Antonio's blog


Antonio
Lead Programmer

Must-have Security Modules for Drupal - Part 1

It's hard to tell how truly secure your website is. We personally consider Drupal to be very secure in comparison to other Content Management Systems out there, and it can always be improved. I'm gonna go through a handful of modules that I always keep handy and often install. Know beforehand that some module settings, or even whole modules, might not be useful for a specific project, so be discreet.

CAPTCHA (Module Page)

Most people already know what a captcha is; this is the primary CAPTCHA module for Drupal. It comes with an image challenge, which is the type of captcha you see all the time with swirling letters and such, and a math challenge, which asks you to solve a simple math problem like "2 + 4 = ___".

You can expand the module to use reCaptcha, I particularly think that the concept behind reCaptcha is pretty awesome.

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. Check out our paper in Science about it (or read more below).

A strong captcha is good for keeping your registration pages and/or anonymous comments relatively safe from spam bots. Spam bots are pretty persistent: they register and post everywhere possible on your page. The best approach to spam is to add several different hurdles that are relatively easy for a human to clear but hard for an average spam bot, as opposed to the single undefeatable captcha that not even a human can read.

More spam prevention modules

  • Spam - numerous tools to auto-detect and deal with spam content
  • Antispam - similar to Spam but using third-party detection systems like Akismet
  • Mollom - Provides captchas and spam filtering.

Login Security (Module Page)

The concept of this module is pretty straightforward: stopping anyone from trying to guess a password, either manually or via a brute-force attack. The settings are very flexible; you can choose to block a user or block a host altogether. You can set it to e-mail you after a chosen number of failed login attempts. This will keep the guessers at bay.

Secure Password Hashes (Module Page)

Passwords are stored in the form of an MD5 hash in Drupal and most CMSs. When a hacker gains access to your database through an exploit or a MySQL injection, 9 times out of 10 the first thing they attempt is to view the contents of your user table.

In order to stop them from breaking into user accounts, passwords are run through a one-way function (MD5) rather than stored as plain text. This means that if your password is "cool" the MD5 hash will look like this: b1f4f9a523e36fd969f4573e25af4540. Since it's a one-way function, you can't decrypt the hash. This stopped hackers only for a little while: the reasoning is that if "cool" always makes the same hash, you can create hashes out of all possible word combinations and then, by comparison, figure out what the hash is concealing.

phpass uses much stronger hashing methods, and besides being stronger, it randomly "salts" each password during hashing to create a unique value, making the hash much harder to figure out.
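As an added illustration written for this post (it is not the post's own code, nor phpass itself): a short PHP script that first builds a small precomputed table of unsalted MD5 hashes, the lookup described above, and then shows a salted, iterated hash in the phpass spirit that makes such a table useless. The four-word dictionary and the SHA-256-with-4096-rounds construction are my own choices for the demonstration; on a real site use phpass or PHP's built-in password_hash() rather than rolling your own.

```php
<?php
// Added demonstration, not Drupal or phpass code.
// Part 1: why an unsalted MD5 is easy to reverse with a precomputed table.
// Part 2: a salted, iterated hash (the idea behind phpass, simplified).

// Constructed word list standing in for an attacker's dictionary.
$wordlist = ['cool', 'password', '123456', 'letmein'];

// Build the lookup table once: hash => plaintext. Because md5() is
// deterministic and unsalted, "cool" produces the same hash on every site.
function build_md5_table(array $words): array {
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// What an attacker does with a hash copied out of a leaked user table.
function crack_unsalted(array $table, string $leaked_hash): ?string {
    return $table[$leaked_hash] ?? null;
}

// Salted and stretched: 16 random bytes of salt, then 4096 rounds of SHA-256.
// The salt is stored next to the digest, so it is not secret; its job is to
// make every stored hash unique, which kills the precomputed table.
function hash_password(string $password, ?string $salt = null, int $rounds = 4096): string {
    $salt = $salt ?? random_bytes(16);
    $digest = hash('sha256', $salt . $password, true);
    for ($i = 1; $i < $rounds; $i++) {
        $digest = hash('sha256', $digest . $password, true);
    }
    return bin2hex($salt) . '$' . bin2hex($digest);
}

// Verification recomputes with the stored salt and compares in constant time.
function verify_password(string $password, string $stored): bool {
    [$salt_hex] = explode('$', $stored, 2);
    $recomputed = hash_password($password, hex2bin($salt_hex));
    return hash_equals($stored, $recomputed);
}

$table = build_md5_table($wordlist);
$leaked = md5('cool');
echo 'leaked unsalted hash ' . $leaked . ' cracked to: ' . (crack_unsalted($table, $leaked) ?? 'not in table') . "\n";

$stored_a = hash_password('cool');
$stored_b = hash_password('cool');
echo 'same password, different stored values: ' . var_export($stored_a !== $stored_b, true) . "\n";
echo 'correct password verifies: ' . var_export(verify_password('cool', $stored_a), true) . "\n";
echo 'wrong password rejected: ' . var_export(!verify_password('c00l', $stored_a), true) . "\n";
```

Run it twice and the two salted values of "cool" differ each time while the MD5 never changes; that difference is exactly what stops the "hash every word in the dictionary once, reuse forever" approach.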

 

Are there any modules that you know or would like to know about? Share it in the comments!






Internet Explorer 6 is almost dead! [Hooray!]

Everyone that has ever worked with a website as an owner or developer knows, Internet Explorer 6 is the worst nightmare in town. Our story is no different; we try our best to drop support for it in hopes of constructing better layouts, easier. However, there's always the haunting charts showing you how "relevant" IE6 still is, regardless of the pandemic of headaches and overhead spending it causes.

We preemptively started dropping support for IE6 in October last year, we make sure our websites work in IE6 but we add "friendly" notifications reminding people that they are ruining someone's day by using that extremely outdated browser.

How was it solved?

It takes someone huge and influential to get things moving; this time around Google Docs is officially dropping support for IE6 on March 1st, YouTube (owned by Google) will drop support on March 13, and many will follow. Web developers are so happy that there is a party being thrown for the occasion; RSVP at ie6funeral.com.

From ie6funeral.com:

Internet Explorer Six, resident of the interwebs for over 8 years, died the morning of March 1, 2010 in Mountain View, California, as a result of a workplace injury sustained at the headquarters of Google, Inc. Internet Explorer Six, known to friends and family as "IE6," is survived by son Internet Explorer Seven, and grand-daughter Internet Explorer Eight.

It is a little distressing to know that this isn't the end of IE6's reign of chaos, but it is a huge step in the right direction. We invite everyone to embrace this movement in order for all of us to have a better web experience. The number of people using IE6 is decreasing rapidly (Currently at about 10%).

How you can help

The main route to take is to suggest to all of your IE6 users that they upgrade to any modern browser. If you have a Drupal website you can use the IE6 Update module to display a notice at the top of the user's viewport suggesting that their browser might be getting a little old for this. If you're not using Drupal, you can easily add IE6 Update to any website; find the code at ie6update.com.

Some people choose not to care about IE6 and let its users look at broken sites out of pragmatism (or spite); some don't even serve pages to people using IE6!






[Know a Module #2] Pathauto

Drupal core comes with the Path module included. Path provides readable URLs for your website, which helps your SEO, your image, and how memorable a URL is. This is an excerpt from Path's project page at Drupal.org:

For example, assume you want to post your resume for potential employers. Without the paths module enabled, the URL to view your resume would be something like yourdomain.com/node/view/26. Using this module, you could create a new URL to your resume such as yourdomain.com/my/resume or yourdomain.com/resume.html.

This module is extremely helpful for SEO, as it can include important keywords in the URL of your website. This is very important in order to place well in the search engine listings.

Let's say that you have a post "10 jquery slideshow plugins". Without Path it would read yourdomain.com/node/154; nobody wants that, and if you thought it didn't matter, now you know. If you're blogging, you want to include those important words in the URL, and on top of that you want to include a reference to the date the article was posted, for example: yourdomain.com/blog/02162010/10-jquery-slideshow-plugins. It can become very tricky to ensure that this pattern is always followed on sites where a lot of content is pushed in, especially by multiple users. Irregular patterns will produce irregular results, so the solution is simple: Pathauto.

Pathauto's nature is almost self-explanatory. You create URL patterns for each content type to ensure that the path for every post is nice and clean. A pattern uses replacement tokens (kindly provided by the Token module). This means that when you are editing the Pathauto pattern for your "article" content type, you can do articles/[mm][dd][yy]/[title-raw] and each time a post is created, it will fill in the blanks for you.

 






Cultivate Teams, Not Ideas

How much is a good idea worth? According to Derek Sivers, not much:

It's so funny when I hear people being so protective of ideas. (People who want me to sign an NDA to tell me the simplest idea.) To me, ideas are worth nothing unless executed. They are just a multiplier. Execution is worth millions.

To make a business, you need to multiply the two. The most brilliant idea, with no execution, is worth $20. The most brilliant idea takes great execution to be worth $20,000,000. That's why I don't want to hear people's ideas. I'm not interested until I see their execution.

Read more [via Coding Horror]






5 Steps to a Successful Launch

Google loves to brag about the number of websites they have indexed. The part that no one talks about is how relevant 99% of these sites actually are. The timeless rule of "Free always wins" is taking a toll on the development of websites as conglomerates continue to wholesale "plug and play" technologies. There are too many websites that aren't successful.

Don't mistake me for a conservative who is too afraid to lose his job. I develop and support Drupal, a platform that strives to eliminate repetitive work and allows me to charge for what I actually want to do, create.

These 5 steps might seem broad; however, they are essential in order to realize the full potential of an idea. I've seen websites stall right after months of development because of a lack of initiative from the crew/owner. Don't let that happen to your project.

Find the core

Ever heard of an elevator pitch? That's when you explain exactly what your company/project does in 30-60 seconds. It might seem easy at first to think "I can just explain it really fast". That's not going to work. You want every word uttered to be important and concise. Before this helps anyone else understand your project, it will help you home in on what the essence of the project is to begin with. If your idea is an already existing idea with a twist, embrace the twist and make that your selling point; otherwise your project is just a rehash.

For more ideas watch Pitches at Techcrunch.com

Build a feature, release, repeat

This is called iterative development. A reason many web development projects get bogged down and abandoned is feature overload, which causes severe scope creep, or sometimes the investor realizes it will take longer than he/she thought.

A way to curb this rate of failure is to develop the core features of your project and release them. Test them against a real audience, get invaluable feedback and then build on top of the existing code to improve it the right way.

A side effect of this development process is the prevention of feature overload for new users. If your application has a very cluttered UI but your core message is straightforward, your bounce rate will be higher than if you had executed your core message successfully. Your users will sign up to use the simple, promised core features. Every feature after that will be something suggested by the users; it's a win-win.

Feedback is priceless

Feedback is golden, especially when it can help you decide what your next move is rather than how bad your previous move (or several moves!) was. This is where you can turn the negative critic into a gold mine of ideas. If you gather feedback from users, use it to decide which feature to improve or remove. The key is to always work in "tangible" features; otherwise your application will be too hard to modify and it will never be able to keep up (it will fail).

Promote

Everyone has a Twitter account; it's fantastic, I suppose. The problem with Twitter is the analogy of it being a stadium full of people where everyone is talking out loud (don't forget the thousands of Twitter robots that speak too!). A lot of companies can forget Twitter as a means of promotion and use it instead as a conversation tool for already existing users (like Pizza Hut, for example). I'm glad I got that off my chest.

If you have found the core of your website, you are much closer to finding your keywords, which is what matters for SEO and PPC. Don't be afraid to start a PPC campaign if you are confident in your keywords. You can always hire an expert (like us!) to help you if it's important.

If you're launching an application, one of the surefire ways to explode into fame is to negotiate your way into blogs like Techcrunch or Lifehacker. You have to figure out which market your website/application falls in, find the hubs and use them to your advantage.

Sell it well

Deliver what you promise and, while you're at it, throw the house out the window. If you can't give it all for free, give it real cheap. More often than not, the business model on the internet is wholesale: volume. If you have a blog/content website, you need to do your best to focus on quality content and, unfortunately (for the lazy ones), lots of quality content.

If you are launching an application, give it away for some time; you need a buzz. Who's gonna talk about your app if no one is signing up? Your bounce rate is high and your AdWords money is evaporating. Make it outrageous (at least while you show your worth) for users. Providing volume services is not extremely expensive; you can afford to give away memberships in exchange for some invaluable buzz.

Do you have any rules of your own to make a successful website? Tell us in the comments






[Know a Module #1] - Boost

If you are a blogger that is going for gold and you've gone the path of Drupal, you probably want to know how to deal with a "Digg Spike", which is what happens when your site hits the front page of digg.com: a huge traffic surge of about 10k hits in about an hour.

There's a pretty interesting tool to help deal with this problem. It is called "static caching" and it is pretty simple in concept: it takes the rendered output of a dynamically generated page and stores it as an HTML file. The next time someone hits that page, Boost checks for a cache file and, if it finds one, serves it up and bypasses the database completely.

This is useful, especially in Drupal, because it can take at LEAST 90+ queries to generate a page. Multiply that by the number of users at any given point and, if you're on a shared host, that usually leads to a server meltdown.

Here's a rough example: your website requires 100 queries to fully load. If you get 5,000 visitors in one hour, that is a grand total of 500,000 queries.

That might give you an idea as to why sites implode and the server throws up all over the place sometimes: it's too busy serving one request to serve all the others. On top of all that you have the bootstrapping process for Drupal, which is CPU and memory intensive (running all the PHP scripts costs roughly 10 MB of RAM per bootstrap).

You have learned from this experience and you install Boost. This module stores all rendered pages viewed by anonymous users as HTML files and uses a special .htaccess file to check for the cached file and serve it up without ever touching Drupal at ALL. This means zero queries to the database and zero PHP executed. All the memory and CPU power goes to serving static pages, which costs DRAMATICALLY less than bootstrapping Drupal: a serious improvement.

Give the Boost module a try, be nice to your server. Boost Module on Drupal.org
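To make the idea concrete, here is an added illustration written for this post, not the Boost module's own code (Boost does its check from .htaccess so that PHP never even starts): a PHP script that serves anonymous requests from a cached HTML file when one exists and only renders, and writes the cache, on a miss. Logged-in visitors always bypass the cache, which is the same rule Boost follows so that one person's personalised page is never handed to somebody else. The cache directory under the system temp folder, the 100-queries-per-render figure and the /node/154 path are constructed for the demonstration.

```php
<?php
// Added illustration of static caching, not the Boost module's code.
// Boost performs the "is there a cache file?" check in .htaccess so that PHP
// never runs; here the same check is done in PHP so the script runs on its own.

$cache_dir = sys_get_temp_dir() . '/static-cache-demo';   // constructed location

// Map a request path to a cache file name. Anything outside a safe character
// set becomes "_", so a crafted path (e.g. containing "..") cannot escape the
// cache directory.
function cache_file_for(string $cache_dir, string $path): string {
    $safe = preg_replace('/[^a-zA-Z0-9\/_-]/', '_', trim($path, '/'));
    return $cache_dir . '/' . ($safe === '' ? 'index' : $safe) . '.html';
}

// Stand-in for bootstrapping Drupal and rendering the page: this is where the
// 100 or so database queries per page would happen. $queries just counts them.
function render_page_expensively(string $path, int &$queries): string {
    $queries += 100;
    return '<html><body><h1>' . htmlspecialchars($path) . '</h1></body></html>';
}

// Anonymous visitor + cache file present => serve the file and touch nothing else.
// Otherwise render; if the visitor was anonymous, store the result for next time.
// Logged-in users never read or write the cache.
function serve(string $cache_dir, string $path, bool $anonymous, int &$queries): array {
    $file = cache_file_for($cache_dir, $path);
    if ($anonymous && is_file($file)) {
        return ['HIT', file_get_contents($file)];
    }
    $html = render_page_expensively($path, $queries);
    if ($anonymous) {
        if (!is_dir(dirname($file))) {
            mkdir(dirname($file), 0755, true);
        }
        file_put_contents($file, $html);
    }
    return ['MISS', $html];
}

// Start from a cold cache so the run is repeatable.
$stale = cache_file_for($cache_dir, '/node/154');
if (is_file($stale)) {
    unlink($stale);
}

// Constructed traffic: two anonymous hits on the same node, then a logged-in one.
// Only the first anonymous hit pays for a render; the logged-in request always does.
$queries = 0;
$requests = [['/node/154', true], ['/node/154', true], ['/node/154', false]];
foreach ($requests as [$path, $anonymous]) {
    [$status] = serve($cache_dir, $path, $anonymous, $queries);
    echo $path . ' anonymous=' . var_export($anonymous, true) . " -> $status, queries so far: $queries\n";
}
```

The query counter is the whole point: the second anonymous request costs nothing on the database side, and that is the saving Boost delivers on every cached hit during a traffic spike.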






The Exponential Growth of Social Media.

An endless amount of conversation can spawn when you realize the magnitude of global communications; more often than not it is awe-inducing to get a grasp on how many simultaneous transactions are occurring at any given second.

The growth of social media continues at a staggering rate, and some argue about its direction and lifespan. This counter can give you a very strong idea of the current pace of the web and its most popular services.

[Via Gary's Social Media Count]






Drupal Features in Cpanel - Cron Jobs

A pretty good number of hosting providers offer cPanel with their hosting accounts. Most users assume that there's not much you can do in terms of cron jobs, but the opposite is true. It is quite easy to set up a cron job in cPanel, so there is no need to install the useful (but now unnecessary) poormanscron module.

To set up a cron job on your cPanel account, log in at www.example.com/cpanel. Scroll all the way down until you see the Cron Jobs icon. Go in there and select Standard. You'll get a form titled "Entry 1". In the field "Command to run" enter the following:

wget -O - -q -t 1 http://www.example.com/cron.php > /dev/null

Replace example.com with your domain, of course! The -O - option sends the fetched page to standard output (and from there to /dev/null) instead of saving a new cron.php file in your home directory on every run, -q keeps wget quiet so cron doesn't e-mail you its progress bar, and -t 1 stops it from retrying a failed request. To have it run every hour, set the minutes to 0 and set the rest of the options to the first entry in each list.

That's it! Save your crontab at the bottom and you're done.






Protect your site: Flood Control

It's interesting to see how many sites get taken offline for extended amounts of time. The easiest recipe is to find a search form or something similar, then put it on refresh in 20 different tabs, ask your friends, and bring a tiny site down. More "advanced" techniques involve using software that will exponentially increase the number of HTTP requests they can make. No site is safe from a DDoS (Distributed Denial of Service attack) of sufficient magnitude; most major sites on the web (Amazon, eBay, recently Twitter) have suffered one at one point or another. The most you can do is exercise some preventive medicine.

Drupal has an awesome tool for implementing flood protection: two functions that work together to keep track of requests and help you deflect them when they become too many. Let's say you have a function that handles a request and could potentially be exploited.

It's not very difficult to tell what's going on here; the two players are flood_is_allowed() and flood_register_event(). flood_is_allowed() checks how many flood events have been logged; the integer you pass it is the maximum number of events you want to allow (400 is just a random pick, use what you think is best). If the maximum has been hit, it returns FALSE (hence the !) and you can deal with it accordingly; otherwise you register the event and move on with the execution.

If your project is large enough, a firewall is always better since it does not have to hit your database, but this can be tailored to fit many different scenarios. I will continue blogging about simple ways to protect your site through your code and through module usage, check back soon!
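As an added example (not Drupal's own code): a minimal in-memory stand-in for the two flood functions named above, written so the check-then-register pattern from this post can be run on its own. Drupal keeps these events in its {flood} table keyed by event name and client IP and counts the ones inside a time window; here a plain array does the same job, and the stand-in functions are prefixed demo_ to make clear they are not the real API. The same counting pattern is what keeps a brute-force password guesser out, which is the job the Login Security module described earlier in this blog does for the login form. The 400 threshold is this post's own example number; the client addresses and the one-request-per-second traffic are constructed for the demonstration.

```php
<?php
// Added example, not Drupal's own code: an in-memory stand-in for Drupal's
// flood_is_allowed() / flood_register_event() so the throttling pattern can be
// run stand-alone. Drupal stores the events in its {flood} table instead.

$flood_events = [];   // each entry: [event name, client identifier, unix timestamp]

// Record one occurrence of the event for this client (Drupal: flood_register_event()).
function demo_flood_register_event(string $name, string $identifier, int $now): void {
    global $flood_events;
    $flood_events[] = [$name, $identifier, $now];
}

// TRUE while the client has fewer than $threshold events in the last $window
// seconds (Drupal: flood_is_allowed()). Old events age out of the window, so a
// legitimate user who trips the limit is not locked out forever.
function demo_flood_is_allowed(string $name, string $identifier, int $threshold, int $now, int $window = 3600): bool {
    global $flood_events;
    $count = 0;
    foreach ($flood_events as [$event, $who, $when]) {
        if ($event === $name && $who === $identifier && $when > $now - $window) {
            $count++;
        }
    }
    return $count < $threshold;
}

// The request handler pattern from the post: check first, refuse cheaply if the
// limit is hit, otherwise register the event and do the real (expensive) work.
function handle_search(string $client_ip, string $query, int $now): string {
    if (!demo_flood_is_allowed('search_form', $client_ip, 400, $now)) {
        return 'Too many requests, please try again later.';
    }
    demo_flood_register_event('search_form', $client_ip, $now);
    return 'results for ' . $query;   // the real search would run here
}

// Constructed traffic: client A fires 450 requests in 450 seconds, so the first
// 400 are served and the remaining 50 are refused; client B is not affected,
// and once client A's events fall out of the hour-long window it is served again.
$t0 = 1000000;
$refused = 0;
for ($i = 0; $i < 450; $i++) {
    if (handle_search('203.0.113.5', 'drupal', $t0 + $i) !== 'results for drupal') {
        $refused++;
    }
}
echo 'client A: 450 requests, refused: ' . $refused . "\n";
echo 'client B unaffected: ' . handle_search('198.51.100.7', 'drupal', $t0 + 450) . "\n";
echo 'client A after the window: ' . handle_search('203.0.113.5', 'drupal', $t0 + 450 + 3601) . "\n";
```

Two things worth noticing in the handler: the check happens before any real work, so a refused request costs almost nothing, and the event is only registered for requests that were allowed, so the counter reflects real load rather than the refusals themselves.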




Copyright © Bsidestudios.com - Fort Lauderdale Website Design