In the modernised business world, our digital assets are one of our biggest investments. We need our digital assets to be built for the ultimate user experience: one that performs in usability, find-ability, speed and security, and one that simultaneously provides rich, personalised digital experiences.
In this presentation, Imon Hoque, CTO of Sitback Solutions, discusses key trends for technical marketers in Security and Personalisation of Drupal Websites.
Part 2 of 2.
Read more about this presentation, and find lots more information, over on our blog: https://blog.sitback.com.au/
Part 1: How to Optimise your Drupal Website for SEO and Accessibility
https://www.slideshare.net/Sitback-Solutions/how-to-optimise-your-drupal-website-for-seo-accessibility-part-1/
3. WHY IS SECURITY IMPORTANT?
Sitback Solutions
▸ Ensuring that your website or open web application is secure is critical.
▸ Even simple bugs in your code can result in private information being leaked.
▸ Bad people are out there trying to find ways to steal data.
8. Hosting
The process of renting or buying space to house a website on the internet.
What are the different types of hosting available, and what are their pros and cons?
13. Personalisation
Your website is fast, accessible and secure. Now it's time to tailor the experience for each individual customer to drive engagement, conversion and repeat visits.
14. PERSONALISATION
“A process that creates a relevant, individualized interaction between two parties designed to enhance the experience of the recipient.”
15. PERSONALISATION
“Personalisation is the act of tailoring an experience or communication based on the information you have learned about the individual.”
16. PERSONALISATION IN NUMBERS
90% of marketers believe personalisation is the future
48% of consumers spend more when their experience is personalised
74% of consumers get frustrated when content has nothing to do with them
Source: https://www.smartinsights.com/ecommerce/web-personalisation/types-ecommerce-personalisation/
17. PERSONALISATION TOOLS
INTERNAL TOOLS
▸ Custom code and modules to display alternative content based on user’s data.
EXTERNAL TOOLS
▸ Google Optimise
▸ Salesforce Experience Cloud
21. Drupal Acquia Personalisation
INTERNAL TOOLS
▸ Smart Content
▸ Custom code & modules to display alternative content based on user’s data.
EXTERNAL TOOLS
▸ Google Optimise
▸ Salesforce Experience Cloud
22. Get in Touch
Imon Hoque
CTO, Sitback Solutions
Imon.hoque@sitback.com.au
www.sitback.com.au
Editor's Notes
Welcome, everyone! Today, I will discuss and present some topics that are essential to be aware of for anyone involved with the web industry. The content is not tech-heavy, as the presentation is not purely focused on developers. So, I am hoping both technical and non-technical audiences will benefit and take away some helpful information.
Before I get started with the topics, I want to give a quick intro about myself: I am Imon, and I am currently working at Sitback Solutions as the CTO.
I have been lucky enough to work across multiple platforms for the last 20 years, and half of that was with different Content Management Solutions across .NET and PHP tech stacks. Out of all the different CMSs that I have worked with, Drupal is the one that I have used the most and is one of my favourites.
So, I will bring my two passions together in this presentation today – A Quality Web Solution and Drupal!
NEXT SLIDE
On average 30,000 new websites are hacked every day… A report in 2019 found that security breaches had increased by 67% over five years …
In 2021, some major security breaches include big names like Twitch.tv, LinkedIn, Swinburne University, Facebook, Northern Territory Health, Transport NSW
While there are some targeted attempts, in general attacks do not single out one site: the hackers have automated systems running which continuously probe all sites for vulnerabilities to exploit.
Sometimes you wouldn’t even know when your site has been hacked, which makes it impossible to restore it from a backup taken at a known-safe point in time.
Once a site has been attacked, it is very hard to remove the malicious code and be 100% sure that it has been completely fixed.
So, it is very important to be proactive rather than reactive when it comes to Security.
And most importantly, if a site has been hacked, it’s not only the data from the site that is stolen; there is also the possibility that the machines your users use to visit your site will be infected as well. This means your site will be considered unsafe to visit.
NEXT SLIDE
So, the focus of website security is to protect websites and web applications from being hacked or accessed without authorisation, and it is a central component of any web-based business. The global nature of the Internet exposes web properties to attack from different locations and at various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications and web services such as APIs.
Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can leak private information, and bad people are out there trying to find ways to steal data.
NEXT SLIDE
When thinking of the different aspects of web security, you can categorise them into two sections:
Internal – things that depend on your application’s code, such as access permissions and input sanitisation.
External – the infrastructure, which consists of the server, the network devices, etc.
NEXT SLIDE
As we are primarily focusing on Drupal today, I am not going to discuss the external items in detail. However, some quick wins from the external perspective are:
Ensure you are using a Web Application Firewall such as Cloudflare or Akamai, as it will act as the first point of defence and, more importantly, will mitigate the risk of Distributed Denial of Service attacks.
Ensure you are using an SSL certificate, and that all incoming HTTP traffic is redirected to HTTPS.
Ensure access to your database is not open to all; it should be restricted to the server hosting the web application.
Disable FTP access, as it is not secure enough.
Set up and use an automated deployment process that deploys directly from the code repository, so that access to the server is restricted and developers do not need to log in to it to deploy code updates.
Basically, try and limit access to your server as much as possible.
Now for the internal aspects, let’s check out what we have on the security front in Drupal.
NEXT SLIDE
First of all, if you are using Drupal, you have already taken one of the first steps of securing your website as you are using one of the more security conscious CMS platforms available!
With Drupal you can keep your site secure with some very basic activities:
First and foremost – always keep your Drupal core and contributed modules up to date. Usually a monthly review of the status and updates should do the trick. When you get a chance, check the Upgrade Status Report in your Drupal admin section; it will provide you with a detailed list of what needs upgrading. Anything in red means it has a security patch or upgrade available, so prioritise that.
One of the benefits of Drupal is the vast library of contributed modules. However, to be secure, you should try and use the modules that have a stable release, and are covered by Drupal’s security advisory policy.
Once every quarter review the permissions to be safe!
NEXT SLIDE
Here are some modules that I would like to recommend
Coder
Coder checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations for you with the phpcbf command from PHP_CodeSniffer.
Hacked!
This module scans the currently installed Drupal core, contributed modules and themes, re-downloads them and determines if they have been changed. Changes are marked clearly, and if the Diff module is installed then Hacked! will allow you to see the exact lines that have changed.
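The core check Hacked! performs, as an added stand-alone example (not the module's own code): hash every file under an installed module directory, compare with a pristine copy of the same release, and report what was modified, added or removed. The module name and file contents below are constructed.

```python
# Added example, not the Hacked! module's code: compare an installed module
# tree against a pristine download of the same release, file by file.
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(installed: Path, pristine: Path) -> dict:
    """Return relative paths that differ between the two trees, grouped by kind."""
    have, want = tree_digests(installed), tree_digests(pristine)
    return {
        "changed": sorted(p for p in have if p in want and have[p] != want[p]),
        "added": sorted(p for p in have if p not in want),    # not part of the release
        "missing": sorted(p for p in want if p not in have),  # release file deleted
    }


def demo() -> dict:
    """Build two constructed copies of a module in a temp dir and diff them."""
    base = Path(tempfile.mkdtemp())
    pristine = base / "pristine" / "mymodule"
    installed = base / "installed" / "mymodule"
    for root in (pristine, installed):
        (root / "src").mkdir(parents=True)
        (root / "mymodule.info.yml").write_text("name: My module\n")
        (root / "src" / "Controller.php").write_text("<?php\n// release code\n")
    # Simulate a modified install: one release file edited, one unknown file present.
    (installed / "src" / "Controller.php").write_text("<?php\n// release code\n// extra\n")
    (installed / "src" / "extra.php").write_text("<?php\n")
    return compare_trees(installed, pristine)
```

An unexpected entry under "added" or "changed" is the signal to investigate; the module's Diff integration then shows the changed lines.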
Password Policy
A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.
Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.
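The constraint semantics just described, as an added example (not the Password Policy module's own code): each constraint pairs a character-class test with a parameter, the minimum number of characters in the password that must satisfy it, and the password is accepted only when every constraint is met. The policies at the bottom are constructed; the first is the one from the text.

```python
# Added example, not the Password Policy module's code.
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Constraint:
    name: str
    predicate: Callable[[str], bool]  # true when one character counts toward it
    minimum: int                       # the constraint's parameter


def failed_constraints(password: str, policy: List[Constraint]) -> List[str]:
    """Names of constraints the password does not meet; empty means accepted."""
    failures = []
    for c in policy:
        matched = sum(1 for ch in password if c.predicate(ch))
        if matched < c.minimum:
            failures.append(f"{c.name}: need {c.minimum}, found {matched}")
    return failures


def is_accepted(password: str, policy: List[Constraint]) -> bool:
    return not failed_constraints(password, policy)


# The policy from the text: at least 2 uppercase letters and at least 4 digits.
TEXT_POLICY = [
    Constraint("uppercase", str.isupper, 2),
    Constraint("digit", str.isdigit, 4),
]
# Constructed extension: a length constraint is just a predicate every character satisfies.
LONGER_POLICY = TEXT_POLICY + [Constraint("length", lambda ch: True, 12)]
```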
Login Security
Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.
With Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms. Enabling this module, a site administrator may limit the number of invalid login attempts before blocking accounts, or deny access by IP address, temporarily or permanently.
A set of notifications by email may help the site administrator to know when something is happening with the login form of their site, for example -
password and account guessing,
brute force login attempts
or just unexpected behaviour with the login operation.
For alternative controls, Login Security can disable Drupal core's login error messages, obfuscating the reason for the login failure. This could make it harder for an attacker to discover whether the account even exists.
Flood control
Flood Control provides an interface for the hidden flood control variables that limit the number of failed login attempts, and an interface for site administrators to remove IP addresses and user IDs from the flood table.
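The behaviour the Login Security and Flood Control descriptions above share, as an added example (not either module's code): failed attempts go into a flood table keyed by IP address and by user name, an identifier is refused once it exceeds its limit within a time window, an administrator can clear an entry, and every failed login returns the same message so the response does not reveal whether the account exists. The user store, limits and clock are constructed for the demo.

```python
# Added example, not the Login Security or Flood Control module code.
import time
from collections import defaultdict

GENERIC_FAILURE = "Unrecognized username or password."
BLOCKED = "Too many failed login attempts; try again later."


class LoginGate:
    def __init__(self, users, ip_limit=50, user_limit=5, window=3600, clock=time.time):
        self._users = users                 # username -> password (plain text for the demo only)
        self._limits = {"ip": ip_limit, "user": user_limit}
        self._window = window               # seconds an attempt stays in the flood table
        self._clock = clock                 # injectable so the window can be tested
        self._flood = defaultdict(list)     # (kind, identifier) -> attempt timestamps

    def _recent(self, kind, ident):
        cutoff = self._clock() - self._window
        events = [t for t in self._flood[(kind, ident)] if t > cutoff]
        self._flood[(kind, ident)] = events  # expire entries outside the window
        return len(events)

    def is_blocked(self, kind, ident):
        return self._recent(kind, ident) >= self._limits[kind]

    def clear(self, kind, ident):
        """Administrator action: remove an IP or user from the flood table."""
        self._flood.pop((kind, ident), None)

    def attempt(self, ip, username, password):
        """Return (success, message); blocked identifiers are refused before any check."""
        if self.is_blocked("ip", ip) or self.is_blocked("user", username):
            return False, BLOCKED
        now = self._clock()
        if username in self._users and self._users[username] == password:
            self._flood.pop(("user", username), None)  # success resets the user counter
            return True, "Logged in."
        # Same message whether the account is unknown or the password was wrong.
        self._flood[("ip", ip)].append(now)
        self._flood[("user", username)].append(now)
        return False, GENERIC_FAILURE
```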
Automated Logout
This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customisable and includes "site policies" by role to enforce logout.
I am going to share a link from Drupal regarding security which has more information that you can review and implement!
Now that we have discussed securing the application, we move to the next topic, Hosting, which will house your application.
NEXT SLIDE
Broadly speaking you can categorise the hosting options in two – Infrastructure as a service and platform as a service
IaaS clients are responsible for managing aspects such as applications, runtime, OSes, middleware, and data. However, providers of the IaaS manage the servers, hard drives, networking, virtualization, and storage. Some providers even offer more services beyond the virtualization layer, such as databases or message queuing.
PaaS allows businesses to design and create applications that are built into the PaaS with special software components. These applications, sometimes called middleware, are scalable and highly available as they take on certain cloud characteristics.
IaaS offers many advantages, including:
The most flexible cloud computing model
Easy to automate deployment of storage, networking, servers, and processing power
Hardware purchases can be based on consumption
Clients retain complete control of their infrastructure
Resources can be purchased as-needed
Highly scalable
PaaS also offers numerous advantages, including:
Simple, cost-effective development and deployment of apps
Scalable
Highly available
Developers can customize apps without the headache of maintaining the software
Significant reduction in the amount of coding needed
Automation of business policy
Easy migration to the hybrid model
Which option is right for you will depend on various variables. However, at a high level, if you run multiple solutions and have highly customised infrastructure needs, Infrastructure as a Service will most probably be the best fit for you. But if your requirement is only to host a single application, with all other integration handled by communicating with third parties such as a CRM solution, a PaaS approach might give you the best ROI, because you don’t need to worry about maintaining the infrastructure and can simply focus on your application.
NEXT SLIDE
When it comes to Drupal, the obvious choice is Acquia, as it will provide you with the best-specialised platform for your Drupal site, and a portal that allows you to manage the setup with ease.
Besides it being the most optimised platform for Drupal and having a great management portal, it does take care of ensuring the platform is secure!
NEXT SLIDE
That’s really interesting and it’s great to see some people are already prepared!
For all those of you still on Drupal 7 – regardless of whether you have a plan for migration yet or not, here’s a cheeky hack to buy you some more time
And it won’t cost anywhere near as much as a rushed website upgrade!
If you migrate your D7 site over to Acquia hosting, they will extend the end of life period and provide the necessary security fixes up to 2025
That will buy you an additional three years if needed to plan and migrate your existing website!
I’m sure Jeff will be able to tell you more about this at the end of the session for anyone that is interested.
Once you have site performance, accessibility, security, and hosting optimised, the next step is to optimise the content by tailoring it for each individual user.
So, what is personalisation – it is a process that creates a relevant, individualised interaction between two parties designed to enhance the experience of the recipient.
In other words, personalisation is the act of tailoring an experience or communication based on the information you have learned about the individual.
The importance of personalisation is easiest to grasp when you think of your own experience as a consumer.
When you’re on a brand’s website, do you appreciate receiving personalised recommendations and offers?
How about content that is relevant to you, or related to a product or service you’ve recently purchased?
Like most consumers, maybe you’ve even come to expect it as an integral part of your online experience.
And that is why personalisation has become an integral and important part of website development and ongoing maintenance.
While it shouldn’t be an afterthought, it is not something you can always attempt as part of your initial launch.
However, you should plan to take into consideration the data you need to collect and the content you need to prepare.
So, the solution should be built to be able to accommodate personalisation, but the implementation can come later.
There are two approaches when it comes to personalisation – one where you use an external system like Google Optimisely, Salesforce Experience Cloud etc. to handle personalisation, or one where it is built as part of the website and the personalisation mechanism is handled within the system.
If you are using external systems, that system is integrated with your website, and you manage it via that external system.
For example, for the people’s choice website that we have recently built, the personalisation is handled by an external system (what is the external system?). We implemented the integration with the website, and the editors manage it via the external system.
An example of using the internal tool can be switching the banner image or certain information based on the user’s IP detection. We built a solution for a travel insurance company that operates in Australia and New Zealand. It used to display three banners – one for AU, one for NZ and one for visitors outside of Australia or New Zealand.
Personalisation can be also done for basic preferences. For example, for one of our clients, Century Venues, who run some of the biggest live music and comedy venues in Sydney, we had an event list displayed to visitors. The events belonged to multiple categories. Based on which category the user interacts with, we would store the data in session, and in the next visit, we would prioritise the events that belong to that category.
When it comes to Drupal personalisation, you can start small with the Smart Content Module
This module works great in conjunction with the other modules in its suite. The Smart Content module for Drupal 8 and 9 enables anonymous and real-time web personalisation. Site admins will be able to display different content for different user roles based on browser conditions. For example, you can display different content to a returning user, or optimised content to a mobile user. It uses conditions, evaluated on the client side, to decide what to show or hide. This module comes with the Smart Content Blocks and Smart Content Browser modules included.
As your requirements grow, to implement proper in-depth personalisation for a Drupal solution, Acquia Personalisation would be a good option as it integrates easily with Drupal.