phpstan-drupal 2.1.0 is out. The theme of this release: rules and behaviors that proved themselves as opt-ins are now the defaults. If you run `composer update` and see new errors, that is the release working as intended - everything below includes the configuration to opt back out.
Nine rules are now enabled by default
These rules shipped as opt-ins over the 2.0 cycle. They have had time to bake, and they catch real bugs, so they no longer require configuration:
Join us THURSDAY, July 16 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)
We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!
All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.
This free call is sponsored by NTEN.org and open to everyone.
Boerland links his board candidacy to a question now facing Drupal: how the project can expand institutional support without narrowing the path for contributors, local communities, and site owners.
Got your Drupal website up and running but haven't figured how to maintain it? Read to find out how you can optimize your site and make it future-ready.
Drupal site security rarely stops at core and module updates. Canonical's survey shows why package provenance, Linux maintenance, and patch ownership remain part of delivery risk.
Today we are talking about Content, syndication, and Synchronization between Drupal Sites with guest Thiemo Müller. We'll also cover Drupal core 11.4 as our module of the week.
Are you excited for a feature release of Drupal core that delivers even more performance acceleration, a modernized developer experience, and a slew of administrator and editor improvements? Drupal core 11.4 delivers all that and more
When Drupal 11.3 was released, we talked about what a massive performance jump it represented, the biggest improvement in a decade. 11.4 has done it again! Database queries are reduced by half, across a range of requests due to optimizations in how entity fields are loaded. Overall, that represents a nearly ⅔ improvement for database and cache lookups on a cold cache compared to Drupal 11.0 or 10.6
Entity listing queries have also been refactored to use fewer table joins, reducing slow queries. Additionally, the link field introduces a resolvable_uri property and token, which returns a ready-to-use front-end link (like /#main-content) right out of the API instead of raw internal URIs, which will be a huge benefit for anyone using Drupal for decoupled and JSON:API-based use cases
Applying recipes in Drupal 11.4 is significantly faster, reportedly twice as fast, and that includes installing Drupal CMS
Drupal now supports Brotli compression, which should yield 15-25% better compression of CSS and JS assets
Security
Drupal 11.4 offers a new password hashing algorithm, argon2id, that will become the default in Drupal 12 later this year
Also, the drupal/core-recommended package no longer strictly locks minor versions for critical dependencies like Guzzle, Twig, or Symfony Polyfills, making it easier to immediately receive important security updates
Drupal's default robots.txt now blocks well-behaved search crawlers from indexing search queries, helping to solve a potential source of traffic overload on sites using faceted search
Developer experience
There's been a significant shift towards the adoption of PHP Attributes in recent Drupal releases, and 11.4 is no exception
You can now define application routes directly within your PHP controller and form classes using the Symfony #[Route] attribute. This drastically reduces the need to jump back and forth into *.routing.yml files
The new #[Bundle] attribute allows developers to define bundle classes directly, eliminating the need to write old-school entity_type_info or entity_type_info_alter hook implementations.
All core .theme and .theme-settings.php files have been moved entirely to PHP classes. Support for legacy .theme files will be dropped in Drupal 13. Furthermore, dozens of core .module files have been fully converted into clean PHP classes
Front controllers now leverage the symfony/runtime component to isolate bootstrapping logic from request handling, preparing the Drupal core architecture for advanced environments like FrankenPHP, known for its blazing-fast performance, among other features
Drupal 11.4 introduces a native, extensible command-line tool (./vendor/bin/dr) built in partnership with Drush maintainers. This kicks off a transitional period where Drush commands will gradually be migrated to the core native binary
Also, the new HttpKernelUiHelperTrait for kernel tests lets developers make mock HTTP requests and assertions without running the full Drupal site installer. This allows many traditional browser tests to be rewritten as much faster kernel tests
Editor experience
Drupal 11.4 includes the new Default Admin theme, a version of the popular Gin admin theme, now in core
The Navigation module is now enabled by default, replacing the legacy toolbar
CKEditor once again has a fullscreen button available without a contrib add-on, allowing editors to fully immerse themselves in a WYSIWYG element's content, great for working on long-format pieces
Deprecations
The initial 11.4.0 release actually removed a number of core recipes. They were since restored in an 11.4.1 release, but they are deprecated and will be removed from Drupal 12
Also on their way out are a number of modules, including Ban, Contact, Field Layout, History, Migrate Drupal and its UI, Search, Settings Tray, Shortcut, Telephone, Toolbar, and a flag module called layout_builder_expose_all_field_blocks. For themes, Claro, Stable 9, and Olivero are all deprecated, and will be moved from core. We'll include the meta issue about these deprecation in the show notes, and if any of these are important to you, it's worth tracking where they are on the path of moving to contrib
This is the second and final part of a two-part guide to building a component-based corporate website with Drupal Paragraphs. Turn the bare components from part 1 into a flexible, production-grade library with color variants, responsive layouts, spacing controls, conditional fields, and admin UX.
Add style variants with CSS custom properties and Paragraphs behavior plugins, build mobile-first responsive layouts, give editors margin and padding controls, and polish the admin experience with Gin, conditional fields, and smart defaults.
Recent Drupal news fits inside a wider question Dries Buytaert raised in his blog post, License-only versus Stewarded Open Source: what turns code that is merely available into infrastructure people can depend on? The distinction is useful because this week's updates are not only about individual announcements. They show the work that sits behind dependable open source: governance, maintenance, security response, shared knowledge, and long-term care.
The 2026 Drupal Association at-large board election brings that work into the governance layer. One community-elected seat on the association's board is now moving through its election cycle, giving individual members a direct role in how Drupal's institutional support is represented. In a project where technical decisions and community structures constantly shape each other, governance is not a background process. It is part of how shared infrastructure is kept accountable.
The same distinction between availability and dependability appears in the ten contributed-project security advisories published on 8 July 2026. Four were rated Critical. Three direct site owners to uninstall unsupported projects, while the fourth addresses SQL injection in Location Selector. Unsupported projects may still exist in repositories and production sites, but that does not make them safe to keep using.
For site teams, the response is practical rather than abstract. Affected modules need to be identified, fixed releases need to be applied where available, and unsupported projects without advisory-listed fixes need to be removed. This is the maintenance layer of open source that rarely attracts attention until something breaks.
ECA crossing 20,000 reported Drupal site installations shows the same issue from the maintainer side. The Event-Condition-Action module allows site builders to model workflows through events, conditions, and actions instead of relying on custom glue code. Adoption at that scale is not just a usage milestone; it changes the weight of future commits, API decisions, and compatibility promises.
In a written response to The DropTimes, project co-founder Jürgen Haas said the milestone changes how he thinks about maintenance responsibility. That is the cost of relevance in practical form. Once a module becomes part of thousands of working sites, its maintainers are no longer only improving a tool. They are helping support a piece of shared infrastructure.
The week's event deadlines extend the same theme into community programming. Pacific Northwest Drupal Summit 2026 is accepting proposals ahead of its October event in Vancouver, British Columbia, while DrupalCamp Italy 2026 has extended its Call for Papers to 31 July 2026 for its one-day camp in Bologna. Event programmes are another support structure for the ecosystem because they turn project work, lessons, failures, and experiments into knowledge others can use.
Taken together, these updates make a selected but coherent brief. They are not the whole week in Drupal, and they are not a ranking of every important story. They are a thread through the work that keeps open source dependable after the code is released: electing representatives, closing security gaps, maintaining widely used modules, and making room for contributors to share what they are learning.
This is part 1 of a two-part guide to building a component-based corporate website with Drupal Paragraphs. By the end of the series you'll have a library of 10-12 universal paragraph types with style variants, responsive layouts, and editor-friendly spacing controls.
Plan a reusable component library, set up the Paragraphs module, and build Hero, Text + Image, and Feature Grid paragraph types with Twig templates and CSS.
At DrupalCon Rotterdam 2026, AI takes its place at the heart of how modern Drupal platforms are built, integrated, and scaled. The Development, AI & Agentic Architecture track puts that front and centre-focusing on complex architectures, automation, and intelligent systems in real-world environments.
This is not about hype. It's about what's already changing.
AI is moving from experimentation to everyday use-powering intelligent search, automating workflows, enabling personalization, and supporting content creation. It's reshaping how digital teams operate and how platforms deliver value.
But with that power comes responsibility.
In the Drupal ecosystem, AI is being approached with a clear focus on privacy, transparency, accountability, security, resilience, and human control. This is where the conversation gets real-and where Drupal stands out.
From possibility to practice
At DrupalCon, the key question isn't just what AI can do. It's how to use it effectively in complex, production-ready environments.
Teams are actively exploring:
How to integrate AI without introducing unnecessary complexity
How to protect data while maintaining performance and scalability
How to ensure systems remain transparent, governed, and maintainable over time
These are not theoretical challenges-they're critical decisions shaping the next generation of digital platforms.
Why Drupal leads this conversation
Drupal provides a unique foundation for making AI practical.
Here, AI is not explored in isolation, It's applied within structured content models, complex workflows, deep integrations, and strong governance frameworks-all backed by open-source principles.
For attendees, this makes AI more than a trend. It becomes a tangible, actionable part of modern Drupal delivery.
Be part of what's next
DrupalCon Rotterdam 2026 is where AI moves from idea to implementation.
If you want to understand how intelligent systems are being applied in real Drupal projects-and how to use them responsibly and effectively-this is where the conversation happens.
- Article by Daniela Moreira.
🎟️ Join Us at DrupalCon Rotterdam 2026
Continue the conversation at DrupalCon Rotterdam 2026, where the Development, AI & Agentic Architecture track explores the technologies, strategies, and decisions shaping open digital ecosystems.
Step debugging is one of the first things every developer should master in any language or environment, and it's my opinion that it's just as fundamental as version control. With DDEV, getting Xdebug working with PhpStorm takes less than five minutes and no php.ini fiddling. This screencast shows the whole thing on a TYPO3 project, start to finish.
Setting a breakpoint at the entry point of a TYPO3 project
Telling PhpStorm to listen for PHP debug connections
Enabling Xdebug with ddev xdebug on
Stepping over (F8) and stepping into (F7) code as a page loads
The Steps
Install the DDEV Integration plugin from the PhpStorm marketplace (not required, but it handles most of the setup for you)
Set a breakpoint
Tell PhpStorm to listen for PHP debug connections
ddev xdebug on
Visit the page - PhpStorm stops at your breakpoint automatically
That's it. No manual php.ini changes, no fussing with host.docker.internal, no separate Xdebug install.
Works the Same Everywhere
This screencast uses PhpStorm, but the same setup works identically with VS Code, on Linux, and on Windows with WSL2. If you're setting up a new machine, see:
Xdebug is created and maintained by Derick Rethans. He's been maintaining it for 20+ years. Send money to the Xdebug project!. The DDEV Foundation supports it as an upstream project, you can too.
Learn More
Full details on DDEV's Xdebug integration, including troubleshooting, are in the DDEV documentation.
If you have questions, reach out in any of the support channels.
Accessibility failures often surface after budgets, architecture, and delivery plans are already fixed. Mike Gifford argues that public agencies can reduce that pattern by contributing fixes upstream.
Editors often rely on developers for simple display variations. ERVMS moves those decisions into the editorial workflow without changing Drupal's existing display architecture.
Drupal Anti-Spam: NoBotIQ vs CAPTCHA, Honeypot, CleanTalk, and Other Solutionsadmin
Hi friends! It's been a while since our last article, and you might have been wondering when we'd be back with something new. Thanks for your patience-we're excited to return with a fresh topic that many Drupal site owners, marketers, and developers deal with on a regular basis: spam. Drupal websites can be secure, flexible, and high-performing. But there is one issue that keeps bothering site owners, marketers, and developers again and again. It is spam.
Spam is no longer only about strange messages in a contact form. Today, it can mean fake registrations, low-quality leads, disposable emails, bot-driven submissions, and AI-generated junk content. All of this creates extra moderation work, pollutes your CRM, and wastes your team's time.
That is exactly why Drupal anti-spam protection matters much more now than it did a few years ago.
Near the end of most Open Source licenses, usually in capital letters, sits a clause that disclaims almost everything: no warranty, no liability, use at your own risk.
For an organization that depends on that code, the clause is harsh. If the code fails and takes your data or revenue with it, the license owes you nothing. No fix, no refund, and no one to explain what went wrong.
That is the license doing its job. It makes the code available and protects the people who share it. Without that protection, sharing code could become a gift that backfires: a generous act turned into unlimited legal risk.
But the license can only answer the legal questions: who may use the code, on what terms, and what risk the authors are willing to accept. It cannot tell you what kind of Open Source project you are working with.
Some Open Source is "License-only Open Source": code released under an Open Source license, without active stewardship or any promise of ongoing care. There is no guarantee of updates, fixes, security response, or long-term support.
Other Open Source is "Stewarded Open Source": code cared for as shared infrastructure. Maintainers review contributions, fix bugs, respond to security issues, manage releases, provide long-term support, and much more. Organizations fund maintainers, support core development, donate infrastructure, and absorb costs end users never see.
Both types of projects are Open Source, but they are not the same. A weekend hobby project and business-critical software can ship under the exact same license. Legally, they look identical. Practically, they are worlds apart.
The difference is stewardship. The license makes code available; stewardship makes it dependable. And the more people or organizations depend on a project, the more stewardship it often requires.
Responsibility is the tax on relevance.
Distinguishing license-only from stewarded Open Source gives us the vocabulary to describe two very different realities that the words "Open Source" alone do not capture.
For example, the distinction becomes useful when we talk about contribution. If a company depends on Open Source, should it give back?
For license-only Open Source, the answer can be simple: no one is required to contribute, and that is the point. The code was shared freely, without a promise of care or an expectation of return.
Stewarded Open Source is different. The license may still require nothing, but the work does not happen for free. Someone is paying to keep your code usable, secure, and available. When you depend on that work, the question is not only what the license allows, but who helps carry the responsibilities beyond what the license requires.
The license says use at your own risk. Stewardship is what happens when people decide you should not have to.