'You're updated!' Drupal says, with fingers crossed behind back

Drupal

Is a fucking dog

DrupLOL!

I am a PHP fan and I have to say Drupal is an embarrassment really. I have always avoided it but as an operations bod it has been dumped on me a few times.

Baseline performance is average at best but if you actually want it to work as a CMS then you need 100+ modules. Then you quickly end up with 10,000+ file includes and 500+ database queries per page.

Anyone who says they are using Drupal for a high-traffic site is lying. It's most likely Varnish/nginx/a CDN serving the requests with Drupal running as a static content generator behind.

In my experience a reasonably customised Drupal site is not capable of serving more than 10-20 req/s alone. It doesn't even work without APC/OpCache and Drupal's built-in cache enabled (which is stored in the database... seriously). Throw in memcached/redis to replace the database cache handler and you might get 20 req/s on a not-very-complicated site. Want any interactivity and per-user content on any pages then forget it.

No doubt people have pushed Drupal performance higher than that. But factor in the time, expense and server resources required to hit higher levels of traffic and Drupal just is not worth it.

Never again …

Worked on one Drupal project which is two too many.

Hopelessly complex PHP & Database structure. Dependence on innumerable plugins which are poorly documented, poorly understood and of unknown security. Cumbersome update process. Even more cumbersome to backup and redeploy.

The problem with most of these CMS packages is that they appeal to the amateur who does not have the advanced skills required to maintain them and to customise them safely.

As far as I can work out, Drupal is only loved by the handful of masochists who can handle setting it up without going mad - because if you can set it up you've got guaranteed return custom from the client who can't work out how to manage their own site.

I left a job once because the client demanded we start using Drupal...

Why am I not surprised?

I've learned to really, really hate Drupal.

Everyone knows the worst part of software (and by extension web) development is having to maintain someone else's code.

Drupal Core - such as it is - isn't terrible. The trouble is the core doesn't really do anything except provide a horrifically complicated framework for writing extensions. By the time you've added enough modules to do what you wanted (which are frequently buggy, terribly documented, and not quite a match for what you wanted anyway) the whole thing has become a creaking pile of hacks-upon-hacks which are just waiting for an opportunity to fall over, so you end up writing even more modules to try and patch it all up.

This inevitably leads to having to read the source for all the modules you're trying to make play nice with one another, and by the time you're done with that and have written half a dozen "glue" modules to keep it all together (which you now have to maintain because there's a decent chance that some future update will break them) it's taken longer to get everything working than it would have done to write the entire site from scratch because everything you've written has had to be contorted around all the other crap that you didn't write and don't really understand.

What you're left with is something that's not only frighteningly fragile because it's made from 300 different components by 200 different authors, at least half of which haven't updated them in 2 years and probably never will, but also dog slow because the chain from "request" to "render" has to pass through every single one of those things.

</rant>

Lots of hate here...

And I understand the hate. However Drupal itself is very flexible and can be very good.

Unfortunately there are some serious problems, a lot stemming from the core developers who can often be politely termed "asshats" who in the past have been so blinkered and elitist that they didn't care for suggestions or improvements unless they came from within. This has improved but there's still far too much of it...

Documentation - the general response is "go read the source code". Erm, if I wanted to do that I wouldn't be looking for documentation would I? While there is some good documentation, unfortunately most of it is utterly appalling and you're left having to a global source search to find usage of the methods/functions and guess from there. And that's if the method/function is actually used in the source you have, or hasn't been obfuscated through the module system. Basically unless you're an expert in PHP then you'll find the documentation mostly useless but you'll be left admiring where all the CPU cycles have gone to perform very little of real benefit (Drupal 8 is an improvement on this front).

Without turning this into a rant, I've found that the best way to work with Drupal is:

1) Try to do everything "the Drupal way" - even if it's not quite the way you'd like to do it, it will save you a huge waste of time fighting it. Working out what "the Drupal way" is in a given situation is not always easy though given the pathetic documentation but often it does come with a lot of benefits.

2) Use as few modules as possible. It should be very obvious that the more modules you drop in the worse site performance will be but this doesn't stop some folk from doing this. As posted above, it's often that you find a module does 90% of what you need but lets you down on the other 10%. Sometimes this isn't a problem, others you may need to put some custom functionality in and a moderately experienced PHP developer shouldn't have a problem with this. This doesn't help hopeful end users though but in reality this isn't any difference to WorkPress modules except it's slightly easier to resolve with a PHP developer.

Perhaps I'm mad? I really like Drupal and what it can do for me!

Just to balance the haters a bit. Yes, Drupal is a complex beast, I reckon it takes three to four years of building sites with it to really get to know it properly. The main tasks being to learn "the Drupal way" and to learn which contributed modules are worth using, and how they work.

However, if you're willing to invest time getting to know Drupal then it can be a very powerful tool to build quite complicated database-driven web applications. I started with Drupal 5, which was not nice and which required lots of custom code to be written. Now with Drupal 7 I find I can build pretty comprehensive sites with hardly any custom code at all.

Oh, and I run Drupal on a VPS with SSD storage and find that it runs plenty fast enough even with many dozens on enabled modules (I will agree that with spinning rust storage it can be a little slow, you do need a half-decent server). There are lots of caching possibilities in core and with external caches if you really need them, and Drupal 8 (not yet ready for complex sites, several useful modules are not yet fully updated for 8) has big improvements in how content can be cached efficiently. Drupal works fine for governments, universities, and record labels, so there are plenty of big users who find the performance is not a problem.

As with any software, it's horses for courses. Creating a blog with Drupal is quite a lot of work, WordPress does that sort of task much better out-of-the-box. But for more database-like sites Drupal beats WordPress easily. You can of course resort to a basic framework, or write all your code from scratch. Drupal is simply a powerful high-level system for building database-driven web applications, where all the standard boilerplate stuff is already done for you.

I suspect the haters here might be people with Computer Science degrees. Mine's a Mechanical Engineering one - I'm more of a systems analyst than a coder. I don't care so much about the clean aesthetics of algorithms, I just like stuff to work as a useful tool to get the job done.

Unintuitive? Yes. Not a good option? No.

Drupal does require either a significant time investment, or a lot of hand-holding to learn "the Drupal way" of doing things. But once you've mastered it, you're able to build robust applications, while benefiting from upstream improvements and a security team that is on the look out for potential exploits (all software has bugs.)

I've seen both sides of the coin, self-taught and trained.

I am a self-taught Drupal developer, who only picked it up for the sake of a job interview. Before that I was building websites from scratch in PHP/etc, or working on applications in Java.. or C#. Point is, I taught myself Drupal for a job interview, and I sat there thinking "why would anybody use this?" Weeks into the job, I still thought that. It took a few years for me to wrap my head around all of the Drupal-isms and to really enjoy building with it.

Since then I've founded DebugAcademy.com , through it I teach people to become Drupal developers. Applicants can be completely new to web development, or seasoned programmers looking to switch to enterprise web development. After the 3 month part-time course, students' reactions are rarely ever "Drupal is hard". Generally, they're really excited with what they've built (live client sites), and eager to become full time Drupal devs. That wasn't my reaction when I first picked up Drupal because I didn't have anyone walking me through all of the pitfalls.

On the point of 'Drupal is slow, varnish/etc is really serving the pages'. Caching is not something that is slapped on top of Drupal via Varnish. It took me time to accept it, but caching should be looked at as part of Drupal's architecture, because that's what it is. Drupal 8 turns caching into an art. It's not "Drupal is slow, caching hides that." No - granular cache control is a strength of Drupal, and (especially) large websites will benefit from the fact that they have native (D8) granular cache control for their complex websites.

Here is a post from the Drupal Security Team (who do not seem to have been contacted for this article) regarding these issues: https://groups.drupal.org/node/506128

Note that the specific issue (out of the three) which this article focuses most of its attention on in fact seems to be relatively minor. As stated there: "The impact is limited to only one page of the Drupal administrative interface. All other pages in the admin interface warn about failures correctly."