Bryan Ruby

Last week was a very frustrating time for me. For whatever reason, an unusually number of botnets decided to zero in on my Drupal site and created what I call an unintentional  Denial of Service attack (DOS). The attack was actually from spambots looking looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the target of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of "page not found" and "access denied" error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.

These type of attacks on Drupal sites and numerous other content management systems are nothing new. However, my search at Drupal.org as well as Google didn't really find a solution that completely addressed my problem. Trying to prevent a DDoS attack isn't easy to begin with and at first the answers alluded me.

I originally looked at Drupal for the solution to my problems. While I've used Mollom for months, Mollom is designed to fight off comment spam while the bots attacking my sight were looking for script vulnerabilities that didn't exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed model Bad Behavior. Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots then blocks such access and logs their attempts. I actually installed an "unofficial" version of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and utilizes services from Project Honey Pot.

As I had already suspected, looking for Drupal to solve this botnet attack wasn't the answer. Pretty much all Bad Behavior did for me was to take the time Drupal was spending delivering "page not found" error pages and use it to deliver "access denied" error pages. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool to help me reduce the botnets from overtaxing Drupal running on my server. Ideally, you would like to prevent the attacks ever reaching your server by taking a look at such things as the firewall, router, and switches. However, since I didn't have access to the hardware, I decided it was time to look at my Apache configuration.

A new version of CMS Made Simple was released this past weekend. CMS Made Simple 1.8 offers a number of new features to enhance performance not only of the website itself, but to make doing some mundane tasks faster and easier.

Some of the more significant changes in CMS MadeSimple include:

I continue to hear great things about EPiServer from Blend Interactive's Dean Barker and other folks in the CMS industry. Their accolades for this CMS is one of the reasons I decided to begin focusing on EPiServer here at the site.

Honestly, I don't know enough about EPiServer which is why some of the EPiServer fanboys have promised getting together with me sometime to talk about this platform.  Until my education is complete, I'm going to resort to cheap writing by using press releases and blogs to get some of my information out to you about EPiServer. For instance, lets see if this product announcement by EPiServer's marketing gets you interested to hear more about their products:

EPiServer announces the release of EPiServer Relate+2 , a product package for EPiServer CMS 6, which containsEPiServer Community 4 and EPiServer Mail 5. It also includes a sample website which shows how to combine these three products to build a powerful online community. In today’s conversation economy the ability to get involved in websites where users are free to create, organize and share know-how and experiences in the form of words, pictures and videos is becoming more prevalent and Relate+ makes it a seamless experience for community members, community owners and moderators.

Included is support for Open ID where users can use an existing login ID to sign into multiple websites. The same rich text editor found in EPiServer CMS, TinyMCE, is now used for writing blog posts and the MetaWeblog API is also supported, so users can use their favorite blog applications, such as iBlogger for the iPhone or Live Writer for Windows, when creating or editing blog posts. In combination with blog syndication and ping/ pingbacks, Relate+ is a full-fledged blog engine.

A new version of our favorite Ruby on Rails CMS has been released, Radiant CMS 0.9.0. Obviously, I spoke a little too soon last October when I announced that 0.9.0 was coming soon. Each open source community has their own pace and time-line for releasing the release candidates of their software. In retrospect, I should have noted that Radiant CMS developers like to take their time in making sure the Radiant releases are at a level of quality and stability they're comfortable with before releasing the final versions to the general public.

In case you haven't heard, WordPress 3.0 was released last week. This is probably the first time I've been behind in blogging about the official release of a new major version of WordPress. However, since I told you all about WordPress 3.0 coming soon a couple weeks ago, I felt there wasn't a need to rush and tell you to go get WordPress 3.0 and try out all it's new features including taxonomy and multiuser integration. Instead, I spent this past week seeing how others reacted to WordPress 3.0.

As a fan of open source content management systems, its been rather pleasing to see some of the larger technology publications spend more time talking about applications like Drupal, Joomla, and WordPress. For the tech press, WordPress 3.0 was no exception with some of the major players such as Computerworld, PCWorld, and TechCrunch all making sure they spin out an article reviewing this latest version of WordPress.

What may surprise you though, is that open source CMS is just not an interest of computer geeks. Slowly but surely, open source CMS is the talk of business folks too. For example, both Fast Company and BusinessWeek made sure that they included articles this past week on WordPress 3.0. In the Fast Company article, Francine Hardaway writes some classic things to why business should pay attention to WordPress. Some of my favorite lines from her article, "6 Reasons Small Businesses need WordPress":

• "WordPress can do anything you need it to do, and for a small business, that's a gift usually reserved for expensive sites."
• "Plug-ins for WordPress are the business-to-business version of apps for the iPhone."
• "WordPress no longer looks like a blog. For small businesses who wouldn't know a blog from a bag of potato chips, WordPress is a website, otherwise known as a content management system."

These are all some fantastic words from Hardaway and I think they show that applications such as WordPress are making a significant impact in the business world. I wouldn't call WordPress an ECM, but it most definately walks and talks like a CMS for the small business folks. If you haven't taken a look at WordPress in quite awhile, I'd encourage you to take a new look at this application.

Below is the summary video from the WordPress folks introducing you to WordPress 3.0. Enjoy.

Umbraco, an open source CMS based on Microsoft's ASP.NET, has announced the availability of Umbraco 4.1RC. The Umbraco Core Team of developers calls this version of their CMS as "the biggest update to Umbraco" ever. This release candidate for Umbraco 4.1 is packed with a laundry list of improvements in performance and stability as well as some new features.

New and improved features:

• Enhanced preview. Browse your entire site as it looks in the future, including out-of-the-box support for all XSLT and NodeFactory based macros
• SpellChecker. With support for more than ten languages out of the box!
• LINQ 2 Umbraco. More a .NET Developer than an XSLT guru? You can access data via the all brand new .NET LINQ API
• Examine. Ultra performant and stable index-based search engine. With a fluent API that developers will love
• New XML Schema. Not only more performant, but makes it easier to understand your data and adds future support for Intellisense in Visual Studio!
• Improved DLR support. Faster than ever and with support for Ruby too!
• New Datatypes: Image Cropper for editor friendly image manipulation and Macro Container for easily handling of feature areas. (Needs to be manually created in the data type section in the RC)
• Improved Mediapicker: Preview and advanced dialog with upload is now a part of the default MediaPicker (needs to be activated on the datatype in the RC)
  

As much as I talk about Drupal here at CMS Report, I often don't talk about Drupal point releases that provide solely security and bug fixes and no new features. Every once in awhile though there is a new version of Drupal 6 that has been especially polished by Drupal's developers. Drupal 6.17 is one of those releases which contain significant changes I think are worthy a mention.

I'm probably most excited about the improvements made in Drupal 6 for better PHP 5.3 compatibility. A couple weeks ago I tried upgrading my server to PHP 5.3 and there were just too many annoying errors showing up in the Drupal 6 system logs.  I'm hoping with Drupal 6.17, I have better luck this time around (currently running this Drupal 6 sites with PHP 5.3).

With over 55 patches committed to improve Drupal 6, the following are the highlights of changes included in Drupal 6.17:

• Improvements of session cookie handling
• Better processing of big XML-RPC payload
• Improved PostgreSQL compatibility
• Better PHP 5.3 and PHP 4 compatibility (my fingers are crossed)
• Improved Japanese support in search module
• Better browser compatibility of CSS and JS aggregation
• Improved logging for login failures
• An incompatibility of Drupal 6.16's new lock subsystem with some contributed modules was also resolved

The latest version of Drupal may be downloaded from the project page at Drupal.org. Whether you're new to Drupal or currently maintaining a Drupal site, this latest release of Drupal is a clear indication that there is plenty of life and plenty of development taking place with the Drupal 6 release. Now what other Drupal 6 sites do I have that still need this upgrade to Drupal 6.17.

During the final days of May, the first release candidate for WordPress 3.0 was released to the public. In the world of WordPress, when a version of the popular blogging application becomes a release candidates it means that the official version of WordPress isn't too far behind.

What’s an RC? An RC comes after beta and before the final launch. It means we think we’ve got everything done: all features finished, all bugs squashed, and all potential issues addressed. But, then, with over 20 million people using WordPress with a wide variety of configurations and hosting setups, it’s entirely possible that we’ve missed something.

So what are the new features that will be included in WordPress 3.0. Personally, I'm excited about improvements in custom taxonomy and the merging of standalone WordPress with WordPress Multi-User code which WordPress is calling Multisite. Some of the highlights of WordPress 3.0 include:

• New menu management feature
• New theme "Twenty Ten" is the only theme in the WordPress distribution.
• Improved child theme support; child theme use is highly encouraged and as described in the Child Themes article, very simple to accomplish
• New comment_form() that outputs a complete commenting form for use within a theme template
• Expanded contextual help
• All importers moved to the plugin repository (e.g. WordPress Importer)
• Custom backgrounds for themes
• The Default (Kubrick), and Classic themes, are no longer included in the WordPress distribution, but are available in the Theme repository
• Bulk theme update ability
• Improved custom post types (try the Custom Post Type UI or GD Custom Posts And Taxonomies Tools plugins to see the possibilities)
• Improved custom taxonomies including hierarchical (category-style) support (again, try the Custom Post Type UI or GD Custom Posts And Taxonomies Tools plugins)
• Standalone WordPress and WPMU code merged and is called Multisite (Note: extra domain stuff remains plugin territory for this version)
• Multisite requires wp-config.php file changes to institute

Below the fold I've also included a video from WordPress.TV on WordPress 3.0 multisite.

Perhaps because I like to think of myself as a constant learner, I like to keep keep my eyes open for what is happening with learning/course management systems. CMS Report has been covering Moodle since the early days of our website and I believe it to be one of the more popular open source LMS out there. Moodle 2.0 is currently under development and with an estimated release date of July 20, 2010.

Although Moodle 2.0 hasn't been officially released, the developers did reach important milestones this month with the release of Moodle 2.0 Preview 1 and  Preview 2. These previews give you an idea just how all the new features and improvements are coming together for the next release of Moodle. There are a ton of new features and improvements coming to Moodle to be excited about. Below is a list of major new features we've gleamed of the Moodle 2.0 release notes.

• Community Hubs - Anybody can set up a Community Hub, which is a directory of courses for public use or for private communities. The code is implemented as separate GPL plugin for Moodle.
• Repository Support - Moodle now supports integration with external repositories of content, making it really simple to bring documents and media into Moodle via an AJAX interface that looks like a standard Open dialogue in desktop applications.
• Portfolio Support - Modules can now export their data to external systems, particularly useful for portfolios where snapshots of forums, assignments and other things in Moodle are useful to record in a journal or a portfolio of evidence
• Completion -  Teachers can now specify conditions that define when any activity or course is seen as completed by a student.
• Conditional activities - Access to activities can be restricted based on certain criteria, such as dates, grade obtained, or the completion of another activity.
• Cohorts - Also known as "Site-wide groups", these are site-wide collections of users that can be enrolled into courses in one action, either manually or synchronized automatically
• Web Services Support - Support for standards-based web services across the entire Moodle code base, allowing the admin to expose particular functions of Moodle for use by: 1) Administrative systems such as HR or SIS applications and 2) Mobile clients.
• IMS Common Cartridge - Moodle can now import courses in IMS Common Cartridge format (commonly used by publishers)
• New blocks - Comments block, Private files block, Community block, and Completion block.

Moodle 2.0 Preview 2 can be dowloaded from the Moodle download server.

After two years of spam protection by Mollom people are beginning to proudly show off their ham/spam stats. Davy Van Den Bremt over at Drupal coder writes:

If you're happy about Mollom, just shout it out on Twitter, Facebook, your blog, ... by putting up a screenshot of your stats and saying how many spam has been caught by Mollom. You can find the stats of your site on your Mollom account. If you're using Drupal, you can find them under Administer > Reports > Mollom Statistics.

If you're using Twitter, use the hashtag #mollomstats. I'm looking forward see how much crap content Mollom has spared us from.