Skip to main content

The Curse of the Haunted Drupal Site, Revisited!

October 31, 2018
Body paragraph

Ten Halloweens ago I shared a story of Drupal haunting. The post survives only in the faint afterlife of's Wayback Machine, having long since disappeared from the site of CivicActions where I was working at the time, so I thought I'd reprise it here. First, the original post. Then some notes on what's changed in the years since--and what remains chillingly accurate.

The Curse of the Haunted Drupal Site!

It's a specter ghastly enough to make the most seasoned Drupal developer quiver with fear.

Yes, it's the dreaded Haunted Drupal Site!

Oh, it may appear innocent enough on the surface. Just a typical business or organizational website that perhaps you've been asked to upgrade or enhance. But don't be fooled--lurking beneath the surface is a host of nasty surprises just waiting for the developer naive or foolish enough to venture in.

By what signs can you recognize the beast? What dreadful acts awakened the accursed spirits that now haunt this site? What mantras or talismans can protect you from inadvertently bringing the curse upon yourself?

Read on to find out.

The Tell Tale Signs of the Haunted Site

The signs may be subtle, even invisible to the casual observer. But to the initiated, there are sure signs by which the Haunted Site can be identified.

As with any case of detection, it's important to watch out for seemingly unimportant details.

Perhaps you find that the site is using a very old release version--Drupal 5.2, even though the current stable release is much later than that. A mere oversight? A mere detail, easily addressed through a routine update? Possibly. But, more likely, it's your first sign that all is not as it appears beneath the tranquil home page.

Or else you're exploring the site and try to do some familiar task, something you've done a thousand times on any number of Drupal sites. You try again and again, incredulous, but every time you get the same mysterious error. Impossible! This can't be true!

Oh, but it can. On the Haunted Drupal Site, all your assumptions are wrong, for nothing is as it appears.

Or perhaps you hear a seemingly casual remark like the following: "The previous developers may have applied a patch or two here and there." A "patch or two"? Don't believe it for a minute. No, you have received almost definitive notice of haunting.

What to do? It's time to reach for the tools that will reveal the worst. Yes, I mean diff. Nothing short of a full diff of the site's codebase will suffice to reveal the full scope of the beast.

How the Haunting Began

The truth is, most hauntings begin with the best of intentions.

Like an Egyptologist, an intrepid developer sets out to delve into secret places--in this case, the mysteries of the Drupal codebase. Perhaps she or he pauses a moment in amazement, dazzled with the complexity brought to light.

But who among us would not feel the temptation at this moment to touch the artifacts, to move them, even to leave our own mark?

Yes, there are professional mores that call for caution, for tedious processes of step by step excavation, for patient consultation, for publishing of results.

But how much quicker and more rewarding it seems simply to reach in and rearrange. In only a moment the change is made. No one need ever know.

Ah, but that moment has been enough--enough to awaken both the first hints of haunting and - more importantly - the thirst for instant treasure.

The next time there's a need for a quick fix, the lure will be harder to resist. What began as "a patch or two, here and there" can soon mushroom into a tangled web of changes--a labyrinthine maze that even the original site developer is quickly lost in.

Protecting Yourself from the Curse

How to ensure you don't get stuck in the Haunted Site?

It's not enough to be able to detect the curse where it exists. Sure, detecting the Haunted Drupal Site can help us avoid taking on a losing struggle with a dangerous foe. But it won't protect us from our own failings, or the dark passages we may ourselves be tempted by.

As with any secret knowledge, one approach is avoidance--look not in the source code and ye shall never be tempted.

But the path of avoidance is fraught with its own perils. No, our surest way is not to avoid the secrets of the codebase, but rather to immerse ourselves in them. Not to hack away and bear off treasures, but to learn, improving our collective knowledge, and restore the artifacts of our predecessors with the same care that went into their original construction.

Then the open, expansive spirit of Drupal will not haunt, but will infuse our work with the energy of creation that flows through all of us.

An energy that will stick with us long after the Trick or Treaters have gone home.

The Curse Revisited!

Okay, that was the state of haunting ten Halloweens ago. What shades still lurk in the Drupal realm?

On the plus side, we now have far more to work with than garlic and wooden stakes. Less than a year after my Halloween musings, Dmitri Gaskin (dmitrig01 on posted the first iteration of Drush Make, a magical system that could conjure an entire code base using spells encoded in a simple text file. For a site or Drupal distribution built and maintained with Drush Make no divination rituals are required--each patch and module version is meticulously documented in the sacred Drush Make File.

At least in theory. In practice? Any number of sites begun with excellent intentions soon diverged from the make file's specification. A contributing factor was that Drush Make was focused on building a code base more than on maintaining one. Efforts like Drush Make Sync to extend Drush Make for ongoing development were valiant but ultimately fated for the graveyard of undead code.

With Drupal 8, focus shifted to a fresh spellbook as Composer promised a new era of certainty in which code demons and hauntings were forever banished. But the transition to a new spellbook was anything but smooth. Even now, years later, Drupal distributions are stuck in the netherworld between a bygone Drush Make and the elusive realm of Composer. And who among us has not had a Composer spell go awry, springing back at us with some cryptic message of censure?

And, sadly, the best spells do nothing if not spoken. Just this month an organization (no sorcery will wrest from me its name!) contacted us to help with a Drupal site that, ostensibly, needed little more than a few simple tweaks. Oh, and--brace yourself for that portentous phrase, here innocuously dangled in a bulleted list: "update site".

Yes, yes, it was just as bad as it sounded. Drupalgeddon 2 may have come and gone, but this site remained suspended in a past state where the creaky gate was off its hinges and demons drifted in and out at will.

Proving once more that times and spellbooks may change but the challenges of keeping up--those continue their frightening reign.