Drupal is having another terrible, horrible, no good, very bad time.
Two new security issues, branded “Drupalgeddon 2” (SA-CORE-2018-002, the remote code execution flaw announced at the end of March) and “Drupalgeddon 3” (SA-CORE-2018-004, the follow-up a month later), have caused widespread problems. Attackers used them to plant cryptocurrency miners on a number of high-profile sites, including several run by US federal agencies.
The core of the problem is that Drupal does not give non-technical people an easy way to update their sites, and in particular to update Drupal core.
If you don’t have an easy way to update people’s sites, how do you get their attention? With strong, urgent language. You have to scare them into updating.
Unfortunately, that becomes a problem in itself. Let’s take a couple of examples.
The FAQ page for these security issues says:
How many sites are likely affected? Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information this represents over one million sites or about 9% of sites that are running a known CMS according to Builtwith.
Well, in the hands of the headline writers, that results in claims like this:
Update Drupal ASAP: Over a million sites can be easily hacked by any visitor
That headline from ZDNet was flat-out wrong when it ran. At the time of the advisory no public exploit existed and the flaw was not trivially exploitable by “any visitor”; it only became easy to exploit once proof-of-concept code circulated roughly two weeks later, and that is when the mass compromises happened. But I’ve seen variations on this claim on many sites. And big-name sites were indeed hacked!
Here’s another statement from the security team:
These patches will only work if your site already has the fix from SA-CORE-2018-002 (the flaw announced on 29 March) applied. (If your site does not have that fix, it may already be compromised.)
That’s a scary-sounding couple of sentences. ITWire responded by saying this was:
an indication of panic among the Drupal team
I think that claim is also mistaken, but that’s only because I spend a lot of time in the Drupal world. For outsiders, it absolutely sounds like panic.
Finally, there’s the name: Drupalgeddon. Like it or not, Drupal’s security issues are now branded, and are becoming one of the best known things about the platform.
Here’s the problem: if you have to scare your users into updating, then users will get scared. And their opinion of Drupal will go down. No-one wants their software to scare them.
This is Drupal’s biggest problem
Back in 2014, we wrote a post called “Auto-Update or Die”. That was in response to the original Drupalgeddon. Four years later, the same headaches keep happening for the same reasons.
At the very least, Drupal needs a one-click core update option in the admin area. Auto-updates for security releases would be better still, but one-click updates are the absolute minimum acceptable option in 2018. WordPress has had one-click core updates since version 2.7 in 2008, and automatic background security updates since 3.7 in 2013. Drupal itself has solved this for modules since the Update Manager shipped with Drupal 7 in 2011.
Easier core updates are on Drupal’s roadmap, but only under “Wishlist”.
Updating a Drupal site can be difficult, time-consuming, and expensive. Implementing an automatic update system is a hard problem, and not without its risks: the update channel itself becomes an attack surface, so it needs signed releases, integrity checks on the client, and a rollback path. But that problem has been solved by other platforms, and Drupal can address it too.
Every time this topic is raised, pedants have a long list of objections. The same hair-splitting arguments have been made for years. I fully expect to see them in the comments here. Sorry, pedants – you are wrong on this.
The short version of this is: after Drupalgeddon 1, 2 and 3, Drupal can’t afford to leave so much of its install base unpatched. We’re stressing out users and causing waves of bad publicity.
Nothing is more important to Drupal’s future than ensuring that updates are easy.