Drupal, a free and open-source content-management framework written in PHP and distributed under the GNU General Public License, provides a back-end framework for at least 2.2% of all Web sites worldwide, ranging from personal blogs to corporate, political, and government sites. Systems also use Drupal for knowledge management and for business collaboration.
The standard release of Drupal, known as Drupal core, contains basic features common to content-management systems. These include user account registration and maintenance, menu management, RSS feeds, taxonomy, page layout customization, and system administration. The Drupal core installation can serve as a simple Web site, a single- or multi-user blog, an Internet forum, or a community Web site providing for user-generated content.
“The Drupal Overview”, a feature of the project web site, describes it as a content management framework. Drupal also describes itself as a Web application framework, as it meets the generally accepted feature requirements for such frameworks.
As of November 2016, the Drupal community is composed of more than one million members, including 104,200 users actively contributing. This has resulted in more than 35,800 free modules that extend and customize Drupal functionality, over 2,300 free themes that change the look and feel of Drupal, and at least 1,050 free distributions that allow you to quickly and easily set up a complex, use-specific Drupal in fewer steps.
Although Drupal offers a sophisticated API for developers, basic Web-site installation and administration of the framework require no programming skills.
Drupal runs on any computing platform that supports both a Web server capable of running PHP and a database to store content and configuration.
In the Drupal community, the term “core” refers to the collaboratively built codebase that can be extended through contributory modules and, for versions prior to Drupal 8, is kept outside of the “sites” folder of a Drupal installation. (Starting with version 8, core is kept in its own ‘core’ sub-directory.) Drupal core is the stock element of Drupal. Bootstrap and Common libraries are defined as Drupal core, and all other functionalities are defined as Drupal modules, including the system module itself.
In a Drupal website’s default configuration, content can be contributed by either registered or anonymous users (at the discretion of the administrator) and is made accessible to web visitors by a variety of selectable criteria. As of Drupal 8, Drupal has adopted some Symfony libraries into Drupal core.
Core modules also include a hierarchical taxonomy system, which allows content to be categorized or tagged with key words for easier access.
Drupal maintains a detailed changelog of core feature updates by version.
Drupal core includes optional modules that can be enabled by the administrator to extend the functionality of the core website. The core Drupal distribution provides a number of features, including:
- Access statistics and logging
- Advanced search
- Blogs, books, comments, forums, and polls
- Caching and feature throttling for improved performance
- Descriptive URLs
- Multi-level menu system
- Multi-site support
- Multi-user content creation and editing
- RSS feed and feed aggregator
- Security and new release update notification
- User profiles
- Various access control restrictions (user roles, IP addresses, email)
- Workflow tools (triggers and actions)
Prior to version 7, Drupal had functions that performed tasks related to databases, such as SQL query cleansing, multi-site table name prefixing, and generating proper SQL queries. In particular, Drupal 6 introduced an abstraction layer that allowed programmers to create SQL queries without writing SQL.
Drupal 7 extends the data abstraction layer so that a programmer no longer needs to write SQL queries as text strings. It uses PHP Data Objects to abstract the database. Microsoft has written a database driver for their SQL Server. Drupal 7 supports the file-based SQLite database engine, which is part of the standard PHP distribution.
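As an added illustration (not code from Drupal or from the original page), the PHP sketch below shows the idea behind such an abstraction layer on top of PHP Data Objects and SQLite: the query is assembled from method calls, the table name gets a per-site prefix, and values are passed as bound parameters instead of being written into the SQL string. The class `MiniSelect`, its methods, the `site1_` prefix and the sample rows are hypothetical.

```php
<?php
// Added illustration, not Drupal code. MiniSelect is a hypothetical name.
final class MiniSelect
{
    private $pdo, $table, $fields = [], $where = [], $args = [];
    public function __construct(PDO $pdo, string $table, string $prefix = '')
    {
        $this->pdo = $pdo;
        // Multi-site prefixing: several sites can share one database.
        $this->table = self::ident($prefix . $table);
    }
    // Identifiers cannot be bound as parameters, so allow-list their shape.
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
        return '"' . $name . '"';
    }
    public function fields(array $names): self
    {
        $this->fields = array_map(fn($n) => self::ident($n), $names);
        return $this;
    }
    public function condition(string $field, $value): self
    {
        $ph = ':p' . count($this->args);
        $this->where[] = self::ident($field) . " = $ph";
        $this->args[$ph] = $value; // the value never enters the SQL text
        return $this;
    }
    public function execute(): array
    {
        $where = $this->where ? ' WHERE ' . implode(' AND ', $this->where) : '';
        $sql = 'SELECT ' . implode(', ', $this->fields ?: ['*']) . " FROM {$this->table}$where";
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($this->args);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE site1_users (uid INTEGER, name TEXT)');
$pdo->exec("INSERT INTO site1_users VALUES (1, 'admin'), (2, 'editor')");
$hostile = "editor' OR '1'='1"; // constructed hostile input
$rows = (new MiniSelect($pdo, 'users', 'site1_'))
    ->fields(['uid', 'name'])->condition('name', $hostile)->execute();
var_dump($rows);
```

Because the hostile string is bound to the `:p0` placeholder, the database compares it as one literal value for `name`; table and column names, which cannot be bound, are restricted to a fixed character pattern.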
Contributed modules offer such additional or alternate features as image galleries, custom content types and content listings, WYSIWYG editors, private messaging, third-party integration tools, integrating with enterprise applications, and more. As of November 2016 the Drupal website lists more than 35,800 free modules.
Some of the most commonly used contributed modules include:
- Content Construction Kit (CCK): allows site administrators to dynamically create content types by extending the database schema. “Content type” describes the kind of information. Content types include, but are not limited to, events, invitations, reviews, articles, and products. The CCK Fields API is in Drupal core in Drupal 7.
- Views: facilitates the retrieval and presentation, through a database abstraction system, of content to site visitors. Basic views functionality has been added to core in Drupal 8.
- Panels: drag and drop layout manager that allows site administrators to visually design their site.
- Rules: conditionally executed actions based on recurring events.
- Features: enables the capture and management of features (entities, views, fields, configuration, etc.) into custom modules.
- Context: allows definition of sections of site where Drupal features can be conditionally activated.
- Media: makes photo uploading and media management easier.
- Services: provides an API for Drupal.
- Organic Groups Mailing List
Drupal’s policy is to announce the nature of each security vulnerability once the fix is released. Administrators of Drupal sites are automatically notified of these new releases via the Update Status module (Drupal 6) or via the Update Manager (Drupal 7). Drupal maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed with the most recent security advisories. In 2008, eleven security vulnerabilities were reported and fixed in the Drupal core. Security holes were also found and fixed in 64 of the 2243 user-contributed modules.
In mid-October 2014, Drupal issued a “highly critical” security advisory regarding an SQL injection bug in Drupal 7, also known as Drupalgeddon. Downloading and installing an upgrade to Drupal 7.32 fixes the vulnerability, but does not remove any backdoor installed by hackers if the site has already been compromised. Attacks began soon after the vulnerability was announced. According to the Drupal security team, where a site was not patched within hours of the announcement, it should be considered compromised and taken offline by being replaced with a static HTML page while the administrator of its server must be told that other sites on the same server may also have been compromised. To solve the problem, the site must be restored using backups from before October 15, be patched and manually updated, and anything merged from the site must be audited.