From SI410
Jump to: navigation, search
Back • ↑Topics • ↑Categories
Drupal Official Website [ ]
Type Web Content Management System
Launch Date 2001 [1]
Status Active
Product Line Drupal
Platform Cross Platform, PHP
Website www.drupal.org

Drupal is a free online Open Source web content management system platform (CMS) started by Dries Buytaert. Drupal can be used to create a wide array of webpages, from personal blogs to enterprise applications. The nature of the open source community surrounding the Drupal CMS allows users to access extra CMS features (called modules) that were created by developers in the Drupal community, as well as contribute to the array of features themselves by utilizing a Drupal developer account.[2] Each module provides a specific functionality to the web interface. Each content item is a node, and each node is a specific content type. [3]

As of March 2019, there were 42,650 modules and 1.37 million users worldwide using Drupal to power their sites [1].


Drupal was started in 2000 at the University of Antwerp in Belgium. Dries Buytaert and Hans Snijder had set up a wireless internet connection to Snijder's ADSL modem, and were sharing it with 8 other students in the dormitory. Buytaert made a small news site with a built-in posting board for the students to share announcements and news over Snijder's modem. The software didn't become public until the day after Buytaert's college graduation, when he put it on the web so students at Antwerp could all stay in contact with each other.[4]

The original domain name for the site was drop.org, due to a typo when checking to see if dorp.org was available (dorp is the word for 'village' in Dutch). Upon its release to the public, the audience and members of drop.org changed. Members began exploring new web technologies, and experimenting with these technologies in the software running in the back-end of the site. In January of 2001 Buytaert released the software the site was using under the name "Drupal," a twist on the Dutch word for "drop." Users have been contributing new features to the site ever since [4].

Technical Details

The Drupal software bundle includes the Drupal Core, which contains all the basic Drupal functions that come standard with a Drupal account. The software bundle also includes other developer-contributed modules that extend the functionality of the Drupal CMS but are not included in the Core. The standard Drupal Core comes with built in features such as blogging, forums, and contact forms. These features can then be supplemented by contributed modules within the Drupal open source development community.[5]

Drupal is written in PHP, a server-side scripting language. Drupal is compatible with any platform that supports a PHP-running web server and a database for data storage. Although Drupal does contain a complex set of programming features for web developers, no programming knowledge is needed to set up and administrate a basic web page [6]. With over 18,000 modules available to all users, developers are allowed to dedicate their efforts into feature integration and user experience rather than having to create and code these features on their own.[6]


Drupal's administration system is split into give main parts: Content, People, Structure, Configuration, and people. With each of these sections, administrators can easily modify site content, update users permissions, create menus, and enable new themes. The command line tool for Drupal called "Drush" can automatically update outdated modules and clear the cache with a single command instead of spending hours trying to change elements through the command prompt.[7]


The Drupal system doesn't need custom programming. It easily builds both internal and external websites, and options of using a multi-site configuration or choosing a Drupal distribution can give first-time users pre-made configurations for every site's purpose. In Drupal, a "Action module" exists to automate tasts like sending email blasts to promote events or causes. Moreover, the "Workflow module" and "Rules module" should be further explore to extend the functionality of the Action module. Another module that can be used is the "Panels module", which gives site administrators a easier way to create a customized layout that is right for them. It has a drag and drop interface for adding views, fields, and nodes.[8]


Through the Workflow module, administrators can have strict control over user's abilities so administrators have the ability to control what content is private what is published on the site. With the Organic Groups module, it gives users the ability to create groups on the site and with certain distributions like Open Atrium and Drupal Commons it can help make a site collaborative. Drupal also has a Facebook Connect module to utilize user's Facebook login information to contribute to the site.[9]

The Drupal Team

Drupal's core content is managed by an array of developers and a security team. The founder and lead developer is Dries Buytaert, who maintains chief control over additions and other changes to the software. Core committers are a small team of developers who review and maintain code and inspect changes submitted. They are the only members with write access to the core repository. As of October 12, 2012, Buytaert himself is the only permanent core committer. Branch maintainers are appointed by Buytaert and are informally charged with oversight of a specific portion of the core, such as a particular module or set of modules. Core contributors are any developers who submit patches or documentation for the core source code. They are peer-reviewed and then decided upon by Buytaert to be invited to be core committers.[10]

Drupal also has a substantial security team to test for and resolve any security issues with the core, as well as assist the Drupal developer community in the security of their own features. This includes, but is not limited to, helping resolve security issues with module maintainers' code, distributing documentation on writing secure code, and providing documentation on securing your own site. When security issues are found, the security team follows a policy of "Responsible Disclosure." The team only goes public with the issue after the issue has been fixed or it has become apparent that the core maintainer in charge of the code is not responding in a timely manner.[11]


The Drupal community has a variety of resources and places to receive guidance and support for the software. These resources include face-to-face meetups, IRC channels, Planet Drupal (an online service that aggregates blog posts about Drupal), commercial support (private companies posting to the Marketplace where users can receive professional assistance), the Drupal Forum, mailing lists, and more.[12]

Ethical Concerns

There are a few ethical concerns with the usage of Drupal. These range from potential vulnerabilities inherent in some versions of the software (wherein the software is seen as the moral agent) to the open source software (OSS) model which Drupal's community of developers act as moral agents in.

Security Ethics

First, is the ethical concern of security with the use of Drupal, especially on secure websites such as whitehouse.gov, etc. While Drupal is a secure system, there are four common configuration issues that are often overlooked when developing a Drupal site. These issues are:

  1. Leaving Drupal Version Information Text Files on Server, allowing potential malicious users to know which exact version of Drupal the site uses. This would let the potential hacker exploit version-specific vulnerabilities to the Drupal site.
  2. Cross Site Scripting (widely accepted as the most common vulnerability used to exploit web applications[13]). This can be prevented by barring users from inserting functioning scripts into text boxes, either by not allowing HTML insertion or filtering the HTML.
  3. Exposing Apache/Server Tokens, which inform potential malicious users which Apache/PHP version the site uses. This could potentially expose version-specific vulnerabilities.
  4. Allowing Users to Create Accounts on a Private Content Site. If the site is intended to be private/corporate, the administrators should be the only ones who can approve of new users.

By following a few short steps, one can make a Drupal site much less vulnerable to security threats and breaches.

On April 17, 2019, The Cybersecurity and Infrastructure Security Agency (CISA) announced that, “Drupal has released security updates to address multiple vulnerabilities in Drupal Core. A remote attacker could exploit some of these vulnerabilities to take control of an affected website. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal’s security advisories SA-CORE-2019-005 and SA-CORE-2019-006 and apply the necessary updates.” [14]

Open-Source Ethics

The development and expansion of Open Source Software options in the field of web app development has come with its own set of moral and ethical issues. These range from issues covered under Drupal's extensive Licensing Policy, to the GPL (GNU General Public License), to ethical concerns outside of the law and Drupal's licensing policies.

  • Accountability and Responsibility: this is a central theme to a great majority of ethical discussions about OSS. Some concerns may be:
    1. Who is responsible in the event that a vulnerability is exploited and private data is leaked?
    2. Does exposing source code to potentially malicious public observers reveal vulnerabilities in the application?
    3. Are morally questionable outcomes more likely when collaborators may not have any personal connection to each other? Moreover:
    4. Should collaborators trust one another?

The project coordinator or manager is the main 'risk-taker' in this situation, as it is his/her own personal code being put online to be scrutinized by his/her peers en masse, and it is his/her code that could possibly be re-appropriated and opportunistically sold by a would-be intellectual property thief. However, the latter issue is covered by the GPL and is ethically less intriguing than the question of motive. Why should a developer open him/herself to criticism, and for what benefits? Does the developer lose control of his/her own project in doing so? To this end, Paul B. de Laat argues in his paper "Trusting virtual trust" that using a structured hierarchy of roles (observer-contributor-manager) and collaborative technologies common to proprietary projects, collaborators can overcome the so-called "anarchy" of the task. De Laat posits these techniques display an air of professionalism and more importantly that these collaborators have learned from the mistakes of past OSS projects.[15]

  • Motivation: why would a company use open source as opposed to its own proprietary software? Why would a developer make content that can't be sold, or can be sold but for potentially less profit than if he/she were to produce it under a private license? Bernd Carsten Stahl comments in his article "Social issues in computer ethics" in Chapter 7 of Lucian Floridi's Cambridge Handbook of Information and Computer Ethics that it would seem the prevalence of OSS development points to motivations for software development beyond "remuneration."[16]

Notable Websites using Drupal

See Also


  1. 1.0 1.1 “Drupal.” Wikipedia, Wikimedia Foundation, 24 Apr. 2019, https://en.wikipedia.org/wiki/Drupal
  2. “Drupal - Open Source CMS.” Drupal.org, 23 Apr. 2019, https://www.drupal.org/
  3. Devarakonda, R., Shanafield, H. (2011). Drupal: Collaborative framework for science research. Proceedings 2011 International Conference on Collaboration Technologies and Systems, pp. 643.
  4. 4.0 4.1 “Our History.” Drupal.org, 24 Feb. 2018, https://www.drupal.org/about/history/
  5. “Drupal Core.” Drupal.org, 23 Mar. 2019, https://www.drupal.org/project/drupal/
  6. 6.0 6.1 “Drupal 8 Is Here.” Drupal.org, 28 Nov. 2018, https://www.drupal.org/features.
  7. “Drupal 8 Is Here.” Drupal.org, 28 Nov. 2018, https://www.drupal.org/features/administer/.
  8. “Drupal 8 Is Here.” Drupal.org, 28 Nov. 2018, https://www.drupal.org/features/build/.
  9. “Drupal 8 Is Here.” Drupal.org, 28 Nov. 2018, https://www.drupal.org/features/collaborate/.
  10. “Develop.” Drupal.org, 2 Oct. 2018, https://www.drupal.org/docs/develop.
  11. “Drupal Security Team.” Drupal.org, 30 Mar. 2017, http://www.drupal.org/security-team/.
  12. “Community.” Drupal.org, 6 Apr. 2019, http://www.drupal.org/community/.
  13. Symantec Internet Security Threat Report Trends for July–December 07. symantec.com. April 2008. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
  14. Current Activity | US-CERT. (n.d.). Retrieved from https://www.us-cert.gov/ncas/current-activity
  15. de Laat, Paul B. “Trusting Virtual Trust.” PhilPapers, 1 Jan. 1970, https://www.philpapers.org/rec/DELTVT.
  16. Floridi, Luciano, et al. “Cambridge Handbook Information and Computer Ethics | Philosophy: General Interest.” Cambridge University Press, Cambridge University Press, 24 May 2010, https://www.cambridge.org/aus/catalogue/catalogue.asp?isbn=9780521888981.

(Back to index)