Drupal
from Wikipedia

Drupal
Original author: Dries Buytaert
Developer: Drupal community
Initial release: January 15, 2001; 24 years ago (2001-01-15)[1]
Stable release: 11.1.7[2] / 8 May 2025; 5 months ago
Repository: Drupal Repository
Written in: PHP, using Symfony
Operating system: Unix-like, Windows
Platform: Web platform
Size: 100 MB
Type: Content management framework, Content management system, Blog software, Open source, Knowledge management
License: GPL-2.0-or-later[3]
Website: drupal.org

Drupal (/ˈdruːpəl/)[4] is a free and open-source web content management system (CMS) written in PHP and distributed under the GNU General Public License.[3][5][6] Drupal provides an open-source back-end framework for at least 14% of the top 10,000 websites worldwide[7] and 1.2% of the top 10 million websites[8]—ranging from personal blogs to corporate, political, and government sites.[9] Drupal can also be used for knowledge management and for business collaboration.[10]

As of March 2022, the Drupal community had more than 1.39 million members,[11][12][13] including 124,000 users actively contributing,[14] resulting in more than 50,000 free modules that extend and customize Drupal functionality,[15] over 3,000 free themes that change the look and feel of Drupal,[16] and at least 1,400 free distributions that allow users to quickly and easily set up a complex, use-specific Drupal in fewer steps.[17]

The base of Drupal, known as Drupal core, contains basic features common to content-management systems. These include user account registration and maintenance, menu management, RSS feeds, taxonomy, page layout customization, and system administration. The Drupal core installation can serve as a simple website, a single- or multi-user blog, an Internet forum, or a community website providing for user-generated content.

Drupal also describes itself as a web application framework.[18] When compared with notable frameworks, Drupal meets most of the generally accepted feature requirements for such web frameworks.[19][20]

Although Drupal offers a sophisticated API for developers, basic Web-site installation and administration of the framework require no programming skills.[21]

Drupal runs on any computing platform that supports both a web server capable of running PHP and a database to store content and configuration.

In 2023/2024, Drupal received over 250,000 Euros from Germany's Sovereign Tech Fund.[22][23]

Drupal is officially recognized[24] as a Digital Public Good.[25]

History

Latest major and supported releases[26]
Status          Version   Release date
Latest version  11.1.7    8 May 2025[2]
Supported       10.4.1    6 January 2025[27]
Unsupported     7.103     4 December 2024[28]
Unsupported     9.5.11    20 September 2023[29]
Unsupported     8.9.20    17 December 2021[30]
Unsupported     6.38      24 February 2016[31]
Unsupported     5.23      11 August 2010[32]
Unsupported     4.7.11    10 January 2008[33]
Unsupported     3.0       15 September 2001[34]
Unsupported     2.0       15 March 2001[35]
Unsupported     1.0       15 January 2001[36]

Drupal was originally written by Dries Buytaert as a message board for his friends to communicate in their dorms while working on his Master's degree at the University of Antwerp.[37][38] After graduation, Buytaert moved the site to the public internet and named it Drop.org.[37] Between 2003 and 2008 Dries Buytaert worked towards a PhD degree at Ghent University.[39]

The name Drupal represents an English rendering of the Dutch word druppel, which means "drop" (as in a water droplet).[40] The name came from the now-defunct Drop.org, whose code slowly evolved into Drupal. Buytaert wanted to call the site "dorp" (Dutch for "village") for its community aspects, but mistyped it when checking the domain name and thought the error sounded better.[41]

Drupal became an open source project in 2001.[41] Interest in Drupal got a significant boost in 2003 when it helped build "DeanSpace" for Howard Dean, one of the candidates in the U.S. Democratic Party's primary campaign for the 2004 U.S. presidential election. DeanSpace used open-source sharing of Drupal to support a decentralized network of approximately 50 disparate, unofficial pro-Dean websites that allowed users to communicate directly with one another as well as with the campaign.[42] After Dean ended his campaign, members of his Web team continued to pursue their interest in developing a Web platform that could aid political activism by launching CivicSpace Labs in July 2004, "...the first company with full-time employees that was developing and distributing Drupal technology."[43] Other companies also began to specialize in Drupal development.[44][45]

By 2013, the Drupal website listed hundreds of vendors that offered Drupal-related services.[46]

As of 2014, Drupal is developed by a community.[47] From July 2007 to June 2008, the Drupal.org site provided more than 1.4 million downloads of Drupal software, an increase of approximately 125% from the previous year.[48][49]

As of January 2017 more than 1,180,000 sites use Drupal.[50] These include hundreds of well-known organizations,[51] including corporations, media and publishing companies, governments, non-profits,[52] schools,[53] and individuals. Drupal has won several Packt Open Source CMS Awards[54] and won the Webware 100 three times in a row.[55][56]

Drupal 6 was released on 13 February 2008.[57] On 5 March 2009, Buytaert announced a code freeze for Drupal 7 for 1 September 2009.[58] Drupal 7 was released on 5 January 2011, with release parties in several countries.[59] After that, maintenance on Drupal 5 stopped, with only Drupal 7 and Drupal 6 maintained.[60] Drupal 7's end-of-life was scheduled for November 2021, but given the impact of COVID-19 and the continuing wide usage, the end of life was pushed back until 1 November 2023.[61] This was extended once more as of June 2023 and was finally set for 5 January 2025.[62]

Drupal 8 was first released on 19 November 2015. It was the first version to use Symfony for components and Twig as a template engine, and it also used Composer for managing dependencies.[63][64] The last Drupal 8 release was version 8.9.20, released on 17 December 2021.[30]

Drupal 9 was released in 2020 and was created with easier upgrades and management in mind. The first version was released on 3 June 2020 along with Drupal 8.9.0 with fewer major changes in project structure than in version 8.0, but with some of the old, deprecated code removed.[63][65][66]

In October 2022, Drupal released an open source headless CMS accelerator, allowing the front end to be managed outside of the core system.[67][68]

In April 2023, Drupal was recognized by the United Nations Digital Public Good Alliance as a digital public good.[69]

Drupal Core


In the Drupal community, "core" refers to the collaboratively built codebase that can be extended through contributory modules and—for versions prior to Drupal 8—is kept outside of the "sites" folder of a Drupal installation.[70] (Starting with version 8, the core is kept in its own 'core' sub-directory.) Drupal core is the stock element of Drupal. Common Drupal-specific libraries, as well as the bootstrap process, are defined as Drupal core; all other functionality is defined as Drupal modules including the system module itself.

In a Drupal website's default configuration, authors can contribute content as either registered or anonymous users (at the discretion of the administrator). This content is accessible to web visitors through a variety of selectable criteria. As of Drupal 8, Drupal has adopted some Symfony libraries into Drupal core.

Core modules also include a hierarchical taxonomy system, which lets developers categorize content or tag with keywords for easier access.[21]

Core modules


Drupal core includes modules that can be enabled by the administrator to extend the functionality of the core website.[71][72]

The core Drupal distribution provides a number of features, including:[71]

  • Access statistics and logging
  • Advanced search
  • Books, comments, and forums
  • Caching, lazy-loading content (using BigPipe) and feature throttling for improved performance
  • Custom content type and fields, and user interface to create, manage, and display lists of content.
  • Descriptive URLs
  • Multi-level menu system
  • Multi-site support[73]
  • Multi-user content creation and editing
  • RSS feed and feed aggregator
  • Security and new release update notification
  • User profiles
  • Various access control restrictions (user roles, IP addresses, email)
  • Workflow tools (triggers and actions)

Core themes


Drupal includes core themes, which customize the "look and feel" of Drupal sites,[74] for example, Garland and Bartik.

The Color Module, introduced in Drupal core 5.0, allows administrators to change the color scheme of certain themes via a browser interface.[75]

Drupal CMS


At DrupalCon Portland in 2024, Dries Buytaert called for the Drupal Community to create a new, modernized Drupal experience. The project was initially called Starshot[76] and it was an effort to reframe how people think of Drupal. The project aims to deliver a more user-friendly and out-of-the-box version of Drupal, with a focus on ease of use, faster onboarding, and a polished default experience. In 2025, this project was launched as Drupal CMS. This represents a shift toward making Drupal more accessible to non-developers while retaining its powerful, flexible core architecture.[77][78]

Drupal CMS also includes many new artificial intelligence features.[79] Drupal is now more easily able to create an open source, no code/low code alternative.[80]

Localization


As of September 2022, Drupal is available in 100 languages including English (the default).[81][82] Support is included for right-to-left languages such as Arabic, Persian, and Hebrew.[83]

Drupal localization is built on top of gettext, the GNU internationalization and localization (i18n) library.

Auto-update notification


Drupal can automatically notify the administrator about new versions of modules, themes, or the Drupal core.[83] It's important to update quickly after security updates are released.

Before updating, it is highly recommended to take a backup of core, modules, themes, files and database. If an error is shown after the update, or if the new update is not compatible with a module, the site can be quickly restored from the backup. There are several backup modules available in Drupal.

On 15 October 2014, an SQL injection vulnerability was announced and an update was released.[84] Two weeks later the Drupal security team released an advisory explaining that everyone should act under the assumption that any site not updated within 7 hours of the announcement was compromised by automated attacks.[85] Thus, it can be extremely important to apply these updates quickly, and using a tool like Drush to make this process easier is highly recommended.

Database abstraction


Prior to version 7, Drupal had functions that performed tasks related to databases, such as SQL query cleansing, multi-site table name prefixing, and generating proper SQL queries. In particular, Drupal 6 introduced an abstraction layer that allowed programmers to create SQL queries without writing SQL.

Drupal 9 extends the data abstraction layer so that a programmer no longer needs to write SQL queries as text strings. It uses PHP Data Objects to abstract the database. Microsoft has written a database driver for their SQL Server. Drupal 7 supports the file-based SQLite database engine, which is part of the standard PHP distribution.

Windows development


With Drupal 9's new database abstraction layer, and ability to run on the Windows web server IIS, it is now easier for Windows developers to participate in the Drupal community.

A group on Drupal.org is dedicated to Windows issues.[86]

Accessibility


Since the release of Drupal 7, Web accessibility has been constantly improving in the Drupal community.[87] Drupal is a good framework for building sites accessible to people with disabilities because many of the best practices have been incorporated into Drupal Core.

Drupal 8 saw many improvements drawn from the Authoring Tool Accessibility Guidelines (ATAG) 2.0, which support both an accessible authoring environment and authors producing more accessible content.

The accessibility team is carrying on the work of identifying and resolving accessibility barriers and raising awareness within the community.

Drupal 8 has good semantic support for rich web applications through WAI-ARIA. There have been many improvements to both the visitor and administrator sides of Drupal, especially:

  • Drag and drop functionality
  • Improved color contrast and intensity
  • Adding skip navigation to core themes
  • Adding labels by default for input forms
  • Fixing CSS display:none with consistent methods for hiding and exposing text on focus
  • Adding support for ARIA Live Regions with Drupal.announce
  • Adding a TabbingManager to support better keyboard navigation[88]

The community also added an accessibility gate for core issues in Drupal 8.[89]

Extending the core


Drupal core is modular, defining a system of hooks and callbacks, which are accessed internally via an API.[90] This design allows third-party contributed modules and themes to extend or override Drupal's default behaviors without changing Drupal core's code.

Drupal isolates core files from contributed modules and themes. This increases flexibility and security and allows administrators to cleanly upgrade to new releases without overwriting their site's customizations.[91] The Drupal community has the saying, "Never hack core," a strong recommendation that site developers not change core files.[70]

Modules


Contributed modules offer such additional or alternate features as image galleries, custom content types and content listings, WYSIWYG editors, private messaging, third-party integration tools,[92] integrating with BPM portals,[93] and more. As of December 2019 the Drupal website lists more than 44,000 free modules.[15]

Some of the most commonly used contributed modules include:[94]

  • Content Construction Kit (CCK): Allows site administrators to dynamically create content types by extending the database schema. "Content type" describes the kind of information. Content types include, but are not limited to, events, invitations, reviews, articles, and products. The CCK Fields API is in Drupal core in Drupal 7.[95][96]
  • Views: Facilitates the retrieval and presentation, through a database abstraction system, of content to site visitors. Basic views functionality has been added to core of Drupal 8.[97]
  • Panels: Drag and drop layout manager that allows site administrators to visually design their site.
  • Rules: Conditionally executed actions based on recurring events.
  • Features: Enables the capture and management of features (entities, views, fields, configuration, etc.) into custom modules.
  • Context: Allows the definition of sections of a site where Drupal features can be conditionally activated.
  • Media: Makes photo uploading and media management easier.
  • Services: Provides an API for Drupal.

Themes


As of December 2019, there are more than 2,800 free community-contributed themes.[16] Themes adapt or replace a Drupal site's default look and feel.

Drupal themes use standardized formats that may be generated by common third-party theme design engines. Many are written in the PHPTemplate engine[98] or, to a lesser extent, the XTemplate engine.[99] Some templates use hard-coded PHP. Drupal 8 and future versions of Drupal integrate the Twig templating engine.[100]

The inclusion of the PHPTemplate and XTemplate engines in Drupal addressed user concerns about flexibility and complexity.[101] The Drupal theming system utilizes a template engine to further separate HTML/CSS from PHP. A popular Drupal contributed module called 'Devel' provides GUI information to developers and themers about the page build.

Community-contributed themes on the Drupal website are released under a free GPL license.[102][103]

Distributions


In the past, those wanting a fully customized installation of Drupal had to download a pre-tailored version separately from the official Drupal core. Today, however, a distribution defines a packaged version of Drupal that upon installation, provides a website or application built for a specific purpose.

The distributions offer the benefit of a new Drupal site without having to manually seek out and install third-party contributed modules or adjust configuration settings.[104] They are collections of modules, themes, and associated configuration settings that prepare Drupal for custom operation. For example, a distribution could configure Drupal as a "brochure" site rather than a news site or online store.

Architecture


Drupal is based on the Presentation Abstraction Control architecture, or PAC.

The menu system acts as the Controller. It accepts input via a single source (HTTP GET and POST), routes requests to the appropriate helper functions, pulls data out of the Abstraction (nodes and, from Drupal 5 onwards, forms), and then pushes it through a filter to get a Presentation of it (the theme system).

It even has multiple, parallel PAC agents in the form of blocks that push data out to a common canvas (page.tpl.php).[105]

Community


Drupal.org has a large community of users and developers who provide active community support by coming up with new updates to help improve the functionality of Drupal.[106] As of January 2017 more than 105,400 users are actively contributing.[14] The semiannual DrupalCon conference alternates between North America, Europe and Asia.[107] Attendance at DrupalCon grew from 500 at Szeged in August 2008, to over 3,700 people at Austin, Texas, in June 2014.

Smaller events, known as "Drupal Camps" or DrupalCamp, occur throughout the year all over the world.[108] The annual Florida DrupalCamp brings users together for Coding for a Cause that benefits a local nonprofit organization, as does the annual GLADCamp (Greater Los Angeles Drupal Camp) event, Coders with a Cause.

The Drupal community also organizes professional and semi-professional gatherings called meetups at numerous venues around the world.

There are over 30 national communities[109] around drupal.org offering language-specific support.

Media


There are several Drupal-specific forms of media. The most popular are podcasts. DrupalEasy, TalkingDrupal and the Lullabot Podcast all have hundreds of episodes and thousands of regular listeners.

Recently, The Drop Times[110] has become a Drupal-focused media outlet, highlighting stories of relevance to the Drupal community.

Users


Notable Drupal users include:

Security


Drupal's policy is to announce the nature of each security vulnerability once the fix is released.[118][119]

Administrators of Drupal sites can be automatically notified of these new releases via the Update Status module (Drupal 6) or via the Update Manager (Drupal 7).[120]

Drupal maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed with the most recent security advisories.[121][122][123]

In mid-October 2014, Drupal issued a "highly critical" security advisory regarding an SQL injection bug in Drupal 7, also known as Drupalgeddon.[124][125][126] Downloading and installing an upgrade to Drupal 7.32 fixes the vulnerability, but does not remove any backdoor installed by hackers if the site has already been compromised.[127] Attacks began soon after the vulnerability was announced. According to the Drupal security team, where a site was not patched within hours of the announcement, it should be considered compromised and taken offline by being replaced with a static HTML page while the administrator of its server must be told that other sites on the same server may also have been compromised. To solve the problem, the site must be restored using backups from before 15 October, be patched and manually updated, and anything merged from the site must be audited.[128]

In late March 2018, a patch for vulnerability CVE-2018-7600, also dubbed Drupalgeddon2, was released. The underlying bug allows remote attackers without special roles or permissions to take complete control of Drupal 6, 7, and 8 sites.[129][130] Drupal 6 reached end-of-life on 24 February 2016, and does not get official security updates (extended support is available from two paid Long Term Services Vendors).[131] Starting early April, large scale automated attacks against vulnerable sites were observed, and on 20 April, a high level of penetration of unpatched sites was reported.[132]

On 23 December 2019, Drupal patched an arbitrary file upload flaw. The file-upload flaw affects Drupal 8.8.x before 8.8.1 and 8.7.x before 8.7.11, and the vulnerability is listed as moderately critical by Drupal.[133][134]
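
The fixed releases and response steps in this section can be applied to a site inventory. The following is an added example, not part of the original article or of Drupal's own tooling: it flags core versions older than the fixed releases named above (7.32, 8.8.1, 8.7.11) and, for the October 2014 advisory, applies the 7-hour window and picks the newest backup from before 15 October. The advisory labels, the site records and the 16:00 UTC announcement time are assumptions; the article gives only the date.

```python
from datetime import date, datetime, timedelta, timezone

# (label, branch prefix, first fixed release). Versions are the ones the
# article states; the labels are made up for this example.
ADVISORIES = [
    ("sql-injection-2014", (7,), (7, 32)),
    ("file-upload-2019", (8, 8), (8, 8, 1)),
    ("file-upload-2019", (8, 7), (8, 7, 11)),
]

# Assumption: the article gives the announcement date and the 7-hour window,
# not the time of day. 16:00 UTC is supplied here and should be confirmed
# against the advisory before relying on the result.
ANNOUNCED = datetime(2014, 10, 15, 16, 0, tzinfo=timezone.utc)
PATCH_WINDOW = timedelta(hours=7)
CLEAN_BACKUP_CUTOFF = date(2014, 10, 15)  # restore only from backups before this day


def parse_version(text):
    """'8.7.10' -> (8, 7, 10). Dev/RC strings are rejected so they get a manual look."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable core version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_by(version_text):
    """Labels of listed advisories whose branch matches and whose fix is newer."""
    v = parse_version(version_text)
    return [label for label, branch, fixed in ADVISORIES
            if v[:len(branch)] == branch and v < fixed]


def restore_point(backups):
    """Newest backup date before the cutoff, or None when no clean backup exists."""
    clean = [b for b in backups if b < CLEAN_BACKUP_CUTOFF]
    return max(clean) if clean else None


def triage_2014(site):
    """Classify one site record for the October 2014 advisory.

    site keys: 'name', 'version_at_announcement', 'patched_at'
    (timezone-aware datetime, or None if never patched), 'backups' (list of dates).
    """
    result = {"name": site["name"], "restore_from": None}
    try:
        hits = affected_by(site["version_at_announcement"])
    except ValueError:
        result["status"] = "manual-review"
        return result
    if "sql-injection-2014" not in hits:
        result["status"] = "not-affected"
        return result
    patched = site["patched_at"]
    if patched is not None and patched <= ANNOUNCED + PATCH_WINDOW:
        result["status"] = "patched-in-window"
        return result
    # A late upgrade closes the hole but does not remove an installed backdoor,
    # so the site is rebuilt from a backup that predates the announcement.
    result["status"] = "presume-compromised"
    result["restore_from"] = restore_point(site["backups"])
    return result


UTC = timezone.utc
# Constructed sample inventory (hypothetical sites, not real data).
SAMPLE_SITES = [
    {"name": "intranet.example", "version_at_announcement": "7.31",
     "patched_at": datetime(2014, 10, 15, 18, 30, tzinfo=UTC),
     "backups": [date(2014, 10, 14)]},
    {"name": "shop.example", "version_at_announcement": "7.31",
     "patched_at": datetime(2014, 10, 17, 9, 0, tzinfo=UTC),
     "backups": [date(2014, 10, 10), date(2014, 10, 14), date(2014, 10, 16)]},
    {"name": "blog.example", "version_at_announcement": "7.30",
     "patched_at": None, "backups": [date(2014, 10, 16)]},
    {"name": "lab.example", "version_at_announcement": "7.x-dev",
     "patched_at": None, "backups": []},
]

if __name__ == "__main__":
    for record in SAMPLE_SITES:
        print(triage_2014(record))
    for version in ("8.8.0", "8.7.10", "8.7.11"):
        print(version, affected_by(version))
```

A site with status presume-compromised and no restore_from has no backup older than the announcement and needs a rebuild rather than a restore.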

In September 2022, Drupal announced two security advisories for a severe vulnerability in Twig for users of Drupal 9.3 and 9.4.[135] That week, Drupal also announced a patch for the S3 File System to fix an access bypass issue.[100]

In January 2023, Drupal announced software updates to resolve four vulnerabilities in Drupal core and three plugins.[136]

from Grokipedia
Drupal is a free, open-source content management system (CMS) and framework written in PHP, distributed under the GNU General Public License, and designed for building customizable websites and digital applications ranging from simple sites to complex, scalable platforms. Originally created by Belgian developer Dries Buytaert in 2000 as a bulletin board system for his university, Drupal's first official release came in January 2001, evolving from a personal project into a collaborative open-source initiative driven by community contributions. Its modular architecture, built on the LAMP stack (Linux, Apache, MySQL, PHP), separates content storage (via nodes in a database) from presentation and functionality, allowing extensive extensibility through over 50,000 modules and 3,000 themes that add features like user authentication, SEO optimization, and e-commerce capabilities. Key strengths include reliable performance, enterprise-grade security with regular updates, multilingual support, and accessibility compliance, making it suitable for high-traffic environments. As of November 2025, the latest stable release is Drupal 11 (version 11.2.8), which emphasizes composable architecture for headless and decoupled experiences, while Drupal 10 remains widely used with security support until late 2026. Drupal powers approximately 1.1% of all known websites globally, with a stronger presence among top-tier sites—used by about 7.2% of the world's top 10,000 websites—and is adopted by notable entities including government agencies (e.g., the U.S. federal government, City of London), media organizations (e.g., BBC, NBC), and institutions (e.g., Amnesty International, University of Oxford). The platform is sustained by a vibrant community of over 1 million contributors, including developers, designers, and content creators, who collaborate through events like DrupalCon and contribute to its ongoing innovation.

Overview

Definition and Purpose

Drupal is a free and open-source content management platform (CMS) and framework designed for building websites, web applications, and digital experiences. It enables users to create and manage online content efficiently, serving as a flexible tool for both simple personal sites and complex enterprise solutions. The primary purposes of Drupal include content authoring, site building, user management, and providing scalability from small blogs to large-scale enterprise websites. Its modular design allows for extensive customization through the addition or removal of features, supporting structured content creation, automated workflows, and seamless integration with external services. Drupal powers approximately 336,000 websites worldwide, representing 1.1% of all known CMS-powered sites and 7.3% of the top 10,000 websites globally, as of November 2025. Notable users include government and corporate entities. In recent versions, Drupal has evolved to adopt an API-first approach, facilitating headless and decoupled architectures where content can be accessed and delivered across multiple front-end platforms via robust APIs.

Licensing and Development

Drupal is distributed under the terms of the GNU General Public License (GPL), version 2 or later, which ensures that users have the freedom to run, study, share, and modify the software without any licensing fees. This open-source license applies to Drupal core as well as all contributed modules, themes, and files hosted on Drupal.org, promoting a collaborative ecosystem where derivatives must also be released under compatible open licenses. The development of Drupal is led by the Drupal Association, a non-profit organization dedicated to fostering the growth of the Drupal community and maintaining key infrastructure like Drupal.org. Contributions come from a global community of users and developers, with thousands of individuals and organizations actively participating through the platform's issue queues and Git repositories. The governance structure includes core committers, who collectively decide on improvements to Drupal core and manage code integration into release branches, alongside initiative leads who oversee specific development areas. Releases are coordinated via Git for version control and the issue queue system on Drupal.org for tracking bugs, features, and patches. To maintain code quality, Drupal enforces strict contribution guidelines, including adherence to coding standards, mandatory peer review for patches, and requirements for automated testing coverage. Contributors submit changes through the issue queue, where they undergo community feedback and testing before potential commitment by core maintainers. The Drupal Association sustains its operations and supports development through various funding sources, including organizational memberships, corporate sponsorships, and revenue from events such as DrupalCon conferences. These resources enable investments in community programs, infrastructure enhancements, and grants that bolster global participation in Drupal's evolution.

History

Origins and Early Development

Drupal was founded in 2000 by Dries Buytaert, a student at the University of Antwerp in Belgium, along with Hans Snijder, to address the need for a reliable internet connection and a simple communication platform among dorm residents. The project began as a basic message board website, initially without a formal name, intended to facilitate sharing updates and discussions within the dormitory. The name "Drupal" originated accidentally; Buytaert intended to register the domain "dorp.org" (Dutch for "village"), but a typo resulted in "drop.org," and later, drawing from the Dutch word "druppel" meaning "drop," the software was named Drupal in January 2001, pronounced "droo-puhl." The initial release, Drupal 1.0, arrived on January 15, 2001, as an open-source content management system built primarily on PHP, functioning as a straightforward bulletin board system with basic features like user roles, caching mechanisms, and initial taxonomy support via the meta.module. Early development progressed rapidly through versions 2.0 (March 15, 2001) and 3.0 (September 15, 2001), which introduced enhancements such as user ratings inspired by Slash, a karma/mojo system drawn from Scoop, forums, blogs, polls, database abstraction for improved portability, and a node-based content structure. By version 4.0, released on June 15, 2002, Drupal had evolved to include content versioning, hierarchical taxonomy, advanced caching for performance optimization, and support for the Blogger API, marking a significant milestone in its maturation as a robust web platform. As contributions from early users increased, Drupal transitioned from Buytaert's personal project to a collaborative open-source effort, with community-driven feature suggestions shaping its growth through the mid-2000s. 
This shift was exemplified by the first DrupalCon event, held February 24-25, 2005, in Antwerp, Belgium, which brought together around 45 developers for the inaugural Developer Sprint and marked the beginning of formalized community gatherings.

Major Version Milestones

Drupal's major version milestones reflect a progression toward enhanced usability, modern web standards, and developer efficiency, with releases emphasizing incremental improvements in content management and site building capabilities. Since Drupal 5, the project has adopted a structured release cycle featuring major versions every two years and minor feature releases approximately every six months, alongside monthly patch releases for bug fixes and security updates. Drupal 5, released on January 15, 2007, introduced a web-based installer that simplified setup for non-technical users, integrated jQuery for improved JavaScript handling, and standardized module information through .info files, enabling better dependency management and CSS aggregation for performance. Drupal 6, launched on February 13, 2008, built on these foundations by adding an update manager for in-site module and core updates, enhancing theme system flexibility with improved CSS and JavaScript aggregation, and bolstering accessibility through better semantic HTML and keyboard navigation support; its security support ended on February 24, 2016. Drupal 7, released on January 5, 2011, prioritized user experience with a revamped administrative interface featuring overlay windows and contextual links, an entity system that unified content handling across nodes, users, and taxonomy terms, and built-in mobile responsiveness via responsive themes like Seven; security support ended on January 5, 2025. The release of Drupal 8 on November 19, 2015, marked a significant architectural shift, incorporating Symfony framework components for robust routing and dependency injection, introducing configuration management for environment-specific settings via YAML files, and enabling RESTful web services natively to support decoupled and headless architectures; security support concluded on November 2, 2021. 
Drupal 9, issued on June 3, 2020, served as a direct, backward-compatible evolution from Drupal 8, removing deprecated code and requiring PHP 7.4 or higher to align with contemporary standards, while streamlining upgrade paths through automated tools; its security support ended on November 1, 2023. Drupal 10, released on December 15, 2022, advanced site provisioning with enhanced recipes for automated configuration imports, introduced experimental automatic updates for core and modules, and upgraded to CKEditor 5 for richer text editing with improved accessibility and plugin extensibility; security support extends until December 9, 2026. As of November 2025, Drupal 11, first released on August 2, 2024, with the current stable version at 11.2.8, refines structured content modeling with improved field layouts and reusable components, optimizes for PHP 8.3 and above for better performance and type safety, and enhances governance options like hook implementations as classes for modular extensibility.

Core Components

Modules and Themes

Drupal's core modules serve as built-in extensions that provide essential functionality for site management, content handling, user interactions, and system operations. These modules include key components such as the Node module for managing content entities, the User module for authentication and permissions, the Block module for layout placement, the System module for maintenance tasks, and the Views module for creating customized lists and displays of content. In Drupal 11, there are 65 core modules, enabling a modular architecture where administrators can selectively activate features without altering the core codebase.

Core themes define the visual presentation and user interface of Drupal sites, with two primary defaults in recent versions: Claro for administrative interfaces and Olivero for front-end user experiences. Claro offers a clean, accessible design based on the Drupal Design System, emphasizing usability in backend tasks. Olivero, introduced as the default front-end theme starting in Drupal 9.4, supports responsive layouts and modern aesthetics to enhance content display across devices. Both themes leverage the Twig templating engine for secure and flexible HTML rendering.

The lifecycle of core modules involves enabling or disabling them through the administrative interface at /admin/modules or via command-line tools like Drush, which allows efficient management with commands such as drush en modulename for enabling and drush dis modulename for disabling. During these processes, modules can implement hooks—predefined functions like hook_form_alter—to modify behaviors, such as altering form structures before rendering, ensuring extensibility without direct code changes.

Theme development in Drupal relies on the Twig engine for creating templates that separate presentation from logic, supporting preprocessors like SASS for advanced CSS organization and compilation into efficient stylesheets. Developers can create sub-themes that inherit from base themes like Olivero or Claro, overriding specific elements such as templates or CSS while retaining core styling, which promotes maintainable customizations.

Core modules and themes integrate seamlessly, with modules supplying structural and functional elements that themes render visually. For instance, the Layout Builder module enables drag-and-drop arrangement of blocks and sections, allowing site builders to construct dynamic pages whose output is styled by the active theme, such as applying responsive grids in Olivero. This synergy ensures that functional additions from modules are presented coherently without requiring custom coding for display.

Content Management System

Drupal's content management system (CMS) revolves around flexible entities that structure and store site data. Content entities, such as nodes for pages and articles, users for profiles, and taxonomy terms for categorization, form the foundation of content handling. These entities support customizable fields to accommodate diverse data types, including text, images, and media files managed through the File module. Administrators define content types by bundling these entities with specific fields, enabling tailored structures like blog posts or product listings without custom coding.

Authoring tools in Drupal facilitate efficient content creation and maintenance. The CKEditor 5 module, integrated into core as stable since Drupal 9.5, provides a modern WYSIWYG rich text editor for formatting content directly in the browser. Revision tracking is enabled by default for nodes, automatically saving new versions upon edits to track changes, log messages, and allow reversion to prior states. Core multilingual support via the Content Translation module allows authors to create and manage translations for entities and fields, sharing the same entity ID across languages for streamlined editing.

Editorial workflows enhance content governance with predefined states and transitions. The Content Moderation module, available in core since Drupal 8.4, extends basic published and unpublished states to include draft for in-progress work and archived for storage, managed through role-based permissions. Layout Builder serves as a visual tool for assembling pages, enabling drag-and-drop arrangement of fields, blocks, and sections directly on entity forms or displays.

Search functionality is powered by the core Search module, which indexes nodes, users, and taxonomy terms for keyword-based queries supporting AND/OR logic and exclusions. For enhanced performance, it offers integration options with external engines like Apache Solr through contributed modules such as Search API Solr. Scalability is supported by Drupal's Cache API, featuring bins for temporary data storage, tags for invalidation, and contexts for personalized caching, reducing database queries on high-traffic sites.

The administration interface centers on a unified dashboard, accessible upon login, which aggregates recent content, top tasks, and customizable widgets for quick navigation. It includes dedicated sections for configuration to adjust site settings, reports for monitoring updates and security, and extend management to install core modules like those enabling content features. This streamlined layout, refined in recent versions including Drupal 11, promotes efficient oversight without requiring advanced technical knowledge.

Localization and Accessibility

Drupal provides robust localization features to adapt its user interface and content for global audiences. The core Interface Translation module enables translation of the administrative interface and site strings using .po (portable object) files, which follow the GNU Gettext standard for handling translatable text. These files allow contributors to translate strings offline or via the web-based interface on localize.drupal.org, supporting over 100 languages out of the box. Additionally, Drupal includes built-in handling for right-to-left (RTL) languages such as Arabic and Hebrew, ensuring proper text direction, layout mirroring, and icon adjustments through language-specific configurations.

For more advanced multilingual capabilities, the contributed Internationalization (i18n) module extends core functionality to support translation of content, taxonomies, menus, and blocks. Core modules like Content Translation and Configuration Translation provide foundational support for creating multilingual content entities, translating URLs via path prefixes (e.g., /en/ for English), and enabling domain-based language negotiation for separate sites per language (e.g., en.example.com). The String Translation UI, integrated into core, offers an administrative interface for searching, editing, and importing translation strings, while Configuration Translation allows site-specific settings like block titles and view names to be localized.

Drupal emphasizes accessibility to ensure inclusive experiences for users with disabilities, aligning core themes with WCAG 2.2 AA guidelines. Default themes such as Olivero and Claro incorporate semantic HTML5 markup, required alt text fields for images to support screen readers, full keyboard navigation without mouse dependency, and ARIA landmarks for better assistive technology compatibility. These features promote perceivable, operable, understandable, and robust content, with core forms including skip links and focus indicators for efficient traversal.

To aid development and maintenance, Drupal includes tools like the core Configuration Translation interface for accessible setup and contributed modules such as Accessibility Toolbar, which adds an on-site toolbar for quick checks on contrast, font sizing, and link validation. In Drupal 11, enhancements include improved semantic HTML output for better screen reader support and integrated contrast evaluation tools within the theme builder, further embedding accessibility into the default experience.

Extending Drupal

Contributed Modules

Contributed modules form the backbone of Drupal's extensibility, allowing users to add functionality beyond the core without custom development. As of November 2025, over 54,000 contributed modules are available on Drupal.org, each developed and maintained by the community to address specific needs such as content querying, form handling, and URL management. Notable examples include Views, a query builder that enables the creation of customizable displays and lists from database content; Pathauto, which automatically generates SEO-friendly URL aliases based on node titles or patterns; and Webform, a robust tool for building complex forms to collect user-submitted data. These modules are hosted in the Drupal project's repository, where they undergo community review before release.

Installation of contributed modules can be accomplished through several methods, ensuring flexibility for different user expertise levels. The recommended approach for modern Drupal sites uses Composer, a dependency management tool, via the command composer require drupal/[module_name], which automatically resolves and installs dependencies while adhering to semantic versioning for compatibility. Alternatively, Drush, a command-line interface, allows installation with drush pm:install [module_name], ideal for scripted or server-based workflows. For simpler setups, the administrative user interface at /admin/modules permits direct installation by selecting and enabling modules, though this method is less suitable for projects with complex dependencies.

Best practices for adopting contributed modules emphasize security and compatibility to maintain site integrity. Before installation, conduct security reviews using tools like the Security Review module, which scans for common vulnerabilities such as SQL injection or cross-site scripting by implementing checks through classes that extend Drupal\security_review\Check. Compatibility checks are crucial, particularly verifying module support for the target Drupal version; for instance, Drupal 11 mandates PHP 8.3 or higher, requiring modules to align with this and other system prerequisites like PDO and JSON extensions. Administrators should prioritize modules with active maintenance, recent releases, and high adoption rates, as indicated by Drupal.org's usage statistics.

Several popular ecosystems built on contributed modules enhance Drupal for specialized use cases. The Commerce suite provides comprehensive e-commerce capabilities, including product management, shopping carts, and payment integrations, powering thousands of online stores. Paragraphs enables flexible content components by allowing reusable bundles of fields within nodes, facilitating advanced layouts without altering core entities. For decoupled architectures, the core JSON:API module—stabilized in Drupal 8.7—serves as a foundation, extended by contributed modules like Commerce API to expose e-commerce resources via RESTful endpoints compliant with the JSON:API specification.

Ongoing maintenance of contributed modules involves monitoring for updates and security issues to ensure long-term stability. Drupal's Update Manager module provides automated notifications for available updates through the admin interface at /admin/reports/updates, alerting users to new releases that address bugs or add features. Security advisories, issued by the Drupal Security Team, cover critical vulnerabilities in covered modules (those in stable status) and are accessible via Drupal.org's security portal, with automated feeds enabling proactive patching. Sites should enable maintenance mode during updates to prevent disruptions, followed by running database updates via Drush or the UI.

Themes and Distributions

Drupal's theming system allows for extensive customization of site appearance through contributed themes, which number over 3,000 and are hosted on the official Drupal project repository. These themes enable developers to apply responsive designs and integrate modern front-end frameworks without building from scratch. Base themes, such as Bootstrap, provide foundational structures like responsive grids using CSS frameworks, facilitating sub-theme creation for tailored implementations. Custom theme development leverages Twig templating for rendering HTML, combined with CSS preprocessors like SASS, to override core styles and ensure compatibility with Drupal's rendering pipeline.

The evolution of Drupal's theme engines has prioritized security and performance, transitioning from the PHPTemplate engine in earlier versions to Twig as the default starting with Drupal 8. PHPTemplate relied on PHP-embedded templates, which posed risks for code injection, whereas Twig introduces sandboxing, automatic escaping, and stricter separation of logic from presentation to mitigate vulnerabilities. This shift enhances developer productivity by supporting inheritance and macros, while improving site speed through compiled templates. Core themes, such as Stable and Claro, act as starting points for extending these capabilities.

Distributions in Drupal offer pre-packaged installations tailored to specific use cases, bundling core, contributed modules, themes, and configurations for rapid deployment. For instance, Commerce Kickstart provides an e-commerce-focused setup with integrated payment and product management tools. Open Social targets social networking and intranet sites, including features for user profiles, activity streams, and community engagement. These distributions serve as starter kits, accelerating development for sectors like nonprofits—where tools for donations and events are pre-configured—or media sites requiring multimedia handling and SEO optimizations. By including ready-to-use themes and settings, they reduce setup time from weeks to hours, allowing customization post-installation.

In Drupal 11, the introduction and enhancement of the recipe system further streamlines distribution-like setups through automated scripts that install modules, apply themes, and configure sites programmatically. Recipes enable instant feature additions, such as e-commerce bundles, without full reinstalls, with improvements in Drupal 11.1 focusing on flexibility and integration with Composer for dependency management. This approach modernizes traditional distributions, making them more adaptable to ongoing site evolution.

Technical Architecture

System Requirements and Stack

Drupal is built primarily using PHP, an object-oriented scripting language, with integration of the Symfony framework since Drupal 8 to enhance its architectural components such as routing, dependency injection, and event handling. For the latest version, Drupal 11 requires PHP 8.3 or higher. Compatible web servers include Apache 2.4.7 or higher and Nginx 1.1 or higher, both of which provide the necessary support for PHP execution on UNIX/Linux, macOS, or Windows environments. Dependency management is handled via Composer, with Drupal 11 requiring version 2.7.0 or newer to ensure secure and efficient package handling.

Drupal supports multiple database backends through an abstraction layer that promotes portability across systems, including MySQL 8.0 or higher (or equivalents like MariaDB 10.6), PostgreSQL 16 or higher (with the pg_trgm extension), and SQLite 3.45 or higher. Additional prerequisites encompass a minimum PHP memory limit of 64 MB (with 128 MB or 256 MB recommended for production sites featuring multiple modules) and essential PHP extensions such as PDO, XML, GD (for image processing), OpenSSL, JSON, cURL, Mbstring, and zlib. Server operating systems favor Linux for optimal performance and stability, though Windows is supported for development via stacks like WAMP or XAMPP. Overall server RAM should be at least 1 GB to accommodate Composer and site operations effectively.

For deployment, Drupal accommodates a range of hosting options from shared servers to dedicated environments, with specialized cloud platforms like Acquia Cloud and Pantheon offering optimized infrastructure, automated scaling, and Drupal-specific tools for enterprise use.

Database Abstraction and Caching

Drupal's database abstraction layer, built upon PHP's PDO (PHP Data Objects), offers a unified query API that enables developers to interact with various underlying database management systems without writing database-specific code. This layer abstracts common database operations such as SELECT, INSERT, UPDATE, and DELETE into a consistent interface, supporting systems like MySQL, PostgreSQL, and SQLite. By leveraging PDO's prepared statements, it enhances security against SQL injection and ensures portability across different database backends.

The Schema API complements this abstraction by allowing modules to define database tables, keys, and indexes through a structured PHP array, eliminating the need to write SQL dialect-specific CREATE TABLE statements. During module installation or updates, Drupal automatically generates the appropriate SQL based on the schema definition, handling differences in syntax and data types across supported databases. This approach promotes maintainability and reduces errors in schema management, as changes to the array propagate to the database via hook implementations like hook_schema() and hook_update_N().

For entity storage, the core Entity Field API provides a robust framework for performing CRUD (Create, Read, Update, Delete) operations on content entities, such as nodes, users, and taxonomy terms. This API abstracts the underlying storage details, allowing fields—whether simple text or complex structured data—to be attached to entities and persisted via the database abstraction layer. It handles loading entities with their associated fields, validating data, and saving revisions, all while integrating with the schema for efficient querying and indexing. The API's typed data model ensures consistency in how entity properties are defined, stored, and retrieved, supporting operations like entity queries for filtered retrievals.
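
The SQL injection protection attributed above to PDO prepared statements can be seen with plain PDO: the same hostile value changes a concatenated query but stays inert as a bound parameter. This is an added example, not Drupal core code; it assumes the pdo_sqlite extension is enabled, and the table, rows and function names are hypothetical.

```php
<?php
// Added illustration, not Drupal core code. Plain PDO on in-memory SQLite.
// Table, sample rows and function names are hypothetical.
declare(strict_types=1);

function demo_connection(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO users (name, mail) VALUES
        ('admin', 'admin@example.com'),
        ('alice', 'alice@example.com'),
        ('bob',   'bob@example.com')");
    return $pdo;
}

// Unsafe pattern: the value becomes part of the SQL text, so a quote
// character inside it can change the structure of the query.
function find_by_name_concatenated(PDO $pdo, string $name): array {
    $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the SQL text is fixed and the value is sent separately
// as a bound parameter, so it is only ever compared as data.
function find_by_name_prepared(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// IN (...) lists need one placeholder per value; the list itself is
// generated by the code, never taken from the input.
function find_by_uids(PDO $pdo, array $uids): array {
    $uids = array_values($uids);
    if ($uids === []) {
        return [];
    }
    $placeholders = [];
    foreach ($uids as $i => $_) {
        $placeholders[] = ":uid_$i";
    }
    $stmt = $pdo->prepare(
        'SELECT uid, name FROM users WHERE uid IN (' . implode(', ', $placeholders) . ') ORDER BY uid'
    );
    foreach ($uids as $i => $uid) {
        $stmt->bindValue(":uid_$i", (int) $uid, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders bind values only. Identifiers such as a sort column cannot
// be bound, so they are checked against a fixed allow-list instead.
function list_users_sorted(PDO $pdo, string $column, string $direction): array {
    $allowed = ['uid', 'name', 'mail'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    return $pdo->query("SELECT uid, name FROM users ORDER BY $column $dir")
               ->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demo_connection();
$hostile = "' OR '1'='1"; // constructed hostile input

printf("concatenated query matched %d row(s)\n", count(find_by_name_concatenated($pdo, $hostile)));
printf("prepared query matched     %d row(s)\n", count(find_by_name_prepared($pdo, $hostile)));
printf("IN list matched            %d row(s)\n", count(find_by_uids($pdo, [1, 3])));

try {
    list_users_sorted($pdo, 'name; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    printf("sort column rejected: %s\n", $e->getMessage());
}
```

The allow-list in list_users_sorted() covers the case prepared statements do not: table and column names cannot be bound, so they must never be taken from input unchecked.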
Drupal's caching system is designed to optimize performance by storing computed results of expensive operations, reducing database queries and rendering time on subsequent requests. The internal Cache API manages granular caching for elements like pages, blocks, render arrays, and configuration data, using cache bins to organize storage by context and invalidation needs. Cache tags and contexts enable precise invalidation: for instance, when content is updated, related cache entries are cleared automatically to maintain data freshness. Developers can extend this with contributed modules to integrate external backends, such as Redis for distributed in-memory caching or Memcached for object caching, which offload storage from the database and improve scalability in high-traffic environments.

A key feature for progressive page loading is BigPipe, integrated into Drupal core since version 8.1 and stabilized in 8.3. BigPipe streams the HTML response in chunks, delivering cacheable, static parts of the page first while deferring personalized or dynamic elements—like user-specific blocks—via JavaScript placeholders. This technique, inspired by Facebook's implementation, significantly reduces perceived load times by prioritizing above-the-fold content, with full support for cache metadata to ensure proper invalidation. In Drupal 8 and later, it works seamlessly with the render system, allowing lazy builders to compute non-critical components asynchronously after the initial page skeleton is sent.

Configuration management in Drupal relies on YAML (YAML Ain't Markup Language) files to store site settings, such as module configurations, views, and field definitions, in a human-readable, version-control-friendly format. Administrators can export the entire configuration to a directory of YAML files using Drush or the UI, facilitating synchronization across development, staging, and production environments. Import functionality then applies these files, overwriting or merging settings as needed, with tools like Configuration Split allowing environment-specific overrides. This system ensures reproducible deployments and tracks changes via Git, preventing configuration drift in multi-site setups.

In Drupal 11, enhancements to query optimization and internal caching further refine performance, particularly for API responses. Improved handling of database queries reduces execution times through better index utilization and query planning in the abstraction layer, while caching mechanisms for JSON:API and other endpoints now include more detailed response headers for cacheability metadata. These updates, such as refined Page Cache and Dynamic Page Cache headers, enable finer-grained control over expiration and variation, minimizing redundant computations in headless and decoupled architectures.

Community and Ecosystem

Contributors and Governance

Drupal's contributor base is vast and diverse, encompassing over 1.3 million registered user accounts on drupal.org as of 2025, which serve as the primary hub for collaboration and resource sharing. Active participation involves thousands of individuals annually, with more than 8,000 unique individual contributors recording efforts in code, documentation, design, and other areas during the 2024 period, representing a broad spectrum of skills and geographies. In 2024, total contributions to the Drupal project reached 203,738. Key roles within this ecosystem include project maintainers, who oversee the development and releases of modules, themes, and core components; reviewers, who evaluate proposed changes through patches and discussions in issue queues; and translators, who adapt interfaces and content into numerous languages to support global adoption. These roles ensure rigorous quality control and accessibility, with maintainers often coordinating multi-person teams to sustain project health.

The governance of Drupal operates under a transparent, distributed model designed to maintain the project's stability, independence, and openness, preventing any single entity from exerting unilateral control. This structure includes specialized working groups, such as the Security Team, which handles vulnerability assessments and advisories, and the Release Process team, which coordinates version updates and long-term support cycles. The Drupal Association, a nonprofit organization, oversees non-technical aspects like infrastructure and events through a 12-member Board of Directors; nine members are selected by a nominating committee, two are elected by association members, and one permanent seat is reserved for project founder Dries Buytaert. The board focuses on strategic direction, funding allocation, and community sustainability, while technical governance is managed by core committers and initiative leads.

Decision-making in Drupal emphasizes consensus-driven processes facilitated by the issue queues on drupal.org, where volunteers propose, debate, and refine changes through threaded discussions, patches, and peer reviews before integration into core or contributed projects. Major strategic initiatives, such as the API First effort to enhance Drupal's web services for decoupled architectures or the UX Initiative to improve administrative interfaces, are typically spearheaded by volunteer teams with input from the broader community via these queues. This collaborative approach allows for iterative improvements, with final approvals often resting with core committers or maintainers to uphold standards.

To foster an inclusive environment, Drupal has implemented diversity efforts including a formal Code of Conduct since 2010, which was updated in 2023 to strengthen commitments to respect, empathy, and harassment prevention across all interactions. The Code of Conduct, enforced by the Community Working Group, promotes participation from individuals of all backgrounds and identities, supported by conflict resolution teams and incident reporting mechanisms. These measures aim to create safe spaces for contribution, addressing barriers to entry for underrepresented groups in open-source development.

Prominent figures shape Drupal's trajectory, with Dries Buytaert serving as the project lead since its inception in 2001, providing overarching guidance on vision and trademark stewardship while deferring to community consensus on specifics. Organizational contributions are substantial, exemplified by Acquia, co-founded by Buytaert, which remains a leading sponsor of development efforts through dedicated teams working on core enhancements and ecosystem tools. Other agencies and companies, such as Chapter Three and Specbee, also play pivotal roles by funding maintainers and initiatives that align with enterprise needs.

Events and Resources

The Drupal community organizes a variety of events to foster collaboration, knowledge sharing, and skill development among users and contributors worldwide. The flagship event is DrupalCon, an annual global conference that has been held since 2005, featuring keynotes, sessions on development best practices, and networking opportunities for thousands of attendees. In 2025, DrupalCon Vienna took place from October 14 to 17 in Vienna, Austria, highlighting advancements in Drupal's ecosystem and including specialized summits for sectors like government and enterprise. Complementing these large-scale gatherings, local meetups occur regularly through Drupal user groups, such as the Drupal Cluj Meetup in Romania or Drupal Krakow in Poland, where participants discuss regional projects and troubleshoot issues in informal settings. Additionally, code sprints—intensive collaborative coding sessions—are hosted at events or virtually to accelerate module development and core improvements, often coordinated via the Drupal Groups platform.

Comprehensive documentation serves as a cornerstone for Drupal users, with the official Drupal Wiki guide on drupal.org providing detailed handbooks covering installation, administration, site building, and extending functionality through modules and themes. For developers, the API documentation at api.drupal.org offers an exhaustive reference generated from source code comments, detailing interfaces like the Cache API, Entity API, and Plugin API to support custom development. Published resources include books such as the Drupal 11 Development Cookbook by Kevin Quillen and Matt Glaman, which provides practical recipes for building dynamic websites and leveraging Drupal 11's features like improved performance and JavaScript integration.

Support channels enable users to seek help and share expertise efficiently. The Drupal.org forums host discussions on general topics, module-specific issues, and site administration, moderated by community volunteers to ensure constructive dialogue. Real-time assistance is available through Slack channels via DrupalChat and legacy IRC networks, where channels like #drupal or #drupal-support facilitate instant queries on topics from configuration to debugging. For structured Q&A, Drupal Answers on Stack Exchange serves as the primary site for technical questions, with over 50,000 posts tagged for specific Drupal versions and components.

Training resources include platforms like Drupalize.me, offering video tutorials and guides on site building, theming, and core concepts, developed by experts at Lullabot. Similarly, Lullabot provides in-depth courses on Drupal workflows and best practices through its training library.

Media outlets keep the community informed and inspired. The Talking Drupal podcast, hosted by seasoned contributors, explores topics like inclusive hiring, module development, and event recaps in weekly episodes. Newsletters such as those from Drupal.org and Acquia deliver updates on releases, security patches, and ecosystem news directly to subscribers. Case studies showcase real-world applications, such as The Economist's use of Drupal for robust content management and editorial workflows, enabling scalable delivery of global journalism.

Newcomers benefit from tailored resources to build foundational skills. The Drupal User Guide on drupal.org introduces core concepts like content types and permissions through step-by-step tutorials suitable for beginners. Interactive sandbox environments, such as those provided in training platforms, allow experimentation without setup overhead. Certification programs, including Acquia's Drupal certification exams, validate proficiency in areas like site building and development, with preparation materials covering approximately six hours of video instruction and practice questions.

Security

Core Security Features

Drupal core incorporates robust access control mechanisms to ensure that users can only perform actions permitted by their assigned roles. Role-based permissions allow administrators to define granular access levels, such as viewing, editing, or administering content, by assigning permissions to predefined or custom roles like authenticated user or administrator. This system extends to node access control, where core provides hooks for modules to implement fine-grained restrictions on individual content items without relying on external contributions.

To safeguard against common web vulnerabilities, Drupal emphasizes input validation and output sanitization. User inputs are not filtered upon entry to preserve data integrity but are validated against expected formats using the database abstraction layer to prevent SQL injection. Cross-site request forgery (CSRF) attacks are mitigated through integrated token-based protection in the routing system and Form API, requiring unique tokens for state-changing operations like form submissions or non-GET routes. For cross-site scripting (XSS), core filters outputs contextually: plain text is escaped with functions like check_plain(), while HTML is sanitized to allow safe tags and attributes, preventing malicious script injection.

Secure defaults form a foundational layer of protection in Drupal core. The Twig templating engine enables auto-escaping by default, automatically applying HTML escaping to variables unless explicitly marked safe, which significantly reduces XSS risks in themes. Passwords are stored as salted hashes using PHP's password_hash() function with bcrypt by default, incorporating a unique per-password salt to resist rainbow table attacks and comply with modern cryptographic standards. Additionally, core sets essential HTTP security headers, such as X-Frame-Options: SAMEORIGIN to prevent clickjacking, providing out-of-the-box defense without configuration.
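
Two of the protections described above, salted bcrypt password hashes and tokens required for state-changing requests, are shown below in plain PHP. This is an added example, not Drupal's own implementation; it assumes PHP 8.0 or later, and the class, function names, action strings and keys are hypothetical.

```php
<?php
// Added illustration, not Drupal core code. All names are hypothetical.
declare(strict_types=1);

// --- Password storage -------------------------------------------------

// password_hash() generates a fresh random salt on every call and embeds
// it, together with the algorithm and cost, in the returned string.
// Note that bcrypt only considers the first 72 bytes of the input.
function store_password(string $plain, int $cost): string {
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verifies a login and, if the stored hash was made with an older cost,
// returns a replacement hash so the record can be upgraded transparently.
function check_login(string $plain, string $storedHash, int $currentCost): array {
    if (!password_verify($plain, $storedHash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $newHash = store_password($plain, $currentCost);
    }
    return ['ok' => true, 'new_hash' => $newHash];
}

// --- CSRF tokens --------------------------------------------------------

// A token is an HMAC over the action it authorizes, keyed with a secret
// that mixes a per-session seed and a site-wide private key. A token is
// therefore only valid for one session and one action.
final class CsrfTokens {
    public function __construct(
        private string $siteKey,      // site-wide secret, never sent to the client
        private string $sessionSeed   // random value stored in the user's session
    ) {}

    public function get(string $action): string {
        $mac = hash_hmac('sha256', $action, $this->sessionSeed . $this->siteKey, true);
        // URL-safe base64 so the token can travel in a query string or form field.
        return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
    }

    public function validate(string $token, string $action): bool {
        // hash_equals() compares in constant time to avoid timing leaks.
        return hash_equals($this->get($action), $token);
    }
}

// --- Demonstration with constructed values -------------------------------

$password = 'correct horse battery staple';
$first  = store_password($password, 10);
$second = store_password($password, 10);
printf("same password gives different hashes: %s\n", $first !== $second ? 'yes' : 'no');

$login = check_login($password, $first, 12);
printf("login accepted: %s, hash upgraded to cost 12: %s\n",
    $login['ok'] ? 'yes' : 'no',
    $login['new_hash'] !== null ? 'yes' : 'no');
printf("wrong password accepted: %s\n",
    check_login('guess', $first, 12)['ok'] ? 'yes' : 'no');

$siteKey = random_bytes(32);
$userSession  = new CsrfTokens($siteKey, bin2hex(random_bytes(16)));
$otherSession = new CsrfTokens($siteKey, bin2hex(random_bytes(16)));

$token = $userSession->get('node/42/delete');
printf("token valid for its own action and session: %s\n",
    $userSession->validate($token, 'node/42/delete') ? 'yes' : 'no');
printf("token valid for a different action: %s\n",
    $userSession->validate($token, 'node/43/delete') ? 'yes' : 'no');
printf("token valid in a different session: %s\n",
    $otherSession->validate($token, 'node/42/delete') ? 'yes' : 'no');
```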
Update notifications are handled via the built-in Update Status module, which scans for available updates to core, modules, and themes during cron runs and displays them in the administrative status report. This proactive alerting, combined with secure upgrade paths through the Update Manager, enables administrators to apply patches via the user interface or Composer, minimizing exposure to known vulnerabilities.

In Drupal 11, core security is further strengthened with enhanced access control via the new Access Policy system for greater flexibility in permission assignments beyond traditional roles. Automatic updates become stable, allowing safer, background application of security patches to core components, while dependency updates like Composer 2.7.7 address upstream vulnerabilities. Session handling benefits from Symfony 7.x integration, improving encryption defaults for stored session data.

Vulnerability Management

Drupal's vulnerability management is primarily handled by the dedicated Drupal Security Team, a group of community volunteers who identify, assess, and resolve security issues in Drupal core and select contributed projects. The team operates under a structured process to ensure vulnerabilities are addressed confidentially and efficiently, minimizing exposure risks while enabling timely patches for users. This approach emphasizes coordinated disclosure, where issues are kept private until fixes are ready, aligning with industry best practices for open-source software security.

Vulnerabilities are reported to the Security Team through a confidential submission form on Drupal.org, allowing researchers and users to disclose potential issues without public exposure. Upon receipt, team members assigned to triage duty evaluate the report's validity, severity, and impact, often using criteria such as exploitability and affected components. For Drupal core, triage involves assessing whether the issue affects stable releases, which are supported for two minor versions at a time, while contributed projects must be opted-in with vetted maintainers to receive official coverage. Low-severity issues, such as those requiring administrative privileges or deemed unexploitable, may not result in formal advisories but are still documented privately.

Once triaged, the team coordinates with project maintainers to develop patches, providing guidance on secure coding practices outlined in Drupal's documentation. Patches are tested in a private Git repository on drupalcode.org before integration into public releases. Security releases for core occur on the third Wednesday of each month, with advance notice via Public Service Announcements for critical issues, ensuring site administrators can update promptly. For contributed modules, maintainers handle patching with team assistance, and advisories are issued only for stable releases (version X.Y.0 or higher) to avoid alerting potential attackers prematurely.

The disclosure process culminates in the publication of security advisories on Drupal.org, which detail the vulnerability, affected versions, resolution steps, and references to patches. Advisories are widely publicized through email lists, RSS feeds, and integration with tools like the Vulnerability Checker module, which scans sites for known issues. This system promotes transparency post-resolution, educating the community on risks and mitigations.

The team also maintains ongoing communication via IRC channels and Slack, fostering collaboration among volunteers. As of November 2025, the Security Team continues to evolve its procedures, with recent updates rescheduling release windows to accommodate community feedback.
