I'm a big fan of Piwik, an open source analytics suite. Think Google Analytics, StatCounter, Sitemeter, etc. … only self-hosted and open source. There are many benefits of using it:
Drupal 8 uses Composer for package management. You can still install a Drupal 8 site by downloading a tarball, but we're all encouraged to use Composer to download Drupal core and other dependencies and to keep things up to date.
I'm just starting to get my head around how Drupal 8 works, so that I can reach the point where I can build new sites in 8.x rather than 7.x, and in time migrate existing sites over. Composer is part of the learning curve for this.
Yesterday, at 7.13pm, the Drupal Security Team issued a public service announcement: Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001.
This needs a bit of background to understand.
How Drupal Core Updates Normally Work
Updates to Drupal Core fall into one of new kinds.
I'll put this here, in case it helps anyone else.
I'm owning up to Drupal Schoolboy Error #1.
I was writing a very simple module. It did so little that I wanted to keep things as simple as possible — just a .info file, and a .module file.
OK - I'll hold my hands up. The title of this post is misleading. I'm not going to give you an ABC on how to secure a Drupal site (maybe another day). I'm responding to a post on the Reseller Club blog entitled How to Secure Your Client's Drupal Website.
There is some good advice in that article, but it's mixed in with some bad advice, and in other parts it's just plain confused. In the hope that it helps people, I'm going to try and untangle things.
The Drupal Security team has just released a public security announcement, PSA 2016-001.
There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25).
If you run any Drupal sites, please be prepared, and be ready to update your site as soon as this is released.
Drupal 7 and below came with an optional module you can use in your input formats - the "PHP Filter". This allows you to put PHP code into the content of your webpages, and Drupal will process the PHP before rendering the page.
Last week, to appropriate fanfares, Drupal 8 reached Release Candidate stage. That means Drupal 8 tagged releases now have an upgrade path between them, and it also means (very nearly) complete API / hook stability - which means this is the cue for some serious testing and development of contrib themes and modules.
However I made one schoolboy error: I was still using Drush 7.
It's actually quite an understandable mistake - all you had to do was follow the development of Drupal Next, and Drush, but not quite follow it closely enough.