The day got off to a good start with an excellent keynote speech by Dries on The State of Drupal.
After a short break the rest of the day unfolded with some great sessions and here are my highlights from the day. The bangers and mash wasn't one of them so I might try the veggie option tomorrow!
If you're heading to Croydon College for a session it's a bit of a rat run: up 3 levels, turn right and keep walking, then it's a right for the BOF sessions or a left for the Business Day sessions. Make sure you sign in at reception or you'll have security on your back.
Doing Drupal Security Right
A must-read, according to speaker Gábor Hojtsy, is the book Cracking Drupal. I don't think he's on commission, but he made a good case for buying it!
A list of security risks relevant to Drupal sites:
- Misconfiguration
- Avoid FTP (credentials and files travel in the clear)
- The site might be secure but the server could still be vulnerable, especially on shared hosting
- Avoid the PHP input format (the PHP filter module lets content authors run arbitrary code)
- Most vulnerabilities are in themes
The top 2 security issues you should worry about are:
- Injection
- XSS (cross-site scripting)
A good module for testing your Drupal security is the Security Review module. Also make sure you subscribe to the Drupal security newsletter for the latest updates (info in the right-hand column).
Other things highlighted in the session:
- You have a 64% likelihood of an XSS issue
- Drupal 7 passwords are better secured than in previous versions
- The Firesheep Firefox plugin sounds scary! Avoid open networks with no passwords when out and about
- Securepages Prevent Hijack module
Is open source secure? Well, more people are looking at it, finding holes and reporting issues back, which is a good thing.
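To make the two top worries concrete, here is an added example (my own, not from the session or the slides) of the kind of theme snippet where both bugs usually live, next to its hardened form. It assumes the Drupal 7 API: check_plain(), filter_xss() and db_query() with :placeholders.

```php
<?php
// Added example, not code from the session. Assumes Drupal 7 (check_plain,
// filter_xss, db_query with :placeholders). $title comes from a form field,
// $nid from the URL: both are attacker-controlled input.

/**
 * VULNERABLE: the pattern seen in many node.tpl.php files and custom blocks.
 */
function example_render_unsafe($title, $nid) {
  // XSS: a title of <script>...</script> is echoed into the page verbatim.
  $html = '<h2>' . $title . '</h2>';
  // Injection: the nid is concatenated into the SQL instead of bound as a value.
  $result = db_query("SELECT title FROM {node} WHERE nid = " . $nid);
  foreach ($result as $row) {
    $html .= '<p>' . $row->title . '</p>';
  }
  return $html;
}

/**
 * HARDENED: same output, with escaping on output and a bound parameter.
 */
function example_render_safe($title, $nid) {
  // check_plain() HTML-escapes the string, so any markup renders as text.
  $html = '<h2>' . check_plain($title) . '</h2>';
  // The placeholder is bound by the database layer and never parsed as SQL;
  // the (int) cast also rejects anything that is not a node id.
  $result = db_query('SELECT title FROM {node} WHERE nid = :nid',
                     array(':nid' => (int) $nid));
  foreach ($result as $row) {
    // Values read back from the database are still untrusted on output.
    $html .= '<p>' . check_plain($row->title) . '</p>';
  }
  return $html;
}

/**
 * Where a field legitimately carries some markup (a body text, say),
 * filter_xss() keeps a whitelist of tags and strips scripts and event handlers.
 */
function example_render_body($body) {
  return filter_xss($body, array('a', 'em', 'strong', 'p', 'ul', 'li'));
}
```

The Security Review module mentioned above flags text formats that allow dangerous tags, but it cannot see string concatenation inside your own templates; that part is a code review job.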
Read more about the session and download the slides.
Performance and Scalability
Jonathan Anthony, former CTO of Bounty, delivered a good session on performance with Drupal and also talked about his switch from .NET. One issue with .NET was the cost of search on the particular platform he was using: £4000 to enable search on his .NET CMS. Ouch! Just one of the reasons he moved over to Drupal.
Other tips and tricks from Jonathan:
- Feng Office is an open source alternative to Basecamp
- Varnish module to handle lots of anonymous users; not suitable for lots of authenticated users though
- Put search on a separate box, use Apache Solr, or let Acquia take the strain!
- MySQL query caching is turned off by default on most servers but could help with speed issues
- DB Maintenance module to analyse/optimise tables
- Block Cache Alter module
- Boost module
- CacheRouter module
- Supercron
- Move .htaccess rules into httpd.conf
- Loadimpact.com for site load testing
- New Relic
A nightly task, scheduled so as not to affect the site during busy times, is a script that does a graceful restart of Apache; this keeps sessions intact but frees up memory for the start of a new day.
Some of these were used on the Bounty.com website, which gets 15 million hits a month; by using the Boost and Block Cache modules they survived the onslaught of new visitors.
Please show some appreciation for one of his current projects, the PhoneGap module, which looks very cool.
Did you attend? What did you think of the sessions you attended? What did you think of the bangers and mash?! More to follow tomorrow :o)