doing business with you. 

Even though you can never run out of options whenever you want to build and maintain websites, not many outdo Drupal.  Open-source software made available under the GNU Public License, Drupal will come in handy when looking forward to building and maintaining your website globally.

There is a huge chance you have used Drupal before without your knowledge. That is because many top businesses, Fortune 500 companies, nonprofits, and government organizations leverage Drupal.  But before you join the bandwagon and give it a try, it is in your best interest that you know what Drupal is and why you should give it a try. 

Fortunately, that is what this guide will help you unearth today. Continue reading to find out more about Drupal and why you should consider giving it a try!

What is Drupal?

First things first, what is Drupal?  This is one of the questions you need to ask yourself to understand the system and unleash its potential.  In a nutshell, Drupal is a free and Open Source Content Management System (CMS) that allows users to create and manage content over one or multiple websites. 

Being open-source software, anyone can download Drupal, work on it, and share it with others hassle-free.  Furthermore, it boasts numerous inherent benefits, including accountability, security, and flexibility. No wonder it is among the most popular CMS’ currently available at your disposal.

You might wonder what makes Drupal way more superior compared to other content management systems out there.  In a nutshell, many users find Drupal easy to use when creating a more customized website, unlike other free CMS systems like WordPress.  Better, Drupal tends to be versatile, giving you the freedom you need to build and maintain your website.

What makes Drupal worth leveraging as opposed to other CMS’ is that almost anyone can contribute to the site with no HTML experience. Things are not any different for editors, writers, and website administrators without any coding experience.  That is possible thanks to the What You See is What You Get (WYSIWYG) feature that enables writing, editing, and adding content without the hassle. 

Why Drupal Shines as CMS

Now that you know what it entails, you need to understand what is Drupal used for and what makes it shine as a CMS.  With Drupal, you no longer have to go through a lot to create and publish your content. That’s because it allows users the chance of pulling this off without the hassle. 

But how is this even possible in the first place?  The CMS platform is popular for accommodating unlimited content types.  Some of the most popular ones include media and text available in highly customizable forms.  To ensure users have a remarkable digital experience, Drupal retrieves, filters, and presents the content in powerful, but simple-to-use tools. 

Furthermore, Drupal contains intuitive content creation tools and powerful in-place editing tools that ensure you get things done without the hassle. To give you the tip of the iceberg, Drupal is full of features and highly customizable, unlike other CMS systems out there.  Either way, you should be aware of what is Drupal used for before you finally give it a try.  

Top Advantages of Drupal over Other Content Management Systems


Before we dive deeper into what does Drupal do, it is essential that you know about the advantages it boasts over other Content Management Systems. After all, this is the only way you stand a good chance of reaping maximum benefits from the system.  With that in mind, below are some of the most notable benefits Drupal brings to your business or organization.

Flexible Integration  

One of the biggest selling points of Drupal is the ability to help users create and manage a host of content types.  Some of the most popular content types include statistics, podcasts, blogs, videos, and many more. For this reason, you will have an easy ride when looking forward to creating content-rich websites for different markets such as commerce and media. 

Security 

CMS security is something that you can’t risk skimping at any given time. Drupal does not disappoint in this regard as it offers unshakable security to all users.  To guarantee maximum user satisfaction, Drupal is highly secure and provides regular patches.  That explains why it works wonders for enterprise clients.

However, you need to implement and maintain it properly to serve you as the most secure CMS. The good news is that Drupal happens to have the best security team you can count on, not forgetting advanced hosting providers.  For this reason, it is common to come across large organizations that leverage Drupal as the main CMS for powering their web applications or websites. 

Scalability 

Scalability is undeniably one of the tremendous strengths of Drupal over other Content Management Systems out there. As long as you have an idea of what does Drupal do, you will have an easy time growing the number of your web pages without the need to change anything.  Better, it serves you perfectly whenever you want to alternate between periods of high traffic spikes. 

Current Version Features

Drupal 9 provides a host of features that make it way easier to use than was the case with its predecessors.  For instance, users can now take advantage of the new field locations and new fields.  If this is not enough, it relies on the CKeditor to make posting content similar to editing a document on Word.  Other popular features that will make you fall in love with Drupal 9 include the Quick Edit feature, helpful Tour button, and additional four key modules. 

Ways Marketers Can Leverage Drupal

Drupal 9 has undeniably turned into a marketer’s dream thanks to the new features and core enhancements it offers. And this doesn’t come as a surprise as it allows marketers the chance of personalizing content based on their target audience, device type, and language.  Keep in mind content is king when looking forward to improving SEO, driving organic traffic to your website, and creating leads.

If you have done your homework on what is Drupal used for, you probably know that it draws on the innovations of thousands of marketers, designers, and developers.  With that in mind, below are some of the ways marketers can leverage Drupal to their advantage.

Mobile Responsiveness  

The responsiveness of your website or web applications on mobile devices speaks volumes on whether or not you’ll attain your digital marketing goals.  Not only does it impact Google rankings, but it also helps drive immense traffic to your website. That does not come as a surprise since more and more people now use smartphones for almost everything in their personal lives. 

Fortunately, this is something that won’t give you sleepless nights since Drupal takes mobile seriously.  You might be wondering what does Drupal do when it comes to mobile responsiveness?  In a nutshell, Drupal comes with built-in themes that are mobile responsive together with web services built into the core. Thanks to these new features, users can access content from any device of choice. 

Creative Freedom 

Business competition will always exist regardless of the industry you choose.  To win over a huge share of the market and drive business growth, you must make an effort to stand out from the crowd.  And this not only implies how you do business, but it also refers to the way you run your marketing campaigns.

With Drupal, you won’t worry about giving your competition a run for their money.  That is because it seamlessly incorporates the existing marketing and sales technologies of your venture.  That’s possible since the cutting-edge Drupal modules give your marketing team creative freedom to handle tasks at their desired pace and convenience. 

As long as you have a good understanding of Drupal’s architecture, you can launch your website with ease when compared to other CMS’ out there.  That’s what your marketing team needs to lay the foundation of a strong digital marketing strategy. Before you know it, your business is a force to be reckoned with in the industry.

Makes Your Website Faster 

The vast majority of businesses lose visitors to their website due to speed. Keep in mind many web users expect your website to load in 2 seconds. If your website takes longer than this to load, rest assured you will lose conversions from visitors to your website. In short, faster pages make money for your business.

That’s where Drupal proves beneficial to marketers as it makes websites faster. Of course, this is without the need to bring in a lot of technical expertise.  If you only know what is Drupal but have no idea about its working mechanism, then it might prove difficult to understand this. 

To help clear some of the doubts in your mind, Drupal makes use of Cache Tags to make caching way more efficient. Furthermore, it allows for context-based caching thanks to its Cache Content API feature.  For this reason, your website will load faster while making sure visitors only make do with the latest version of your site. 

Cost of Drupal

Now that you know what does Drupal do and the numerous benefits it will bring to your organization, it is time to give it a try.  But before you make the switch, it is also essential that you find out the average cost of the structure. After all, you don’t want to take a toll on your business finances just because you want to use Drupal.

The good news is that you don’t have to break the bank to take advantage of Drupal. Either way, it depends on the type and size of the business you’re running.  For large enterprise sites, you will have to spend way more when compared to medium-sized websites.  Remember, the average cost structure of a Drupal build includes strategy, design, and implementation.

The Bottom Line 

There you have it; some of the things that touch on what is Drupal used for.  Keep in mind there is more to Drupal than meets the eye. That’s why you should never make the mistake of creating a Drupal website without having the slightest idea of what it entails. Most business leaders and marketers who do that end up regretting their decision in the long run. 

But what if you’re struggling to build pages on your Drupal Site? In this case, there is nothing to worry about since you’re not alone. Most marketers have no idea on whether to wait for a developer to help them out or try to build with Drupal single-handedly. Luckily, you don’t have to assign that webpage to a busy designer since some service providers allow users to unleash their creativity instantly.

Before you build whatever you want, ensure you know what Drupal is and how it can help change your company or organization for the better. That way, you can build sites faster and easier without leaving any room for mistakes. So, what are you waiting for before you finally leverage Drupal?
 



Drupal Association blog: Meet one of our 2021 Discover Drupal Students, Devon Ek

Throughout our pilot Discover Drupal program year, we introduce our students to the Drupal community; this month, we welcome Devon Ek!

Devon was referred to the program by Genesys Works and is entirely new to Drupal. He currently lives in the Twin Cities, in Minnesota.

Tell us a little about you.  What are your hobbies and interests?

My hobbies are shooting videos and taking photographs in my free time. I also am into building PCs and mechanical keyboards.

What is your ultimate goal in learning Drupal?

My ultimate goal in learning Drupal is to develop a knowledge base of its front-end and back-end side and build useful web experiences.

What are you most excited about regarding this program?

I am most excited to connect with my peers and mentors along with working on projects. I’m hoping to eventually land a job in Drupal back-end development. I aspire to become a web developer someday and also give back to the community and empower others to explore their journey into technology as well. I want to help create digital experiences that are relevant and reflective of people who come from underrepresented backgrounds. Being accepted into Discover Drupal would greatly help me explore my interest in web technologies and connect me to a community of people who also come from underrepresented groups.

If you see Devon online in Drupal Slack or at any upcoming Drupal events, please give him a warm welcome.  His Slack user name is Devon Ek.

Our Discover Drupal sponsors will have access to directly recruit the students for internships or other employment near the completion of the program.

Thank you to our Partners and Volunteers
We are grateful to AmyJune Hineline and Mike Herchel, who have led our team of mentors and provided valuable insight into improving the program. Thank you.

We want to thank our founding partner, Kanopi Studios, and especially Allison Manley for her continued hard work and dedication to the program.  We also want to thank our platinum sponsors: Lullabot and Elevated Third, for the financial support that has been instrumental in launching this program.  Finally, thank you to our excellent training partners, Drupal Easy, Evolving Web, Mediacurrent, and Drupalize.me .

If you’d like more information about the program or would like to become a supporting donor, please reach out to us at drupaltalent@association.drupal.org.



Evolving Web: What I Learned at Acquia Engage 2021

Earlier this week, I attended the 8th edition of Acquia Engage, a two-day event full of learnings and connection opportunities by Acquia, one of the largest contributors to the Drupal open source. We at Evolving Web are proud to be Acquia Silver Partners, allowing us to support our clients with Acquia’s enterprise cloud and marketing solutions, which complement Drupal’s open source content management tools.

This was my first time at Acquia Engage. It gave me excellent insights into how organizations are leveraging Drupal to drive digital transformation, be more relevant to their audiences, and generate impact in their communities. It was truly exciting to see so many success stories, so here I’ll share my main takeaways from the event. Let’s get to it!

Drupal-based Business Solutions

Drupal is a powerful tool for businesses—and at Acquia Engage, I got to hear from end-users who pointed out how they’re driving innovation and efficiency in their organizations with Drupal. Those case studies involved more than 40 clients from many industries and sectors, such as house financing (Fannie Mae), food (King Arthur Baking Company), healthcare (WSIB), higher education (Penn State University, EAB), publicly funded media (PBS), and more.

 

King Arthur Baking Company’s CMO Bill Tine tells Acquia’s Lynne Capozzi what’s cooking with digital transformation.

Many of the case studies had a marketing focus:

  • PennState University is using headless Drupal and Gatsby to scale news delivery to partner websites and readers within the university community.
  • Fannie Mae implemented the Acquia platform to create content that is easier to find and share by audiences looking for house financing.
  • EAB (a US-based company that provides operational support to educational institutions) used Acquia’s Drupal-based tools to centralize their marketing resources and streamline content publishing processes for their distributed teams.

Others were about digital transformation and using Acquia’s platform to create richer experiences for users. Like King Arthur Baking, which went through a Drupal-powered journey from conventional food industry players to high-value content creators. In the end, they all were clear evidence that you can leverage Drupal as a complete digital experience platform (DXP) and not just as a flexible CMS—as we’ll be discussing in an upcoming webinar in November.

One thing I found interesting was the emphasis on low-code and no-code digital platforms, such as Acquia’s Site Studio or Drupal’s Layout Builder and Paragraphs modules. These solutions are uniquely tailored for marketers, editors, and business leaders who want to save time and focus on “real work,” not worrying about technicalities.

Take SoCalGas, for example, the main provider of natural gas to Southern California. Their case study showed how their internal content team previously lacked the flexibility to publish and update content, needing constant technical support due to their unsupported legacy systems. By adopting Drupal 9, they incorporated a low-code approach to their content delivery workflows, helping them become a more customer-centric utility provider.

Human Connections, Moving Stories

Acquia Engage 2021 was not only about business, though. It was also about doing good through technology and awakening a sense of purpose. One example was Mick Eberling’s eye-opening note about his work at Not Impossible Labs. Mick and his organization are committed to tackling issues such as food insecurity and accessible healthcare by taking direct action. In the cases he presented, technology was a powerful means for change, like setting up a 3-D printing prosthetic lab based in Sudan.

Not Impossible Labs’s Mick Eberling gave one of the event’s best keynotes.

Mick’s talk made me think about how our work in the digital industry has the power to make people’s lives better, for real. Like Evolving Web‘s recent work with Looking Forward, a mobile-first, bilingual website that provides information for patients recovering from all types of cancer, actively helping them rebuild their lives after completing their treatment.

I also saw some compelling talks about diversity at Acquia Engage. This is one of Evolving Web’s values and crucial in making the Drupal community more plural and innovative.

The Women in Martech panel, for example, mediated by Acquia’s CMO Lynne Capozzi, was an engaging talk about women’s roles in the digital industry. The panellists—Maria Greene, Senior Web Developer at Insulet Corporation, Barbara Von Euw, Director, Business Process – Consumer Data & Insights at PVH, and Hannah Smith, Senior Manager, Global CRM Solutions at MCM—discussed issues like gender equality, career options vs. parenting, and self-esteem, sharing some inspiring success stories and insights.

“Don’t compromise what you want because of expectations. One of the things that being a feminist is about is choosing your own path regardless of what society wants to push you towards.”
— Maria Greene, Senior Web Developer at Insulet Corporation

Acquia Engage’s Women in Martech panel brought relevant perspectives about gender equality in tech.

Watching this panel, it was clear to me that, while many women still have to hurdle the barriers of traditional gender roles, especially in a historically male-dominated industry such as ours, success is up for grabs for women in tech, as long as we promote inclusion. That’s why we at Evolving Web firmly believe that initiatives such as Drupal Diversity & Inclusion (DDI)—a team of Drupalists that provides a safe space to discuss and share resources about diversity, supporting people who feel underrepresented in the tech industry.

An Event Not to Be Missed

For a first-time attendee like myself, Acquia Engage 2021 was a display of innovation, inspiration, and human connection. It’s clear that Acquia not only offers secure, fully supported Drupal-based solutions, but they also know how to put up a fantastic event.

I can’t wait for the next Acquia Engage. See you next year, partners!

 




Specbee: Top 11 Tips and Tricks to Optimize Content for People and Search Engines

Suganthi
03 Nov, 2021

As you know, content is one of the most important ranking factors of your website, but it’s the unique and well optimized content that ranks higher on Search Engine Results Pages (SERPs). We’ll get into optimizing, but we’d be skipping a step if we didn’t note that before you get started writing and optimizing your content, the first thing to do is to identify the purpose of it. Some examples might be to gain more backlinks, rank in SERPs, educate your users, drive social engagement or generate leads. Once you’ve identified your purpose, you can move on to content optimization which is, luckily, one of the easiest ways to improve your SEO ranking. In this article, you will learn about our top 11 tips and tricks on writing optimized content for your audience and search engines. 
Content Optimization 

1. Target Keywords Steal the Spotlight

  • Keyword Research 
  • Determine the keywords related to your content
  • Understand about supporting content
  • Target content to specific keywords

When you plan on writing an article or piece of content, the first thing to do is thorough keyword research. Keyword research will help you determine the set of keywords being searched about your topic. Once you find the keywords you’ll be targeting, you will have to define what kind of content you are going to write. Is it pillar content (content you will use to establish authority) or supporting copy based on other content? With the content type decided, you can map the keywords. 

For keyword research there are multiple tools available online like Google Keyword planner, Moz keyword explorer, etc. If you target your content to a specific keyword from the start it will help your rank. Use those tools for keyword research and decide what works as supporting content and what could work as main cornerstone content.

2. Keywords for your Key Tags

  • Use target keywords
  • Main keyword at the start of the title
  • Description – Main keyword and informative

Your key tags are the Title and the Meta description tags. They’re one of the best places to target your keyword. Add your targeted keyword in the first half of the title. In the second half of the title you can use different variants to increase the click through rate.

The meta description is an important element for a well optimized page. Your meta description can help increase the click through rate by making it clear to the visitor what your content is about. You’ll also want to make sure to include your target keyword in the description. It’s a tricky balance, but it should be written in a way that encourages users to click on your page as well as drive the user’s intent with a call to action. Remember to keep the meta description under 160 characters and title tag under 60 characters to avoid truncation.

3. Writing Friendly URLs

  • Search engine friendly and Understandable URL structure
  • Avoid complex & confusing structure
  • Use short & keyword optimized URL

URLs should be understandable for humans as well as for search engines. Use clean, search engine friendly URL structure with the target keyword(s) included in the URL. The URL must be short and, just by glancing at the URL, your visitors and search engines should understand what your content is about. Try to use 3 to 5 words in the URL. If it’s longer than that, you likely won’t get much credit with Google’s algorithm.

4. The Importance of Header Tags & Content

  • Title in H1 tag
  • Subheadings in H2, H3,…..H6
  • Use target keyword in the first paragraph
  • Use bullet points

In most Content Management Systems (CMS) like Drupal, WordPress, etc. H1 tags are used as the main title of the page. To write a good optimized title, use the target keyword in a title that describes your content in a way that encourages users to read it.

Now that you have used the H1 tag for your title, use the H2 tag for subheadings and H3 to H6 tags for other subheadings.

It is extremely important to use the main target keywords within the content and it’s good practice to have it in the first paragraph. Here’s the hardest part – placing your target keywords naturally within the content flow. Never force it by writing hard-to-read content for the sake of including the keyword. One thing to consider is using bullet points to make important things readable and understandable for the visitor.

5. Use Optimized Visual Content

  • Make content easier to read – Use Infographics
  • Use optimized images
  • Embed videos from YouTube, Vimeo and other video streaming platforms.

It probably goes without saying that images and videos are a great way to make your content consumable. Visual content also engages the audience and helps increase the visit time. Specifically, infographic images or videos in your content will have the biggest impact.

The downside to this is that visual content can make your website heavy. Try to compress the images before uploading and give proper and relevant alternate text for the images and videos. Embedding videos from YouTube, Vimeo or any other streaming platforms instead of uploading video to your server will help reduce page load time. A well optimized video and image will help improve the site performance and load the page faster.

6. Link It

  • Link to relevant source
  • Link to anything that adds value to the user
  • Use keywords in the anchor text

Internal linking is one of the most important factors in creating content. Internal links will help users and search engines navigate to relevant subtopics. In most cases, you’ll want to use relevant target keywords in the anchor text to interlink the pages within your site.

That said, don’t be afraid of linking to external sources. You should link to any external sources that provide value to your content. For example, if you are using a statistic, it is always a good idea to link back to the source. In fact, linking external sources will help search engines to understand the relevancy of your content and thus boost your SEO ranking.

7. Responsive Designs

Since Google has moved to mobile first indexing, it’s critical that your content is responsive on mobile devices. If your site is already responsive or has a mobile version then make sure to test out how your content is getting displayed across mobile devices. In most cases it’s more important for your content to look correct there than on a desktop.

8. Accelerated Page Speed

As you may already know, page speed is one of the important ranking factors for mobile search. To put it simply, your page needs to load fast. Keep in mind that images and videos play a major role in page speed, so try to optimize all your visual content on the page.

You can use GTmetrix and Google’s page speed insight tools to check your page speed. They also give suggestions for improvement.

9. Content Quality or Quantity?

  • Enough depth to properly cover the topic
  • Unique & educational content
  • Conclusion/Final thoughts

When it comes to how many words your content should contain there’s no right or wrong answer. The reality is you shouldn’t worry about the length of the content. Just try to cover your topic in depth and always focus on quality rather than quantity. 

Hopefully it doesn’t need to be said, but publish unique content that educates your users and serves the user’s intent for visiting. At the end of your writing, add a conclusion or final thoughts which helps support that the content is structured properly.

10. Make them Click

Though it is not considered a ranking factor, it’s important to have a call to action in the content. For example, if your goal is to get visitors to want to know more about you or to work with your organization, the ability for them to do so should be extremely obvious and easy. You can provide a contact form, email id, phone number or a subscribe form near the top or wherever is easily viewable in the page. Even if you’re doing well on your SEO, a poor call to action can waste all that good traffic.

11. Socially Shareable

Adding social share buttons in the content will give your users the option to directly share the content with their social network. Most of the CMSes like Drupal provide an option to have social share buttons once you publish the content. If not, you can get it added to your website. A couple things you’ll need to make sure to include are optimized social meta tags with OpenGraph and Twitter card tags. Always test that the correct image and descriptions are shown in social media while sharing the content.

 



Gábor Hojtsy: Drupal 8 is end of life today: the compendium

It is hard to believe that almost 6 years passed since Drupal 8.0.0’s release on November 19th 2015. What feels like it was just yesterday, Drupal 8 brought lots of amazing new things to the platform. Near and dear to my heart was full multilingual support that I worked on with over 1600 people for several years. Also stars of the Drupal 8 show were the vastly improved configuration management system, Views in core, built-in web service support, more semantic markup, in-place editing, PHPUnit integration, better caching, improved accessibility, even aural announcements for page changes, and so on and on. Drupal 8 embraced collaboration within the PHP ecosystem and beyond with our use of Symfony, Twig, Guzzle and gradually embraced application of Composer.

But I think even more profound was the change of innovation models, where Drupal 8 started to allow feature additions in a backwards compatible manner and thus the inclusion of amazing new features like Layout Builder, Media Library, BigPipe, Settings Tray, Content Moderation, Inline form errors, JSON:API and even the Umami demo all after Drupal 8.0.0 shipped. Some of these were developed in stages thanks to the possibility to include experimental projects in core as well. This allowed us to make Drupal 8 itself much better without needing to do a new major version. In fact the major version bump turned out to be a technicality where being on Drupal 8.9 or 9.0 was not giving you shiny benefits anymore, other than keeping you on the train of innovation.

So today Drupal 8’s life ends as innovation continues on the Drupal 9 train.

In the past 8 days I did a countdown post series to give short tips for dealing with this end of life. I suggest you look back if you did not read them yet:

  1. Adoption drive to get projects new maintainers that did not yet update to Drupal 9. If you can adopt a project or two, that would be greatly appreciated!
  2. Use composer to at least check for Drupal 9 compatibility, ideally convert your site to it. If you did not try composer recently, version 2 is leaps and bounds ahead of version 1 and it’s worth a try!
  3. For modules that are not compatible you still need to use workarounds. The recently introduced lenient composer endpoint provides the most consistent solution for all projects.
  4. For your own code and your drupal.org projects, automated code fixes are the way to go towards Drupal 9. No need to find and fix problems manually when you can automate most of it.
  5. If you need to use an older MySQL/Percona/MariaDB database, there is a way. This should make it easier to adopt Drupal 9 if you were holding off updating your database backend.
  6. If you are on Drupal 8.8 or before, you are already on end of life software. The key to a fast Drupal 8 to 9 upgrade is to keep your Drupal 8 site up to date.
  7. How soon do you need to do this update again? Drupal 9 end of life is in 2023. And Drupal 10 end of life will depend on its components’ end of lives as well.
  8. So you are still on Drupal 8, what happens now? Nothing will break immediately, but it’s best to keep moving forward on your upgrade plans.

I hope this series of tips was useful to read. It was certainly an eventful 8 days to write and post them. See you on Drupal 9!



Gábor Hojtsy: One day to go until Drupal 8 EOL: what if you stay on Drupal 8?

With one day to go until Drupal 8’s end of life (on November 2, 2021), now is a good time to take stock of your Drupal 8 sites’ modules. Use Upgrade Status to check for environment and module compatibility with Drupal 9.

Given that there is only one day left, you will highly likely not be on Drupal 9 tomorrow. So what happens to your Drupal 8 site once the core software is end of life? As I wrote two days ago, unless you are on Drupal 8.9.x you are already running on end of life software. As prior versions of Drupal 8 don’t stop running, Drupal 8.9.x will also not stop running tomorrow. There is no expiring license key that will stop the site from functioning. There will not be a banner at the bottom of the page that the site is insecure. In fact the site will not even be insecure immediately. However, there will not be security fixes to Drupal 8 anymore. So the next time a fix comes out for Drupal 9 that may be applicable to Drupal 8, that fix will not be made anymore to Drupal 8. Depending on the nature of that security problem, your site may be in no trouble or big trouble, but the distinction will be left to you to decide.

Using Upgrade Status and Drupal Rector automated code fixes, the upgrade from Drupal 8 to 9 is still the easiest in the last decade (assuming you are already on Drupal 8.9), so I would highly suggest to plan to do the upgrade soon and don’t risk staying on Drupal 8 for too long.

There are also various changes to drupal.org projects and issues. These will likely not happen immediately tomorrow, but will be done soon. For contributed project maintainers on Drupal.org, releases that are only compatible with Drupal 8 will be marked unsupported as well, much like the same process that happened to Drupal 6 last time. Testing setups that are against Drupal 8 will be removed. Issues submitted against Drupal 8 will automatically be moved to Drupal 9.2.x (where bugfixes are still possible). If they are not applicable to Drupal 9 anymore, the issues will later be closed by people.



Gábor Hojtsy: Four days to go until Drupal 8 EOL: use Drupal 9 on older MySQL/Percona/MariaDB versions

With four days to go until Drupal 8’s end of life (on November 2, 2021), now is a good time to take stock of your Drupal 8 sites’ modules. Use Upgrade Status to check for environment and module compatibility with Drupal 9.

One of the benefits of using Upgrade Status is it will tell you about environment compatibility alongside extension compatibility. It will note if your PHP or Apache or database versions are out of date. Of particular note are Drupal 9’s MySQL/Percona and MariaDB version requirements. The MySQL/Percona/MariaDB driver that’s included in Drupal 9 core requires MySQL/Percona 5.7+ or MariaDB 10.3.7+. The intention with raising the bar from Drupal 8’s requirement of MySQL/Percona 5.6 and MariaDB 10.0 was to utilise some of the newer features in these database versions. There was also the risk of a dependency starting to require the new versions, given the end of life nature of the older database versions at this point. Neither happened yet but we did not know that ahead of time of course.

MySQL 5.6 and MariaDB 10.0 database driver for Drupal 9 to the rescue! If you are on a long term supported operating system and receive security coverage for your database, you might not need to update to MySQL/Percona 5.7 or MariaDB 10.3 immediately after all. Only a few contributed projects utilise the new capabilities, for example the JSON/JSONB field module. If you are certain that none of your modules require the newer versions, keep in mind that core itself can actually run fine with older database versions still. Follow the instructions on the project page to install this driver for Drupal 9. I would still suggest you plan an upgrade of your database, but now it can be decoupled from your Drupal major upgrade.

Looking ahead, some of the Drupal 10 platform requirements are already defined, and MySQL/Percona/MariaDB requirements will not be raised further from Drupal 9’s minimum versions. However there are no guarantees that the new features will not be actually utilised then.



Drupal Association blog: Drupal Business Survey 2021: Drupal business is flourishing

Posted on behalf of One Shoe and Exove

What are the thoughts of Drupal Business leaders about 2021? For the sixth consecutive time, Drupal agencies One Shoe and Exove, together with the Drupal Association, took a deep dive into how Drupal business leaders experience the current state of Drupal business. We are still living in a time where there is constant change in our society. Year two of the pandemic has seen significant and most likely long-term growth in Drupal business for the second year in a row. Now it is time to look forward in order to see what we can do to keep this growth going for years to come.

Characteristics of the participants

77 people participated in this year’s edition of the Drupal Business Survey. 61,1% of the participants have a CEO/CTO/COO role in their company and 20,8% of the respondents are founders.

A majority of the Drupal-centric businesses that participated in the survey have relevant business in Europe (61,1%) and North America (57,2%). The rest are (also) operational in:

  • South America (6,5%)
  • Australia (6,5%)
  • Asia (5,2%)
  • Africa (2,6%)
  • The Middle East (3,9%)


A big part of this year’s respondents run a digital agency (42,9%), followed by consulting agencies (19,5%) and software companies (18,2%) respectively.

Looking at the chart below, it is clear that small and mid-sized companies are well represented in this year’s survey. While the Drupal Business Survey does see quite a growth in the number of companies having 51-100 employees compared to last year, we also see a significant dip in the number of companies that have 101-500 employees this year. The reason for this change is hard to pinpoint and could very well be a coincidence in the composition of participants. Since Drupal business is doing very well in 2021, lay-offs are highly unlikely and not mentioned amongst the respondents in the survey.

Growth is continuing during and most likely after the pandemic

As the title of this article and last year’s survey showed, Drupal business is doing very well during the pandemic. Based on The Drupal Business Survey, we are happy to note that this year is no different in that regard. When asked what has been the biggest success during the last 12 months, 36% of participants said that their business grew. One respondent says in the survey: “We have landed some large stable accounts across a wide spectrum of verticals giving us stability” and “We eclipsed our targeted growth”, suggesting that this growth is bigger than usual and also looks like it is not a short-term ordeal.

Quite interesting is the positive change in pipeline development as seen in the graphic below:

This major increase in business and deal size is possibly happening because of the way clients have been forced into the digital space more in the past two years. As one participant states: “Digitalization is speeding up, and the demand for services like ours is increasing”. By looking at the numbers, this may certainly be the case. This is also reflected in the participants’ expectations for the next 12 months.

Compared to last year’s survey, the outlook on the pipeline expectation is a lot more positive.

How to sustain growth in a post-pandemic landscape

The current situation of Drupal business is very strong. But with restrictions being lifted in most countries, things could change once more. How do we make sure to sustain the growth that we achieved in the past 12 months?

1. Pricing

To sustain growth, good margins on Drupal-related services are needed. That is why in the coming period, Drupal agencies need to upsell their services and Drupal itself. It is clear that for a lot of organizations, the need for digitization took a big leap in priority. This means that there are plenty of projects waiting to be picked up. It is essential that we are engaging in projects where Drupal has a good fit for customer needs in order to price projects with healthy margins.

2. Salaries

Growing your business means expanding your workforce. As you will read in this article, and as you probably experienced first hand this year, Drupal talent is scarce. If you want to attract ample talent to take on the increased workload, you need to offer competitive salaries. Stagnating your growth in your workforce will lead to an overload of work and a halt in growth.

3. Being able to handle too much work

If you however still find yourself in a situation where you can no longer deal with the amount of work, don’t hesitate to act accordingly. You can easily decrease the amount of work without your revenue stream taking a hit by raising the prices of your Drupal services. This will of course attract fewer clients, but the clients that will request your services will pay more.

Most popular Drupal industries

Drupal business is thriving in 2021. But what industries are the most lucrative for the Drupal companies? Each year the Drupal Business Survey asks participants in which industries their company operates. This is the top 10 of 2021:

The most popular industry for Drupal projects is the Charities and Non-profit sector with 68,8% of the Drupal companies having clients from this sector. This is a big change from last year, where the Charities and Non-profit sector was served by only 55.4% of the respondents.

The runners-up are Education (59,7%) and Healthcare and Medicine (51,9%) finishing our top three.

While serving the Charities and Non-profit sector is a noble effort, it should be noted that this sector focuses heavily on reducing operating costs to ensure most of the money flows to the charitable or non-profit cause. Drupal can, of course, help them to reduce costs in other areas of their operations – but at the end of the day Drupal agency costs will also be on the line.

The Education sector and Government & Public Administration – fourth most popular – are known for investing heavily in digitalization, especially now due to the pandemic and public subsidies given to digital transformation. Prices in these sectors are typically lower than in private sectors. This is however balanced with long contracts, a steady flow of work, and certainty that the invoices are paid.

Besides the top industry being different from last year’s edition, we do see a significant drop in the Media sector. This is a trend that requires attention because this is an industry that is usually good for some interesting contracts.

Promising industries

This year, the Drupal Business Survey also asked participants what industries they think are the most promising moving forward. This is what they had to say:

The answers to this question are in line with the current most popular industries except for one major difference. The current number one, Non-Profit, only scores 5% of the answers here. This might be due to the high number of companies already working on it, or low-profit expectations. Another curious thing is that most people (19%) do not see any particular industry standing out. People elaborate with: “I think this is more a question of the size of projects not of their industry.” and “Drupal is pretty ubiquitous these days.” It is true that Drupal can be used in all industries, as all of them require communication platforms, and in smaller markets companies cannot be industry-specific. Going forward, industry focus is relevant to keep Drupal on the growth trajectory, as the harder to penetrate industries require attentive work within the industry to gain an understanding of the business and references to win new clients.

Lack of Drupal talent is an ongoing struggle

Like we mentioned above, the lack of Drupal talent is still one of the biggest challenges the Drupal business community is facing. When asked what the biggest challenges have been in the past 12 months, 27% claimed that recruiting has been their main concern. “We’ve been on a growth path so it feels like we’re forever recruiting” clearly states the case at hand and what this lack of talent means for the growth of Drupal businesses.

Hardships in finding and hiring Drupal talent have been an ongoing theme in the past Drupal Business Surveys. The last 12 months have also shown us a new challenge in recruitment: employee churn.

Employee churn fueled by the pandemic

As one participant states: “Several long-term staff members have been enticed by other job offers. This appears to be a global issue of staff re-assessing their personal priorities.” and “It’s getting harder and harder to find and retain talent”. Looking at these answers, it seems that the pandemic has triggered people to rethink their situations and values, and take actions. For Drupal companies, it perhaps broke the normal cycle of daily work and started a period of employee churn.

Beware of the vicious cycle

The danger of an understaffed workforce can be the start of a vicious cycle that is tough to break. By not having a big enough workforce in a growing company, there will be too much work per individual. This overload in work, combined with the toll the pandemic took on people, could cause more people to develop mental health issues and burn-outs – a concern among 8% of the survey’s participants. This will leave you with an even smaller workforce thus the cycle begins anew.

Take good care of your employees

Based on the survey findings, a priority going forward is to invest properly in your workforce. The companies should do their utmost to make sure that their staff is healthy, happy, feel safe, and can handle their workload. This will help with stability, make it more attractive for new hires to stay and will prevent a lot of concerns cascading through your organization down the line. One participant stated that “Give raises through the pandemic.” has been their biggest success as it lays a great foundation for stability.

Challenges regarding Drupal’s popularity

One thing that stood out to us while viewing this year’s results was the number of participants being worried about Drupal’s popularity decreasing in the coming 12 months. When asked: “What are you most worried about regarding Drupal business in the coming year?”, 28% responded that Drupal’s popularity decreasing is their biggest worry. This leaves ‘Nothing’ (23%) and ‘Recruitment’ (19%) in 2nd and 3rd place respectively.

The Drupal Business Survey dove deeper into the major reasons, and we found out that the competition from cloud CMS platforms is a big factor. “Competing products and content as a service CMS platforms are slowly gaining ground and eating into areas where Drupal was traditionally dominant such as sites/platforms that needed more than basic customization.” and “Clients currently on Drupal 7 choosing a different platform rather than migrating to Drupal 9” are clearly showing how people experience the current perception on Drupal in their day-to-day activities.

How to overcome these challenges

Drupal is naturally still a very strong option in a lot of situations, and it has its own edges, such as high flexibility and configurability to cope in different situations. So, it is up to Drupal business owners to make sure we play to Drupal’s strengths and market Drupal in a way that attracts the best kind of projects. The SaaS CMS platforms are getting better and are attractive to a lot of people, and their development should be followed closely to maintain Drupal’s competitive edge. We need to make sure that we are not competing with these new platforms – or WordPress for that matter – in fields where Drupal has additional challenges to overcome. It is also extremely crucial to compete with value and not with prices, as the race to the bottom will erode companies’ ability to develop themselves and their offering further.

That is why it is very important to take a close look at what the client is looking for, and check whether Drupal would be a good fit. It is also good to know whether people are enticed by the open-source ecosystem or would rather work with something else.

Reasons for clients to (not) choose Drupal

What makes clients pick Drupal? The Drupal Business Survey is happy to report that ‘having used Drupal before’ is no longer the number one reason for working with it. This means that people have other motives to choose Drupal and it’s not just out of habit. Drupal being open source is the number one reason with 63,6%. Another great development is the fact that more companies use Drupal because it is the best fit for their business requirements, and that it is no longer picked because of low costs. This again plays well into the narrative of upselling your services and Drupal to the right organizations.

The main reasons for clients not choosing Drupal are still playing a part in the well-known points of improvement. The top three reasons are:

  1. Price. Prices can increase significantly compared to competitors because Drupal is on the higher end and more time-consuming to develop. As one respondent said “Prices and the amount of necessary efforts to drive Drupal projects.”
  2. Inferior UX. Competitors like WordPress and SaaS CMSes are seen as a lot more user-friendly.
  3. Maintenance costs. Again a cost-related challenge where maintaining a Drupal site is usually more expensive than with its competitors.

It is important to know why companies choose Drupal for projects and why they choose other CMSes. With this knowledge, it is possible to reassess Drupal’s position in the market and adjust the proposition if needed.

Contribution

Drupal’s strength has always been an active development community that builds the product further. Drupal companies play a major role in the contribution, as they pay the salaries for most of the people contributing back to the platform.

The Drupal Business Survey researched how and why companies contribute. The diagram below shows the number of companies contributing to certain facets of the project.

Almost all companies (80-85%) contribute documentation and code changes, and around half of them help to fund the community with donations and sponsoring events. The share of companies contributing has stayed roughly the same compared to the previous year. Major drops are in organizing events, which is natural due to the pandemic, and donations, which is explained by a bigger funding drive that took place in spring 2020.

The main reason for not contributing is lack of time, mentioned by several companies that do not give back to the community. This resonates well with the overall situation with finding and hiring Drupal talent.

Fortunately, these companies are a small minority and the company support towards the open source Drupal project continues to stay on a high level.

Conclusion

As said multiple times already, Drupal business is at a high. But it is now up to all of us to keep it that way. Pick your learnings from this past year and make sure you market your services and Drupal to the right organizations. This will help you increase your pricing, keep a close eye on your workload and attract more talent with interesting salaries.

