I recently gave a talk at DrupalSouth Wellington 2026 covering something a lot of us in the Drupal community have been wrestling with: has the past couple of years been a market correction or something more fundamental? And more importantly - how can Drupal remain competitive in a CMS market that's changing quickly?
The downturn was real - and it was a global phenomenon
When I last spoke at DrupalCon Singapore I was very confident about PreviousNext's position after 15 years of stability. What followed was our business contracting through 2025 as clients reduced budgets, so it's been a tough couple of years for many digital agencies.
But here's what gave me some comfort: we're not alone. Global digital holding companies such as WPP and Publicis Groupe have seen their businesses shrink by around 30%, and their share prices have seen corresponding falls. These aren't small Drupal shops. They employ thousands of developers across dozens of countries. The downturn has been a global phenomenon.
The single biggest reason is now clear. During COVID, organisations pulled forward years of digital transformation budgets to move services online quickly. By 2025, that spend had run dry. Enterprise marketing budgets generally halved and new projects froze. The good news, as of early 2026, is that the freeze is starting to thaw - projects that were put on hold still need to be completed.
Compounding this is AI. Companies have shifted budget toward AI investments, web traffic (including Google search) is down around one third as people increasingly get information without visiting websites, and clients are questioning the ROI of large digital investments. This is real disruption - not incremental change.
Drupal's competitive position is stronger than the narrative suggests
With that context set, the more interesting question is: where does Drupal actually sit competitively?
When people talk about Drupal's "decline", they tend to cite overall install numbers. At its peak between 2014 and 2016, Drupal powered around 1.2 million sites. Today it's around 735,000 - a 40% fall on paper. But that framing misses the point entirely.
Drupal 8 made a deliberate strategic choice to cede the small-site market to SaaS platforms and focus on larger, more complex sites. What happened to those 500,000 sites that moved off older versions? Most were the exact sites Drupal had consciously repositioned away from. In their place, modern Drupal (version 8 and above) has grown to over 500,000 sites concentrated at the upper end of the enterprise market - exactly where the strategy aimed.
The data from builtwith.com is striking. Across the internet as a whole, Drupal sits in the top ten CMS platforms. Narrow it to the top million sites by traffic and Drupal is a clear second behind WordPress, with four times the presence of Adobe. Narrow further to the top 100,000 and Drupal is still second. In the top 10,000 - the sites that matter most - still second. For a product that critics routinely describe as being in decline, holding second place across every meaningful traffic tier is a remarkable result.
The CMS market itself is also growing, not shrinking. With around 900 CMS products for clients to choose from, it reached $30.9 billion in 2025 and is forecast to hit $45.7 billion by 2030 - 15-20% annual growth. There are still 250,000 websites launched every single day, generating 400 exabytes (400 million terabytes) of data annually for six billion internet users. The world's need to manage content isn't going away.
What about the impact of AI on the CMS market?
It's a fair question to ask whether AI will eventually replace the CMS entirely. The honest answer is: for basic brochureware sites, this is already happening. Tools like static site generators, SaaS website builders, and even WordPress sites at the simpler end of the market are genuinely at risk from AI that can generate and deploy a good-looking site quickly.
But Drupal is more insulated. A university platform with hundreds of content editors, 15 years of content governance, complex workflows, security requirements, and dozens of third-party integrations can't be vibe-coded overnight. The governance and institutional knowledge wrapped around these platforms isn't in the code - it's in the people, the processes, and the content structures that have evolved over time. That's not something AI replaces soon.
The bigger near-term pressure is client expectations. AI will accelerate Drupal development - modules, themes, migrations, custom functionality. Clients will start expecting projects to cost less and move faster. Agencies that adapt to this reality will thrive. Those that don't will find it a hard road.
How Drupal is keeping pace
Drupal competes across three distinct categories. DXP (Digital Experience Platform) competitors like Adobe and Sitecore offer monolithic, all-in-one platforms. Composable/MACH competitors like Contentful offer headless, API-first approaches. And then there's Drupal - which does both, often simultaneously.
When a client needs an enterprise-grade DXP, Acquia's stack, built on Drupal, competes directly with Adobe Experience Manager at substantially lower total cost of ownership. When a client wants API-first composable architecture, Drupal has been doing that since 2015 - not API-only, because you retain all of Drupal's power for user management, content modelling, and workflows while delivering content via headless interfaces. And for organisations that need a hybrid - vast content management capability combined with headless interfaces and third-party integrations - that's Drupal's genuine sweet spot.
Being positioned to serve all three categories is not a weak compromise. It's a unique competitive advantage.
Drupal CMS changes the pitch
Where Drupal has historically struggled is in sales pitches. If you've ever had to spend weeks building a custom demo just to show a prospect what Drupal could do, or watched a client get dazzled by a proprietary CMS demo while yours involved explaining modules, you'll understand the problem. Drupal's out-of-the-box experience was, to be blunt, severely lacking.
The Starshot initiative launched in early 2024 to address exactly this problem. In under a year, Drupal CMS 1.0 shipped in January 2025. A year later, version 2.0. Achieving this in an open source project, coordinating volunteers across working groups while keeping Drupal Core stable, was remarkable to see unfold. If you or your organisation contributed, it deserves to be said: it wouldn't have happened without you.
Drupal CMS changes what's possible in a pitch. You can now install Drupal CMS, launch a polished, fully functional demo in minutes, and show a client exactly what they'll be working with. The days of "trust us, it can do that" are over.
The key feature releases in Drupal CMS 2.0 are worth highlighting:
Canvas - A WYSIWYG page building experience built from scratch, moving beyond the Paragraphs vs Layout Builder debate that's divided the community for years.
Recipes - One-click install for bundled feature sets. Want SEO tools? Find the recipe, click install, done. No more trawling 50,000 modules.
Site Templates - A modernised approach to Distributions, bundling a complete theme and feature set into a single install.
AI integration - Whether it's a chatbot helping users learn Drupal features, AI agents building functionality, or AI enhancing content, it's all available now.
Acquia Source also launched in late 2025, offering Drupal CMS as a SaaS product for organisations that want the power of Drupal without managing infrastructure.
Pamela Barone, the Drupal CMS Product Lead (sponsored by her employer Technocrat), gave a fantastic keynote at DrupalSouth Wellington that provides a much deeper dive into the rapid innovation that's been possible.
Five takeaways from my talk
For agencies and end-user organisations leaving this talk (or reading this post), here's what I'd ask you to take away.
One: The market opportunity is real. The web is still growing. Drupal is still dominant behind WordPress at every tier that matters. Recent innovations have substantially strengthened the competitive position. There's a bright future ahead for organisations that lean into it.
Two: Leverage the hybrid CMS position. Drupal's ability to function as DXP, composable, or hybrid in a single platform is a genuine differentiator. Use it in client pitches. Most alternatives force a choice between these models.
Three: Drupal CMS changes what's possible. Use it for client demos and smaller projects. You can secure clients by building smaller projects faster while retaining Drupal Core's full power when clients need to scale.
Four: Adapt to AI now. It's the new operational reality. Agencies and organisations that maintain human accountability while using AI to increase speed and reduce cost will win.
Five: Invest in the open source technology your organisation relies on. Drupal is open source, which means there's no single company responsible for its future. The Drupal Association manages the infrastructure, coordinates initiatives, and facilitates the community that keeps it all going. If your agency makes money building on Drupal, or your organisation has saved hundreds of thousands of dollars in licensing fees by using it, supporting the Drupal Association is an investment in your own future - not a donation.
Get involved
A few specific actions worth taking:
If you're an agency that's not already a Drupal Certified Partner, the entry level requirements are minimal, so there really is no excuse. It's becoming a real differentiator in pitches - being able to say "we don't just use Drupal, we actively help build it" carries enormous weight with informed buyers.
The Drupal Marketing Initiative is actively seeking involvement from Drupal Certified Partners. The DA is doing the top-of-funnel work for the community - helping expose Drupal to enterprise buyers who might not have considered it. That benefits every agency selling Drupal.
The Drupal AI Initiative has 31 partners and $1.5 million in cash and in-kind contributions committed to defining how AI is integrated ethically and effectively into Drupal. Getting involved now gives you a seat at the table as those decisions are made.
The competitive opportunity is Drupal's to lose
The CMS market is still growing strongly and Drupal holds a unique competitive position. Recent product innovation has addressed legacy weaknesses, and the community that builds and sustains Drupal is a benchmark for other open source projects to aspire to. Despite the recent digital market downturn and the impact of AI, Drupal's future remains bright for agencies that build projects with it and for organisations that rely on it keeping pace with evolving requirements.
Over half of all web traffic in 2024 was automated. That is the headline number from the Imperva 2025 Bad Bot Report, and it is the first time bots have outnumbered humans in more than a decade. Drupal sites sit squarely in that traffic mix, and the old defensive playbook - block an IP, ban a user agent, drop a robots.txt entry, lean on Fail2ban - does not hold up anymore.
This is the companion post to my DrupalSouth Wellington 2026 talk, Bots, scrapers, and proxies: defending Drupal sites in an automated internet. The talk walked through the defences I actually use at amazee.io and recommend on client sites. The post covers the same ground, with a bit more room to show config and link out to the projects.
What actually changed
The technical context underneath bot defence has shifted in three ways that matter:
Residential proxy networks. Scrapers no longer come from a handful of cloud subnets you can block. They route through real consumer IP addresses, often unwittingly donated by free-VPN users or piggy-backed off shady SDKs in mobile apps.
Headless browsers everywhere. Playwright and Puppeteer have made it trivial to render JavaScript-heavy pages at scale. A page that needed a real human five years ago can be scraped today by anyone with a laptop.
AI-driven scraping. Volume is up sharply because every new LLM needs training data, and there is now a steady drip of new crawlers showing up. Meta's externalagent is one recent example. There will be more.
Mimicry is now the baseline, not the edge case. A modern scraper will rotate IPs, randomise user agents, replay realistic TLS fingerprints, and pace itself slowly enough to look like a real user. You cannot rely on signal that lives in one HTTP header.
The scale of it
If this still sounds like a niche problem, the numbers say otherwise.
51% - share of web traffic that was automated in 2024, per the Imperva 2025 Bad Bot Report.
+96% - year-on-year growth in some popular bot services across Pantheon's hosting fleet in their July 2025 data.
1B+ - unique monthly visitors Pantheon sees across its platform, which is the size of dataset those numbers are coming from.
On the amazee.io platform globally, 13% of incoming requests can be flagged as non-human based on the user agent alone. That is the lazy bots. The actual share of automated traffic is higher once you account for the ones that try to blend in. In absolute terms it adds up to hundreds of millions of requests every month.
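The "flag on user agent alone" count above, and the later advice to measure before you defend by finding your most-hit uncacheable endpoints, both come down to triaging the access log. The following is an added Python example (not amazee.io's tooling and not any Drupal module): it parses a few constructed combined-format log lines, counts the lazy bots that declare themselves in the user agent, counts the WordPress/secrets scanner noise that the Perimeter module drops, and ranks the search, facet and deep-pagination paths that bypass the page cache. The marker lists and the uncacheable-path heuristic are assumptions for the demo.

```python
"""Triage a web-server access log: flag obvious bots by user agent, flag
scanner noise by path, and rank the uncacheable endpoints bots hit most.

Added example, not amazee.io's or any Drupal module's code. The log lines,
user-agent markers and path patterns are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx/Apache "combined" format.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:10:00:01 +1300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
198.51.100.7 - - [10/Mar/2026:10:00:02 +1300] "GET /search?keys=drupal&f[0]=type:article HTTP/1.1" 200 8100 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:10:00:03 +1300] "GET /search?keys=drupal&f[0]=type:page HTTP/1.1" 200 8090 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2026:10:00:04 +1300] "GET /wp-admin/ HTTP/1.1" 404 310 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.44 - - [10/Mar/2026:10:00:05 +1300] "GET /.env HTTP/1.1" 404 310 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.22 - - [10/Mar/2026:10:00:06 +1300] "GET /news?page=2348 HTTP/1.1" 200 6000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
66.249.66.1 - - [10/Mar/2026:10:00:07 +1300] "GET /about HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [10/Mar/2026:10:00:08 +1300] "GET /search?keys=cache HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify bots which do not bother to hide (the "lazy" share).
BOT_UA_MARKERS = ("bot", "crawler", "spider", "python-requests", "curl/", "zgrab", "scrapy")

# Scanner noise a Drupal site sees daily: WordPress and secrets probing.
SCANNER_PATHS = ("/wp-admin", "/wp-login.php", "/xmlrpc.php", "/.env", "/.git")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_declared_bot(ua):
    ua = ua.lower()
    return any(marker in ua for marker in BOT_UA_MARKERS)


def is_scanner_path(path):
    return any(path.startswith(p) for p in SCANNER_PATHS)


def is_uncacheable(target):
    """Heuristic for requests that bypass the page cache: search, facets, deep pagination."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if parts.path.startswith("/search"):
        return True
    if any(k.startswith("f[") for k in qs):  # Drupal Facets parameter style
        return True
    page = qs.get("page", ["0"])[0]
    return page.isdigit() and int(page) > 50  # assumed threshold for a "pagination tail"


def triage(log_text):
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    declared = sum(1 for r in rows if is_declared_bot(r["ua"]))
    scanner = sum(1 for r in rows if is_scanner_path(urlsplit(r["target"]).path))
    hot = Counter(urlsplit(r["target"]).path for r in rows if is_uncacheable(r["target"]))
    return {
        "total": len(rows),
        "declared_bot_share": declared / len(rows) if rows else 0.0,
        "scanner_hits": scanner,
        "top_uncacheable": hot.most_common(3),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On real logs, run `triage()` over a day of traffic and defend the paths at the top of `top_uncacheable` first; the `declared_bot_share` figure is a floor, since everything that rotates its user agent is counted as human here.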
The goal is not to block all bots
Before going through the defences, one thing I am careful to say up front, both on stage and here: the goal is not to block all bots. That is unwinnable, and the closer you get to it the more real users you break.
Search crawlers, RSS readers, uptime monitors, link-preview generators in Slack and iMessage, accessibility tooling - all bots, all wanted. The goal is to reduce abuse where it hurts most, on the endpoints that cost you real money or real performance, while leaving everything else alone.
Drupal-native defences
The defences closest to your application are the smartest. They can see the path, the user, the form, the cache state. They are also the most expensive per blocked request, because every block at this layer has already cost you a full PHP bootstrap.
Perimeter
The Perimeter module drops requests matching known-bad patterns: /wp-admin, /.env, xmlrpc.php, all the WordPress scanner noise that hits every Drupal site daily. It is the cheapest win on the list. It will not stop a serious scraper, but it will keep your logs clean and your error rate honest.
CrowdSec and AbuseIPDB
CrowdSec is a local agent plus a community blocklist. Every site running CrowdSec contributes detected attacks back to a shared signal, and pulls down the latest list of bad actors. It is the closest thing the open-source world has to a distributed reputation system.
AbuseIPDB is a reputation lookup service. You query an IP, you get a confidence score. It is most useful on the forms and login flows where you can afford the latency of an external API call. Both are available as Drupal modules.
Facet Bot Blocker
If you run Search API with facets, this is the single cheapest big win available to you. Faceted search URLs are catnip for scrapers: every combination of filters is a new URL, every URL is uncached, every uncached request hits the database. A bot that crawls a faceted listing can take a site down without trying.
The Facet Bot Blocker module acts as a rate limit on requests that include at least one facet in the URL. Configure it to use Redis or memcache for the counter so you are not making the problem worse by hitting the database to record the request. On one of our hosting customers, this one module cut Search API load by more than half.
Form-side defences
Logins, registrations, password resets and contact forms all need their own treatment, separate from page-level defence:
Honeypot - invisible field plus a time-based check. Cheap, fast, surprisingly effective against the dumb half of form spam.
Antibot - requires JavaScript to submit, blocks the bots that do not run JS.
CAPTCHA, reCAPTCHA, or Cloudflare Turnstile - full challenge. Use the lightest option that works, and ideally only after Honeypot and Antibot have already rejected the easy cases.
Hidden CAPTCHA - bridges the gap when you want a CAPTCHA-style check without the accessibility cost of a visible challenge.
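The Honeypot idea from the list above (an invisible field plus a time-based check), as an added Python example written in the spirit of the Drupal Honeypot module but not its code. Two details matter for the time check to be worth anything: the render timestamp is signed with an HMAC so a bot cannot submit an old one, and the comparison is constant-time. The secret, the field names and the five-second threshold are assumptions for the demo.

```python
"""Honeypot-style form protection: a hidden field that must stay empty plus a
signed render timestamp that must be at least MIN_SECONDS old.

Added example in the spirit of Drupal's Honeypot module, not its code. Secret,
field names and the threshold are assumptions for the demo.
"""
import hashlib
import hmac
import time

SECRET = b"demo-secret-rotate-me"   # constructed; in production load from config
HONEYPOT_FIELD = "website"          # hidden via CSS, real users never fill it
MIN_SECONDS = 5                     # humans take longer than this to fill a form


def _sign(ts):
    return hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def render_form(now=None):
    """Return the hidden values the server embeds when it renders the form."""
    ts = int(now if now is not None else time.time())
    return {HONEYPOT_FIELD: "", "hp_time": str(ts), "hp_sig": _sign(ts)}


def validate(post, now=None):
    """Return (ok, reason). `post` is the submitted form as a dict."""
    now = now if now is not None else time.time()
    if post.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"              # bots fill every field they see
    ts, sig = post.get("hp_time", ""), post.get("hp_sig", "")
    if not ts.isdigit() or not hmac.compare_digest(sig, _sign(int(ts))):
        return False, "timestamp missing or tampered"  # an old timestamp cannot be forged
    if now - int(ts) < MIN_SECONDS:
        return False, "submitted too fast"           # scripted submit inside MIN_SECONDS
    return True, "ok"


if __name__ == "__main__":
    hidden = render_form(now=1000)
    human = dict(hidden, name="Ada", message="hello")
    print(validate(human, now=1012))
    bot = dict(hidden, name="x", message="spam", website="http://spam.example")
    print(validate(bot, now=1012))
```

The reason the page-level text puts this first in the chain is cost: both checks run in a handful of string comparisons, so the expensive CAPTCHA only sees what gets past them.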
The trade-off the project pages don't mention
Every block at the Drupal layer has already cost you a PHP bootstrap. That is fine when the absolute volume is small. It is not fine when you are eating hundreds of millions of bot requests and bootstrapping PHP for each one. This is why you cannot stop at the application layer.
Web server and infrastructure
One layer out, the web server can drop requests before PHP ever runs. The trade-off flips: you save the bootstrap cost, but you lose access to application context.
Rate limiting and geo blocking
nginx ships with limit_req_zone, Apache has mod_ratelimit. Both are blunt but effective on volume. A starting point for nginx looks roughly like this:
Ten search requests per minute, per IP, with a burst of five. Tune to taste. The $binary_remote_addr key is cheap on memory; a 10MB zone holds around 160,000 IPs.
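Both the nginx settings just described (limit_req_zone keyed on $binary_remote_addr, ten requests per minute, burst of five) and the Facet Bot Blocker module from the Drupal section implement the same leaky-bucket idea. The following is an added Python example, not nginx's code and not the module's: a per-key bucket with nginx's limit_req semantics (a steady drain rate plus a burst allowance, with rejected requests not topping the bucket up), applied only to URLs that carry a Drupal facet parameter. The in-memory dict stands in for the Redis or memcache counter the text recommends; the numbers are the illustrative ones from the text.

```python
"""Leaky-bucket rate limiter with the semantics of nginx's limit_req (a steady
rate per key plus a burst allowance), applied only to requests that carry a
facet parameter, which is the Facet Bot Blocker idea.

Added example: not nginx's code and not the Drupal module's code. The dict in
LeakyBucket stands in for the Redis/memcache counter; 10 requests per minute
with a burst of 5 are the illustrative numbers from the text.
"""
from urllib.parse import parse_qs, urlsplit


class LeakyBucket:
    """One bucket per key (here the client IP). Allows `rate` requests every
    `per` seconds; up to `burst` requests may exceed that before rejection.
    Mirrors how nginx tracks an "excess" per key: it drains at the configured
    rate, grows by one per accepted request, and the first request for a new
    key starts at zero excess."""

    def __init__(self, rate, per, burst):
        self.rate, self.per, self.burst = rate, per, burst
        self.state = {}  # key -> (excess, last_seen_seconds)

    def allow(self, key, now):
        if key not in self.state:
            self.state[key] = (0.0, now)
            return True
        excess, last = self.state[key]
        drained = max(0.0, excess - (now - last) * self.rate / self.per)
        excess = drained + 1.0
        if excess > self.burst:
            return False  # rejected requests do not update the bucket
        self.state[key] = (excess, now)
        return True


def has_facet(target):
    """True for Drupal Facets URLs such as /search?f[0]=type:article."""
    return any(k.startswith("f[") for k in parse_qs(urlsplit(target).query))


class FacetLimiter:
    """Only facet requests are counted; everything else passes straight through."""

    def __init__(self, rate_per_minute=10, burst=5):
        self.bucket = LeakyBucket(rate_per_minute, 60.0, burst)

    def check(self, ip, target, now):
        if not has_facet(target):
            return "pass"
        return "ok" if self.bucket.allow(ip, now) else "limited"


if __name__ == "__main__":
    limiter = FacetLimiter()
    # A scraper walking facet combinations as fast as it can: 6 get through
    # (the first request plus the burst of 5), the rest are limited.
    for i in range(8):
        print(i, limiter.check("198.51.100.7", f"/search?f[0]=type:{i}", now=0.0))
    print("page", limiter.check("198.51.100.7", "/about", now=0.0))
```

The difference between the two layers is only where the bucket lives: at the web server the key is the raw address and the check costs no PHP, while inside Drupal the module can see that the request is a facet request at all, which is why it is worth paying the bootstrap for those URLs specifically.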
Geo blocking is the other infrastructure-level lever. It is pragmatic and occasionally controversial. If your audience is the New Zealand public sector, blocking inbound from regions you do not serve is a defensible call. If your audience is global, it is not. Know your traffic before reaching for it.
ModSecurity and the OWASP CRS
ModSecurity with the OWASP Core Rule Set is a proper WAF you can self-host. Once tuned, it is real protection. The tuning is the catch - out of the box it will flag Drupal admin actions, file uploads, anything that looks like SQL in a body or a query string. Expect to spend real time pruning rules and adding exceptions for legitimate site behaviour before you stop generating false positives.
Cache discipline
A request that hits the cache costs you nothing. Whatever else you do, get your cache headers right. Vary on the bits that need to vary, cache aggressively on the bits that do not, and lean on the page cache or the reverse proxy in front of Drupal. The cheapest bot is the one that asks for a page you have already served.
(shameless plug) You can also use my site Caching Score to review your current caching setup and see if there is anything better you could be doing.
What this layer is bad at
Rate limits, ModSecurity rules and geo blocks are great at volume and bad at quality. They cannot tell a scraper trickling one request per minute apart from a real user. For that you need either the edge or the application.
Edge and paid bot management
The edge is where the big vendors live, and it is where you push the cheapest blocks. A scraper rejected by Cloudflare at the network edge never gets to your origin at all.
Cloudflare
The free tier already includes Bot Fight Mode, basic challenges, and Turnstile. For most small-to-medium Drupal sites, this is a good baseline at zero extra cost. The paid Bot Management product adds custom rule logic, JA3 and JA4 TLS fingerprinting, and machine-learning-based bot scoring you can wire into firewall rules. The jump from free to paid is significant in price; the jump in capability is also significant.
Fastly, Akamai, and the rest
Fastly offers the Next-Gen WAF (originally Signal Sciences) with a Bot Management add-on. Akamai sits at the enterprise tier with the most sophisticated fingerprinting available, and a price tag to match. Beyond those, there is AWS WAF with Bot Control, DataDome, HUMAN, and Imperva - all credible, all paid, all priced for sites where bot abuse is costing real money.
The trade-offs nobody puts on the sales deck
Bot Management at the edge solves real problems. It also comes with real costs that the vendor demos skip past:
Cost. Bot Management is almost always an add-on to the core WAF subscription, and the pricing escalates fast with traffic.
Vendor lock-in. Your rules, your dashboards, your observability all live in the vendor's UI. Migrating off is painful.
Accessibility and SEO. Aggressive challenges break real users, and search bots that fail a challenge will hurt your rankings. Test both before turning anything up.
Rules live outside your application codebase. They drift, they are not versioned alongside the code that depends on them, and a rule change can break a feature without any commit to point to.
False positives are invisible to you. By default, blocked requests do not reach your logs. You will not know which real users were turned away unless you specifically ask for that signal.
Anubis
The newest piece in the picture, and the one that has me genuinely interested.
What Anubis is
Anubis is an open-source reverse proxy (MIT licensed) that sits in front of your site and issues a proof-of-work challenge to clients before letting them through. It was built specifically for the AI scraper era - for the case where the scraper is mimicking a real browser well enough that classifying it on signal alone has stopped working.
Why proof-of-work, not CAPTCHA
The interesting move with Anubis is who pays the cost. A real user pays a few hundred milliseconds of CPU once when they first arrive, and never sees it again for the lifetime of the cookie. A scraper hitting you a million times pays the cost a million times.
That asymmetry is the whole point. CAPTCHAs put the cost on humans (the people who lose patience trying to identify traffic lights). Anubis puts it on whoever is doing the hammering. That is closer to the right shape of the trade.
Where to put it
You do not want Anubis in front of your whole site. You want it in front of the endpoints that are expensive and uncacheable. From the talk, my shortlist:
Search endpoints
Facet and filter URLs
Pagination tails - ?page=2348 is not a real user
Login, register, password reset
Spicy forms (contact, anything that triggers an email)
Authenticated user flows
Anything expensive and uncacheable
Static pages stay fast. The cache stays warm. The PoW cost only applies on the routes where it earns its keep.
But what about Googlebot?
This is the first question every site owner asks, and the answer is good. Anubis ships with allowlists for known good crawlers, matching IP ranges against the published lists from Google, Bing, and the rest. The allowlist is maintained upstream, which means you need to keep Anubis deployed on a reasonable cadence to pull in the latest changes. New legitimate crawlers do show up.
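The two pieces described above, the proof-of-work asymmetry and the crawler allowlist that lets Googlebot through unchallenged, as one added Python example. This is written in the spirit of Anubis and is not its protocol or its code: the client must find a nonce so that SHA-256 of challenge and nonce has a number of leading zero bits, the server verifies with a single hash, and a successful solve earns an HMAC-signed cookie so the client is not challenged again until it expires. The difficulty, the secret, the cookie format, and the example CIDR in the allowlist are assumptions (in practice load the ranges the crawler vendors publish).

```python
"""Proof-of-work gate in the spirit of Anubis: clients must find a nonce so that
SHA-256(challenge:nonce) has `DIFFICULTY_BITS` leading zero bits; the server
verifies with one hash. Allowlisted crawler IP ranges skip the challenge.

Added example, not Anubis's protocol or code. The secret, the difficulty, the
cookie format and the allowlist CIDR are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import secrets

SECRET = b"demo-secret-rotate-me"      # constructed
DIFFICULTY_BITS = 12                    # ~4096 hashes expected per solve
COOKIE_TTL = 7 * 24 * 3600              # one solve per client per week

# Constructed allowlist; in practice load the vendor-published ranges.
GOOD_CRAWLER_NETS = [ipaddress.ip_network("66.249.64.0/19")]  # assumed example range


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GOOD_CRAWLER_NETS)


def new_challenge():
    return secrets.token_hex(16)


def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def verify(challenge, nonce, bits=DIFFICULTY_BITS):
    """Server side: one hash, constant cost however hard the client worked."""
    d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return _leading_zero_bits(d) >= bits


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client side: brute force until verify() passes; expected cost grows as 2**bits."""
    nonce = 0
    while not verify(challenge, nonce, bits):
        nonce += 1
    return nonce


def issue_cookie(client_id, now):
    """After a valid solve, hand out an HMAC-signed token bound to the client."""
    exp = int(now) + COOKIE_TTL
    msg = f"{client_id}|{exp}"
    return f"{msg}|{hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()}"


def cookie_valid(cookie, client_id, now):
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    cid, exp, sig = parts
    expected = hmac.new(SECRET, f"{cid}|{exp}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig, expected) and cid == client_id
            and exp.isdigit() and int(exp) > now)


def gate(ip, cookie, now, challenge=None, nonce=None):
    """Decide what happens to a request on a protected route."""
    if is_allowlisted(ip):
        return "allow:crawler"
    if cookie and cookie_valid(cookie, ip, now):
        return "allow:cookie"
    if challenge is not None and nonce is not None and verify(challenge, nonce):
        return "allow:solved"
    return "challenge"


if __name__ == "__main__":
    c = new_challenge()
    n = solve(c)
    print("solved with nonce", n, "->", gate("203.0.113.5", None, 0, challenge=c, nonce=n))
    print("cookie next time ->", gate("203.0.113.5", issue_cookie("203.0.113.5", 0), 60))
    print("crawler ->", gate("66.249.66.1", None, 0))
```

The asymmetry the text describes is visible in the two functions: `solve()` loops on average 2**DIFFICULTY_BITS times, `verify()` runs once. A real deployment also binds each challenge to the client and expires it so a solved nonce cannot be replayed, which this demo leaves out.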
Demo site
You can see Anubis in action with a demo Drupal 11 site I put together: the login form has Anubis in front of it; the homepage does not.
Putting the layers together
None of these defences is a silver bullet on its own. Each layer is cheap at one thing and bad at another, and the trick is matching the layer to the threat.
Layered defence diagram showing requests flowing from clients through Edge/CDN, Anubis, web server, and Drupal, with cost-to-block increasing as you move closer to the application.
Block the cheap traffic at the edge. Block the lazy bots with rate limits and ModSecurity at the web server. Put Anubis in front of the endpoints that are expensive and uncacheable. Let Drupal-native modules handle the application-aware decisions where you actually need to see the user, the form, or the facet state.
Five things to take away
No single layer is enough. Stack them. The edge handles raw volume, the web server handles patterns, and the application is the only thing that can see real user and form context.
Match the protection to the threat. A login form needs different defence from a faceted search results page.
Measure before you defend. Look at your actual traffic. Find your most-hit uncacheable endpoints. Defend those first.
Watch accessibility and SEO. Every challenge you add is a tax on a real user or a real crawler. The cost of false positives is invisible unless you go looking.
Plan for adversarial improvement. Whatever you deploy today, the scrapers get a turn next. Pick defences you can iterate on.
One last thing
You do not need to win the bot war. You just need to make your site a worse target than the next one.
The slides from the talk are on the DrupalSouth schedule page. The recording will be posted here once the DrupalSouth team have edited and uploaded it - check back in a few weeks.
Mark your calendars. MidCamp is returning April 27-29, 2027!
We are excited to officially announce the dates for the next MidCamp, the Midwest's community-driven event for designers, developers, strategists, content creators, marketers, project managers, and open source enthusiasts.
After another incredible year of learning, collaboration, and community, we are already looking ahead to what comes next. And yes, as announced during closing remarks, MidCamp will be returning to DePaul next year just in time for Norah Schrum's birthday, which feels like the perfect excuse to gather this community again. MidCamp 2027 will once again bring together people from across Chicago, the Midwest, and beyond for several days of connection, practical learning, hallway conversations, contribution, and the kind of idea-sharing that keeps open source communities thriving.
Whether you are a longtime MidCamp regular or considering your first trip, MidCamp is built to be welcoming, approachable, and full of opportunities to learn from one another.
What to expect as planning gets underway:
Engaging sessions from community speakers
Hands-on training and learning opportunities
Contribution and collaboration time
Social events to reconnect with friends and meet new faces
Community-focused experiences that reflect the spirit of MidCamp
Our organizing team is just getting started, and there will be many ways to get involved in the months ahead, from volunteering and sponsoring to submitting sessions and helping shape the event.
As was said during closing remarks: bringing value to others is the best gift, and this community proves that year after year.
For now, the most important thing to do is simple: save the date, bring your friends, and plan to be part of it.
Missing MidCamp already? You can relive this year's sessions by watching the recordings on our MidCamp 2026 YouTube playlist while we get planning underway for next year.
More details will be shared on the MidCamp 2027 event page as planning progresses.
We cannot wait to do it all again with this amazing community.
In this blog post, W3C CEO Seth Dobbs shares his thoughts about age-restrictions and user privacy on the web - a topic that was at the heart of the October W3C/IAB workshop on Age-Based Restrictions on Content, and recent W3C Members conversations.
Breakouts Day 2026 was the third edition of W3C's fully remote community driven information sharing event. In this post we summarize key aspects of the event.
Earlier this month, the W3C Technical Architecture Group (TAG) gathered in London for a multi-day face-to-face meeting. While the TAG meets regularly online, these in-person sessions remain an important part of how the group builds shared understanding, tackles complex architectural questions, and welcomes new members into the work.
On January 14, 2006, John Resig introduced a JavaScript library called jQuery at BarCamp in New York City. Now, 20 years later, the jQuery team is happy to announce the final release of jQuery 4.0.0. After a long development cycle and several pre-releases, jQuery 4.0.0 brings many improvements and modernizations. It is the first major …
It's here! Almost. jQuery 4.0.0-rc.1 is now available. It's our way of saying, "we think this is ready; now poke it with many sticks". If nothing is found that requires a second release candidate, jQuery 4.0.0 final will follow. Please try out this release and let us know if you encounter any issues. A 4.0 …
Last February, we released the first beta of jQuery 4.0.0. We're now ready to release a second, and we expect a release candidate to come soon™. This release comes with a major rewrite to jQuery's testing infrastructure, which removed all deprecated or under-supported dependencies. But the main change that warranted a second beta was a …
When it comes to crafting an article, the headline is crucial for grabbing the reader's attention and enticing them to read further. In this post, I'll explore the 7 types of article headlines and provide examples for each using the subjects of product management, user experience design, and search engine optimization. 1. The Know-it-All The […]
Product management is one of the most exciting and rewarding careers in the tech world. But it's also one of the most misunderstood and misrepresented. There are many myths and misconceptions that cloud the reality of what product managers do, how they do it, and what skills they need to succeed. In this blog post, […]
The role of a product manager is crucial to the success of any product. They are responsible for managing the entire product life cycle, from conceptualization to launch and beyond. A product manager must possess a unique blend of skills and qualities to be effective in their role. Strong strategic thinking A product manager must […]
Last week I helped the folks at ezSystems debug some APC problems they were having. The problems ended up being a 64-bit architecture problem (they have uber-fast Opterons) and the bug is now fixed in 2.0.3.
Today I received Python & XML from them (off my Amazon wishlist). Thanks guys!
On a side note, my wishlist seems borked. The list I get when I search on my email address or name is not the same one I can edit when I log into the site.
The 1st of April 2004 is coming to its end, and I guess it's time to summarize the recent April fools a bit. Not that I think anyone in the world believes in them, but some were quite funny:
1. Changes to case sensitivity in PHP.
Alan Knowles announced that PHP will change to the studlyCase API and will therefore break everything by changing established functions.
2. IBM takes over Zend.
I hacked together a little article about IBM taking over Zend to make PHP a competitor to Java.
4. PHP has been overtaken by Micro$oft.
Hmm... a little bit unreliable, given they had already been taken over by IBM this morning... Maybe one should first look at what others wrote...
5. And finally, PHP4 and 5 showed their real faces...
Take a look at a phpinfo() output!
I guess I missed some, so feel free to comment on this entry, if you found another!
Symantec have a report of the virus here. I've yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it. From examining the infected scripts, what's disturbing is once infected, every tim...