Core themes

Drupal includes core themes, which customize the "look and feel" of Drupal sites, for example, Garland and Bartik.

The Color Module, introduced in Drupal core 5.0, allows administrators to change the color scheme of certain themes via a browser interface.

Drupal CMS

At DrupalCon Portland in 2024, Dries Buytaert called for the Drupal Community to create a new, modernized Drupal experience. The project was initially called Starshot and it was an effort to reframe how people think of Drupal. The project aims to deliver a more user-friendly and out-of-the-box version of Drupal, with a focus on ease of use, faster onboarding, and a polished default experience. In 2025, this project was launched as Drupal CMS. This represents a shift toward making Drupal more accessible to non-developers while retaining its powerful, flexible core architecture.

Drupal CMS includes a number of new artificial intelligence features. It also provides tools intended to support open-source, low-code and no-code development approaches.

Localization

As of September 2022, Drupal is available in 100 languages including English (the default). Support is included for right-to-left languages such as Arabic, Persian, and Hebrew.

Drupal localization is built on top of gettext, the GNU internationalization and localization (i18n) library.

Auto-update notification

Drupal can automatically notify the administrator about new versions of modules, themes, or the Drupal core. Two weeks later the Drupal security team released an advisory explaining that everyone should act under the assumption that any site not updated within 7 hours of the announcement was compromised by automated attacks. Thus, it can be extremely important to apply these updates quickly and usage of a tool like drush to make this process easier is highly recommended.

Database abstraction

Prior to version 7, Drupal had functions that performed tasks related to databases, such as SQL query cleansing, multi-site table name prefixing, and generating proper SQL queries. In particular, Drupal 6 introduced an abstraction layer that allowed programmers to create SQL queries without writing SQL.

Drupal 9 extends the data abstraction layer so that a programmer no longer needs to write SQL queries as text strings. It uses PHP Data Objects to abstract the database. Microsoft has written a database driver for their SQL Server. Drupal 7 supports the file-based SQLite database engine, which is part of the standard PHP distribution.

Windows development

With Drupal 9's new database abstraction layer, and ability to run on the Windows web server IIS, it is now easier for Windows developers to participate in the Drupal community.

A group on Drupal.org is dedicated to Windows issues.

Accessibility

Since the release of Drupal 7, Web accessibility has been constantly improving in the Drupal community. Drupal is a framework dedicated for building sites accessible to people with disabilities because many of the best practices have been incorporated into Drupal Core.

Drupal 8 saw many improvements from the Authoring Tool Accessibility Guidelines (ATAG) 2.0 guidelines which support both an accessible authoring environment as well as support for authors to produce more accessible content.

The accessibility team is carrying on the work of identifying and resolving accessibility barriers and raising awareness within the community.

Drupal 8 has good semantic support for rich web applications through WAI-ARIA. There have been many improvements to both the visitor and administrator sides of Drupal, especially:

  • Drag-and-drop functionality
  • Improved color contrast and intensity
  • Adding skip navigation to core themes
  • Adding labels by default for input forms
  • Fixing CSS display:none with consistent methods for hiding and exposing text on focus
  • Adding support for ARIA Live Regions with Drupal.announce
  • Adding a TabbingManager to improve keyboard navigation

The community also added an accessibility gate for core issues in Drupal 8.

Extending the core

Drupal core is modular, defining a system of hooks and callbacks, which are accessed internally via an API. This design allows third-party contributed modules and themes to extend or override Drupal's default behaviors without changing Drupal core's code.

Drupal isolates core files from contributed modules and themes. This increases flexibility and security and allows administrators to cleanly upgrade to new releases without overwriting their site's customizations. The Drupal community has the saying, "Never hack core," a strong recommendation that site developers not change core files. integrating with BPM portals, and more. the Drupal website lists more than 44,000 free modules.

Some of the most commonly used contributed modules include:

  • Content Construction Kit (CCK): Allows site administrators to dynamically create content types by extending the database schema. "Content type" describes the kind of information. Content types include, but are not limited to, events, invitations, reviews, articles, and products. The CCK Fields API is in Drupal core in Drupal 7.
  • Views: Facilitates the retrieval and presentation, through a database abstraction system, of content to site visitors. Basic views functionality has been added to core of Drupal 8.
  • Panels: Drag-and-drop layout manager that allows site administrators to visually design their site.
  • Rules: Conditionally executed actions based on recurring events.
  • Features: Enables the capture and management of features (entities, views, fields, configuration, etc.) into custom modules.
  • Context: Allows the definition of sections of site where Drupal features can be conditionally activated
  • Media: Makes photo uploading and media management easier
  • Services: Provides an API for Drupal.

Themes

, there are more than 2,800 free community-contributed themes. Themes adapt or replace a Drupal site's default look and feel.

Drupal themes use standardized formats that may be generated by common third-party theme design engines. Many are written in the PHPTemplate engine or, to a lesser extent, the XTemplate engine. Some templates use hard-coded PHP. Drupal 8 and future versions of Drupal integrate the Twig templating engine.

The inclusion of the PHPTemplate and XTemplate engines in Drupal addressed user concerns about flexibility and complexity. The Drupal theming system utilizes a template engine to further separate HTML/CSS from PHP. A popular Drupal contributed module called 'Devel' provides GUI information to developers and themers about the page build.

Community-contributed themes on the Drupal website are released under a free GPL license.

Distributions

In the past, those wanting a fully customized installation of Drupal had to download a pre-tailored version separately from the official Drupal core. Today, however, a distribution defines a packaged version of Drupal that upon installation, provides a website or application built for a specific purpose.

The distributions offer the benefit of a new Drupal site without having to manually seek out and install third-party contributed modules or adjust configuration settings. They are collections of modules, themes, and associated configuration settings that prepare Drupal for custom operation. For example, a distribution could configure Drupal as a "brochure" site rather than a news site or online store.

Architecture

Drupal is based on the Presentation Abstraction Control architecture, or PAC.

The menu system acts as the Controller. It accepts input via a single source (HTTP GET and POST), routes requests to the appropriate helper functions, pulls data out of the Abstraction (nodes and, from Drupal 5 onwards, forms), and then pushes it through a filter to get a Presentation of it (the theme system).

It even has multiple, parallel PAC agents in the form of blocks that push data out to a common canvas (page.tpl.php).

Community

Drupal.org has a large community of users and developers who provide active community support by coming up with new updates to help improve the functionality of Drupal. more than 105,400 users are actively contributing. Attendance at DrupalCon grew from 500 at Szeged in August 2008, to over 3,700 people at Austin, Texas, in June 2014.

Smaller events, known as "Drupal Camps" or DrupalCamp, occur throughout the year all over the world. The annual Florida DrupalCamp brings users together for Coding for a Cause that benefits a local nonprofit organization, as does the annual GLADCamp (Greater Los Angeles Drupal Camp) event, Coders with a Cause.

The Drupal community also organizes professional and semi-professional gatherings called meetups at numerous venues around the world.

There are over 30 national communities around drupal.org offering language-specific support.

By January 2023, The Drop Times became a Drupal-focused media outlet, highlighting stories of relevance to the Drupal community.

Notable users

<!--Only list users notable enough to have an article.-->

Notable users of Drupal include:

  • AMD
  • NBC
  • Nokia
  • Olympic Games
  • Rainforest Alliance
  • Smithsonian Institution
  • Taboola
  • TSMC
  • UNICEF
  • Universal Music Group

Security

Drupal's policy is to announce the nature of each security vulnerability once the fix is released.

Administrators of Drupal sites can be automatically notified of these new releases via the Update Status module (Drupal 6) or via the Update Manager (Drupal 7).

Drupal maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed with the most recent security advisories.

In mid-October 2014, Drupal issued a "highly critical" security advisory regarding an SQL injection bug in Drupal 7, also known as Drupalgeddon. Downloading and installing an upgrade to Drupal 7.32 fixes the vulnerability, but does not remove any backdoor installed by hackers if the site has already been compromised. Attacks began soon after the vulnerability was announced. According to the Drupal security team, where a site was not patched within hours of the announcement, it should be considered compromised and taken offline by being replaced with a static HTML page while the administrator of its server must be told that other sites on the same server may also have been compromised. To solve the problem, the site must be restored using backups from before 15 October, be patched and manually updated, and anything merged from the site must be audited.

In late March 2018, a patch for vulnerability CVE-2018-7600, also dubbed Drupalgeddon2, was released. The underlying bug allows remote attackers without special roles or permissions to take complete control of Drupal 6, 7, and 8 sites. Drupal 6 reached end-of-life on 24 February 2016, and does not get official security updates (extended support is available from two paid Long Term Services Vendors). Starting early April, large scale automated attacks against vulnerable sites were observed, and on 20 April, a high level of penetration of unpatched sites was reported.

On 23 December 2019, Drupal patched an arbitrary file upload flaw. The file-upload flaw affects Drupal 8.8.x before 8.8.1 and 8.7.x before 8.7.11, and the vulnerability is listed as moderately critical by Drupal.

In September 2022, Drupal announced two security advisories for a severe vulnerability in Twig for users of Drupal 9.3 and 9.4. That week, Drupal also announced a patch for the S3 File System to fix an access bypass issue.

See also

  • Backdrop CMS Drupal 2013 fork
  • List of content management systems

References

Further reading

  • Abbott/Jones (2016), Learning Drupal 8, England, Packt Publishing.