
[Request] Looking for plugin to make photowall gallery with specific thumbnails categories

Talk about plugins - Wed, 08/08/2018 - 20:35


I want to use some plugin to make specific photo wall gallery with lightbox.

My purpose is responsive gallery with thumbnails of categories, and after click on one of them opening lightbox with all photos from this concrete category.

Similar to this page: goo.gl/g8W37u

Do you know some plugins to do that? :)

submitted by /u/ahleap

Drupal Association blog: 2018 Q1 & Q2 Financials Statement Summary

News from Planet Drupal - Wed, 08/08/2018 - 19:15

Our board of directors is responsible for the Drupal Association’s financial health and as part of their duty, they review and then vote to approve monthly financial statements. The board met virtually on July 25, 2018 and voted to approve the Q1 & Q2 2018 financial statements, which can be found here.

Each month we compare our results against the financial KPIs we have set with the advice of our virtual CFO, Summit CPA. These KPIs were set to help us focus on increasing our net income so we can build a stronger cash reserve to ensure the organization’s sustainability.  

Our 2018 Financial KPIs are:

  • Cash Reserve: have a cash balance of 15% of Total Revenue
  • Net Income Profit Margin: end 2018 with a net income profit of 4%
  • Increase our Non-Event Revenue to $1.6M
  • DrupalCon Profit Margin of 27%

As of our June financial statement, which was approved by the board, the organization is tracking well against these KPIs.

KPI analysis through June 30 is looking positive for money in the bank, net income, non-event revenue, and event profit margin.

You can see that April was lower than the ideal target, due to missing revenue in a couple of areas. One with DrupalCon Nashville, where ticket sales came in lower than expected, and the second was some hosting contracts coming in later. These contracts will be reflected in future months.

We will monitor all KPIs through the year to ensure we are on track. However, one KPI is now complete: Nashville profit margin. DrupalCon Nashville was forecasted to come in at a net profit of $445K at the close of the conference in April, 2018, or 22%. While training tickets under-performed, resulting in a lower than expected ticket revenue, we still exceeded our net profit goal due to a decrease in expenses and an increase in sponsorship revenue. The final net profit was $481K or 25% which is 2% under the set KPI.  

Details for the DrupalCon Nashville forecast and actual income

While we did exceed our net profit forecast, it should be noted that this event did not generate as much for the project as past DrupalCons. This is because Nashville’s cost per attendee was higher than usual due to the location. However, at the time of selecting the venue, it was the best option compared to the other available cities. The Drupal Association continues to seek ways to diversify revenue so we are not so reliant on one event to fund the project.

The overall trend shows Nashville coming in lower than recent DrupalCon North America net income margins

DrupalCon is evolving and we are making changes. While the programming, speakers, and sessions make up the core of DrupalCon, our event staff is retooling and creating more value to serve everyone in the Drupal ecosystem.

We would not be able to do our mission-driven work without the support and contributions of our community. Contributions come in many forms, through the purchase of DrupalCon tickets and event sponsorships, through our Supporters and Members, Drupal.org sponsors, recruiters who post jobs on Drupal Jobs and many other fantastic ways our community supports the Drupal ecosystem. We are deeply grateful for everyone who contributes time, talent, and treasure to move Drupal forward.

Thank you!

Categories: Drupal

Immediate hire - WordPress Developer - Upwork

WordPress Work From UpWork - Wed, 08/08/2018 - 15:03
Looking for someone to finish developing our WordPress website.

A qualified person should:

- Be able to convert sketch / marvel / zeplin designs to WordPress page, using our theme back end developer and custom code where needed.

- Transfer content from sales sheets to landing page.

- Have elements move as the viewer scrolls down the page

- Work closely with our UI/UX developer to make final edit on the website so it looks great.

- Be able to develop mobile friendly UI

- Experience with Hubspot is a huge plus

Skills Needed:

- Zeplin / Marvel or Sketch
- Excellent communication
- Excellent Adherence to Deadlines

This can become an ongoing contract

Posted On: August 10, 2018 20:11 UTC
Category: Web, Mobile & Software Dev > Web Development
Skills: CSS, HTML, HTML5, JavaScript, PHP, Website Development, WordPress
Country: United States

[Help] carousel summary box or carousel content box plugin.

Talk about plugins - Wed, 08/08/2018 - 14:44

Hello everyone!

I was looking for some help. I am in the process of creating a website and was looking for a carousel summary box or a carousel content box. In general I want three content boxes (one circular image per column/box, with a small summary below). I want these boxes to scroll horizontally.

Does anyone have a good plugin that they could suggest? I am using the Avada theme if that helps at all.

If I am in the wrong place, could someone point me in the right direction?


submitted by /u/RealCaptainHindsight

InternetDevels: Mail in Drupal 8: the built-in system and useful modules

News from Planet Drupal - Wed, 08/08/2018 - 14:00

The dream of many website owners is to have email sending opportunities on their websites. Of course, it’s possible with Drupal 8, because it has infinite powers.

Categories: Drupal

TEN7 Blog's Drupal Posts: Episode 036: Matthew Tift

News from Planet Drupal - Wed, 08/08/2018 - 13:54
Dr. Matthew Tift, Senior Drupal Developer at Lullabot, musicologist, podcast host and educator, sits down with Ivan Stegic to discuss his fascinating career and passion for those things open source. Discussing: Matthew's midwest ties, Walking meetings, The advantage of working at home, Working with Wisconsin Public Radio, Sea Grant Non-Indigenous Species Project, Dogpile and Metacrawler, Automate that process, C#, ColdFusion, VB6, Discovering Drupal, TTBOOK (To The Best of Our Knowledge), Accessible public information, Teaching kids to code, Finch Robots, Tonka Coder Dojo, "The Open School House", Live coding, Algorithmic Music, Algoraves, Toplap.org, Syncthing.
Categories: Drupal

WordPress website help - Edits, adding pages & content and links - Upwork

WordPress Work From UpWork - Wed, 08/08/2018 - 13:32
I've created a basic website with a web developer (that was newly starting out), but he is unable to complete requests as he is tied up with his full time job, family and event planning. I am now looking for another web developer to tweak the site. And possibly continue editing the site a few times in the future, when needed.

My requests for now are as follows:
1. I created an FAQ page but I am unable to see it on the site. Please add the page. Also would like the page name: FAQ's to show on the line bar - please help adding it right after "Contact Us".
2. Need an additional page (right after services and Pricing) to show "Packages". Looking for ideas on how to promote package below. Maybe using a deck of cards - like "Jack of hearts" but renaming the card "Go-Jack's" instead. Then adding the package details inside the card
a. Go Jack’s – 5 hours of services per month $125 (+taxes & additional incurred charges)
b. Go Queen’s - 10 hours of services per month $248 (+taxes & additional incurred charges)
c. Go King’s - 15 hours of services per month $370 (+taxes & additional incurred charges)
d. Go Ace’s – 20 hours per month $485 (+taxes & additional incurred charges)
e. Go – My way! Create your very own package to suit your specific needs

2. Want to remove current profile picture with attached picture:
Please remove border around picture and like a plain white or black background.

3. Below the picture shows Facebook and Instagram icons - please move them to the Main page (on top left corner) or on the "Contact Us" page. Where you feel it will be best placed. Please also link the appropriate pages to the Facebook and Instagram icons as well.

4. Please indicate how long it will take you to complete. What would you require on my end?

Thank you and looking forward to hearing from you!

Posted On: August 10, 2018 01:11 UTC
Category: Web, Mobile & Software Dev > Web Development
Skills: Web Design, Website Development, WordPress
Country: Canada

Mediacurrent: Marketer’s Guide to Drupal 8: Healthcare Marketing Q&A

News from Planet Drupal - Wed, 08/08/2018 - 13:09

Alan Onnen is the Associate Director of Marketing for the Shirley Ryan AbilityLab. Recognized as #1 in rehabilitation for 27 years in a row, AbilityLab introduces its revolutionary care through 5 Innovation Centers - state-of-the-art hospital facilities and equipment for exceptional patient care provided by the best medical and nursing support.

With 15 years of experience in the marketing industry, the past 5 being with SRA and being a part of the team that helped adopt Drupal, Onnen has seen firsthand how Drupal 8 powers digital strategy. 

Mediacurrent Interview with Alan Onnen 

Mediacurrent: What does “digital transformation” mean for you? 

Alan Onnen: Digital transformation means a constant evolution. There’s no single transformation; it’s a constant state of change, staying on top of trends at once. As a digital marketer, you need to know a little bit about everything, UI, UX, nerdy stuff, best practices, changes in the digital environment, what people expect from websites in your vertical, etc. Some people think transformation is a binary term - something new - but it's not.

Mediacurrent: How does open source fit into the equation?

AO: Open source is something that’s not new but it’s getting so mainstream it’s part of that digital transformation. It’s about adjusting to the new worlds where open source doesn't mean unsecure - it means that it’s open and honest. We had to get buy-in from stakeholders. They dismissed it at the beginning of the RFP bc they thought you needed a Sitecore or an AEM. It took a long time and a lot of agency people to show how safe it is to help make them believe that open source isn’t a dirty word.

Mediacurrent: What current challenges are you trying to solve for?

AO: It is a constant struggle to keep up with Google - making sure our content is optimized for search algorithms. Our overall challenge is to keep our content fresh, navigating innovative best practices for our website while keeping up with legal and social constructs.

Mediacurrent: How are you using Drupal 8 to solve those problems? 

AO: One of the big reasons we chose Drupal was because of its customization ability. Our knowledge base is spread across so many people so Drupal’s ability to customize the backend experience and offer the fields and plain English way we need to talk about things is really important. Even just the simple need for content creators to be able to edit things and be able to customize that experience.

Another big reason was the fact that it’s open source and the community surrounding Drupal. If you have an idea you can find someone who has half baked or full-baked into that particular module or idea to help give your devs a headstart solution. With Drupal, you don’t have to start from scratch when you need something new to move the website forward. Chances are, someone has had a similar idea you can pull from.

Mediacurrent: Has this been your first experience with Drupal or have you worked with previous versions of Drupal in the past? What did Drupal 8 give you from a marketers/content editors perspective?

AO: I came to SRA on a proprietary healthcare based CMS. It was designed to serve mid to small hospital systems and we didn’t have access to the backend part of the site before. SRA put out an RFP for a replatforming and redesign of our website. We talked to different agencies, and Drupal kept coming up - there were no licensing fees with open source. The spin up on Drupal is more robust than most paid CMS experiences. The cost point of view is having it be free and open was very appetizing and Drupal had other features that appealed to us.

Mediacurrent: Since launching on Drupal 8 have you noticed an increase in website conversions?  What would you attribute to that success (or lack of success)? By use of marketing automation strategies? Bc of easy integration?

AO: Drupal can be leveraged any which way you want it to be. We take advantage of the extensive list of modules. We have seen nice conversions off the YAML module & the webform module. It’s true of the module philosophy to be able to build how you want them to.

With Drupal, our web traffic has been up. We have 3 very different facets of our site - rehab measures database, research educational platform, home site - and Drupal can support them all very well. It’s a testament to Drupal - with a flexible CMS, reporting, user interfaces, and a back end that can be robust enough to bring things together in an organic and seamless way. 

Mediacurrent: What are 3 factors you look at when evaluating an agency? Cost? Reputation? Their own web design? Logos they've sold? 

AO: With our RFP out, we began evaluating the superficial - books, examples, case studies, white papers, if their leadership had given talks and what they had talked about, the look and feel for brand consciousness, - exploring that space of ability. We didn’t want someone who was making cookie cutter websites and we didn’t want to stay looking just in the healthcare vertical. Our list was narrowed down to those whose work we respected and admired. 

In the RFP, the CMS wasn’t a consideration. We didn’t tell people which platform you needed to be on. We asked for the cost, their preferred CMS and why, and we never cared about where the agency was located. It’s important to know the people are the agency - communication is critical. For instance, in their responses to those RFP’s are there timelines? Are they realistic? Do they make sense? It’s easy to see how much effort they did.

No one else did research like you guys [Mediacurrent] did before they got there for a face to face meeting. Your team said “oh, well we’ve already talked to discharge managers, nurses, planners.” They went through example personas, guessing on journeys, patients - and they were smart with how they handled it and took the initiative that early in the process. That showed us a lot about them. It wasn’t a giant new business budget and they didn’t ask for money up front. 

In all, the RFP process was about 4 months.

Mediacurrent: As a marketer using Drupal, what are some of the hot topics you'd like to know more about today? Personalization, marketing automation, etc.

AO: I’d like to know more about:

  • Integrations with personalization
  • Integrating with Google Analytics, tracking to AEM, adwords, & api that moves page data to backend sites
  • Marketing Automation capabilities

Mediacurrent: What advice would you give other CMO’s/VP’s/Director’s who are hesitant to move to Drupal 8?

AO: I would say it depends on what their hesitation is. You have to be committed to the build of your site. You need to be able to really understand your content creators, the users of your CMS, the scope of what they want to be doing, and understand what they could be doing on the front end. It’s important to know the ingredients - you can muck up Drupal and waste dev hours if you don’t know how the workflows to go and to know your taxonomy and pathing modules. 

Drupal requires a Digital Marketer to have a vision for what they want it to be before they start developing - or else they risk having to go back and retrofit into their CMS environment that they could have efficiently put in the first time.

The journey of CMS and Drupal needs to be a thoughtful one.


We want to extend a big THANK YOU to Alan for participating in this interview. In the next part of the blog series, we will dig into the top reasons for Drupal 8 and why enterprise marketers choose Drupal.

Categories: Drupal

Design of monthly letter to investors - creating a timeplate for the investment team - Upwork

WordPress Work From UpWork - Wed, 08/08/2018 - 12:57
The investment team produces a monthly letter to investors. We use Microsoft Word as tool and copy several charts, Excel-tables etc. into the report. The report starts with a summary paragraph, followed by performance comparisons, some content and ends with a conclusion section.
The report is max 4 pages long. We look to redesign that report to have a catchy design, that makes the reader interested in reading the report. We're looking for a fresh design that comes in a user friendly Word template. A sample of our last month report is attached. Content comes from us, the company logo should be used, however otherwise, we're open to any design suggestions, but the theme of a financial newsletter has to be met. It's not a drinks-menu or a pop-up bar.

Posted On: August 14, 2018 07:43 UTC
Category: Web, Mobile & Software Dev > Web & Mobile Design
Skills: Graphic Design, Web Design, WordPress
Country: United States

Mediacurrent: Break it Down For Me, Shrop: Tackling Drupal Security Update SA-CORE-2018-005

News from Planet Drupal - Wed, 08/08/2018 - 12:29

Security maintenance — and the ability to apply security updates quickly — is part and parcel to open source project success. 

Updating is typically done as part of the normal software release cycle, however, there are times when a security advisory needs to be released ASAP. A strong incident response plan builds a first defense line to mitigate and patch vulnerabilities. 

But what does a successful security response look like in action?

On the heels of a recent Drupal security update on August 1, 2018, Mediacurrent’s Senior Project Manager Christine Flynn had the same question. To find out, she interviewed our Open Source Security Lead, Mark “shrop” Shropshire, to get a layperson’s perspective on the security team’s approach.


“An off-cycle Drupal security advisory dropped on August 1, 2018. What does that mean for folks who aren’t developers?”

Flynn: I was watching the Slack channel as our team fixed sites, and I got some idea of what was happening. I’m not going to jiggle anybody’s elbows while they’re applying a security update, but I’m really curious now that the fixes are all in. 

Shrop: The official Drupal Security Advisory came out late in the day, after Symfony published their announcement in the morning. There was also one from Zend.

Flynn: I read all of those links while the team was applying the security update, but I feel like I didn’t totally understand the implications. I’d love to get a better picture from you of what they mean.

Shrop: You bet! I hope you can hear me, I’m at a coffee shop right now.

Flynn: Are you on their unsecured WiFi?

Shrop: Nope! I’m on a hotspot and on VPN. It’s funny, the more you know about security, the more it changes what you do. Other people think you’re paranoid. But you’re not! You just understand the realities. 

Flynn: Ha! Why am I not surprised? All right, let’s dig in.

“What was the security update for?”

Shrop: Drupal Core was updated because there were some security releases for Symfony. We call those “upstream” in the biz, which means that Drupal depends on them, and they are actively worked on outside of Drupal. I understand the Symfony project worked closely with the Drupal Security Team to make sure Symfony and Drupal were both updated and ready to be announced publicly at the same time. Drupal version 8.5.6 pulls in the Symfony updates as part of the Drupal update process. 

Flynn: Was that the only update?

Shrop: No, at the same time, there was also an update to Zend Framework, but that was only an issue for users who were making use of modules or sites that used Zend Feed or Diactoros. There is a core issue to update the related Zend libraries for those who require or need the updates.

“If not updated, what could a malicious user do to a site?”

Shrop: This is a hard one to answer this soon after the release of the security advisory. I’m going to do some checking to see if I can get more information on this for academic purposes, but the Drupal Security Team is not going to make any statements that could help someone attack a site. It is up to security teams and researchers to dig into the code and determine more about the risks involved.

Based on the Symfony project’s blog post, it appears that a specially crafted request could allow a user access to a URL they do not have access to, bypassing access control provided by web servers and caching mechanisms. That’s a fancy-pants way of saying that a website visitor could gain access to pages you don’t want them to see.

“When will we know more?”

Shrop: Within days - sometimes hours - we might start to see exploit methods posted on the Internet. Taking security seriously and responding quickly once a drupal.org security advisory is announced is a way to stay ahead of these concerns.

Mediacurrent doesn’t want to fearmonger, but it is better to be safe than sorry. That’s why I always push to update as soon as possible while weighing in on mitigating factors that may lessen the severity of the issue for a particular application. But I will keep digging. I’m curious! 

“If you had to tell a CEO or CFO the value that implementing this security update swiftly provided, what would you say? Let’s say this CEO does not have a strong background in technology or security.”

Flynn: I could see an executive with a strong public safety or physical security background being pretty understanding of why you want to apply a security update for a potential vulnerability quickly, but what if it’s someone who doesn’t have that experience, and isn’t a technologist?

Shrop: Check out this link from Acquia about the security update. This helped me so much. They published this shortly after the PSA came out, and although they’ve updated the text since then, they said at the time, “It is advised that customers set aside time for a core upgrade immediately following.” When I read, “immediately,” I knew that we had to get the update out within hours. If I was asked to get on a call with the executives from any company, at that point, I am confident. If Acquia is saying it, we need to do it. That’s enough to stand on with anybody. I’m not saying that the Acquia team has more information, but they have a very robust security team. They always dig in quickly. They have to, to know if they can mitigate the issue by adding web application firewall rules.

Flynn: Firewall rules? How does that work? 

Shrop: The last few core updates, Pantheon and Acquia put mitigations into their WAF - that’s Web Application Firewall. Pantheon confirmed the night of the security advisory release that they were blocking attempts on their platform, and Acquia did the same thing. So if someone tried to exploit a site that was hosted there before Drupal was updated, they were there, helping to prevent that site from being attacked successfully. It’s a great extra layer of protection. Now, me and Acquia and Pantheon will always still want to update Core on each site, because WAF-level mitigation might not catch everything. But I am super happy when I see it because there’s a good chance that it will catch anything that happens while a team is still implementing a security update.

Security is all risk assessment and mitigation. You want to layer defenses. And something like this, we are going to make sure we deal with this problem. That’s why Acquia, Pantheon, Platform.sh, and others in the community immediately add those extra mitigations to their firewalls. It’s to buy time so that people can get their updates in. That’s not where mitigation ends, but it helps. 

“What type of sites were affected by this? Does everyone use Symfony?”

Flynn: When I first read about the upcoming security advisory, I saw that it affected “third party libraries.” That made me think that some of our clients might not be affected because it would only affect certain modules. Can you tell me what types of sites were affected?

Shrop: Got a link for you, but basically, anything on Drupal 8 was affected. Drupal 8 uses components from the Symfony project. The Drupal community made the decision to use Symfony so that we didn’t have to maintain everything ourselves. So this is a great example of the power of open source, with the Symfony and Drupal security teams working together to release this fix. We all end up benefiting from having a larger community to fix issues. There’s no way an internal team working by themselves can write as secure applications on their own compared to open source software, in my opinion. It has nothing to do with how good you are, it’s the nature of development. With open source, you have a greater team with Drupal and then again, with Symfony, an even greater team to lean on. With each community that is included you are expanding your team and your ability to detect and prevent threats. 

“How was the security vulnerability discovered?”

Shrop: That’s generally never disclosed because you never want to tell malicious users how you found an opening. 

But we do have a few people to thank: Michael Cullum and @chaosversum were thanked by Symfony for separately reporting the two issues addressed in Symfony security releases. They also thanked Nicolas Grekas for implementing the fix. I would also give a huge thanks to Symfony and the Drupal Security Team for coming together to implement the fix and for coordinating the announcements. It’s hard work, and it shows the community at its best.

“So when we have an off-cycle security release, first the PSA comes out. Can you tell me a bit about what Mediacurrent does from the time the PSA comes out to just before the security advisory drops?”

Flynn: As someone on the team at Mediacurrent, I can see some of the things you do. But I’m wondering what else happens behind the scenes? 

Shrop: The first thing that happens is that I’m notified about the PSA coming out. I’m signed up for updates via email, Twitter, and RSS feeds from https://www.drupal.org/security, and so are a lot of other folks at Mediacurrent. Internally, we have some processes that we have standardized over time for how to deal with security updates that we follow across the company. We centralize information we have on the security PSA/advisory, recommend client communications, and talk about how to prepare as a team. We have multiple communication threads internally, as well, so no one can miss it. I send an email to the staff and I post in our Slack in a few places to get us ready.

Flynn: I know that we often clear time in advance for the team to implement the security updates.

Shrop: Yep. All of us share more information as a team as official information is released or as our own investigations reveal information. For example, early on the day the security advisory was released, our DevOps Lead, Joe Stewart, noticed that Symfony had put out a notice that they were also going to be releasing a security update that day, so that gave us a heads up that it might be related. We couldn’t know for sure until the security advisory actually came out, though. No one can do it by themselves, which is why we have a whole team working on it - it’s the only way to handle these things.

“So then the security advisory drops. How did we go about fixing the issue?” 

Shrop: First, we reviewed the advisory to assess risk and for any mitigations that help determine how quickly we need to perform updates. With this advisory, it was needed pretty much immediately, so we started to update Drupal core for our clients and pushed to test environments. Our QA team performed regression testing related to the update. Once QA approved each update for each client, we worked with folks to approve the updates and release them to the live environments. 

The important points are to line everyone and everything up in advance, have the talent in-house who can work on clients of all shapes and sizes and needs, and then to work as a team to resolve the issue on every client site as quickly as possible. 

“Were there any sites that were trickier to update? Why?”

Shrop: Clients that were on older versions of Drupal Core, who had delayed upgrading, were harder to update. Every site was updated within a short time, regardless, but even though they started at the same time, those clients did not finish first, because there was more development and testing needed on each site.

Flynn: What was different about the process to update those sites? 

Shrop: If a client wasn’t on version 8.5.x, the lead technologist on the project had to work on an alternative update to secure the site or application, since there wasn’t a security update released for it. Figuring out an alternative process on the fly always introduces risk. It’s part of the value that we bring, that we have team members that have the expertise to evaluate that sort of thing. For example, we had one new client that was on an older version of Drupal 8 core. So one of our Senior Drupal Developers, Ryan Gibson, had to go in and determine what to do. He ended up updating Symfony itself to mitigate the risk. 

Flynn: I’m guessing that we are going to recommend to that client that we update Drupal core for them very soon?

Shrop: Yes. The big takeaway is you’re lowering your risk of problems by staying on the most recent, up-to-date minor version of Drupal 8. Version 8.5.x is current and stable right now, so you should be on that.

Flynn: Why would a client not update?

Shrop: There are always dynamics. I hear lots of good excuses, and I’m not exaggerating, they are good, real reasons! The client is busy, the client has multiple workstreams, it’s hard - but it is getting to a point where I want to recommend even more strongly to clients that it is more expensive to not upgrade. It is going to cost them more when there is an update because we have these additional evaluation and update tasks. The whole point of Drupal 8’s release cycle is to spread the maintenance cost over years rather than getting hit all at once. 

Flynn: And it introduces greater risk. A security breach is an order of magnitude more expensive than extra mitigation steps.

Shrop: Definitely.

“When is the next version of Drupal Core coming out?”

Shrop: Version 8.6.0 will be released in September. Our teams are already starting to test the early versions of this release on some of our projects. If a security update comes out in September, we want all of our clients to be prepared by being on the currently supported version of Drupal core. That way, they will receive security updates.

Flynn: One of the nice things about the Drupal development community is that they provide the betas of the next version of Drupal core so you can get ahead of the next release, right?

Shrop: Yes. When the community starts releasing betas or release candidates, especially release candidates, you want to start testing ahead of time. If you have a Drupal site, you can get your developers to test. If you find a problem, it may not be with your site, it might be an issue with Drupal core and this is a great opportunity to contribute your findings back to drupal.org and help the greater community. There might be a security release weeks after a version comes out and you want to be prepared to implement it.

Flynn: It goes back to risk mitigation.

Shrop: If you are on, say, an 8.2 site right now, you’re on the higher risk side, unfortunately. We advise our clients that it is in their best interest to be on the current, stable version. It costs our clients more in the long run if they don’t update on a steady basis.

Flynn: So if you’re on an older version of Drupal Core, you might not get an easy-to-implement security update when a vulnerability is discovered?

Shrop: The quotes from the Drupal Security team I really want to emphasize are, “Previous minor releases will become unsupported when a new minor release is published,” and, “Any additional security updates for officially unsupported branches are at the sole discretion of the security team.” This is important to understand. For the SA Core 2018-002 fix earlier this year they provided release updates for older versions of Drupal… but they didn’t have to. In the case of the fix last week, they did not.

“What was the best gif exchange of the Drupal core security update process?”

Flynn: I nominate this one, from mid-afternoon:

Shrop: Definitely! 

“What story didn’t we tell yet?”

Shrop: I think we covered most of it. The last thing I’d put out there is for the technical folks reading this. You need to read the security advisories, join Drupal Slack, read what Acquia, Pantheon, and others are saying about each announcement. Then, you take all of that in and make your assessment of what actions you are going to recommend your organization take. This should lead your organization to a documented security plan that you follow. But, you know… 

Flynn: “Update all the things”?

Shrop: Exactly!

Other Resources
7 Ways to Evaluate the Security and Stability of Drupal Contrib Modules | Mediacurrent Pantheon Guest Blog 
Security by Design: An Introduction to Drupal Security | Mediacurrent Webinar

Categories: Drupal

PreviousNext: Encrypted Drupal Database Connections with Amazon RDS

News from Planet Drupal - Wed, 08/08/2018 - 07:46

Malicious users can intercept or monitor plaintext data transmitted across unencrypted networks, jeopardising the confidentiality of sensitive data in Drupal applications. This tutorial will show you how to mitigate this type of attack by encrypting your database queries in transit.

by Nick Santamaria / 8 August 2018

With attackers and data breaches becoming more sophisticated every day, it is imperative that we take as many steps as practical to protect sensitive data in our Drupal apps. PreviousNext use Amazon RDS for our MariaDB and MySQL database instances. RDS supports SSL encryption for data in transit, and it is extremely simple to configure your Drupal app to connect in this manner.

1. RDS PEM Bundle

The first step is ensuring your Drupal application has access to the RDS public certificate chain to initiate the handshake. How you achieve this will depend on your particular deployment methodology - we have opted to bake these certificates into our standard container images. Below are the lines we've added to our PHP Dockerfile.

# Add Amazon RDS TLS public certificate.
ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /etc/ssl/certs/rds-combined-ca-bundle.pem
RUN chmod 755 /etc/ssl/certs/rds-combined-ca-bundle.pem

If you use a configuration management tool like Ansible or Puppet, the same principle applies - download that .pem file to a known location on the app server.

If you have limited control of your hosting environment, you can also commit this file to your codebase and have it deployed alongside your application.

2. Drupal Database Configuration

Next you need to configure Drupal to use this certificate chain if it is available. The PDO extension makes light work of this. This snippet is compatible with Drupal 7 and 8.

$rds_cert_path = "/etc/ssl/certs/rds-combined-ca-bundle.pem";
if (is_readable($rds_cert_path)) {
  $databases['default']['default']['pdo'][PDO::MYSQL_ATTR_SSL_CA] = $rds_cert_path;
}

3. Confirmation

The hard work is done; you'll now want to confirm that the connections are actually encrypted.

Use drush to smoke-test that the PDO options are being picked up correctly. Running drush sql-connect should give you a new flag: --ssl-ca.

$ drush sql-connect
mysql ... --ssl-ca=/etc/ssl/certs/rds-combined-ca-bundle.pem

If that looks OK, you can take it a step further and sniff the TCP connection between Drupal and the RDS server.

This requires root access to your server and the tcpflow package installed - this tool will stream the data being transmitted over port 3306. You want to see illegible, garbled data - definitely not content that looks like SQL queries or responses!

Run this command, and click around your site while logged in (to ensure minimal cache hits).

$ tcpflow -i any -C -g port 3306

This is the type of output which indicates the connection is encrypted.

tcpflow: listening on any x1c "|{mOXU{7-rd 0E W$Q{C3uQ1g3&#a]9o1K*z:yPTqxqSvcCH#Zq2Hf8Fy>5iWlyz$A>jtfV9pdazdP7 tpQ= i\R[dRa+Rk4)P5mR_h9S;lO&/=lnCF4P&!Y5_*f^1bvy)Nmga4jQ3"W0[I=[3=3\NLB0|8TGo0>I%^Q^~jL L*HhsM5%7dXh6w`;B;;|kHTt[_'CDm:PJbs$`/fTv'M .p2JP' Ok&erw W")wLLi1%l5#lDV85nj>R~7Nj%*\I!zFt?w$u >;5~#)/tJbzwS~3$0u'/hK /99.X?F{2DNrpdHw{Yf!fLv ` KTWiWFagS.@XEw?AsmczC2*`-/R rA-0(}DXDKC9KVnRro}m#IP*2]ftyPU3A#.?~+MDE}|l~uPi5E&hzfgp02!lXnPJLfMyFOIrcq36s90Nz3RX~n?'}ZX 'Kl[k{#fBa4B\D-H`;c/~O,{DWrltYDbu cB&H\hVaZIDYTP|JpTw0 |(ElJo{vC@#5#TnA4d@#{f)ux(EES'Ur]N!P[cp`8+Z-$vh%Hnk=K^%-[KQF'2NzTfjSgxG'/p HYMxgfOGx1"'SEQ1yY&)DC*|z{')=u`TS0u0{xp-(zi6zp3uZ'~E*ncrGPD,oW\m`2^ Hn0`h{G=zohi6H[d>^BJ~ W"c+JxhIu [{d&s*LFh/?&r8>$x{CG4(72pwr*MRVQf.g"dZU\9f$ h*5%nV9[:60:23K Q`8:Cysg%8q?iX_`Q"'Oj :OS^aTO.OO&O|c`p*%1TeV}"X*rHl=m!cD2D^)Xp$hj-N^pMb7x[Jck"P$Mp41NNv`5x4!k1Z/Y|ZH,k)W*Y(>f6sZRpYm 8Ph42K)}.%g%M]`1R^'qh/$3|]]y"zEh0xG(A]-I`MJGU7rKO~oi+K:4M(nyOXnvaWP4xV?d4Y^$8)2WOK,2s]gyny:-)@D*F%}ICT Tu>ofc)P[DQ>Qn3=0^fuefIm1]-YHq5rx|W(S3:~2&*6!O|DAZWB:#n9|09`I`A3bq@\E\$=/L5VHm)[#|tI"lkuK.u|!2MT/@u7u(S{"H.H'Fh/4kF_2{)Jc9NQ%jA_rI1lH;k'$n~M_%t%y)t!C_4FO?idwMB]t^M::S!a=*Jee<3sgX@)L;zAuTN2}v#K4AX.(`X1<{#
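
The eyeball check above can be automated. The following is an added example, not code from the original tutorial: it parses the client-to-server bytes of one connection on port 3306 and reports whether the client switched to TLS. It assumes the MySQL 4.1 wire protocol and a byte stream saved per connection (how you capture it is up to you); the function names and both sample streams are constructed for illustration.

```python
CLIENT_PROTOCOL_41 = 0x0200  # capability flag: 4.1 protocol (assumed throughout)
CLIENT_SSL = 0x0800          # capability flag: client will switch to TLS
SSL_REQUEST_LEN = 32         # flags(4) + max packet size(4) + charset(1) + filler(23)
COM_QUERY = 0x03             # command byte that precedes SQL text

def packets(buf, offset=0):
    """Yield (sequence_id, payload, end_offset) for each complete MySQL packet."""
    while offset + 4 <= len(buf):
        length = int.from_bytes(buf[offset:offset + 3], "little")
        end = offset + 4 + length
        if end > len(buf):
            return
        yield buf[offset + 3], buf[offset + 4:end], end
        offset = end

def classify_client_stream(buf):
    """Return "tls", "plaintext" or "unknown" for one client-to-server stream."""
    first = next(packets(buf), None)
    # The client's first packet answers the server greeting, so its sequence id is 1.
    if first is None or first[0] != 1 or len(first[1]) < SSL_REQUEST_LEN:
        return "unknown"
    _, payload, end = first
    flags = int.from_bytes(payload[:4], "little")
    if flags & CLIENT_SSL and len(payload) == SSL_REQUEST_LEN:
        # An SSLRequest must be followed by a TLS handshake record:
        # content type 0x16, protocol major version 0x03.
        return "tls" if buf[end:end + 2] == b"\x16\x03" else "unknown"
    return "plaintext" if not flags & CLIENT_SSL else "unknown"

def readable_queries(buf):
    """Return SQL text visible on the wire; only meaningful for plaintext streams."""
    return [payload[1:].decode("utf-8", "replace")
            for seq, payload, _ in packets(buf)
            if seq == 0 and payload[:1] == bytes([COM_QUERY])]

def _packet(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def _login_header(flags):
    # flags, max packet size (16 MiB), charset 33 (utf8_general_ci), 23 zero bytes
    return (flags.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little")
            + b"\x21" + bytes(23))

# Constructed sample streams, not captured from a real server.
TLS_STREAM = (_packet(1, _login_header(CLIENT_PROTOCOL_41 | CLIENT_SSL))
              + b"\x16\x03\x01\x00\x05hello")
PLAIN_STREAM = (_packet(1, _login_header(CLIENT_PROTOCOL_41) + b"drupal\x00\x00")
                + _packet(0, b"\x03SELECT mail FROM users_field_data"))

if __name__ == "__main__":
    for name, stream in (("tls", TLS_STREAM), ("plain", PLAIN_STREAM)):
        print(name, classify_client_stream(stream), readable_queries(stream))
```

The server greeting and the 32-byte SSLRequest are always sent in the clear before the TLS handshake, so a few readable bytes at the very start of a flow do not mean encryption failed; readable SQL after that point does.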


Tagged MySQL, TLS
Categories: Drupal

Zhilevan Blog: Fix Drupal Files/Directories permissions by PHP after hacked

News from Planet Drupal - Wed, 08/08/2018 - 04:18
Last night one of our former company's customers called me and needed help to recover their hacked website. First of all, I installed the Hacked module, checked the changed files and recovered them, then looked for and cleaned out some backdoor files whose job is to inject code for external code (most of the time, JS files for traffic hijacking) into the website.
Categories: Drupal

Reliable Writer Needed To Make Blog Posts And YouTube Descriptions From Video Scripts - Ongoing Work - Upwork

WordPress Work From UpWork - Tue, 08/07/2018 - 21:41
I'm looking for a reliable Upworker to help me streamline my content creation process and free up time to work on my business more.

I run a site that helps bass guitarists improve their playing. I write the scripts and shoot the videos, and for this job you would read the script and create 2 things:

#1 - An engaging blog post to accompany the video on the site (300-500 words)

#2 - A YouTube description that makes it clear what the video is about, but doesn't reveal too much of the actual content

I would give you templates for both and ideally, you'd write in my voice.

There can be some overlap in both, but they shouldn't be exactly the same. Again, I can provide examples of what I'm expecting.

Since you're not writing from a script and not a blank page, the actual 'creation' process should be fairly straightforward.

For the right person, this would be an ongoing source of work, with the ability to gain more responsibilities over time - things like creating and editing posts directly on Wordpress, scheduling posts, etc. I would be more than happy to pay for the extra time these tasks take.

The content is all music-based, so if you have a background in music, this job will probably be slightly easier for you, however, this isn't essential.

If you have experience in WordPress, YouTube, or are familiar with SEO, that would be an advantage, but again - it's not essential, especially at the start.

Posted On: August 09, 2018 04:11 UTC
Category: Writing > Article & Blog Writing
Skills: Article Writing, YouTube Marketing
Country: Australia

[Help] How do I add an extra button to The event calendar (Images attached )

Talk about plugins - Tue, 08/07/2018 - 20:35

Hi there, thank you for reading my post. I have The Event Calendar installed on my WordPress website, which right now has one button (view link: https://imgur.com/a/B5xkFsq)

and I would like to add another button to it like the image in the link below


Any help would greatly be appreciated. Thank you.

submitted by /u/Andreboy

Drupal.org blog: What's new on Drupal.org? - July 2018

News from Planet Drupal - Tue, 08/07/2018 - 20:23

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Announcements

Git remote URL changes for full projects and sandboxes

Git authentication methods for Drupal.org hosted projects are changing as we approach upgrading our developer tooling stack.

In particular we are:

We have updated the version control instructions for Drupal.org projects, and put a message in our Git server for any user who makes a push using the deprecated format.

For more information, please review: https://drupal.org/gitauth

Reminder: Drupal Europe is coming up soon

Drupal Europe is coming up in less than 40 days! Drupal Europe will be the largest gathering of the Drupal community in Europe and is a reimagining of this important community event as both technical conference and family reunion. The Drupal Association engineering team will be attending to connect with the community, provide updates on Drupal.org, and listen to some of the incredible speakers who will be in attendance.

Join the community in Darmstadt, Germany, from September 10-14, 2018. Make sure to register, book your travel, and secure accommodation: http://drupaleurope.org/

We want your feedback on ideas for Drupal Core

The Drupal Association has proposed several initiatives for Drupal Core - but before they can be officially adopted they need feedback from stakeholders in the community (even if it's just a "+1") and to reach community RTBC. Here are the proposals:

Drupal.org Updates

Staff retreat

In July the Drupal Association gathered together in Portland, Oregon for our bi-annual staff retreat. At these retreats we discuss the progress made in the last six months, and our prioritization as an organization going into the next six-month period.

Hightech industry page launched

Drupal is the CMS of choice for a variety of companies in the high tech space, including organizations like Redhat, Cisco, and Tesla. Whether it is used in a front-facing application, as a decoupled back-end, or for an internal intranet, experts in hightech defer to Drupal's example for their needs.

We launched a new industry page featuring these stories from high tech in July.

Drupal.org API updated for security advisories

To improve the automated toolchains built by organizations and individuals in the community to watch for new security advisories, we've updated the Security Advisory API. One of these changes ensures that the full canonical identifier for each advisory is included in the API data, which is a small but valuable change for anyone monitoring the API for advisory information.

Social Media Sharing for Events News

The DrupalCon news feed now includes social media sharing icons, so that you can better promote DrupalCon news and announcements to your networks. Word of mouth has always been a critical part of Drupal's success - so we hope that as featured speakers are announced, early bird registration begins, or the schedule is published, you will help us get the word out!

DrupalCon Seattle is coming up from April 8-12 2019, and we're featuring some bold new changes to support a variety of audiences from our traditional core of those people who build Drupal, to marketers and content editors, and to the agency sales forces that sell Drupal to the world.


As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who make it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Drupal

marketing for a new product : water savor - Upwork

WordPress Work From UpWork - Tue, 08/07/2018 - 18:52
We need to promote a new product: Water Saver by email marketing, post on Facebook, blog on our website.

I would like the page to have a couple of graphics, less words, eye-catching.

We need:
1. Blog page on wordpress web site (link removed)
2. one email on mailchimp, using our existing template or create a new template, whichever is better
3. Image file to post on facebook
4. Image file (with Chinese words, I will provide them) to post on WeChat

Here are information about this product:

Save Home Owner 35000 Liters water 1 Year or $126

Regular price $200 plus tax including installation

Promotions  $140 plus tax for home owners in the following city :
Aug 13 - Aug 18   Markham,
Aug  20 - Aug 25  Mississauga
Aug 27 - Sept 1   Richmond Hill

Posted On: August 07, 2018 20:11 UTC
Category: Sales & Marketing > Marketing Strategy
Skills: Content Writing, Email Marketing, Marketing Strategy, Sales, Social Media Marketing
Country: Canada

[HELP] What would be some good plugins to create an "artist collective" page with a few dozen artists?

Talk about plugins - Tue, 08/07/2018 - 18:31

Basic functionality needed:

  1. each user needs an "artist page" where they can edit their own content. That content would be some images, artist statement, resume, social media links, possibly a gallery or galleries of images...but this is not an infinite scrolling thing like a Facebook feed.
  2. would be great to be able to just create a new artist page through the admin dashboard and it's all ready to do everything in bulletpoint 1. I would need to set permissions so only the artist alone can edit his page.
  3. would be even better if new users could register and automatically create their new artist page.

I know about Buddypress and Peepso but both of them look wrong by default and seem like a lot of hacking to get simple, clean pages. Is there a way to just do this from scratch that's not too complex? I don't know if it's really possible with just ACF plugin. I was looking at Toolset but I'm not familiar with that.

Any other themes or plugins I don't know about that would help, please recommend! Thanks!

submitted by /u/NoMuddyFeet

[REVIEW] WP Frontend - Frontend Posting and Profile Builder plugin, need your feedback

Talk about plugins - Tue, 08/07/2018 - 17:53

Hi everyone,

My team, CyberCraft, has recently released a brand new plugin, WP Frontend. It has some excellent features to draw your attention for sure. Some of those are

  • User can have their own dashboard in front
  • User can create post from frontend
  • Create post as guest
  • User can be restricted on accessing the admin panel
  • Admin can choose which roles he wants to give access to the admin panel and which he does not.
  • Unlimited forms
  • You can build form to create post of any post type
  • Numerous fields
  • Drag and drop. No coding required
  • Visual form builder. You will see the output in realtime
  • Blazing fast admin panel
  • Ajax form submission. Form can be submitted without page refresh
  • Schedule form submission
  • Set redirection after successful post submission
  • Customizable message on post submission
  • Limit post submission
  • Suitable to any theme
  • Responsive
  • 24 grids support

But it's not the end. You can have more features unlocked by purchasing the Pro version which will include the following features.

  • Premium support.
  • Automatic and regular update.
  • Role based permission. You can define the roles that you want to have access for the form
  • Multistep functionality.
  • Different form presets
  • 14 New and complex fields unlocked.
  • Conditional fields. You can set field to be dependable on other fields when rendering.
  • Advanced settings.
  • And more...

You can learn more from

https://wordpress.org/plugins/wp-frontend/ and https://cybercraftit.com/wp-frontend-pro/

Expecting you all to let me know what and how you think about this plugin. Any query is welcome for that :)

submitted by /u/mithublue

[REVIEW] WonderPlugin PDF Embed

Talk about plugins - Tue, 08/07/2018 - 17:10

I was just trying to embed a couple PDFs. Because reviews are supposed to give you a good idea of the quality of a product, I tried the top rated, most downloaded plugins first. Every single one failed to perform on mobile devices. The ones I tried were PDF Embedder, Embed Any Document, and Google Doc Embedder.

I finally decided to take a chance with WonderPlugin PDF Embed, which is far from the most downloaded plugin for embedding PDFs. My headache is gone. I can relax now. If the ones I tried didn't work for you, definitely check this one out too. It works like a dream on mobile devices.

And if any of the developers of WonderPlugin PDF Embed read this, PLEASE do NOT do that thing where you make the product awesome for the first few months and then once it gains popularity you let it slide. We need your best work! I would actually pay for it if that's what you need to keep it functioning well in the long term.

submitted by /u/csstudent70834

[Request] Booking/Appointment system for multiple online counsellors

Talk about plugins - Tue, 08/07/2018 - 16:20

Any plugin recommendations for booking online appointments with multiple people to choose from?

Needs to support multiple workflow streams:

1. Search/filter

a. Filter counsellors by several different taxonomies.


b. Filter by date/timeslot

2. View profile of counsellor(s) and choose a counsellor

3. Make appointment -> email to counsellor

4. Counsellor reviewed and confirms -> email to client

5. Email notification to both 1hr before the chosen event.

I have found a couple that support search option A, but not both A and B.

Thanks in advance for any help!

submitted by /u/robrob883