OPTASY: What Does It Take to Develop a Mobile-First Content Strategy for Your Drupal Website?

Planet Drupal - 11 June 2018 - 7:47am
What Does It Take to Develop a Mobile-First Content Strategy for Your Drupal Website? adriana.cacoveanu Mon, 06/11/2018 - 14:47

There's definitely no way around it, not anymore: with Google's index now mobile-first, adopting a mobile-first approach when building a new Drupal site (or redesigning a legacy one) is… a must! It no longer depends on a specific project's needs or on the used technology. The need to develop a mobile-first content strategy has gone from particular to universal.

And facing the challenge of:

  1. (re)creating
  2. optimizing
  3. structuring

… content on your Drupal website means conforming to those specific patterns that mobile users have developed for reading content on their smartphones.

Categories: Drupal

Custom elements

New Drupal Modules - 11 June 2018 - 7:38am

WIP - stay tuned

Categories: Drupal

Android NetRunner Coming to an End

Tabletop Gaming News - 11 June 2018 - 7:00am
I know we don’t do much in terms of Living Card Games here on TGN. Or not-stand-alone card games, of any form, but still, I wanted to post this one up, as I did when the game was announced. Fantasy Flight Games is closing down their Android: NetRunner game. I’m saddened by this, as NetRunner […]
Categories: Game Theory & Design Rebranding ComputerMinds - Part 6: Migration

Planet Drupal - 11 June 2018 - 6:03am

I volunteered to carry out the migration for the new ComputerMinds site as migration was one of the very few areas of Drupal that I hadn’t delved into thus far. With Drupal 8 becoming more and more popular, now was a great opportunity to learn the migration ropes. Luckily, Drupal 8’s migration has greatly improved since Drupal 7 so my life was made somewhat a little “easier”!

This article will be aimed at some of my finds and processes, rather than a “How to do a D8 migration”.

Since our new site was very different to our old one in terms of content, we had to be quite choosey in exactly what was needed. We decided that we only really needed the articles; pretty much everything else was a fresh start. We would be manually carrying over users; as that would be too little work to warrant writing a migration for.

In order for us to get our articles over from the old site, we would need to migrate the current taxonomy terms, URL aliases (this would come back to bite me hard!), files and last but not least, the article nodes themselves. Migrating just a node seemed simple enough, but you quickly forget that it is more than just a node. All the stuff attached to the node has to be carried over.

Modules like Migrate plus and Migrate tools are great additions to the migration family and I can highly recommend them; they make life so much easier! Migrate plus “basically” writes the migration for you :)

With Migrate plus doing the bulk of the work for me, the only PHP code I needed to write was to map our old User ID’s to the new ones, so original authors would be retained. Otherwise I could take all the credit for every single article ComputerMinds has ever written in the past (mwahah!). This can be easily achieved using a simple process plugin.

/** * This plugin will tie a piece of content with an existing user. * * @migrateProcessPlugin( * id = "user_id_mapper" * ) */ class UserIdMapper extends ProcessPluginBase { /** * {@inheritdoc} */ public function transform($value, MigrateExecutableInterface $migrate_executable, Row $row, $destination_property) { $mapping = [ 'oldID' => 'newID', ]; if (!empty($value)) { $value = $mapping[$value]; } return $value; } }

We had some term reference fields, and like Drupal 7, Drupal 8 will reduce your potential workload - it creates taxonomy terms for you if those terms are missing from your new site. Nice and easy.

The biggest remaining hitch was extracting the three components from a body field. These are value, summary and format. Summary and format were fairly straight forward, but attaining the value component was a real pain (the code below will show you otherwise). Straight away you’ll notice inconsistencies with the “keys”. I would have expected the format to have been body/value, body/summary and body/format, but alas this was not the case.

body: body body/summary: source: teaser body/0/format: plugin: static_map source: body/0/format map: markdown: markdown full_html: basic_html filtered_html: restricted_html

This took a few painful hours to debug and figure out, to this day I still do not know why! At least this being documented here can save others some pain and time.

With all migration finished and the site ready to be shipped out, what came apparent is that (as mentioned very briefly earlier) I had not accounted for some URL aliases (I had used a process plugin to pinch only the aliases we needed). I’d assumed, yes assumed (naughty developer), that ALL articles had the SAME URL path auto pattern. Big, big boo boo. What I didn’t know was that some articles on our old side had been migrated from an even older site and these article URLs came in all shapes and sizes; shapes and sizes that do not match our current path auto pattern. I’ve been fixing redirects and 404’s since :)

Lesson of the day

Do not ASSUME everything is the same. Do go check everything is how you expect it to be before migrating content.

Categories: Drupal

Games Workshop Taking Orders For Armiger Warglaives

Tabletop Gaming News - 11 June 2018 - 6:00am
*Whoop!**Whoop!**Whoop!**Whoop!* Giant robot alert! We’ve got giant robot alert! Let’s go to the visual. Hmm… it’s looking like a new one from Games Workshop. Makes sense with their Titans book they just released. Check out and maybe order an Armiger Warglaive. From the post: Nimble and responsive, Armiger Warglaives lope towards the enemy with purposeful […]
Categories: Game Theory & Design


New Drupal Modules - 11 June 2018 - 5:57am

This module is used to split the amount between the users of system. This module provides the split form where user can split amount between users. Users can also see the logs at statistics link.

Categories: Drupal

John Svensson: How to dynamically create image styles derivatives - Part 1

Planet Drupal - 11 June 2018 - 5:45am

Three months ago I wrote an article on how to Create Image Styles and Effects programmatically and today we're following up on that article but introducing on how we can do that dynamically.

So, essentially what we would like to do is that we display an image, where we can adjust the way the image is outputted, given a height, width or aspect ratio etc.

Please bear in mind that all code provided in this article are experimental and does not yet cover things like access control, etc in this part.

Let's take a look at the service Its basically a free image bank with high quality images submitted by awesome freelancers and professionals that you can use for free.

Image by Eric Ward

The URL for the image above is the following:

The parts we're actually interested in are: &auto=format&fit=crop&w=500&q=60 we can adjust them as we like and the image is displayed differently, i.e. changing the width of the earlier image to a smaller one:

Alright, that's what we would like to do in Drupal 8. This article will be very iteratively, we'll rewrite the same code over and over until we get what we want. We'll notice issues and problems that we will deal with through out the article.

Prepare an environment to work in

We'll use a fresh Drupal 8.6.x installation.

To quickly scaffold some boilerplate code I'm going to use Drupal Console.

First let's create a custom module where we can put our code and logic in:

$ vendor/bin/drupal generate:module

I'll name the module dynamic_image_viewer

name: 'Dynamic Image Viewer' type: module description: 'View an image dynamically' core: 8.x package: 'Custom'

Next we need some images to work with, we'll use the core Media module for that. So let's enable that module:

vendor/bin/drupal module:install media

Now we can add some images. Go to Content >> Media >> Add media.

Implementing a Controller to display the image

The first step is to create a controller that will render the Media image to the browser. Again we'll use Drupal Console for a controller scaffold: vendor/bin/drupal generate:controller

We'll create a route on /image/{media} where Media will accept an media ID that due to Drupals parameter upcasting will give us a media instance in the controller method arguments. Doing this, if a invalid media ID is passed in the URL a 404 page is shown for us. Neat!

So we'll modify the generated controller slightly to this:


<?php namespace Drupal\dynamic_image_viewer\Controller; use Drupal\Core\Controller\ControllerBase; use Drupal\media\MediaInterface; /** * Class ImageController. */ class ImageController extends ControllerBase { /** * Show an image. * * @param MediaInterface $media * * @return array */ public function show(MediaInterface $media) { return [ '#type' => 'markup', '#markup' => $media->id(), ]; } }

And the routing file looks like this: dynamic_image_viewer.routing.yml

dynamic_image_viewer.image_controller_show: path: '/image/{media}' defaults: _controller: '\Drupal\dynamic_image_viewer\Controller\ImageController::show' _title: 'show' requirements: _permission: 'access content'

If we install the module, vendor/bin/drupal module:install dynamic_image_viewer and hit the URL /image/1 we should see a page with the ID being outputted.

Render the original image

Ok. Currently nothing is rendered, so what we'll do is that we render the uploaded original image first.

To serve the file we'll use BinaryFileResponse. So let's update the ImageController::show method.

We'll also import the class in the top of the file:

use Symfony\Component\HttpFoundation\BinaryFileResponse;

/** * Show an image. * * @param MediaInterface $media * * @return BinaryFileResponse */ public function show(MediaInterface $media) { $file = $media->field_media_image->entity; $uri = $file->getFileUri(); $headers = file_get_content_headers($file); $response = new BinaryFileResponse($uri, 200, $headers); return $response; }

So what we do here is that we grab the File entity from the field_media_image field on the Media image bundle. We get the URI and, using the file_get_content_headers we get the proper headers. Finally we serve the file back with the proper headers to the viewer.

And if we hit the URL again:

Before we continue, we should note some things that we'll get back to later:

  • What if the media ID is not a Media image?
  • The user can still access the media even if its unpublished.
  • What about cache?
Let's make a hard-coded image derivative

To modify the image, we'll create a new instance of ImageStyle and add an image effect.

Let's update the ImageController::show method again:

/** * Show an image. * * @param MediaInterface $media * * @return BinaryFileResponse */ public function show(MediaInterface $media) { $file = $media->field_media_image->entity; $image_uri = $file->getFileUri(); $image_style = ImageStyle::create([ 'name' => uniqid(), // @TODO This will create a new image derivative on each request. ]); $image_style->addImageEffect([ 'id' => 'image_scale_and_crop', 'weight' => 0, 'data' => [ 'width' => 600, 'height' => 500, ], ]); $derivative_uri = $image_style->buildUri($image_uri); $success = file_exists($derivative_uri) || $image_style->createDerivative($image_uri, $derivative_uri); $response = new BinaryFileResponse($derivative_uri, 200); return $response; }

So what we do here is that we create a new ImageStyle entity, but we don't save it. We give it a unique name (but we'll change that soon) and then add we add an image effect that scale and crops the image to a width of 600 and height 500.
And then we build the derivate uri and if the file exists already, we'll serve it and if not we'll create a derivative of it.

There is one big problem here. Since we use a unique id as name of the image style we'll generate a new derivative on each request which means that the same image will be re-generated over and over. To solve it for now, we could just change the

$image_style = ImageStyle::create([ 'name' => uniqid(), // @TODO This will create a new image derivative on each request.

to a constant value, but I left it for that reason intentionally. The reason is that I want to explicitily tell us that we need to do something about that and here is how:

If we look back at the URI from Unsplash earlier &auto=format&fit=crop&w=500&q=60, these different keys are telling the code to derive the image in a certain way.

We'll use the provided keys and combine them some how in to a fitting name for the image style. For instance, we could just take the values and join them with a underscore.

Like so:

format_crop_500_60 and we'll have a unique string. If the user enters the same URL with the same parameters we'll be able to find the already existing derivative or if its another image, we'll create a derivative for it.

You'll also notice that I removed the $headers = file_get_content_headers($file); it is because those headers are not the correct ones for ur derivatives, we'll add them back soon.

Dynamic width and height values

On our second iteration of the code we'll now add the width and height parameters, and we'll also change the name of the image style to be dynamic.

Again, we'll update ImageController::show

We'll also import a class by adding use Symfony\Component\HttpFoundation\Request; in the top of the file.

/** * Show an image. * * @param Request $request * @param MediaInterface $media * * @return BinaryFileResponse */ public function show(Request $request, MediaInterface $media) { $query = $request->query; $width = (int) $query->get('width', 500); $height = (int) $query->get('height', 500); // We'll create the image style name from the provided values. $image_style_id = sprintf('%d_%d', $width, $height); $file = $media->field_media_image->entity; $image_uri = $file->getFileUri(); $image_style = ImageStyle::create([ 'name' => $image_style_id, ]); $image_style->addImageEffect([ 'id' => 'image_scale_and_crop', 'weight' => 0, 'data' => [ 'width' => $width, 'height' => $height, ], ]); // ... Rest of code

First we updated the method signature and injected the current request. Next, we'll get the width and height parameters if they exist and if not we fallback to something. We'll build an image style name of these dynamic values. With this we updated the name of the ImageStyle instance we create which makes sure that we can load the same derivative if the user hits the same URL. Finally we updated the width and height in the image effect.

Let's add the proper headers back

Here is the updated ImageController::show and current file:


<?php namespace Drupal\dynamic_image_viewer\Controller; use Drupal\Core\Controller\ControllerBase; use Drupal\media\MediaInterface; use Symfony\Component\HttpFoundation\BinaryFileResponse; use Drupal\image\Entity\ImageStyle; use Symfony\Component\HttpFoundation\Request; use Drupal\Core\Image\ImageFactory; use Symfony\Component\DependencyInjection\ContainerInterface; /** * Class ImageController. */ class ImageController extends ControllerBase { /** * The image factory. * * @var \Drupal\Core\Image\ImageFactory */ protected $imageFactory; /** * Constructs a ImageController object. * * @param \Drupal\Core\Image\ImageFactory $image_factory * The image factory. */ public function __construct(ImageFactory $image_factory) { $this->imageFactory = $image_factory; } /** * {@inheritdoc} */ public static function create(ContainerInterface $container) { return new static( $container->get('image.factory') ); } /** * Show an image. * * @param Request $request * @param MediaInterface $media * * @return BinaryFileResponse */ public function show(Request $request, MediaInterface $media) { $query = $request->query; $width = (int) $query->get('width', 500); $height = (int) $query->get('height', 500); $image_style_id = sprintf('%d_%d', $width, $height); $file = $media->field_media_image->entity; $image_uri = $file->getFileUri(); $image_style = ImageStyle::create([ 'name' => $image_style_id, ]); $image_style->addImageEffect([ 'id' => 'image_scale_and_crop', 'weight' => 0, 'data' => [ 'width' => $width, 'height' => $height, ], ]); $derivative_uri = $image_style->buildUri($image_uri); $success = file_exists($derivative_uri) || $image_style->createDerivative($image_uri, $derivative_uri); $headers = []; $image = $this->imageFactory->get($derivative_uri); $uri = $image->getSource(); $headers += [ 'Content-Type' => $image->getMimeType(), 'Content-Length' => $image->getFileSize(), ]; $response = new BinaryFileResponse($uri, 200, $headers); return $response; } }

First we added a new dependency to our controller \Drupal\Core\Image\ImageFactory which allows us to construct an Image instance, where we can get meta data from the image, but also gives us a unified interface to apply things to our image. For instance, we could desaturate the image by doing $image->desaturate(); and then resave the file. Fow now we're only using it to retrieve the meta data. We'll take advantage of that in the next part, when we refactor some of the written code and add more flexibility to what we can dynamically output.

If we hit the url and add both the width and height parameters we'll get something like this:

In the up coming article we'll take a better look at what we have, what we miss (access control, what if a user hits the same URL at the same time), adding more effects, and exploring the use of the Image and toolkit APIs more in depth.

We'll most likely remove adding image effects through ImageStyles and only use the image style for creating derivates that we can we can later apply changes with the toolkit API.

If you want to continue on your own, take a look at ImageStyleDownloadController.php file in core which contains a lot of code that we can re-use.

Categories: Drupal

Commerce eGHL

New Drupal Modules - 11 June 2018 - 5:29am

This module is a payment gateway for Drupal Commerce. It provides an off-site
redirect payment method to eGHL: . The payment transaction
workflow was inspired by .


* PHP 5.6 or higher
* Drupal Commerce

Categories: Drupal

Gnome Stew Notables – Avery Alder

Gnome Stew - 11 June 2018 - 5:12am

Welcome to the next installment of our Gnome Spotlight: Notables series. The notables series is a look at game developers in the gaming industry doing good work. The series will focus on female game creators and game creators of color primarily, and each entry will be a short bio and interview. We’ve currently got a group of authors and guest authors interviewing game creators and hope to bring you many more entries in the series as it continues on. If you’ve got a suggestion for someone we should be doing a notables article on, send us a note at – Head Gnome John

Meet Avery

Avery is an experienced game designer interested in bringing meaningful and easy-to-learn games to a wider audience. Emphasizing collaboration and games where players decide ‘what is possible’, Avery’s games work to realize the potential for roleplaying games to challenge our politics, transform our lives, and bring about social change. Her works include: Monsterhearts, The Quiet Year, Ribbon Drive.

Talking with Avery 1.) You have a new game out! Tell us about your latest game on Kickstarter. It’s called Dream Askew?

Yes! My latest project is on Kickstarter now! It is actually a split book with two games that are sort of companion games. I wrote Dream Askew, which is about a queer community amid the collapse of civilization, where the characters are influential people and explore what they would do with all the potential and scarcity that they now have. It is explicitly about a marginalized community banding together, and acknowledges that the apocalypse won’t reach everyone at the same time. I like that all of that possibility could be really hopeful… Benjamin Rosenbaum’s game Dream Apart is about being members of a Jewish shtetl in 19th century Eastern Europe. Both are designed as diceless and gm-less games that are good for seasoned players but are also beginner-friendly.

softcover, full colour, half-letter (5.5 x 8.5), approx. 100-180 pages

2.) Tell us a little bit about yourself and your work.

I have been designing games since high school and have explored a lot of different themes and approaches, but I keep coming back to themes of self-doubt, troubled communities—with conflicts like ideological differences—and relationships, queer community, and the post-apocalypse or exploring what would happen after the collapse of civilization. My games don’t focus on despair and suffering though. They focus on finding out where hope survives in that process.

I am really proud of my game Ribbon Drive, which was a freeform game that used songs from music playlists brought by the players to inspire the scenes and framing that players responded to in the game. For me, this game was about players coming in with a vision of the future—the places the game would go—and learning how to re-examine, and eventually let go of, that vision.

In 2012 I released probably my most popular game, Monsterhearts, where players are teenage monsters—both literally and metaphorically. They are teens making sense of their changing bodies and social worlds, while being monstrous creatures with their associated behavioral traits. This game had a lot of queer themes, with monstrosity standing in as a metaphor for a lot of things, but especially queerness. Sexuality and its confusing ambiguities are core mechanic for the game.

I also designed The Quiet Year, which is a map drawing game about a community that has survived the collapse of civilization and is trying to rebuild. It is sort of a combination of board game, world building, and abstract poetry exercise!

3.) Can you tell me a little bit more about how you make those thematic choices? Are these intentional and goal oriented? More personal?

I think it’s a mixture of personal interest and goal. I have lots of ideas and start working on lots of games and then abandon most of them…so the ones that have a burning need to be created are the ones that make it through. They are the games with themes I find really compelling, and that do mechanical things that push back against prevailing design trends…or build on those trends. There was a period in the indie design community when every design revolved around scene-level conflict resolution mechanics, and play pushed toward these conflicts in every scene. Ribbon Drive was designed as a game where you didn’t have conflict, and even when there were obstacles you could take a detour. You couldn’t use traits in the same scene that you introduced them. I think it’s important to have games about learning humility and self-reflection, not just conflict. One factor in choosing these elements is that they feel like a timely contribution to the community at a meta- level. Play can serve to promote belonging to a world working towards revolution and looking really critically at our own goals and actions. The games I design that make it to production really further that…it’s not coincidental.

4.) How did you get into games? Was there a memorable or meaningful gaming (or design) experience that encouraged you to get involved?

I have always been excited about games. D&D 3.5 was my first RPG experience. I was in a logging town where there weren’t a lot of opportunities, but with D&D I was able to imagine a world bigger than my small town. I was playing with a group of boys who were all smarmy know-it-alls, and would argue that the one GM-ing was wrong or could have done better. The games would always fizzle. From the get go I could see the potential in the medium and see us all having trouble accessing that potential, and with all our play styles wanting really different things. So I started designing my own games pretty quickly to try to see how to make the play experience better. I released my first game a month after I graduated high school.

5.) Who did you look up to when you got started in the industry? Or who do you look up to now?

Paul Czege wrote My Life With Master, the first indie role playing game I ever ordered, and it was the game that introduced me to tight minimal design. In that game, you play as a minion to an intimidating master—a figure like Dracula or Frankenstein. There was the tension of wanting to do something for your master while also knowing you can’t escape them, but slowly developing curiosity about the townsfolk and the bravery and competence to overthrow the master. Your character was represented by only a few stats: Self-Loathing, Weariness, and Love for the townsfolk was all the definition that you needed. Czege’s focused, minimal, tight, thematic mechanics really informed the kind of designer I became.

6.) Are there any important changes you see (or would like to see) occurring in the industry?

I have seen more games by and about women, which is really exciting. I see women designers getting a spotlight more often and also more queer themes being included in stories—both by queer designers and by designers working to exclude fewer people from their stories. I also see a push for diversity generally, and more conventions thinking about diversity of guests they bring out…but I see most of that push for diversity in ways that focus on gender and sexuality and not on race. I’ve seen panels on bringing diversity to the games industry that are all white, so I’d want more designers of color to be given guest spots at conventions and to get their work spotlighted more often. And maybe more attention on decolonization led by indigenous people in the community. From a design perspective, the thing I’d really want to see are games accessible to new players and that play in a few hours (ex. Jason Morningstar’s games point a way forward). I work to design games that are mechanically simple, but they still typically require a lot of high concept thinking and take 3-4 hours. There aren’t many games that play in just one or two hours.

7.) I’m glad you mentioned the time commitment that many RPGs take. Are there other ways these games could be more beginner-friendly?

In terms of a way that a book presents its concepts, not using acronyms is huge! Acronyms make it really imposing. In terms of design, games that require less math and that explain the concepts in the same place that you find them on the character sheet make them more accessible, so new players aren’t just looking down and seeing all these numbers. For play, thinking about making spaces accessible to new parents since many people have young children. In terms of themes, I think that as designers and storytellers we need to be really mindful about what themes will make sense to a general audience, and which are recursive tropes and memes that gamers have developed that are inscrutable to the outside world…like the progression of rat killing in sewers to becoming a demi-god doesn’t make sense to people who don’t already know it. If you are going to tell those stories and want them to be welcoming to new players, you really have to spell it out for new players…and what else might they know that looks similar. We like to think that these stories are like Lord of the Rings, but they really aren’t. The model for a D&D character arc is outside the usual.

I think a thing that comes up with my work is that people who are long time gamers have more trouble connecting thematically with what I’m writing than people who haven’t played RPGs before. For example, with Ribbon Drive, if you are coming in from D&D and Pathfinder as a point of reference to this game you are going to stumble more because really obvious cultural touchstones for some aren’t necessarily gamer touchstones, so people stumble over them.

8.) I am very excited for your new project. Can you tell me a little more about it before I let you go?

One of the really cool things about this Kickstarter project is the way Dream Askew & Dream Apart are in dialogue. They both are about marginalized communities that have created this place of belonging and possibility, while at the fringes of society. They build off the same themes but take them to really different places; in one case taking those themes in the context of a group that really existed, while the other is about a more fantastic range of possibilities. One asks you to build upon and explore your relationship to history, and the other asks you to imagine and build a world together. I’m interested in ways these games are both very similar and very divergent, and compliment each other and tease out the themes and possibilities of each. With Benjamin, thinking that if this project is about them both being a type of game, we’ve included a chapter on designing this type of game—encouraging people to continue exploring community, development, and juggling tensions and choices though game design. The book is not just a manual for how to play a game but is a manual for how to play a particular kind of game, as well as a piece that encourages you to design and explore further on your own.

I think it is really important to say that, in addition to Dream Askew & Dream Apart being rich games with powerful themes, I think they are really fun. Fun games that are for anyone. The first time I played Dream Apart we were high-fiving and laughing…it was just so fun to play!

Thanks for joining us for this entry in the notables series.  You can find more in the series here: and please feel free to drop us any suggestions for people we should interview at
Categories: Game Theory & Design

OpenSense Labs: Best Drupal 8 Security Practices to Follow

Planet Drupal - 11 June 2018 - 4:38am
Best Drupal 8 Security Practices to Follow Akshita Mon, 06/11/2018 - 17:08

Even though security remains one of the major concerns for an organization, the implication of new technologies has at the same time broadened and complicated the understanding of the term. 

Security is no more about working in isolation. 

Recent events such as Drupalgeddon 2 in March and other subsequent security releases in April – marked critical – have once again brought the question ‘Is Drupal Secure?’ to the center-table. Drupal is among those few open source projects popular for their security with a dedicated team working on to improve it. However, there are still sometimes when the security of your Drupal website is under the impression of threat. 

Security is a vast area of expertise and it is quickly changing with time. No more is it about one person working in isolation or an expert who can understand all the aspects. 

While the list of do’s and don'ts is extensive and exhaustive to keep up with the threats, vulnerabilities and mitigation strategies, here are the top seven Drupal security practices to follow in order to keep up the health of your website. 

And Aristotle once said...

The aim of the wise is not to secure pleasure but, to avoid pain. Seven Drupal 8 Security Practices Securing the Server-side Hosting Environment

Before starting off with the general security hacks and tips, you need to secure your server-side hosting environment. Here are some points to keep in mind before moving to securing your core. 

  1. Protect the server: Only a limited number of users must be allowed to access your server. One of the key points is to add a basic layer by restricting the access to server login details. Once the authentication is set up, it is easier to monitor server access and restricting file access usage. This can help you detect unusual activities.
  2. Hide the server signature: Server Signature needs to be hidden as it reveals an important piece of information about the server and operating system. It can let a hacker know if you are using Apache or Linux - information which can be utilized as a vulnerability used to hack the server. In order to keep the server secure from possible vulnerabilities, you need to hide the server signature. 
  3. Enable port wise security - Since the applications use the port numbers, it is important to keep certain port numbers hidden from general access. 
Securing the Drupal Core
  • Keep your Core Updated
    A key practice, keeping the core updated will always be the first when listing healthy security practices. And this was the first lesson we learned from the Drupalgeddon2. Always look out for core updates (include the minor releases as well) unless security is not on your agenda. In all of its advisories, the Drupal Security Team asks for updating the core version of the system. 

    If you fall a long ways behind the latest update, you are opening yourself to vulnerabilities. Since history tells us that hackers target the older versions.

    Look out for core updates. Follow the Drupal security team @drupalsecurity on Twitter. Get quick updates and announcements from the team through the emails and security newsletter. You can also follow Security Group in order to contribute and stay part of the security discussions. 

    Another important point to note here is when updating the core - ALWAYS keep a backup of your site's database and codebase. We will discuss this security practice later in the article. 
  • Security by Design
    As a matter of fact, every stakeholder wants security to be a simple concept, sadly it isn’t. One of the biggest misconceptions here would be that investing a hefty sum post development would ensure a secure system. However, it is never the case. 

    The best practice to follow is at the architectural level when the website is being designed. 

    Security by Design ensures that designing the software up by the ground to be secured in order to minimize the impact of a vulnerability when discovered. Pacing up your security from the foundation - is the key. It implies following the best security practices at the architectural level instead after building the website. 

    When the foundation of the design remains secure regardless of a reasonable approach adopted later, you can tackle the issues easily. A uniform methodology needs to be adopted to protect the assets from the threats. 

    Once the requirements have been collected, the architecture can be laid out and other elements can be discussed later like trusted execution environment, secure boot, secure software update among others.
"The key to security is eternal vigilance"
  • Use Additional Security Module
    When covering security, there is nothing as better than equipping yourself with more and more. To keep the walls up high, you can use the additional security modules like security kit, captcha, and paranoia. Drupal Security Review can be used as a checklist to test and check for many of the easy-to-make mistakes making your site vulnerable.  

    You can also look out for a List of Must Have Security Modules to prevent you from becoming the next victim of a potential cyber attack. 
    • Security kit
      SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities such as cross-site scripting (XSS), Cross-site request forgery, SSL, Clickjacking and other. 
    • Captcha
      A CAPTCHA is a reaction test put in the web structures to eliminate entry by robots. It helps in protecting your website’s contact and sign up forms asking you to prove your credibility as a human with a bizarre sequence of characters, symbols, numbers and sometimes images.

      Often they thwart you from accessing the content. Quite the irony, their purpose is contrary to what we reckon about them.

    • Paranoia 
      Paranoia helps you identify all the vulnerable issues/ places from where a potential leak is possible. It alerts the admin when an attacker tries to evaluate the PHP script via the website interface. 

      It helps in blocking the permission for the user to grant PHP visibility and creation of input formats that use PHP filter.

      It also prevents the website to grant risky permission, mostly the ones that involve leaking the script information.  

    • But Use only Security Team Approved Modules 
      Your site probably uses a number of contributed modules, although that’s not an issue. Using the stable and approved modules is where the key lies. This is especially worth noting for contrib modules which are more susceptible to vulnerability. 

      Always look out for the green batch when downloading a contrib module. Rest, as the advisory reads, Use it at your own risk! An example of security team approved module with a green batch An example of a vulnerable module
    Backing Up - In Case of a Mishappening
    • Keep Up your Backup
      Catastrophes never come invited. While all seems perfect, you might wake up to find out that your website has been taken down by some psychotic hacker. Although it is an unforeseen event, you can definitely arm up yourself.

      As an administrator, you have to be prepared for all of such uninvited events. They can be controlled and the damage minimized by strengthening security, frequent backups, installing updates in a timely manner.  

      We cannot stop disasters but we can arm ourselves with better security and backups. Hosting by Acquia cloud or Pantheon provide automated daily backups of your site’s database, files, and code plus single-click restoration if something goes wrong. 

      You can also use the Backup and Migrate Module or Demo Module because unlike life your Drupal website has the option to go back for some changes. 
    User-Side Security
    • Follow a Standard Practice with a Strong Password Policy
      Passwords are used at both admin and user level, therefore strong and secure passwords are important for your website. When I say strong password should be used I have nothing against short and easy passwords. Easy should never imply less efficient

       A string like Mypassword123 will prove acceptable but is obviously weak and can easily be brute-forced.

      The best practice? Your password should provide realistic strength in terms of measurement and complexity. A password must only be allowed as long as it proves to be of high enough entropy with a combination of characters, alphabets - uppercase and lowercase, symbols, and numbers.

      Start checking passwords on explicit rules and amount of varying character types to be used (symbols, numbers, uppercase letters, etc). 

      Password Strength - a Drupal module - classifies the expected brute-force time for the summed entropy of common underlying patterns in the password. Patterns that can be detected in passwords include words that are found in a dictionary of common words, common first and last names or common passwords. 
    Your password can make the difference between a vulnerable and a hard-to-hack Drupal site.

    While there will always be some new thing to add to the list, you can be sure that this list comprises of the core practices which need to follow. The protocol for communication needs to be clear and well documented. Properly documented procedures are important, as third-party services can often be manipulated.

    In need of a security update or services? Drop a mail at and let us help you out. 

    Site builders and developers need to keep an eye open for the possible when security releases are announced and apply them quickly, to ensure the site is not compromised. It is good to be consistent and have your reasoning documented so that it is clearly understood.

    blog banner blog image Blog Type Articles Is it a good read ? On
    Categories: Drupal


    New Drupal Modules - 11 June 2018 - 3:52am

    OH is an alternative office hours / opening hours solution.

    Categories: Drupal

    Valuebound: How to highlight search results in Search API Solr View in Drupal 8

    Planet Drupal - 11 June 2018 - 2:15am

    In Search API, there is a field for a search excerpt that you can use on field views to highlight search results. In this article, I’m going to show you how to enable excerpt and set it using views. Here I’m assuming that you have already set the Search API module and has a Search API Solr view.

    Follow the steps:

    Go to Manage -> Configuration -> Search and Metadata -> Search API.

    In your search API index ‘processors’ tab, enable Highlight Processor as shown below.

    Categories: Drupal

    The RPGnet Interview: James Shields, Choose Your Own Sci-Fi Stock Art

    RPGNet - 11 June 2018 - 12:00am
    A discussion with the popular artist.
    Categories: Game Theory & Design

    Fuzzy Thinking: The Armor Munchkin

    RPGNet - 11 June 2018 - 12:00am
    Fuzzy armor
    Categories: Game Theory & Design

    Bethesda working on new sci-fi property, Starfield

    Social/Online Games - Gamasutra - 10 June 2018 - 10:57pm

    At E3 in Los Angeles Sunday evening, Bethesda unveiled the upcoming game Starfield, its first new property in 25 years. ...

    Categories: Game Theory & Design

    Video Game Deep Cuts: Diggin' In Bethesda's Carts

    Social/Online Games - Gamasutra - 10 June 2018 - 4:40pm

    This week's highlights include a retrospective of the Diggin' In The Carts game music album, a unique video on the history of Bethesda, and many more besides. ...

    Categories: Game Theory & Design

    Roy Scholten: Implementing IndieWeb on your personal Drupal site, part 1

    Planet Drupal - 10 June 2018 - 2:53pm
    Sub title

    Laying the foundations for POSSE


    This is my version of the steps you need to take to make your site part of the indie web community. Swentel helped me getting it all setup on this here Drupal site using his indieweb module. It’s all a bit complicated still, so this is mostly me trying to retroactively understand what’s going on.

    As it says on the site, the IndieWeb is a people-focused alternative to the corporate web. Its main tenets:

    1. Ownership – your content is yours, it should not belong to a corporation.
    2. Connection – starting from your own site you can share your content to all other services.
    3. Control – post what you want, in the format you prefer, using your own URLs that you keep permanent.

    While 1 and 3 are essential and relatively easy to achieve (use your own domain and post your content there), it’s number 2 that is the most alluring.

    Owning your stuff and being able to share it across multiple platforms combines ownershop with reach. This is what “POSSE” is all about: Publish (on your) Own Site, Syndicate Elsewhere. Drupal lead Dries Buytaert has written several posts outlining his POSSE plan.

    Getting started

    This “Connection” part of indieweb publishing is also the most complicated. There are quite a few moving parts to getting it all up and running.

    For Drupal sites, the setup for the community/sharing/syndication parts of indieweb publishing has gotten much more accessible with the release of the IndieWeb module created by swentel. It doesn’t necessarily reduce the number of things to set up, but it provides a centralized UI for all of them: Webmentions, Microformats, Feeds, Micropub, IndieAuth and Microsub.

    Before going over the details of configuring the indieweb module itself, we have to take care of some basics first.

    Introduce yourself (right on)

    To own your content on the web, you have to establish that you are in fact, you. That’s why IndieWeb starts with having your own domain and posting some initial content there. Important part of this initial content is a specific bit of HTML that establishes you as the author and owner of things published on this particular domain:

    Roy Scholten

    The specific part here is that “h-card” class added to the anchor tag. This “h-card” is one of a collection of so-called microformats. With microformats you give more structure and semantics to information presented in HTML. In this case, h-card is the microformat to use for publishing information about people or organisations. We’ll need to add other microformats to (blog) posts you publish on the site, but that’s for later.

    To do in Drupal

    The indieweb module does not (yet?) handle adding this information to your site. Add your version of the HTML snippet above to a (new or existing) Drupal block. Place that block to be visible on your homepage. The site footer or maybe a sidebar are obvious places you can put it. Mine’s in the footer below.

    You can check if all is fine with Enter your domain name there and it will report back with what it found and suggest additional elements you could add to enhance your h-card.

    Even without posting any other content to your own site, you now have your own space on the indie web and setup your identity in a way that you own and control.

    Next: add links to your existing social media accounts

    You’ve seen those signup forms that let you create an account by using your existing Google, Facebook or Twitter account details. In this step, you configure your own domain to be your IndieAuth identity. This lets you use your own domain to sign in to other sites and services.

    There are not many sites outside the indieweb circles itself that offer this, I think. It’s still useful to do this though. You’ll likely want to use some of these indieweb services, especially to automatically share (links to) your content on other platforms like Twitter or Facebook.

    To do in Drupal

    Detailed instructions are here. In short:

    Add links to your other profiles and add the rel="me" attribute. Might as well add this to that h-card block you created in the first step. For example:

    @royscholten on Twitter

    If you have a Github account, that’s also a good one to add.

    To do on the external sites you link to

    Link back to your homepage from your profile page on these services. The indieweb wiki has direct links to edit your Twitter and Github profile.

    Then, try logging in to to see if it all works.

    So far, so good,

    So what? By establishing your identity on your own domain you stake out your own spot on the internet that you control. With this set up, you have created an environment for publishing on your own site and syndicating elsewhere.

    Next time: configuring the indieweb module to start sending and receiving webmentions, the indieweb catch-all term for comments, likes, reposts and the like.

    Tags indieweb posse drupalplanet
    Categories: Drupal

    Video Game Deep Cuts: Diggin&#039; In Bethesda&#039;s Carts - by Simon Carless Blogs - 10 June 2018 - 4:36am
    This week's highlights include a retrospective of the Diggin' In The Carts game music album, a unique video on the history of Bethesda, and many more besides.
    Categories: Game Theory & Design

    JSON API Include

    New Drupal Modules - 10 June 2018 - 3:58am

    Add include data to relationship of JSON API output.

    Categories: Drupal

    Clarion Date

    New Drupal Modules - 9 June 2018 - 2:34pm

    This package provides a service for dealing with SoftVelocity's Clarion standard dates. A Clarion standard date is the number of days that have elapsed since December 28, 1800.

    Categories: Drupal


    Subscribe to As If Productions aggregator