Join John and Steve as they delve into the intricacies and challenges of maintaining Drupal modules, comparing experiences with WordPress, and sharing their journey in making web development more accessible. They discuss their personal stories, the learning curve in module development, balancing user experience, and the importance of contributing back to the community. Learn about their current projects, thoughts on AI's role in accessibility, and get inspired by their dedication to improving the web for all users.
For show notes visit: https://www.talkingDrupal.com/cafe010
TopicsBeing a Developer and Tech Lead at CivicActions has exposed him to the experience of working on some of the largest government websites in the United States. A passion for opensourcing as much as possible has lead him to develop a growing number of modules, with two addressing accessibility Alt Text Validation & Node Link Report)
John JamesonAs the Digital Accessibility Developer at Princeton University, John has come to believe that the biggest barrier to accessible content is the idea that training can compensate for unintuitive authoring interfaces. So far his work to fix the authoring interfaces, to make workflows intuitive and accessible by default, has resulted in the Editoria11y Accessibility Checker and Link Purpose Icons JS libraries and Drupal modules.
GuestsSteve Wirt - swirt John Jameson - itmaybejj
ResourcesModules
Talking Drupal #490 Contrib First https://talkingdrupal.com/490 Contrib First https://guidebook.civicactions.com/en/latest/common-practices-tools/contribution/contrib-first/
In the past month or so I had the opportunity to record videos featuring key DrupalCon Vienna sessions where you can learn about where Drupal is going. With only a couple days left to buy regular tickets, I think it is a good time to review my suggestions.
Gábor Hojtsy Wed, 09/10/2025 - 18:03If you've been building Drupal sites for a while, you know the pattern: a new requirement comes in, you reach for a custom or dust off an aging contributed module, and before long your code base is a patchwork of narrowly-focused solutions. Over time, maintenance becomes a chore.
There's a better way.
Keeping your site up to date is essential, but it is only the beginning when it comes to web security. For Drupal site maintainers, this comes naturally thanks to a long-standing culture of best practices, code quality, and the dedicated work of the Drupal Security Team. But today’s threat landscape doesn’t just target vulnerabilities in code. It exploits infrastructure, automation, and scale.
This is where the Drupal Association and CrowdSec collaboration comes in. It combines deep application-layer awareness with a community-powered defense system to offer broader, more adaptive protection for the modern web.
Drupal’s Internal Security CultureDrupal has earned a reputation for prioritizing security from the ground up. Core security practices, frequent updates, and responsible disclosure processes form the baseline. Modules like CAPTCHA, Honeypot, TFA, OAuth, and header hardening tools are widely used across websites to harden attack surfaces.
“We’ve always used a layered security model,” explains Jürgen Haas, a long-time Drupal contributor and maintainer of the CrowdSec Drupal module. “Before using CrowdSec, the Drupal Ban module helped us manually block problematic IPs, and we combined that with host-level tools like Fail2Ban or Apache’s security plugin.”
But that model has limits. For many Drupal sites, especially those with interactive features such as logins, registrations, and comment sections, malicious behavior can’t always be spotted at the infrastructure level. As traffic becomes more dynamic and attackers more sophisticated, another layer of protection is needed.
The Growing Challenge: Spam and BotsBrute-force logins, spam submissions, scraping bots, and SEO manipulation are not new, but their sophistication is evolving. AI-generated content can now bypass traditional filters. CAPTCHA-bypass tools are widely available. And attacks are no longer personal. They are automated and global.
One Drupal community member running a high-traffic political forum suffered frequent spam attacks that rendered the site nearly unusable. Implementing CrowdSec almost immediately resolved the issue. However, it also revealed new challenges around legitimate traffic coming from sources like Tor. It is a reminder that today’s security work is not only technical but also must be ethical and nuanced.
CrowdSec: A Community Approach to ProtectionCrowdSec is a free and open source security engine that detects aggressive behaviors and shares signals with a global network. If a malicious IP is attacking other sites, CrowdSec users benefit from that real-time threat intelligence. The Drupal module brings this collaborative protection directly into the CMS layer.
Initially, Jürgen was skeptical. “I used to think you should block threats early, at the server level,” he admits. “But I came to understand that some patterns of abuse, like brute force or spam, only emerge over time within the application. Drupal is in a unique position to spot them.”
That is where the Drupal integration shines. It enables behavior-driven detection that contributes to our global reputation network, without tracking personal data. The result is smarter, faster protection, especially when combined with traditional host-level defenses.
Why CrowdSec and Why Now“We were already researching CrowdSec as a potential replacement for Fail2Ban,” Jürgen explains. “It’s easier to configure, and the crowd-sourced decision-making is what really convinced us. The idea that we all benefit from what others observe is a very open source way of thinking.”
The Drupal module allows CrowdSec to gather rich behavioral context from inside the CMS, something not possible from logs alone. Current efforts are focused on building APIs to allow other Drupal modules to contribute signals, from spam protection to user activity patterns.
“There are a dozen modules already doing great work spotting bad behavior,” says Jürgen. “Imagine if they could all contribute signals. The insights we could gain and share would be huge.”
Real-World Use and Future EvolutionToday, the CrowdSec module is running on dozens of Drupal sites, protecting everything from portals to customer platforms and content-rich applications. The roadmap includes:
On the infrastructure side, most deployments run on LAMP stacks, with a gradual shift toward Docker-based hosting. Regardless of setup, the goal is the same: stop threats efficiently, collaboratively, and without compromising the openness of the web.
Rooted in Open Source EthicsWhat sets this partnership apart is not just the technology. It is the shared values. Drupal Association and CrowdSec are both rooted in transparency, collaboration, and community-driven improvement.
“CrowdSec's approach feels intuitive to people from open source communities,” says Jürgen. “You contribute data, benefit from what others share, and improve things together.”
Security is often treated as a premium feature, locked behind proprietary platforms. This partnership challenges that idea. It shows how powerful, scalable security can be built in the open, shared freely, and improved collectively.
Together, We Can Build a Safer WebSecurity is not a static checklist. It is a living, evolving effort. As attackers innovate, so must defenders. That is why this partnership invites not just users, but contributors.
Here’s how to get involved:
Security is not just about stopping bad actors. It is about protecting the values that make open source and the open web possible. Through this partnership, the Drupal Association and CrowdSec are helping build a more resilient internet. One where collective action protects everyone.
Safer together.
Keeping your site up to date is essential, but it is only the beginning when it comes to web security. For Drupal site maintainers, this comes naturally thanks to a long-standing culture of best practices, code quality, and the dedicated work of the Drupal Security Team. But today’s threat landscape doesn’t just target vulnerabilities in code. It exploits infrastructure, automation, and scale.
This is where the Drupal Association and CrowdSec collaboration comes in. It combines deep application-layer awareness with a community-powered defense system to offer broader, more adaptive protection for the modern web.
Drupal’s Internal Security CultureDrupal has earned a reputation for prioritizing security from the ground up. Core security practices, frequent updates, and responsible disclosure processes form the baseline. Modules like CAPTCHA, Honeypot, TFA, OAuth, and header hardening tools are widely used across websites to harden attack surfaces.
“We’ve always used a layered security model,” explains Jürgen Haas, a long-time Drupal contributor and maintainer of the CrowdSec Drupal module. “Before using CrowdSec, the Drupal Ban module helped us manually block problematic IPs, and we combined that with host-level tools like Fail2Ban or Apache’s security plugin.”
But that model has limits. For many Drupal sites, especially those with interactive features such as logins, registrations, and comment sections, malicious behavior can’t always be spotted at the infrastructure level. As traffic becomes more dynamic and attackers more sophisticated, another layer of protection is needed.
The Growing Challenge: Spam and BotsBrute-force logins, spam submissions, scraping bots, and SEO manipulation are not new, but their sophistication is evolving. AI-generated content can now bypass traditional filters. CAPTCHA-bypass tools are widely available. And attacks are no longer personal. They are automated and global.
One Drupal community member running a high-traffic political forum suffered frequent spam attacks that rendered the site nearly unusable. Implementing CrowdSec almost immediately resolved the issue. However, it also revealed new challenges around legitimate traffic coming from sources like Tor. It is a reminder that today’s security work is not only technical but also must be ethical and nuanced.
CrowdSec: A Community Approach to ProtectionCrowdSec is a free and open source security engine that detects aggressive behaviors and shares signals with a global network. If a malicious IP is attacking other sites, CrowdSec users benefit from that real-time threat intelligence. The Drupal module brings this collaborative protection directly into the CMS layer.
Initially, Jürgen was skeptical. “I used to think you should block threats early, at the server level,” he admits. “But I came to understand that some patterns of abuse, like brute force or spam, only emerge over time within the application. Drupal is in a unique position to spot them.”
That is where the Drupal integration shines. It enables behavior-driven detection that contributes to our global reputation network, without tracking personal data. The result is smarter, faster protection, especially when combined with traditional host-level defenses.
Why CrowdSec and Why Now“We were already researching CrowdSec as a potential replacement for Fail2Ban,” Jürgen explains. “It’s easier to configure, and the crowd-sourced decision-making is what really convinced us. The idea that we all benefit from what others observe is a very open source way of thinking.”
The Drupal module allows CrowdSec to gather rich behavioral context from inside the CMS, something not possible from logs alone. Current efforts are focused on building APIs to allow other Drupal modules to contribute signals, from spam protection to user activity patterns.
“There are a dozen modules already doing great work spotting bad behavior,” says Jürgen. “Imagine if they could all contribute signals. The insights we could gain and share would be huge.”
Real-World Use and Future EvolutionToday, the CrowdSec module is running on dozens of Drupal sites, protecting everything from portals to customer platforms and content-rich applications. The roadmap includes:
On the infrastructure side, most deployments run on LAMP stacks, with a gradual shift toward Docker-based hosting. Regardless of setup, the goal is the same: stop threats efficiently, collaboratively, and without compromising the openness of the web.
Rooted in Open Source EthicsWhat sets this partnership apart is not just the technology. It is the shared values. Drupal Association and CrowdSec are both rooted in transparency, collaboration, and community-driven improvement.
“CrowdSec's approach feels intuitive to people from open source communities,” says Jürgen. “You contribute data, benefit from what others share, and improve things together.”
Security is often treated as a premium feature, locked behind proprietary platforms. This partnership challenges that idea. It shows how powerful, scalable security can be built in the open, shared freely, and improved collectively.
Together, We Can Build a Safer WebSecurity is not a static checklist. It is a living, evolving effort. As attackers innovate, so must defenders. That is why this partnership invites not just users, but contributors.
Here’s how to get involved:
Security is not just about stopping bad actors. It is about protecting the values that make open source and the open web possible. Through this partnership, the Drupal Association and CrowdSec are helping build a more resilient internet. One where collective action protects everyone.
Safer together.
Since late August, Acquia has been gradually upgrading from Solr 8 to Solr 9, a process that will culminate with the migration of production environments in the second half of September. This upgrade brings significant improvements and changes that require the attention of development teams.
Choosing the self-service path gives you more control over the timing of the upgrade and the ability to verify your custom configuration before the date scheduled by Acquia. This proactive approach ensures a smooth transition and guarantees that your website's search functions stably in production.
This article details the process for performing a self-service Solr 9 upgrade in Acquia environments, focusing on key configuration aspects in Drupal and the management of custom configsets.
What does the change to Solr 9.8 entail?Solr 9 represents a significant evolution, built on Lucene 9, bringing improvements in index management, query efficiency, and a more modern and secure foundation. Among the most notable innovations is native capability for vector search (KNN and embeddings), opening the door to semantic and AI-driven search functionalities.
Key aspects to consider for configuration primarily revolve around changes in format and module management.…
Following on from my recent article about How To Patch Drupal, this article will explore some more useful commands and additional functionality.
Read moreI've found that DDEV's ddev share command is a great way to quickly share my local development environment. However, since it uses ngrok, it generates a new, random URL every time unless you use a stable domain. As an alternative, I've created the ddev-tailscale-router add-on.
This add-on uses Tailscale, a VPN service that creates a private and secure network between your devices. It is free for personal use!
As a result, you get a stable, human-readable URL for each of your DDEV projects, which you can access from any device on your Tailscale network.
I've found this approach to be particularly useful for:
The ddev-tailscale-router add-on works by running a Tailscale container alongside your DDEV project. This container automatically connects to your Tailscale network and securely proxies requests to your project's web container.
PrerequisitesBefore installing the add-on, you need to set up Tailscale:
To get started, follow these steps:
First, set up your auth key (recommended approach): Add the auth key to your shell environment:
echo 'export TS_AUTHKEY=tskey-auth-your-key-here' >> ~/.bashrc source ~/.bashrcReplace ~/.bashrc with ~/.zshrc if you use Zsh, or your relevant shell configuration file.
Alternatively, you can set it per project (NOT RECOMMENDED, because .ddev/.env.tailscale-router is not intended to store secrets):
ddev dotenv set .ddev/.env.tailscale-router --ts-authkey=tskey-auth-your-key-hereNext, install the add-on:
ddev add-on get atj4me/ddev-tailscale-routerFinally, restart DDEV:
ddev restartOnce installation is complete, you can access your project using these commands:
Launch your project's Tailscale URL in browser:
ddev tailscale launchGet your project's Tailscale URL:
ddev tailscale urlYour project's permanent Tailscale URL will look like: https://<project-name>.<your-tailnet>.ts.net. You can also find it in your Tailscale admin console.
Public vs. Private ModeThe add-on offers two modes for sharing your project:
To switch between modes:
Switch to public mode (accessible to anyone on the internet):
ddev dotenv set .ddev/.env.tailscale-router --ts-privacy=public ddev restartSwitch back to private mode (default):
ddev dotenv set .ddev/.env.tailscale-router --ts-privacy=private ddev restartNote: For public access, you need to configure your Access Control List (ACL) to enable Funnel. See the Tailscale Funnel documentation for details on setting up the required ACL policy.
I hope this add-on helps streamline your development workflow! If you run into any issues or have suggestions for improvements, feel free to open an issue on the GitHub repository.
Additional ResourcesHere are some additional resources that you might find helpful:
This blog post was written with the assistance of Amazon Q and Google Gemini. I used them to help simplify the language, improve the flow, and proofread the text.
Today we are talking about DrupalCon Vienna, what we can expect, and any surprise updates with guests Cristina Chumillas, Antonella Severo, and Catherine Tsiboukas. We’ll also cover Recipe Tracker as our module of the week.
For show notes visit: https://www.talkingDrupal.com/519
TopicsCatherine Tsiboukas - mindcraftgroup.com bletch Antonella Severo - nestle.com antonellasevero Cristina Chumillas - ckrina
HostsNic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi James Sansbury - tugboatqa.com q0rban
MOTW CorrespondentMartin Anderson-Clutz - mandclu.com mandclu
Open source communities often learn from one another. When Laravel introduced "Boost," its new AI coding starter kit, it showed how artificial intelligence can be woven directly into a developer's workflow. Instead of leaving AI as a scattered experiment, Laravel created an official package that gives developers consistent guidance, direct access to framework knowledge, and clear guardrails that make AI support trustworthy. It is a reminder that AI can be more than a novelty if it is shaped carefully.
Ronald te Brake has suggested that Drupal should take a similar step. He points out that Drupal developers are already experimenting with AI, but the tools are fragmented and inconsistent. Some use modules, others write their own rules, and a few rely on external services. The result is promising but messy. Ronald envisions a Drupal starter kit that would bring these efforts together: easy to install, grounded in community standards, and powered by official Drupal knowledge. Instead of duplicating efforts across different tools, developers would share a common foundation that keeps AI aligned with how Drupal is actually built.
The value of this proposal is not in copying Laravel but in asking what a Drupal-native approach could look like. Ronald reminds us that Drupal has always thrived on collaboration, shared standards, and community driven progress. An AI starter kit could be the next step in that tradition, helping developers work faster while staying true to Drupal's principles. The opportunity is now for the community to decide if we are ready to shape this vision together.
DISCOVER DRUPAL
We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now. To get timely updates, follow us on LinkedIn, Twitter, Bluesky, and Facebook. You can also join us on Drupal Slack at #thedroptimes.
Thank you.
Sincerely,
Alka Elizabeth,
Sub-editor, The DropTimes.
We’re thrilled to introduce Maya Schaeffer, one of the newest members elected to the Drupal Association Board, with her term beginning 1 November 2025.
Maya is the lead organizer of EvolveDrupal, where she has been instrumental in rebuilding the in-person side of the community post-pandemic, connecting over 1,000 attendees (40% from outside the traditional Drupal space) across summits in Montreal, Ottawa, Toronto, Atlanta, NYC, and Boston (upcoming June 2025). These events highlight the demand for cross-functional community spaces that showcase Drupal’s relevance across industries.
Beyond events, Maya is passionate about contributing to Promote Drupal and helping shape an Association that champions clear storytelling, accessible entry points, and a strong pipeline for the next generation of users and contributors.
We’re excited to have Maya on the Board. Here are her thoughts as she begins this new chapter:
What are you most excited about when it comes to joining the Drupal Association Board?
I'm excited to bring a fresh perspective that bridges the gap between technical and non-technical communities. I want to help Drupal grow by expanding its reach, telling a more inclusive story, and making it easier for new voices to get involved, especially beyond code.
What do you hope to accomplish during your time on the board?
I want to help Drupal reach new audiences, support more inclusive contribution pathways, and strengthen community engagement beyond the developer space. That includes amplifying Promote Drupal, making it easier for newcomers to get involved, and championing voices from underrepresented regions and roles. I also hope to bring a marketing and events lens to our strategy, helping the project tell a clearer, more compelling story to the world.
What specific skill or perspective do you contribute to the board?
I bring a marketing and community-building lens, shaped by leading EvolveDrupal (and EvolveDigital) and engaging non-technical audiences. My background in event management and my administrative experience as an executive assistant in Germany give me the tools to align stakeholders and turn ideas into action, something I’m especially excited to bring to the Board’s work. I thrive at making vision tangible and creating inclusive spaces where more people can see themselves in Drupal.
How has Drupal impacted your life or career?
When I started at Evolving Web, I didn’t even know what Drupal was. But from my very first event, the community welcomed me in. That sense of openness gave me room to grow, build confidence, and discover a whole new path in tech. I’ve found a place where I can connect with people, contribute in meaningful ways, and keep learning every step of the way.
Tell us something that the Drupal community might not know about you.
I started playing ball hockey after moving to Canada, and just 3.5 years later, I made it onto the United Nations team for the 2024 Ball Hockey World Championship in Switzerland. It was an unforgettable experience and a reminder that it’s never too late to try something new and go all in.
Share a favorite quote or piece of advice that has inspired you.
"You miss 100% of the shots you don’t take." — Wayne Gretzky
This quote has guided so many of my big life decisions. I moved to a new country, stepped into a completely new industry, and said yes to opportunities I didn’t feel fully “ready” for, from organizing summits to playing in a world championship. None of it would’ve happened if I hadn’t taken the shot.
We look forward to the contributions Maya will make during her time on the Drupal Association Board. Thank you, Maya, for sharing your time and expertise with the Drupal community. You can connect with Maya on LinkedIn.
Looking ahead to DrupalCon Vienna 2025With DrupalCon Vienna 2025 on the horizon, join us for the Drupal Association Public Board Meeting. The Board will share updates on upcoming programs, conduct essential business to support the Association’s non-profit mission, and answer questions directly from the community. If you haven’t registered yet, register now and be part of this gathering of the global Drupal community.
About the Drupal Association Board of DirectorsThe Drupal Association Board of Directors comprises 13 members: nine nominated for staggered three-year terms, two elected by Drupal Association members, one seat reserved for the Drupal Project Founder, Dries Buytaert, and one non-voting seat reserved for the immediate past chair. Terms begin on 1 November each year.
The Board meets twice in person for weekend retreats and about five times virtually each year. It provides strategic guidance to the Drupal Association and oversees the Association’s management, policy development, budget, and fundraising efforts.
