fidzu : Drupal

In the first part of a new TDT tutorial series, Jeff Greenberg explains why taxonomy audits belong in the planning phase-not post-migration QA. Using real-world insights from Drupal 7 upgrade projects, he shows how proactive analysis reduces friction, errors, and cost during multilingual or complex site migrations.

19 Nov 2025 4:48pm GMT

18 Nov 2025 3:43pm GMT

drunomics Celebrates Sinduri Winning the Women in Drupal Award

oliver.berndt Tue, 11/18/2025 - 09:50

18 Nov 2025 8:50am GMT

Want a faster Drupal site? Start with your images. In this guide, you'll learn the smartest ways to optimize, compress, and deliver images on your site without losing quality.

18 Nov 2025 6:00am GMT

18 Nov 2025 2:36am GMT

18 Nov 2025 2:36am GMT

DDEV is designed so that most people never have to change the configuration of their local workstation, and that includes not having to edit their hosts file. All the details are in DNS Name Resolution and Wildcards.

However, one particular brand of router, the Fritz!Box, has a different DNS configuration than most other routers, and it includes DNS Rebinding Protection that blocks local development domains.

TL;DR: If you use a Fritz!Box router, add ddev.site to the router's DNS Rebinding Protection exceptions.

The Problem

When you first set up DDEV with a Fritz!Box router, you might encounter a failure to resolve the domain name when trying to access your *.ddev.site project, even though your site is accessible via the 127.0.0.1 direct URL given in ddev describe. This happens because Fritz!Box routers enable DNS Rebinding Protection that suppresses DNS responses pointing to your own network.

What is DNS Rebinding Protection?

DNS Rebinding Protection is a security feature that guards against a sophisticated attack technique. In a DNS rebinding attack, a malicious website tricks your browser into accessing services on your local network (like your computer, router, printer, or other devices) by manipulating DNS responses. Here's how the attack works:

1. You visit a malicious website that includes JavaScript code
2. The website's DNS initially resolves to the attacker's server
3. The attacker then changes the DNS to point to a local IP address like 127.0.0.1 or 192.168.1.1
4. The JavaScript code in your browser can now access local services, potentially extracting sensitive data or changing settings

Fritz!Box routers protect against this by blocking DNS lookups that resolve to local IP addresses like 127.0.0.1, 192.168.x.x, and other private network ranges. While this security feature protects against real attacks, it also blocks legitimate local development domains (like DDEV's ddev.site).

Why DDEV is Safe

DDEV's use of 127.0.0.1 and the ddev.site domain is intentional and safe-it's not a DNS rebinding attack. Here's why:

• You control the configuration: You explicitly install and configure DDEV on your own machine
• Local-only access: DDEV projects only respond to requests from your own computer (127.0.0.1), not from external networks
• Transparent operation: DDEV openly documents exactly how it uses DNS and local networking

The Fritz!Box can't distinguish between a legitimate local development tool like DDEV and a potential DNS rebinding attack-both use domain names that resolve to 127.0.0.1. That's why you need to explicitly allow ddev.site as an exception.

The Solution

Rather than relying on DDEV's hosts file fallback, it's better to solve the underlying DNS problem by configuring your Fritz!Box router to allow the ddev.site domain.

Here's how to fix it:

1. Access your Fritz!Box router settings - the factory defaults are http://fritz.box and http://192.168.178.1
2. Navigate to Home Network (Heimnetz) > Network (Netzwerk) > Network Settings (Netzwerkeinstellungen)
3. Look for the DNS rebinding protection section
4. Add ddev.site to the exceptions list
5. Save your settings

After making this change, DDEV's DNS resolution will work as expected, and you can access your projects using the standard .ddev.site URLs.

Alternative Solutions

If you prefer not to modify your router settings, or you do not have access to them, you have two other options:

1. Configure your computer to use a less restrictive DNS provider such as Cloudflare's public DNS (1.1.1.1)
2. Use DDEV's hosts file fallback (this requires superuser privileges and modifies system files)

The router configuration approach is recommended because it preserves DDEV's design principle of not requiring system file modifications.

Additional Resources

• DDEV Documentation on Restrictive DNS Servers
• German blog post detailing the Fritz!Box issue
• Read all the details about DNS Name Resolution in DNS Name Resolution and Wildcards
• Article in the Fritz! knowledge base (in German) how to access the admin interface of a Fritz!Box

Contacting Fritz!Box Support to Ask for ddev.site to be added to their exceptions

If you want to request that AVM (the makers of Fritz!Box) consider adding ddev.site to their default DNS Rebinding Protection exceptions, consider contacting their support team. A friend of DDEV has already done this, but more requests may help.

Thanks!

Thanks to Ingo Schmitt for investigating and demonstrating the fix. Thanks to npostnik for already having documented this in a German blog post.

Keep in touch!

We'd love to hear your experience. Join us in Discord or open an issue if you have success (or failure 😀). We're always trying to make DDEV better for you.

Assisted in compilation and editing by Claude Code.

18 Nov 2025 12:00am GMT

When you manage a website, one of your biggest priorities is keeping it safe. The challenge is that the web is full of tricks that attackers use every day. Cross-site scripting (XSS), clickjacking, and cross-site request forgery (CSRF) are just some examples of the creepy terms you wish you'd never have to hear. This may result in lost data, malicious links, stolen login sessions, the unfortunate list could go on.

17 Nov 2025 7:41pm GMT

Today we are talking about MCPs, AI Automators, and AI Agents with guest Marcus Johansson. We'll also cover AI Ecosystem Recipe as our module of the week.

For show notes visit: https://www.talkingDrupal.com/529

Topics

• Understanding Model Context Protocol (MCP)
• AI Automators in Drupal
• Creating Complex Workflows with Automators
• Simple and Effective Automator Use Cases
• AI Image Alt Text and Contextual Understanding
• AI Tagging and Content Management
• Introduction to AI Agents in Drupal
• Challenges and Future of AI Agents
• Real-World Applications and Future of AI in Drupal
• Proliferation of Orchestration Tools

Resources

• ai initiative issue queue
• Recipes from 1xInternet
  • https://www.drupal.org/project/ai_recipe_image_classification
  • https://www.drupal.org/project/ai_recipe_llm_optimized_content
  • https://www.drupal.org/project/ai_recipe_seo_optimizer
• MCP
• xkcd
• Tool API
• Slack MCP Server
• Drupal MCP
• MCP Client
• JSON API wrapper
• Tagify
• Views Agent
• Context control center
• Marriage podcast

Guests

Marcus Johansson - workflows-of-ai.com marcus_johansson

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Martin Anderson-Clutz - mandclu.com mandclu

MOTW Correspondent

Martin Anderson-Clutz - mandclu.com mandclu

• Brief description:
  • Have you ever wanted to explore the AI capabilities of Drupal, but didn't know where to start? There's a Drupal recipe for that.
• Module name/project name:
  • AI Ecosystem Recipe
• Brief history
  • How old: created in Oct 2024 by Marcus Johansson (marcus_johansson of FreelyGive.io
• Versions available: 1.0.0-alpha2, which requires Drupal 10.3 or newer
• Maintainership
  • Actively maintained
  • Number of open issues: 2 open issues, both of which are bugs
• Module features and usage
  • When you require and apply this recipe to your Drupal site, you'll be able to start working with a variety of LLMs and specialized AI-based services
  • You'll be able to ingest unstructured content and map it to structured fields automatically. Or generate a detailed SEO analysis of your nodes. There are multiple translation tools, crawlers to help work across entire sites, and more.
  • This recipe is likely something you would apply to a sandbox site, to understand the various ways to achieve something specific with AI and Drupal, and then apply whatever is best for your use case to your actual site build.
  • But it's a useful resource for a Drupalist wanting to start exploring some of the growing list of options for working with AI, or someone familiar with AI tools who wants to start using them with Drupal.

17 Nov 2025 7:00pm GMT

Choosing a theme isn't easy. There are a lot of choices including various free starter kits, non-standard page-builder themes, low cost commercial themes, and higher cost premium themes, such as what we sell.

Below we created a checklist you can use for any theme, regardless of vendor. We've included notes on how Dripyard addresses each topic so you can compare objectively.

Features

Does the theme style the normal Drupal user interface items such as pagers, breadcrumbs, the node preview toolbar, etc?

Like most content management systems, Drupal will expose various patterns on the front-end including items like the node preview toolbar, exposed filters, as well as more standard components like pagers, breadcrumbs, etc.

17 Nov 2025 5:46pm GMT

17 Nov 2025 5:31pm GMT

Composer 2.9 delivered new CLI security improvements this week, but the bigger story for the PHP ecosystem is the work now underway on Packagist.org. With support from the Sovereign Tech Agency, the PHP Foundation, and Private Packagist, the team is building a transparency log aimed at strengthening PHP's supply chain. Given the scale of Packagist today, introducing systematic visibility into package activity has become a practical necessity.

The transparency log will surface security-relevant events through a web interface and an API. That includes changes to package ownership, source URLs, maintainers, version releases or removals, and updates to underlying git tags, along with account security actions such as two-factor authentication status changes and password resets. Making these events publicly accessible gives researchers, companies, and tool builders the data they need to monitor dependency changes, spot suspicious patterns, and investigate incidents more effectively.

Implementation has begun, with features rolling out incrementally. This work aligns with the OpenSSF guidance for secure package repositories and moves the PHP ecosystem closer to stronger, audit-ready supply chain practices. Looking ahead, the team is also preparing a new model for organizational package ownership, set to address long-standing issues with shared accounts and improve security for both companies and open-source projects.

EVENT

• Heading to DrupalCon Asia 2025? Don't Miss the Magic of Nara
• Community, Code, and Columbia Gorge Views: PNW Drupal Summit 2025 Recap
• Drupal in a Day: Scaling Drupal Education from University Classrooms to Global Camps
• Rachael Censuales Debuts as a Speaker at DrupalCamp Italy 2025
• Drupal Association Invites Global Support for DrupalCamp Burkina Faso 2026
• Stanford WebCamp 2026 Seeks Volunteers Ahead of Spring Conference
• DrupalCon Chicago 2026 Sponsorships Now Open with Tiered Packages and Summit Add‑Ons
• Salim Lakhani to Demo Drupal Forge at Fox Valley Drupal Meetup on Nov 19

ORGANIZATION NEWS

• Drupal.org Relaunches Industry Pages to Showcase Sector-Specific Impact
• Dripyard Prepares Premium Themes for Drupal Canvas Ahead of Stable Release

TRAINING

• Drupal Open University Calls for Global Instructors for "Drupal in a Day" Course

DRUPAL COMMUNITY

• DCoE Finds: "The Drupal Economy Is Struggling, But There's Hope"

TUTORIALS

• Connect Drupal with Activepieces: Automate Content Workflows with JSON:API and AI

We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now. To get timely updates, follow us on LinkedIn, Twitter, Bluesky, and Facebook. You can also join us on Drupal Slack at #thedroptimes.

Thank you.

Sincerely,
Alka Elizabeth,
Sub-editor,
The DropTimes.

17 Nov 2025 2:56pm GMT

Explore the key takeaways from DrupalCamp Scotland 2025, highlighting open-source collaboration, community-driven innovation, and practical insights for digital teams.

17 Nov 2025 12:00pm GMT

Ten years ago, Acquia shut down Drupal Gardens, a decision that I still regret.

We had launched Drupal Gardens in 2009 as a SaaS platform that let anyone build Drupal websites without touching code. Long-time readers may remember my various blog posts about it.

It was pretty successful. Within a year, 20,000 sites were running on Drupal Gardens. By the time we shut it down, more than 100,000 sites used the platform.

Looking back, shutting down Drupal Gardens feels like one of the biggest business mistakes we made.

At the time, we were a young company with limited resources, and we faced a classic startup dilemma. Drupal Gardens was a true SaaS platform. Sites launched in minutes, and customers never had to think about updates or infrastructure. Enterprise customers loved that simplicity, but they also needed capabilities we hadn't built yet: custom integrations, fleet management, advanced governance, and more.

For a while, we tried to serve both markets. We kept Drupal Gardens running for simple sites while evolving parts of it into what became Acquia Cloud Site Factory for enterprise customers. But with our limited resources, maintaining both paths wasn't sustainable. We had to choose: continue making Drupal easier for simple use cases, or focus on enterprise customers.

We chose enterprise. Seeing stronger traction with larger organizations, we shut down the original Drupal Gardens and doubled down on Site Factory. By traditional business metrics, we made the right decision. Acquia Cloud Site Factory remains a core part of Acquia's business today and is used by hundreds of customers that run large site fleets with advanced governance requirements, deep custom integrations, and close collaboration with development teams.

But that decision also moved us away from the original Drupal Gardens promise: serving the marketer or site owner who didn't want or need a developer team. Acquia Cloud Site Factory requires technical expertise, whereas Drupal Gardens did not.

For the next ten years, I watched many organizations struggle with the very challenge Drupal Gardens could have solved. Large organizations often want one platform that can support both simple and complex sites. Without a modern Drupal-based SaaS, many turned to WordPress or other SaaS tools for their smaller sites, and kept Drupal only for their most complex properties.

The problem is that a multi-CMS environment comes with a real cost. Teams must learn different systems, juggle different authoring experiences, manage siloed content, and maintain multiple technology stacks. It can slow them down and make digital operations harder than they need to be. Yet many organizations continue to accept this complexity simply because there has not been a better option.

Over the years, I spoke with many customers who ran a mix of Drupal and non-Drupal sites. They echoed these frustrations in conversation after conversation. Those discussions reminded me of what we had left behind with Drupal Gardens: many organizations want to standardize on a single CMS like Drupal, but the market hadn't offered a solution that made that possible.

So, why start a new Drupal SaaS after all these years? Because the customer need never went away, and we finally have the resources. We are no longer the young company forced to choose.

Jeff Bezos famously advised investing in what was true ten years ago, is true today, and will be true ten years from now. His framework applies to two realities here.

First, organizations will always need websites of different sizes and complexity. A twenty-page campaign site launching tomorrow has little in common with a flagship digital experience under continuous development. Second, running multiple, different technology stacks is rarely efficient. These truths have held for decades, and they're not going away.

This is why we've been building Acquia Source for the past eighteen months. We haven't officially launched it yet, although you may have seen us begin to talk about it more openly. For now, we're testing Acquia Source with select customers through a limited availability program.

Acquia Source is more powerful and more customizable than Drupal Gardens ever was. Drupal has changed significantly in the past ten years, and so has what we can deliver.

As with Drupal Gardens, we are building Acquia Source with open principles in mind. It is easy to export your site, including code, configuration, and content.

Just as important, we are building key parts of Acquia Source in the open. A good example is Drupal Canvas. Drupal Canvas is open source, and we are developing it transparently with the community. Acquia Source will be an opinionated SaaS product, yet it will remain rooted in the open Drupal ecosystem and will contribute back to it.

Acquia Source does not replace Acquia Cloud or Acquia Cloud Site Factory. It complements them. Many organizations will use a combination of these products, and some will use all three. Acquia Source helps teams launch sites fast, without updates or maintenance. Acquia Cloud and Site Factory support deeply integrated applications and large, governed site fleets. The common foundation is Drupal, which allows IT and marketing teams to share skills and code across different environments.

For me, Acquia Source is more than a new product. It finally delivers on a vision we've had for fifteen years: one platform that can support everything from simple sites to the most complex ones.

I am excited about what this means for our customers, and I am equally excited about what it could mean for Drupal. It can strengthen Drupal's position in the market, bring more sites back to Drupal, and create even more opportunities for Acquia to contribute to Drupal.

17 Nov 2025 9:51am GMT

17 Nov 2025 4:00am GMT

💕 A Love Letter to DDEV!

As the year winds down, it's time to get serious about 2026 planning 📋. We'll have a meeting in the next few weeks talking about priorities for the new year. See some WIP proposals and contact us any time with your opinions↗ or to get an invitation to the meeting.

What's New

• Claude Code AI-assisted PRs for DDEV Training → Learn how to use Claude Code to create pull requests for DDEV Read more↗

Community Highlights

• A Love Letter to DDEV: Ryan Stubbs shares his appreciation for DDEV and its impact on development workflows Read more↗
• Claude Code Plugins for Drupal/DDEV: Community member Luděk Kvapil has created custom Claude Code commands and plugins for DDEV and Drupal development workflows View on GitHub↗
• Profiling Your Drupal App with New Relic and DDEV: Practical guide session from DrupalCon Vienna 2025 Session details↗ • Watch on YouTube↗

Community Video Tutorials

• Drupal CMS und Core für Projektentwicklung unter Windows 11 von Null installieren (German): Complete guide to installing Drupal CMS and Drupal Core for project development on Windows 11 from scratch Watch on YouTube↗
• Drupal 11 für Entwickler:innen und Sitebuilder:innen (German): Udemy course for Drupal 11 developers and site builders Enroll with coupon↗

DDEV Training Continues

Join us for upcoming training sessions for contributors and users.

• November 20, 2025 at 10:00 US ET / 16:00 CET - Using DDEV on Windows with WSL2 Add to Google Calendar • Download .ics

• January 22, 2026 at 10:00 US ET / 16:00 CET - Mutagen, syncing, problems, upload_dirs for direct bind mounts Add to Google Calendar • Download .ics

• February 26, 2026 at 10:00 US ET / 16:00 CET - Git bisect for fun and profit Add to Google Calendar • Download .ics

• March 26, 2026 at 10:00 US ET / 15:00 CET - Using git worktree with DDEV projects and with DDEV itself Add to Google Calendar • Download .ics

• April 23, 2026 at 10:00 US ET / 16:00 CEST - Creating, maintaining and testing add-ons 2026-updated version of our popular add‑on training. Previous session recording↗ Add to Google Calendar • Download .ics

Zoom Join Info: Link: Join Zoom Meeting Passcode: 12345

Events & Community

• DrupalCon EU in Vienna - Randy hosted multiple Birds-of-a-Feather (BoF) sessions at DrupalCon EU in Vienna↗ thanks to sponsorship from Tag1↗ and Upsun↗. Sessions included DDEV Office Hours, Contributing to DDEV using Claude Code↗, Using DDEV on Windows↗, DDEV new features, and Git Bisect for Fun and Profit. Watch the Git Bisect: Divide and Conquer troubleshooting presentation↗ from Florida DrupalCamp.
• DDEV workshops at TYPO3Camp RheinRuhr 2025 - Randy presented DDEV training at TYPO3Camp RheinRuhr in Germany (Nov 7-9). View training materials↗

Governance: We have a Board!

The DDEV Foundation now has a formal board. Join us for our annual extended advisory group and board meeting (public; all are welcome): Watch for a blog post about the new board members! (Or sneak peak by reading the meeting notes.)

• January 14, 2026 at 8:00 AM US Mountain Time / 4:00 PM CET - DDEV Extended Advisory Group and Board Meeting Annual 2-hour review of 2025 and plans for 2026 Discussion details↗ • Add to Google Calendar • Download .ics

Sponsorship Update

As of today, the monthly sponsorship commitment is up to 70% of our goal, at $8,376. Thank you! That's up from 69% and $8,231 last month. → Become a sponsor↗

Stay in the Loop-Follow Us and Join the Conversation

• Blog↗
• LinkedIn↗
• Mastodon↗
• Bluesky↗
• Discord↗

Compiled and edited with assistance from Claude Code and Copilot.

17 Nov 2025 12:00am GMT