[00:00:00] Narrator: WordPress has been having a rough year. Many devs are now asking, is Drupal a better alternative? And today it's time to find out.
[00:00:19] Maciek: Many years ago, they had almost a similar market share. Hmm. Question is.
[00:00:23] Steve: What happened? You were going to just build a whole new website in whatever the new version of Drupal was, and then you were going to migrate all of your content to the new website, and Breeze was comfortable betting on that mode of doing things.
[00:00:39] Steve: It's greatly slowed down. The expansion of of the community around that era.
[00:00:44] Maciek: What is the difference between Drupal CMS and Drupal core?
[00:00:51] Steve: I was recently chatting with an agency and they said something like, yeah, these recipes are taking what otherwise would be four or 10 or 50 hours of clicking, and they're compressing it into just a minute of. Apply a recipe, you can take an existing site and apply a recipe on top of it. Like for my own website, steve hector.com, I'm, I want a better way to, to do YouTube embeds, but with Drupal CMS.
[00:01:16] Steve: There is now a recipe for remote videos.
[00:01:20] Maciek: So tell me what would be the most EDL triple CMS use case?
[00:01:25] Steve: What if you could just type same way you do with chat GPT, can you make me the best calendar? Can agencies really use these conventions that have been built up around the, the focusing point of Drupal CMS?
[00:01:38] Steve: Can they use those tools to do the job they've been doing all along? Faster, more effectively. And, and it looks like, yes.
[00:01:46] Maciek: Imagine there is a developer in front of you who is a bit tired of the current situation and WordPress, and he's looking for a new CMS. What, how, how will you try to sell Drupal to such a developer?
[00:01:59] Steve: Well, all over the tech community compare our, our, our tech work to, to building with Legos. I find that Drupal fulfills that feeling in a way that I don't get with other systems. The way the modules click together, the way the fields click together, I, I find it viscerally enjoyable. And if someone is, is approaching this question on a personal level, I.
[00:02:21] Steve: It's, it's the feelings that will move a person or not. Like I can describe the ways in which I find Drupal can, can be made more performant, more easily. That is nice. But I, I think what, what has the potential to, to move, you know, any single person from one system to another is are, are you going to get enjoyment?
[00:02:41] Steve: From it.
[00:02:47] Maciek: Hi everyone. Welcome to today's webinar where we are going to talk a bit about Drupal. Why Drupal? You might ask, because, uh, we all know that WordPress has the most of the market, but the truth is that there are other CMSs and there are also a lot of cool cms, and Drupal is one of them because let's be honest, Drupal is also open source.
[00:03:10] Maciek: If I remember correctly, it's already 24 years old. It has a huge community. In short, it's a really great CMS, but sadly. Well, it doesn't get all the attention it should get, but lately Drupal released something cool. So it's a great opportunity to talk about it a bit more, and that's why with me, I have Steve Perch who works at Pantheon and he knows really quite a lot about Drupal.
[00:03:39] Maciek: Right, Steve? I
[00:03:40] Steve: do, yes. I've been in the Drupal world for a long time. I, I made my first Drupal websites. In 2007, one year after I started making WordPress websites. So it's been a long time for both. Amazing.
[00:03:54] Maciek: And kind of my first question, we'll start with going back the memory lane. Do you remember the times when WordPress, Drupal, and Jula had almost the same market share?
[00:04:08] Maciek: It was the deal,
[00:04:10] Maciek: and I think that Ju Jula was winning a bit, right? And then it was. Drupal and WordPress fighting for the second place?
[00:04:18] Steve: Yes, and I, and I think to some degree it depends on where in the world you are. Like there, there's differences in, in the, the regional adoption. But I, I distinctly remember sitting in my apartment at, I guess I would've been 22, maybe 23 years old, having all three running on my, my, was it called a power book, whatever the, the Mac laptop was in, in 2007.
[00:04:41] Steve: I had all three running in my local map. Installation because I had, I'd gotten a few sites launched with WordPress. I felt like I knew what I could do with WordPress, but I had heard people were telling me at meetups and and whatnot that for certain types of sites, I'd be better off with Drupal or Jula.
[00:04:58] Steve: And I, I wanted to see, so I was playing with all three and I felt like I, I could pretty quickly understand how to use Drupal and what to use. Uh, it for the, the combination of Drupal five. The content construction kit, which is pretty closely analogous to the a CF ecosystem and, and WordPress and the views module, which is like a query builder, and then it displays the, the results of the query, so you don't have to worry so much about writing SQL directly.
[00:05:28] Steve: I, I understood pretty quickly how to combine all of those. For whatever reason, Jula never clicked in my brain like I could, I could kind of figure out how to put webpages together. But it never clicked for me, so I never used it deeply.
[00:05:46] Maciek: I
[00:05:46] Maciek: mean, similar here, although I kind of went the WordPress way, but mm-hmm.
[00:05:52] Maciek: What's interesting that, yeah, many years ago they had almost a similar market share, and right now WordPress has this 40%, and Jula and Drupal have, according to WP three Tech, around 1% ish. Mm-hmm. Mm-hmm. And the question is, what happened? Well,
[00:06:11] Steve: I,
[00:06:11] Maciek: what went wrong?
[00:06:12] Steve: If, if, you know, we could spend this, this whole time on, on memory lane because I, I am big on memory lane sort of stuff.
[00:06:19] Steve: So the first DrupalCon I ever attended, the first like, you know, 3000 person Drupal conference after attending some, some local uh, events was DrupalCon 2010 in San Francisco. And one, I, I remember that DrupalCon for lots of reasons, one of which was. T the benevolent dictator for life of, uh, of Drupal. He gives a, a keynote presentation at every Drupal con similar to what the, the state of the word has been historically for the the WordPress community.
[00:06:52] Steve: And in that presentation, uh, 2010, he talked about. Drupal hitting 1%, uh, of the web and WordPress being something like 8% of the web in 2010. And he emphasized that he, he saw differences in the bets that, that WordPress and Drupal were making, and he was comfortable making the bet in 2010 that Drupal should be, and I may be misremembering some of the phrasing here, but, but basically he was comfortable with.
[00:07:22] Steve: Drupal regularly reinventing itself. At that point, Drupal was on a cadence of doing significant rewrites of Drupal core, such that to move a website from Drupal five to Drupal six, to Drupal seven, to eventually Drupal eight was released in, in 2015 for, for websites passed a certain point of complexity, like if it was a professional grade website for some definition of professional grade, then you really weren't going to use the like.
[00:07:53] Steve: Upgrade techniques that were built into Drupal core, which were viable for very simple websites. You were going to just. Build a whole new website in whatever the new version of Drupal was, and then you were going to migrate all of your content to the new website, and Greece was comfortable betting on that mode of doing things.
[00:08:11] Steve: And it made sense for a while. It's greatly slowed down the expansion of, of the community around that era. And I could, I could spend 10 more minutes talking about why, if you, if you want, but I'll pause there.
[00:08:24] Maciek: Okay. So yeah, it was, it was all connected with those breaking changes that. I kind of understand that users at some point were why waste time in a CMS that I know that in a year or two mm-hmm.
[00:08:39] Maciek: Uh, I won't be able to do anything without it, apart from maintaining and migrating to a new version. Mm-hmm.
[00:08:47] Steve: So I think part of the reason that that strategy was even viable in the first place was that was an. Era where like the devices of the web were radically changing. So it's, uh, it's meaningful that I, I built my first Drupal sites in 2007.
[00:09:06] Steve: The iPhone was released in 2007. The iPad was released in 2010. That, you know, I first went to DrupalCon and in that time is vi viable to think like, oh yeah, I, I now need to make my website run on a device that like. It goes from portrait to landscape and it has a camera and it has a touch screen. This is so different.
[00:09:29] Steve: Upgrading my site built before the iPhone or before the iPad. That's gonna be so time consuming. I'll be better off just starting from scratch and that's, that is probably what made it viable to do a, a whole redesign, relaunch. Not. Not like the new stuff in Drupal six is so amazing. It's worth throwing your whole Drupal five site.
[00:09:52] Steve: Oh wait, no, it's that your Drupal six site, or your Drupal seven site has to squish now. And your Drupal five site was not built to squish. Okay, so
[00:10:04] Maciek: now let's go a bit. What happened few weeks ago? Mm-hmm. After 24 4 years, Drupal CMS 1.0 is released. Um, so there are a few questions. First of all, why, why 0.1 0.0 and second, what is the difference between Drupal CMS and Drupal core?
[00:10:28] Steve: Yes. So that, that is the, the question to ask because the, just hearing Drupal CMS got released in January of 2025. Didn't Drupal get released in January of 20 or just 2001? So yes, the distinction is that there is a new thing called Drupal, CMS. And yes, the naming is confusing, but it's, it's more understandable when you, when you remember that, oh yeah.
[00:10:56] Steve: There is still a thing called Drupal core and there is a new way of. Building on top of Drupal core Drupal in the last few years has added the concept of recipes. So Drupal has always had modules the same way a WordPress has had plugins, and you install a module and then you upgrade the module. And there are modules in core and there are modules, not in course, same way there, plugins, um, I mean a very small number of plugins and in WordPress core and then plugins that you add on to WordPress, that dynamic has always been present in Drupal.
[00:11:26] Steve: But to accelerate the. Maturation of Drupal to make Drupal more approachable to particularly the the marketers and content editors who have to use Drupal. It's beneficial for the Drupal community to invent this, this new construct that can move faster than core because core is, I'll say appropriately cautious about the way it adds and expands functionality the Drupal community takes.
[00:11:53] Steve: Security and stability very, very seriously. And I, I see that as a net positive, but to some degree, it, it can slow down the pace of innovation in a, in a, in a negative way. So by inventing a, a new sort of boundary, the boundary of recipes, as they're called the Drupal community, can agree to focus its energy on this new set of recipes, uh, that's being called Drupal, CMS.
[00:12:21] Steve: And bring into those recipes, contribute modules as they're called. And those modules don't have to, don't necessarily have to go through all of the rigor that would be necessary to bring them into Drupal core. Like moving a module from, from contribute to Drupal core is a years long effort. And that is not necessarily, that's just not worth it in many cases.
[00:12:41] Steve: So part of the, the work of making Drupal CMS is the community deciding. Just what's the best way to do SEO functionality? What's the best way to do? Search functionality. Drupal's greatest strength, its greatest weakness to some degree, is its configurability Drupal. Drupal is massively configurable. You add a module and you get so how many check boxes, especially for something like search or SEO and adding check boxes is easy.
[00:13:10] Steve: Taking check boxes away from anything is, is nearly impossible. And so with recipes, we get this convention of the community for some definition. The community is deciding that this particular combination of modules and configuration is just the best way to do SEO in Drupal right now in January or now February, uh, 2025.
[00:13:37] Steve: And that. That's very beneficial to teams that are, are building on top of Drupal core. And just want, don't wanna have to think too deeply about SEO or search or any number of things that paying clients expect to just be there out of the box. So I was recently chatting with an agency and they said something like, yeah, these recipes are taking what.
[00:13:59] Steve: Otherwise would be four or 10 or 50 hours of clicking, and they're compressing it into just a minute of apply a recipe. So you do get this out of the box experience with Drupal CMS for much of Pantheons ecosystem, which is very much in the, the agency world of the value, will be seen more in the individual recipes that make a Drupal CMS.
[00:14:21] Maciek: Okay, so in short. The triple core will stay as small as possible, but focus on security, on making sure it's working constantly without any problem. Mm-hmm. And the CMS will be this opinionated set of modules and, and default values and configuration. Mm-hmm. Uh, that will make your adventure with Drupal much simpler, especially at the beginning.
[00:14:48] Maciek: Yes. But also when you're even an advanced person. Well. As, as you mentioned with this, uh, agency example, a lot of hours will be saved.
[00:14:56] Steve: Yeah. And, uh, another benefit for, for agencies is it expands the number of. The number of people within the team who can do certain tasks. Like one of the ways we've seen the value of, of Pantheon as a platform that runs Drupal WordPress sites is it expands the number of people inside an agency who can like start a new project.
[00:15:16] Steve: Because if you are doing DIY DevOps, then the number of people who can view the server level or the CI level configuration to start a new project might only be like one or two people at your company. If there are just a few buttons inside of Pantheon that let you spin up a new site, well then practically anyone can like do the steps necessary to kick off the project.
[00:15:37] Steve: The same goes for some of this fine grain configuration. If there's only one person in your two dozen person agency who deeply understands the nuances of. Search API solar module, well then maybe that person is the only one who should be touching those. But if all of that knowledge has been consolidated into a recipe that anyone can apply the recipe and have something functional, and if any individual client project truly needs different sets of check boxes, well then okay.
[00:16:07] Steve: Spend the time to do that. But, but otherwise, just take, take what worked either for your last project or the last 10 projects, or just for the, the whole Drupal community. And apply that.
[00:16:18] Maciek: In short, this really sounds, uh, great. I mean, this, those recipes are like something perfect for, for agencies that, let's be honest, they mostly start in the same way.
[00:16:29] Maciek: Every project starts in a similar way and repeating over and over and clicking the same things. It's just a waste of time.
[00:16:36] Steve: Yes. And it, it sidesteps the, the downsides of inheritance. So I. Previous attempts in the Drupal community. Also going back to DrupalCon San Francisco 2010. Also in that, uh, Dre's keynote, he, he was talking up the idea of distribution sort of products built on top of, of Drupal.
[00:16:57] Steve: So in that time, there was a, a distribution called Open Atrium that was sort of like a, a, a base camp project management type of tool built entirely in Drupal. Like, oh, you installed this thing called up an atrium, and you get a task management tool built in Drupal. Well, when Drupal people get their hands on it, they're like, okay, I'm here because this is Drupal and I love the configurability of Drupal, but the maintainers of Open Atrium are appropriately thinking.
[00:17:23] Steve: For us to maintain this, we gotta lock down a lot of details and well then nobody is, nobody's happy because the Drupal people wanna take anything built in Drupal and configure anything they want, and people who are trying to. Maintain a product in perpetuity, need to lock down some decisions. You in the WordPress parlance decisions not options.
[00:17:45] Steve: So recipe is sidestep that because rather than having a distribution that you install at the beginning of a project and then you know, inherit updates. Forever. You can take an existing site and apply a recipe on top of it. Like for my own website, steve hector.com, I'm, I want a better way to, to do YouTube embeds, and I have known there are too many ways to do YouTube embeds in Drupal, just as there are, uh, in, in WordPress.
[00:18:17] Steve: And so I've just kind of put that on the back burner. But with Drupal CMS, there is now a recipe for remote videos and. I don't have to carve out many hours to do like a side-by-side comparison or how are the, what are the pros and cons? The many different ways I could set up my data structure. Should I use a video node type?
[00:18:39] Steve: Do I use a file? Do I what? The media, what's a media entity? I haven't kept up with all of these details, and I can see, oh, Drupal CMS has a recipe for remote videos. It's built to handle. YouTube videos. How about I just apply that recipe on top of my existing site? It'll bring over the configuration. And yes, there are some modules there that like do update and inherit updates as, as updates come out.
[00:19:08] Steve: But much of it is applying configuration that I could have manually clicked together in who knows how many minutes or hours. Instead, I just apply the recipe, get the configuration. I'm trying it out. I like, I like what I got. I'm, I am seeing, oh, I do need, I should for my purposes, add on a few more things and maybe those get contributed back as additions to the recipe.
[00:19:31] Steve: Maybe not, but it, it kicked me out of sort of an analysis paralysis state.
[00:19:36] Maciek: True. So tell me what will be the most EDL Drupal CMS use case.
[00:19:42] Steve: So the use case that is. In these, the recent DRE notes, the, the keynote presentations from the founder, the situation being focused on is, let's imagine, uh, an ambitious marketer, someone whose job it is to operate the CMS and in the, in the specific, specific examples and, and demos that, that Therese has done.
[00:20:07] Steve: It's, it's someone who is working on a website that offers wine. Tours, like tours of vineyards and they think, I know Drupal is powerful. I know Drupal could put together an event calendar and all this other functionality, but I, the marketer don't have the expertise to click all of the clicks and my it people are stretched too thin and they don't have time to help me.
[00:20:31] Steve: What could I do? So the, the demos that are being done of of Drupal CMS in, in these show shows someone. Who doesn't have preexisting Drupal expertise, like applying recipes and often interacting with an AI agent inside of Drupal. So that's something, not exactly specific to Drupal CMS, but something that could make the, the vision of Drupal CMS succeed, uh, or not.
[00:20:57] Steve: So if the vision is more types of people can actually. Do their jobs and feel empowered by, by Drupal different from the status quo. Where, where ultimately people who have been deep in the weeds and know which clicks to click, uh, are able to, to assemble functionality with Drupal. What if you could just type same way you do with Chad CBT, can you make me an best calendar?
[00:21:17] Steve: The demo, the demos work and we see it working. I, I am also cognizant of the fact that like, we're riding what must be a typical hype cycle like. The demos work, it looks cool. The hype is going up, and then we'll find like, and in some ways this is, this doesn't yet fulfill all the promises, but then I, I do expect we'll start climbing out of the, the trough of disillusionment as it's called on, on the hype cycle.
[00:21:43] Steve: So yeah, the, the ideal use case is empowering the, the kinds of people who haven't been able to really get their hands into Drupal to be seen whether or not the hype will be met there well enough for. For my role at Pantheon, I'm, I'm focused more on can agencies really use these? Conventions that have been built up around the, the focusing point of Drupal CMS.
[00:22:09] Steve: Can they use those recipes and AI agents, which there's a recipe for an AI agent, which probably can then apply more recipes, can they use those tools to do the jobs they've been doing all along faster, more effectively? And, and it looks like, yes,
[00:22:25] Maciek: I must admit that the AI agent was, uh, something. That was, that is really great because, uh, I also decided, yeah, Drup Drupal 1.0 can is here.
[00:22:38] Maciek: What is happening. I have to check it out. Right. And, um, I wasn't using Drupal for, for, for many years, so I didn't felt that, yeah. This is my admin panel that I totally understand. So No, I was mm-hmm. I was totally the opposite of it. But the a. Was something great because I could ask it constantly. Okay?
[00:23:01] Maciek: Mm-hmm. I would like to do something, for example, I would like to create a new post type. What should I do? Mm-hmm. I didn't even ask him to do it for me because I didn't need it, because I. I still see myself as a developer, right? So I should be able to click things on on my own. But, um, I thought that this using of this AI agent is a really great work around of not entirely clear ux, especially the thing that you mentioned, a lot of check boxes, like gazillion of them.
[00:23:33] Maciek: I never saw that many tag boxes, but on the other hand, I was really impressed that you can really configure like everything, whatever you can, whatever you want, you can do it. Problem is that very often you don't know where to find this option, right? But you have this AI agent that will help you. So this was a very clever workaround that I think might help a lot of people who are just starting their, their adventure.
[00:23:58] Maciek: They just installed Drupal and they're like, mm-hmm. Okay, I see check boxes. What now? And then this AI agent was, was really a great help for me. But when I also saw the demo, when this AI agent can do stuff for me, it was like, whoa. That's, that's pretty amazing. Yes. And this hype train, this hype train that you mentioned, it's like what?
[00:24:21] Maciek: And I, I think
[00:24:22] Steve: too, uh, to fulfill the hype we should. Keep many or all of the development best practices that have been maturing in in the CMS community and the PHP community and the DevOps community for the, the last decade plus, like it is still a good idea to do code and configuration changes in different GIT branches, whether or not the configuration changes.
[00:24:49] Steve: Are being manually clicked by a developer, or they're being automagically done all at once by an AI agent. Still, I still want there to be a pull request in which, uh, a dev, a human developer says something like, you know, I had the user story in my sprint to build the, uh, the functionality that brings in, you know.
[00:25:13] Steve: Arbitrary YouTube videos and content editors need to be able to take YouTube URLs, put them in the user interface, hit save, ideally get the title and the description carried over from YouTube by default and possibly edit those like that. User story still exists. I don't think, to my knowledge. AI has not replaced user stories or, or whatever you want to use to, to, um.
[00:25:36] Steve: Track your work yet anyway, so that user story still exists. Somebody's gotta do it in a given sprint. If you use sprints, and it probably still is a good idea to open a poll request that says, okay, here are the changes that bring about the, the YouTube embedding and it, you know, it's still probably a good idea to write automated tests if you're the type of team that likes automated tests.
[00:25:58] Steve: And if the AI agents can help you write the automated tests, all the better. So I see the value of, of AI right now as speeding up the, the amount of time in between developers saying like, okay, I have the user story to, to do the YouTube stuff, and the pull request being opened saying the YouTube stuff is ready.
[00:26:19] Steve: Before that might have taken a larger number of hours. AI agents are shrinking the number of hours still. Human beings need to take accountability for whether or not it works. Like if it doesn't work, your paying client will still be mad at you and maybe fire you or your agency regardless of whether or not an AI agent was involved in it clicking the clicks in the first place.
[00:26:43] Maciek: Yeah. The true blaming the AI agent for your mistakes would be a, a poor actic.
[00:26:48] Steve: Yeah,
[00:26:48] Maciek: but
[00:26:48] Steve: who knows?
[00:26:49] Maciek: Who knows? Yeah. Maybe it'll work.
[00:26:51] Steve: Yeah. To me, to me it's not that different from, like, if, if I had that user story today without ai like. I'd be Googling, I'd be either copying and pasting something from Stack Overflow.
[00:27:01] Steve: I'd be watching a tutorial and simulating the clicks, and then I, I still have to take responsibility for evaluating, did I do a good job? Regardless of did I get guidance from what I read on Google, from documentation from an AI agent? I, as a human being, still need to take responsibility for the pull request that I'm opening.
[00:27:20] Maciek: Yeah, true, true. But still, I must admit really that. Putting those agent inside of Drupal was, uh, was, was a great idea because yeah, I, yeah. I started with, with, with a classical approach. If I did, knew how to find something, I Google, but then sometimes I got, uh, a link to an older version of Drupal or mm-hmm.
[00:27:40] Maciek: There wasn't a documentation for something and. At, at some point. This was the moment, okay, let me try this AI agent, because that was the last thing I was thinking about when I installed, uh, triple CMS and I was, I guess, said, I, I was amazed because like, it, it was like my personal guide and this was something that, like we already mentioned, will make the adoption much easier, faster.
[00:28:05] Maciek: Mm-hmm. And yeah, we can ask AI every stupid question that we have, right? We can, yeah.
[00:28:11] Steve: One of my colleagues, Chris Reynolds, who has got a long history in, in WordPress, and even though he's, he is been working at, at Pantheon for a few years, and we do both a Drupal in WordPress, he still has a lot to learn about the ins and outs of a Drupal.
[00:28:24] Steve: I've, being able to just talk to an AI agent inside of a Drupal installation has been immensely helpful for, for him at that.
[00:28:32] Maciek: So I think that, 'cause right now we were talking just about Drupal, so maybe let's try to compare mm-hmm. Workers and Drupal. Uh, when would you say that someone should give Drupal a try over WordPress?
[00:28:47] Maciek: Where Drupal like really shines and it's, let's use this word, it's better.
[00:28:54] Steve: Sure. So I'll, I'll just say the, I'll describe the thing that brought me into Drupal in the first place, because I, I think this dynamic still holds. So I jumped from WordPress to Drupal. Uh. Around 2007 when I, I went from working on a blog for a theater company and I, I should immediately say like, yes, WordPress can do more than blogs, but in 2006, I had made a blog for a theater company and then they wanted me to replace the, the entirety of their older hand-coded HTML main website with something else.
[00:29:30] Steve: And it needed to be able to track and display information like every theatrical production they've ever done. Uh, dates of every single upcoming performance. Ideally the names of all the actors, and ideally, which roles each actor played in any given performance. And wouldn't it be nice as well if you could click on the actor's name and then see every performance they've ever been in.
[00:29:58] Steve: So building up a, a complex data model like that. Just more normalized in, in the Drupal world. And similar things are, are, are possible with the a CF suite and, and other tools inside of WordPress. Uh, but they're, they're more normalized in Drupal. They've been in Drupal core since Drupal seven, which came out in, in 2011.
[00:30:20] Steve: So if I were working on, on that sort of site where I need to model a lot of content types and fields in, in the Drupal language, I would still. I would gravitate towards Drupal because, uh, the modules are there. I don't need to, I don't need to pay for the pro version. And then a views module is, is a big one that doesn't have a clear WordPress equivalent.
[00:30:46] Steve: So in addition to being able to build out all of this complex data structure inside of Drupal Views, module then gives you the the power to build complex queries around. Those data structures and display the results.
[00:31:02] Maciek: Okay. And now another question, but a bit similar. Mm-hmm. Which cases you can imagine where persons should really go with WordPress?
[00:31:13] Maciek: Never but ever try to use Drop because it won't just work.
[00:31:17] Steve: Mm-hmm. So what One case study I found I found persuasive at Word Camp US this last year was, um. The case study from Fox Media, which had built their own, famously built their own CMS chorus and they decided in the last few years to to stop building and maintaining their own CMS, and they chose WordPress and, and.
[00:31:40] Steve: WordPress in a headless fashion, and they chose it for any number of reasons. I, I recommend going the backend and watching the, that whole conference presentation, but they, they picked it in part because of its ubiquity. Like Fox is a huge publishing organization with multiple different brands. There's fox.com, there's the Verge.
[00:31:59] Steve: For them, the, the ability to onboard new employees and say like, you know, WordPress, right? And practically anyone in the publishing world will be able to say like, yeah, we know WordPress. Okay, here's, here's your WordPress IVA interface. You're, we're publishing multiple news stories a day. Here you go. That, that use case still makes, uh, a lot of sense.
[00:32:19] Maciek: True. Yeah. This is something that I also know that, uh, the fact that workers is so familiar, it changes a lot because. Here we are looking at those CMSs from a bit different perspective. 'cause we are looking at them as, uh, those technical things that we build, that we maintain, that we try to grow while most of people are just using them.
[00:32:41] Maciek: So
[00:32:41] Maciek: mm-hmm. It kind of
[00:32:42] Maciek: don't care about a lot of things that we care of. For example, recipes, amazing thing. But for a person who, who just writes those news, they don't care. Yeah, if
[00:32:54] Steve: they don't care, they, they say, you know, my, my news article needs, uh, needs to be able to display multiple authors in a better way.
[00:33:05] Steve: Just do that thing. And if that thing is done by a recipe or through manual clicking, that person requesting it doesn't really care.
[00:33:14] Maciek: Other, honestly, you kind of surprised me because you went with the example of a huge corporation, right? Because Fox is huge. Yeah, because I thought, I, I, I, I thought that you will go more with an example of, uh, those of, of those beginners who prefer those.
[00:33:29] Steve: Oh, absolutely not. No code. The, the 40 per, the 40% of, of the web that, that uses WordPress has a very diverse set. It covers practically all of all of the types of websites on the internet. And yes, there, there are, uh, there are people. Who don't particularly care about websites at all, who just need to do a thing and they're pursuing whatever seems like the, the lowest friction way to do it.
[00:33:57] Steve: And for some of them, like click, click, click, end up on wordpress.com or, or Bluehost. Like, that's, that's fine. I mean, that's, that's how I started using WordPress. I overheard that artistic director with the theater company say like, we need a blog, and I just followed the path. Of least friction, and that led me to WordPress.
[00:34:13] Steve: So that still exists, but there are, there are people doing incredibly complex things in WordPress and you know, especially talking with, uh, with security minded people, I still hold hope for the composer verification of WordPress, partly because Composer makes it easier to manage patches. I applied a patch to a website recently just by declaring that.
[00:34:38] Steve: Patch at the root of my composer, JSON file. And that's it. That's it. I, I, I felt like I, oh, I need to say more. No, I, I took, I added that little bit of JSO to the root of my, uh, project, the composer JSO file. Like, I need this patch. It hasn't been merged into co yet. And then, I don't know, I guess I ran composer update or composer install, and the, the patch was applied and great, you know, without something like.
[00:35:05] Steve: Composer as a community, as a PHP wide way to manage code teams end up reinventing the wheel. I'm like, how do we track the patches that we've applied that are either functionality fixes or maybe security fixes, but like how do you track those and people end up reinventing all sorts of wheels and just put your patches at the root of your composer file.
[00:35:32] Steve: At the root of your project in your composer, JSON is the cleanest answer I've ever seen, and it works pretty well.
[00:35:37] Maciek: Yeah. And this is kind of my next question, security. Mm-hmm. Because we know that when we talk about WordPress and security, that's a difficult topic, right? And let's, but how does, yeah. Let's, let's end with this.
[00:35:52] Maciek: Let's end with this part. But how does Drupal handle handle security? And so maybe not only dral the whole ecosystem because. It's kind of the same thing like with WordPress. WordPress has a really strong core, but the ecosystem is the weak link. And how, how, how does Look
[00:36:10] Steve: Yeah. At, at Pantheon, we, we need to speak to that all the time because there is a community reputational issue with, with WordPress especially.
[00:36:20] Steve: Enterprises that, uh, that, that have it pros who are concerned about security, they may hear from one corner of the company, oh yeah, we're building that new site and we're building it on WordPress. And that might send those IT folks into a panic because they hear WordPress and they, there's a good chance they have associations from past work experience of WordPress sites getting hacked and all sorts of things.
[00:36:43] Steve: And in, in many cases it's not. WordPress fault per se, like so many of the WordPress vulnerabilities depend on a writeable file system, and that's the WordPress community does cultivate that expectation that the, the whole file system should be writeable. And to some degree there are security benefits from a live website, being able to apply updates immediately in an auto updates kind of fashion.
[00:37:11] Steve: But like at Pantheon, we take the perspective of like. Lighting A PHP application rewrite itself in prod. That is an unacceptable security risk, so we just don't allow that. Like on Pantheon, the live environment, the test environment, any files under version control in Git can't be written changed by anything but git.
[00:37:34] Steve: Like commit your WordPress code to get, push it up dev test live and uh, and there you go. So the, probably the plurality of security vulnerabilities depend on file system exploitation. A lot of them run through, uh, my SQL injection and Pantheon can do things at the edge layer to, to minimize that threat like security is, is not a totally black and white issue.
[00:37:59] Steve: It's, it's about. Adding layers of security, closing off attack vectors as as much as possible. And part of the reason why WordPress has a, a bad reputation for security is it is run, it's run everywhere. It's 40% of the web. So definitionally it is run in places that don't. Bring that defense in depth mindset.
[00:38:23] Maciek: Yeah. And this is, this is something that the, that you just mentioned about Pantheon. Mm-hmm. Because when we look at WordPress security, we see that it's not quite handled in a centralized way if we look at the whole picture. Mm-hmm. Because of course, the core takes care of the core, and they're doing a really good job because WordPress core is.
[00:38:40] Maciek: Let's be honest, it's secure. Most of the problems comes from, from plugins and from the fact of the, this very low entry level mm-hmm. Of so, so it's very easy to start using WordPress so people without any technical knowledge can start self-hosting a CMS without. Mm-hmm. Knowing about a lot of consequences.
[00:39:00] Maciek: On the other hand, we have those third party companies, uh, that try to help, for example, like we like Patch Stack, uh, and also yeah, the hosting companies because they're also doing a lot of great job, uh, making sure that nothing bad happens with it. So we can see that the whole ecosystem is trying to make, uh, WordPress more secure because still.
[00:39:26] Maciek: Mm, there is still a lot of problem. And, uh, how does it look in, in, in Drupal? Is it also kind of divided by this or is it more centralized?
[00:39:36] Steve: Somewhat there? So there's a Drupal security team that oversees core and Contrib as it's called, and so that security team. You can contact that security team. If you discover a vulnerability, there's a, a, a process for, you know, discreetly disclosing SEC security vulnerabilities.
[00:39:55] Steve: I'll say the, and then you know, that team is responsible for overseeing on Wednesdays. It's always on Wednesdays that security I. Fixes are published. So most Wednesdays I get a series of emails, usually early afternoon saying like sometimes core, but it's usually contribute modules. I'll just get an one email per module saying like, this module has a security release and their links to the, the information credits, to the, the people who, who discovered the issue.
[00:40:24] Steve: I'll say the first time I interacted with that team was, um. I, uh, when I found a small vulnerability of sorts in code that had been published by the White House that had been just published by the United States Government. It was just the, it was the theme of White house.gov at the time, and I, I saw that.
[00:40:48] Steve: I heard, oh yeah, the White House is publishing a Drupal theme. I thought, amazing. The White House is publishing. Drupal theme, what are we gonna do? It's on drupal.org. Are people gonna be able to like, use the same theme as the White House? And, and I quickly realized like, no, they like, you can in WordPress, you can in Drupal as well, hard code into your theme.
[00:41:09] Steve: Like you can hard code your footer into the theme. And some people might say like, no, there, there are ways to build out your footer and to use ui. Don't hard code the foot, but like. At the White House, hard coded their footer. So anyway, I discovered in one of the template files, an excess S vulnerability, a cross site scripting vulnerability, just meaning I saw in a template file like, oh, here's, here's a field that is printing its actual value.
[00:41:33] Steve: This printing is not using the escaping techniques that are normalized in Drupal. And so I contacted the security team even though this. Theme was published as a beta, meaning the security team didn't officially have dominion over it. The security team has policies as to, you know, which modules and themes they pay attention to and which they don't.
[00:41:54] Steve: I was like, they might, they might wanna know about this one, and so it, it, it pretty quickly got fixed, but I thought that was illustrative of, of a few things. One, like security is hard and that particular vulnerability was. Representative of why the Drupal community switched to Twig because it was just too darn easy and common to, without realizing it, print the raw un escaped value from a field.
[00:42:25] Steve: And while insecurity discourse, we often imagine like the worst possible case scenario or the the most complex way in which a site might get attacked. But then. The vast majority of Drupal sites that have custom themes have this problem where at least in one template, at least one field is being printed with its un escaped value.
[00:42:53] Steve: Like before Twig came in, in Drupal eight, which to some degree closed that problem, I mostly closed that problem. It was, it was, I think if you had looked at the vast majority of DR five, six, or seven sites. With, with a careful eye, you would've found that problem. And so many of the security risks that are out there in reality are like, uh, the, the security risk isn't coming from an outside hacker.
[00:43:17] Steve: It's being put in by the team that just doesn't, is, isn't thinking about that issue. At the same time, you have to think like, okay, what would be necessary for that vulnerability to actually be exploited on this? There's only one website in the world that runs the theme for White House dot. How would that actually get exploited?
[00:43:35] Steve: Someone who has capacity to add content to White house.gov would either need to maliciously or be tricked into adding like. A JavaScript file into, or a call to a JavaScript file and like, that's probably not gonna happen. Probably the back home checks necessary for some, probably. But anyway, uh, all that to say the, the Drupal security team was on top of that one pretty quickly.
[00:44:01] Maciek: So if I understand correctly there, the Drupal security team kind of not only takes care of the core. But also everything that's in the, in the repository, right? Yeah. Uh, in the whole world. So
[00:44:11] Steve: contribute modules that, that opt in to it. So I, I don't know all the rules off, off the top of my head, uh, but it, it, I think they only cover releases that, that are not labeled as alpha or beta.
[00:44:23] Steve: And then I think individual contributors can opt in or, or opt out of participation with, with the security team, and I should say. I have been on the other side of it as well. I have been a maintainer of a module and gotten reports from a, from someone who discovered a vulnerability in a module that where I was one of the half dozen or so maintainers and I was very impressed at how, how well the.
[00:44:44] Steve: The security team identifies the issue, helps identify what, what would be necessary to remediate the issue and then get the fix out the door.
[00:44:53] Maciek: I mean, that's their job. That's their job then.
[00:44:55] Steve: Yeah. Well, uh, in, and in many cases it is a volunteer job, uh, open source in many cases. It's, yes, it's, it's open source.
[00:45:02] Steve: In some cases it's, it's people who, who, who work for companies like Pantheon. And to some degree, it's, it's their job to, to spend time on, on such things. You know, I, I'm not, uh, on the team, um. Myself and our, our, our co-founder, our co-founders, David Strauss, has, has been deep in the security world for, for a long time.
[00:45:22] Steve: We also contribute to a program called Drupal Stewards where we, by contributing financially to this program, we get advanced notice. Someone there is a significant, for some definition of significant who that's getting results. Uh, a year or two ago I was. I was on the Pantheon side involved because we were notified through the Stewards program that ACO fix was coming.
[00:45:46] Steve: And we saw potential to, uh, make tweaks at our edge layer so that, you know, we, we, of course, encourage our customers to apply security fixes to their Drupal sites as soon as they're available. Uh, but we don't make, and we, you know, we, we saw years ago there was a, a security incident that. Colloquially has been referred to as Drupal Getin, meaning Drupal scores, security issues on a 25 point scale, and I, I think this was maybe the only 25 out of, and this I was not working at Pantheon at the time, but what I, what I heard was that from, from our logs, we could see, oh yes, within a few hours of this core issue coming out, somebody in the world is working down an alphabetical list of Drupal sites and attempting to exploit it within a few hours.
[00:46:35] Steve: So. While Pantheon encouraged customers to apply that change, ASAP, uh, for that one as well. I think we, we made changes at the time, our varnish layer, we now run varnish inside the global CDN. So when we hear about these kinds of issues, we can, you know, put, put in mitigations for everybody because often, often these kinds of run through very complex URLs that, that are suspicious where, where a pattern can be.
[00:47:03] Maciek: Okay, so I think that we can slowly, very slowly start to wrap up. So imagine there is a developer in front of you who is a bit tired of the current situation and WordPress, and he's looking for a new CMS. And he heard some great things about Drupal actually isn't entirely sure if he or she should give it a try.
[00:47:29] Maciek: What, how, how would you try to sell Drupal to such a developer? Why he, he or she should try
[00:47:36] Steve: find? You can see in my background, I, I like Legos and one of the, one of the things that has, has drawn me to Drupal is, is the way I, I feel that it fulfills the Lego mindset that, you know, people all over the tech community compare our, our, our tech work to, to building with Legos.
[00:47:54] Steve: I find that Drupal. Fulfill that feeling in a way that I don't get with other systems. The way the modules click together, the way the fields click together, I, I find it viscerally enjoyable. And if someone is, is approaching this question on a personal level, it's, it's the feelings that will move a person or not.
[00:48:16] Steve: Like I can describe the ways in which I find Drupal can, can be made more performant, more easily. That is nice the way Drupal does. Caching fine-grained caching. Bubbling up cash contexts is incredibly impressive. It's, it's been an amazing feature since Drupal eight. It enables all sorts of, um, performance optimizations.
[00:48:41] Steve: I find that fun, uh, as well, and, you know, it, it makes for, for a good end result. But I, I think what, what has the potential to, to move, you know, any single person from one system to another is are, are you going to get enjoyment? From it. And I, I enjoy, uh, building with Composer Drupal for, for years, even before Composer had the concept of dependencies.
[00:49:05] Steve: And while in my time at Pantheon, I've, I've mostly been seeing like, oh, Drupal and WordPress are not nearly as different as they've been made out to be. Like that. Each community thinks the other one is weighed. It's different than it, it like they're, they're closely related siblings. I, I wouldn't even say cousins like they're siblings that somehow got separated so on.
[00:49:27] Steve: One of the stark differences though is that with Drupal, you get the expectation that you install a module like search API and then that gets extended by search API solar, and then that gets extended by search API Pantheon and these things. Build on one another in a way that I find just satisfying and exciting.
[00:49:45] Steve: The feeling of, I don't, I don't wanna write any more code than I absolutely have to. I find it satisfying that Pantheons solar search module is relatively small, that our caching module is tiny because it's leveraging the functionality that is already there in Drupal core, and all Pantheon needs to do.
[00:50:08] Steve: To make it significantly more value valuable is pass along the caching metadata that is coming out of Drupal core already. We give that to our CDN and then similar to recipes, then you don't have to do a lot of complex clicking that would otherwise be necessary to get the CMS and the CDN talking with one another as well.
[00:50:27] Steve: We do that for you in a shockingly small amount of code.
[00:50:31] Maciek: I must admit that if someone would say, yeah, go with Drupal, because it's like Legos. You bought me, I mean, great
[00:50:39] Maciek: in my case. Alright. And I didn't even probably,
[00:50:41] Maciek: you probably don't see it, but I also have a lot of Legos in the background, so Yeah, it's, yeah.
[00:50:46] Maciek: So yeah,
[00:50:47] Steve: and I didn't even mention single directory components over the years. Where I felt the Lego metaphor breaks down is in theming where it's not so much Legos, like the way, the way developer, the way we've written CSS is more like we're, we're melting our Legos, we're we're drawing with. Permanent marker on top of the Legos to make it look the way it's supposed to.
[00:51:09] Steve: And with the single directory component concept that has risen up in Drupal in the last few years, and it's like, it is not a Drupal CMS specific feature, but it's, uh, one of the, the ideas that is flowing along with Drupal CMS, like we're, we're fulfilling the Lego feeling much better with single directory components as they're called.
[00:51:28] Maciek: Okay. So I'm sure that probably the title of the stock will end up with, uh. Drupal is like Lego. Probably something very good. It sounds good to me. Sounds, sounds good. And what would be the best way to start your adventure with Drupal? Like right now in 2025? You just heard about Drupal. I, you want to give it a try?
[00:51:49] Maciek: What did it?
[00:51:50] Steve: I'd say install Drupal CMS on Pantheon. Because then, then you don't have to worry about the, the, the map details that I had to worry about when I got started in 2007. Like if, if, uh, if you enjoy local development tools, d Dev is a great Docker based option for, for writing things. I must locally, if, if that's your thing, you can install Drupal core or Drupal CMS pretty easily with D Dev.
[00:52:19] Steve: But if you just want to click, click, click. Pantheon has a way to, to spin up a fresh instance of Drupal CMS in a few clicks.
[00:52:28] Maciek: Okay? So think, I think we know enough, at least enough to get started with Drupal. Alright. So, like I said, this, this analogy to Legos really worked for me, for me. So, so definitely I will have to give it another try.
[00:52:44] Maciek: So, all right. I'm happy to hear it. Steve. Thank you. Thank you very much for explaining a lot about, uh, Drupal's history. About how it compares with WordPress, about how security in Drupal works, because that's a very important aspect for for many of us. Yeah. I hope that everyone will at least, at least give Drupal CMSA try because like I admit at the beginning, Drupal doesn't get enough attention that it should because it's a really good CMS.
[00:53:16] Maciek: So with this, I want to say. Steve, thanks once again for, for sharing all your knowledge and see you everyone. Bye.
