drupal
Talking Drupal: TD Cafe #010 - Steve Wirt & John Jameson
Join John and Steve as they delve into the intricacies and challenges of maintaining Drupal modules, comparing experiences with WordPress, and sharing their journey in making web development more accessible. They discuss their personal stories, the learning curve in module development, balancing user experience, and the importance of contributing back to the community. Learn about their current projects, thoughts on AI's role in accessibility, and get inspired by their dedication to improving the web for all users.
For show notes visit: https://www.talkingDrupal.com/cafe010
Topics
- Drupal Beginnings: Personal Stories
- Journey into Module Development
- Accessibility in Web Development
- Navigating the Learning Curve in Development
- The Importance of Community and Collaboration
- Challenges in Module Maintenance
- Comparing Drupal and WordPress
- Innovative Approaches to Development
- Pet Peeves and Frustrations
- Future Directions and AI Integration
- The Story Behind the Shovel Avatar
Being a Developer and Tech Lead at CivicActions has exposed him to the experience of working on some of the largest government websites in the United States. A passion for open-sourcing as much as possible has led him to develop a growing number of modules, with two addressing accessibility (Alt Text Validation & Node Link Report).
John Jameson
As the Digital Accessibility Developer at Princeton University, John has come to believe that the biggest barrier to accessible content is the idea that training can compensate for unintuitive authoring interfaces. So far his work to fix the authoring interfaces, to make workflows intuitive and accessible by default, has resulted in the Editoria11y Accessibility Checker and Link Purpose Icons JS libraries and Drupal modules.
Guests
Steve Wirt - swirt
John Jameson - itmaybejj
Resources
Modules
- Editoria11y Accessibility Checker https://www.drupal.org/project/editoria11y
- Link Purpose Icons https://www.drupal.org/project/linkpurpose
- Alt Text Validation https://www.drupal.org/project/alt_text_validation
- Node Link Report https://www.drupal.org/project/node_link_report
Talking Drupal #490 Contrib First https://talkingdrupal.com/490
Contrib First https://guidebook.civicactions.com/en/latest/common-practices-tools/contribution/contrib-first/
The Drop Times: “Drupal’s Complexity Is Being Used to Make Things Simpler” — Jorge Tutor on Smart Scaling
Gábor Hojtsy: All the deep dives about Drupal's future at DrupalCon Vienna
In the past month or so I had the opportunity to record videos featuring key DrupalCon Vienna sessions where you can learn about where Drupal is going. With only a couple days left to buy regular tickets, I think it is a good time to review my suggestions.
Gábor Hojtsy Wed, 09/10/2025 - 18:03
LakeDrops Drupal Consulting, Development and Hosting: Embrace ECA: The Future Beyond Classic Module Development
If you've been building Drupal sites for a while, you know the pattern: a new requirement comes in, you reach for a custom module or dust off an aging contributed one, and before long your code base is a patchwork of narrowly-focused solutions. Over time, maintenance becomes a chore.
There's a better way.
The Drop Times: Seed EM Launches Drup & Drop: Production-Ready Drupal CMS Platform for Faster Digital Implementation
Drupal Association blog: Beyond Patching: Drupal Association and CrowdSec Team Up to Protect the Open Web
Keeping your site up to date is essential, but it is only the beginning when it comes to web security. For Drupal site maintainers, this comes naturally thanks to a long-standing culture of best practices, code quality, and the dedicated work of the Drupal Security Team. But today’s threat landscape doesn’t just target vulnerabilities in code. It exploits infrastructure, automation, and scale.
This is where the Drupal Association and CrowdSec collaboration comes in. It combines deep application-layer awareness with a community-powered defense system to offer broader, more adaptive protection for the modern web.
Drupal’s Internal Security Culture
Drupal has earned a reputation for prioritizing security from the ground up. Core security practices, frequent updates, and responsible disclosure processes form the baseline. Modules like CAPTCHA, Honeypot, TFA, OAuth, and header hardening tools are widely used across websites to harden attack surfaces.
“We’ve always used a layered security model,” explains Jürgen Haas, a long-time Drupal contributor and maintainer of the CrowdSec Drupal module. “Before using CrowdSec, the Drupal Ban module helped us manually block problematic IPs, and we combined that with host-level tools like Fail2Ban or Apache’s security plugin.”
But that model has limits. For many Drupal sites, especially those with interactive features such as logins, registrations, and comment sections, malicious behavior can’t always be spotted at the infrastructure level. As traffic becomes more dynamic and attackers more sophisticated, another layer of protection is needed.
The Growing Challenge: Spam and Bots
Brute-force logins, spam submissions, scraping bots, and SEO manipulation are not new, but their sophistication is evolving. AI-generated content can now bypass traditional filters. CAPTCHA-bypass tools are widely available. And attacks are no longer personal. They are automated and global.
One Drupal community member running a high-traffic political forum suffered frequent spam attacks that rendered the site nearly unusable. Implementing CrowdSec almost immediately resolved the issue. However, it also revealed new challenges around legitimate traffic coming from sources like Tor. It is a reminder that today’s security work is not only technical but also must be ethical and nuanced.
CrowdSec: A Community Approach to Protection
CrowdSec is a free and open source security engine that detects aggressive behaviors and shares signals with a global network. If a malicious IP is attacking other sites, CrowdSec users benefit from that real-time threat intelligence. The Drupal module brings this collaborative protection directly into the CMS layer.
Initially, Jürgen was skeptical. “I used to think you should block threats early, at the server level,” he admits. “But I came to understand that some patterns of abuse, like brute force or spam, only emerge over time within the application. Drupal is in a unique position to spot them.”
That is where the Drupal integration shines. It enables behavior-driven detection that contributes to our global reputation network, without tracking personal data. The result is smarter, faster protection, especially when combined with traditional host-level defenses.
Why CrowdSec and Why Now
“We were already researching CrowdSec as a potential replacement for Fail2Ban,” Jürgen explains. “It’s easier to configure, and the crowd-sourced decision-making is what really convinced us. The idea that we all benefit from what others observe is a very open source way of thinking.”
The Drupal module allows CrowdSec to gather rich behavioral context from inside the CMS, something not possible from logs alone. Current efforts are focused on building APIs to allow other Drupal modules to contribute signals, from spam protection to user activity patterns.
“There are a dozen modules already doing great work spotting bad behavior,” says Jürgen. “Imagine if they could all contribute signals. The insights we could gain and share would be huge.”
Real-World Use and Future Evolution
Today, the CrowdSec module is running on dozens of Drupal sites, protecting everything from portals to customer platforms and content-rich applications. The roadmap includes:
- Richer behavioral context to improve upstream signals
- A signal-sharing API that enables other modules to contribute
- Enhanced reporting in the Drupal backend to show impact
- Improved documentation to help users understand and build on the module
On the infrastructure side, most deployments run on LAMP stacks, with a gradual shift toward Docker-based hosting. Regardless of setup, the goal is the same: stop threats efficiently, collaboratively, and without compromising the openness of the web.
Rooted in Open Source Ethics
What sets this partnership apart is not just the technology. It is the shared values. Drupal Association and CrowdSec are both rooted in transparency, collaboration, and community-driven improvement.
“CrowdSec's approach feels intuitive to people from open source communities,” says Jürgen. “You contribute data, benefit from what others share, and improve things together.”
Security is often treated as a premium feature, locked behind proprietary platforms. This partnership challenges that idea. It shows how powerful, scalable security can be built in the open, shared freely, and improved collectively.
Together, We Can Build a Safer Web
Security is not a static checklist. It is a living, evolving effort. As attackers innovate, so must defenders. That is why this partnership invites not just users, but contributors.
Here’s how to get involved:
- Try the CrowdSec Drupal module and explore what it can do
- Share your experience with others in the CrowdSec community and Drupal Security Team
- Contribute your story to help others improve their defenses
Security is not just about stopping bad actors. It is about protecting the values that make open source and the open web possible. Through this partnership, the Drupal Association and CrowdSec are helping build a more resilient internet. One where collective action protects everyone.
Safer together.
Drupal blog: Beyond Patching: Drupal Association and CrowdSec Team Up to Protect the Open Web
Metadrop: Solr9 upgrade on Acquia
Since late August, Acquia has been gradually upgrading from Solr 8 to Solr 9, a process that will culminate with the migration of production environments in the second half of September. This upgrade brings significant improvements and changes that require the attention of development teams.
Choosing the self-service path gives you more control over the timing of the upgrade and the ability to verify your custom configuration before the date scheduled by Acquia. This proactive approach ensures a smooth transition and guarantees that your website's search functions stably in production.
This article details the process for performing a self-service Solr 9 upgrade in Acquia environments, focusing on key configuration aspects in Drupal and the management of custom configsets.
What does the change to Solr 9.8 entail?
Solr 9 represents a significant evolution, built on Lucene 9, bringing improvements in index management, query efficiency, and a more modern and secure foundation. Among the most notable innovations is native capability for vector search (KNN and embeddings), opening the door to semantic and AI-driven search functionalities.
Key aspects to consider for configuration primarily revolve around changes in format and module management.…
DDEV Blog: Contributor Training: Using Claude Code for a DDEV PR
Here's our August 21, 2025 Contributor Training on using Claude Code AI for a DDEV PR:
Big Picture
- The most amazing thing about Claude Code as an agent is that it can do things and respond to them, on your machine, and using the internet, with your permission. That puts it way ahead of any other AI I've used. It can run tests and respond to the results (and fix things). It can create a commit or a PR.
- Used with respect, AI can be really powerful, a whole new level of abstraction in software development, maybe a bit like having an IDE when you were previously using just a line editor.
- AI excels at repetitive tasks, but only you have judgment. It's phenomenal at repeating patterns that it's been trained on, and often good at imitating patterns that you point out to it.
- It's a pretty good collaborator for those of us who work mostly alone.
- When I don't have the energy to approach a problem from scratch, sometimes just explaining it to Claude Code and asking for a plan gets me started. I've taken on quite a number of DDEV bugs/features this way and got to them instead of procrastinating another year or two.
Guardrails
- Your code is your code. Build it with guardrails that will help keep it under control. Tests and static analysis are great guardrails. (DDEV has hundreds of automated tests and `make staticrequired` for static analysis.)
- Control, read, and manually test the code yourself.
- Consider getting a different AI to do a review.
- Always try to get another human to do a review.
- AI is fantastic at creating new tests, but don't let it touch the existing tests.
Structure and Strategy
- For complex initiatives, explain the entire goal in detail to Claude and then get it to write a PRD, then commit the PRD into the repository. That way you'll have a high-quality set of context to use.
- Put all your general directives in a `CLAUDE.md` file like DDEV's CLAUDE.md. Their docs claim that directives like this will be used properly to guide Claude's behavior, and it does help, but Claude does not seem to be strictly obedient and I often have to remind it of basic DDEV precepts.
- TaskMaster AI is a pretty good structural tool. You can give it a PRD and have it create a task list, then Claude can use it to navigate that task list. This would have been a great tool long before AI, but I rarely used that much structure in my coding before using this tool and AI.
- Every time you accomplish a bit of something, make a commit or have Claude make a commit. That way you can roll it back, or review just one item. (This works for you as a human also.) Thanks @shaal.
Capabilities
- I was amazed to find that Claude could create an issue or PR for me, and certainly do commits. It can also comment on an issue or PR. I don't let it do those things without permission. (It seems to know how to use the `gh` utility to do these things; you need to have that installed and configured.)
- I have definitely learned some things from Claude. It has used the Go `t.Run()` much more effectively for clearer subtests than I had ever done before. And it seems to use a bit more modern Go in general, so that's a plus.
Problems
- The current billing situation for Claude is confusing. It's based on the number of tokens you're using, but it doesn't give you feedback until you've almost used it all up. Then (on the $20/month plan) you're not able to use it for a number of hours, which seems to be arbitrary. You can spend more for a higher monthly plan, and you can also pay-as-you-go for tokens. I haven't done either of those. Clear context (`/clear`) at key points to limit the amount of context you're carrying forward and limit the number of tokens you're using.
- Claude can get stuck and go in circles, like other AI. Clear context to try to get around that. Have an overall plan to get around it.
- I'm annoyed by how verbose and flowery the commit/issue/PR language is sometimes, but have tried to calm it down using directives in the `CLAUDE.md` file, but without success. It also is complimenting me all the time and always agreeing with what I say. I haven't been able to calm that down either.
- I find that the amount of code I can create quickly for a significant feature is amazing. But then I have to understand it. And since I didn't create it at the micro level, it can be exhausting to work with.
Demonstration
In this demonstration (see screencast) we asked Claude to work on this issue about `ddev launch` and we asked it to create a PR for us. It generated this PR to resolve the problem. It was a trivial issue with a trivial solution, but the path to create it was similar to the path for a more complex situation.
Responsible AI Usage and Disclosure
This isn't an adequate place to discuss responsible AI, but:
- Acknowledge the use of AI. Claude is happy to add a tag onto every commit or comment.
- Take responsibility for what you build.
Resources
- Claude Code AI
- TaskMaster AI
- Slides and supporting repository built on reveal.js, created using Claude.
- Coursera Claude Code Course: I took this as a free course; it didn't take too long and I learned a lot that I would not have known otherwise.
Conclusions
Yes, AI can make us really lazy. And it can make us stupid. Those valid concerns were also leveled against the calculator and the computer, of course. People thought that using the `C` language instead of assembler was giving up control. It was. We have to learn how to use this technology, use it right, and grow with it.
Build guardrails. Pay attention. Know what your code does. Enjoy the ride!
Contributions welcome!
Your suggestions to improve this blog are welcome. You can do a PR to this blog adding your techniques. Info and a training session on how to do a PR to anything in ddev.com is at DDEV Website For Contributors.
Join us for the next DDEV Live Contributor Training.
Edited with assistance from Claude Code and Codex; banner image generated by Claude.