
Drupal 8 security, scalability, performance: What devs need to know

Darryl Norris, Engineer, TechBeacon

After almost five years, the Drupal community has finally issued Drupal 8, the next major release of its popular web content management system. As with any software, news of the latest release has been met with enthusiasm, and some trepidation. The good news is that Drupal 8 offers the improvements that matter most for enterprise users: a more secure, more scalable, and in some cases faster platform.

For starters, Drupal 8 does away with the Drupal-specific framework and supports the industry-standard Symfony PHP Framework. That's good news, because it opens the door for more developers to work with Drupal and incorporates industry best practices. By using Symfony PHP, Drupal 8 also leverages object-oriented programming. The use of Twig instead of Drupal-specific code also makes it more secure.

Security: Hit me with your best hack

The introduction of Symfony PHP and Twig lets developers render markup and sanitize input, says Lucas Hedding, owner of M-Tech LLC and a core maintainer for Drupal 8. For developers working with sites that use open commenting systems, it strips out code that could harvest passwords or deface the site. "You might still get some advertising or spamming, but that will stop [hackers] from introducing some type of bad hack," Hedding says. It also prevents attackers from abusing the theme layer to get into an enterprise database or enable widgets to deface the site.
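Twig's autoescaping is one mechanism behind the sanitizing described above: variables are HTML-encoded when a template prints them. The following PHP is an added example, not code from the article or from Drupal core; it assumes the standalone Twig 3 library installed with Composer, and the comment data, template names and `find_raw_filters` helper are constructed for illustration.

```php
<?php
// Added example; not Drupal core code. Assumes: composer require twig/twig (Twig 3).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: a comment submitted by an untrusted visitor.
$comment = [
    'author' => 'visitor',
    'body'   => '<script>alert("xss")</script>Nice post!',
];

// Hypothetical template names; Drupal 8 theme templates use the .html.twig suffix.
$templates = [
    // Default behaviour: {{ body }} is HTML-encoded on output.
    'comment-safe.html.twig'   => '<div class="comment"><b>{{ author }}</b>: {{ body }}</div>',
    // |raw turns escaping off for this variable and reopens the injection path.
    'comment-unsafe.html.twig' => '<div class="comment"><b>{{ author }}</b>: {{ body|raw }}</div>',
];

$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

/** Review helper (hypothetical): list templates that bypass autoescaping. */
function find_raw_filters(array $templates): array
{
    $hits = [];
    foreach ($templates as $name => $source) {
        if (preg_match('/\|\s*raw\b/', $source)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$safe   = $twig->render('comment-safe.html.twig', $comment);
$unsafe = $twig->render('comment-unsafe.html.twig', $comment);

// The escaped rendering must not contain a live <script> tag; the raw one does.
var_dump(strpos($safe, '<script>') === false);    // escaped: tag is inert text
var_dump(strpos($unsafe, '<script>') !== false);  // raw: tag reaches the browser
echo $safe, PHP_EOL;
print_r(find_raw_filters($templates));
```

In a theme or module review, every `|raw` hit deserves a check that the variable was sanitized before it reached the template.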

In general, Drupal 8 had a lot of code refactoring and now has new code, says Cathy Theys, Drupal 8 core developer and mentor, as well as Drupal community liaison at Drupal web hosting firm Blackmesh. Because Symfony is also open source, for example, a Symfony routing expert could find a bug and work with the Drupal community to patch a security flaw. It brings more people into the security mix, although it does burden the Drupal community with the need to monitor the Symfony community for security announcements, she says.

Drupal also wanted to be smart about security, so it ran a security bounty program, paying developers to find security problems within the new code. As of the Nov. 18 release date, 13 security issues had been found and fixed through the security bounty program, and 62 security improvements had been made in Drupal 8, Theys says.

A scalable, global platform

Drupal 8's scalability comes from the addition of new features and the focus on making Drupal a central API. Out of the box, it's easier to connect to other applications, which is very appealing at the enterprise level. A RESTful API is now part of its core and lets developers serve HTML or JSON code. Developers can install Drupal 8, create content, and send it via JSON to an application, which can use the data as needed.

Additionally, Drupal 8 excels with out-of-the-box multilingual capabilities on the back end. It enables developers to build sites in a variety of languages easily, vetted by 112 translation groups. And developers can translate entire sites to different languages very quickly.

Potential for high performance

Drupal 8 may also be faster than Drupal 7 in some instances. Drupal 8 recently turned on dynamic caching and has six-week page caching turned on for anonymous users. This makes Drupal 8 very fast at serving anonymous users, and even logged-in users can benefit from performance improvements. "We're expecting this new dynamic page caching to make Drupal 8 much more scalable for logged-in and anonymous users, but we don't have a lot of real-world sites yet doing giant things with Drupal 8," Theys says. "So we're expecting it's going to be better, but we're excited to see what the real-world experience ends up being like."

Another reason why Drupal 8 may perform better than Drupal 7 is that it doesn't send JavaScript on every page, unless you need to use it, Theys says. The idea is to send smaller bits of information and code, and only what's needed.

The one place where Drupal 8 will be slower is in cold caching. If a user is the first visitor to a website in Drupal 8, it will be slower than Drupal 7, Theys says. But because of cache improvements, the next time that website is hit, it will be faster in Drupal 8. "The cache granularity is really small," she says, noting that being the first person to view a page is very rare, so overall performance shouldn't be affected much.

Another thing that will have an impact on performance is the site itself and its configuration, according to Hedding. While there will be an improvement for customized sites, developers that are working on non-custom sites, such as static brochureware pages, won't see a noticeable performance improvement.

A future enhancement, PHP 7, will boost Drupal 8's performance, Theys says. Drupal 8 is the only version of Drupal that supports PHP 7, and while the release date has been pushed back, PHP 7 should be available soon.

Theys says Drupal 8 has the best automated testing ever, which contributes to its performance and security boosts. The community built automated tests for every bug that was fixed in Drupal 8, and fixes are committed only if the automated test is run, to make sure that the bug doesn't come back. Drupal 8 uses simple tests, PHP unit tests, and integration tests, and any changes in Drupal 8 are run against these tests, she says.

Easier to use

Developers will find Drupal 8 easier to work with than its predecessor. Site Builder and Administrator, for example, are now more user-friendly, as well as mobile-responsive right out of the box. Drupal 8 also has a built-in WYSIWYG editor and CKEditor, and it's possible to conduct in-line editing simply by clicking the text on a page that you want to edit.

In the enterprise, the new configuration management feature will make life easier for developers. They can use it to create all their configurations, which can then be exported and deployed in other locations. In this way, it will be easier and faster to sync environments and import configurations into new sites. Drupal 8 makes it easier to move through the test, QA, and production deployments.

For developers, Drupal 8 represents a drastic change. There are 260 changes noted in the Drupal 8 change log, and those are just the ones that are written down. But by default, it's going to be easier to build secure sites, and for the most part, it will be faster. Developers will have a much easier time building sites, with a better user interface. However, Drupal 8 will also require developers to learn new things, such as brushing up on Symfony PHP and Twig best practices. Yes, Drupal 8 is different, but it's also more modern and has a lower learning curve than did Drupal 7. In the end, it offers a better experience for both developers and site builders.