Drupal core got replaced with Wordpress and no one noticed!

  • Rant

I'm pissed. I'm sad. This is such a low blow.

Do you guys remember the SA-CORE-2014-004 security fix from last year, August? A security issue was found and “jointly” fixed by the Wordpress and Drupal teams. Actually, it was the Wordpress team that fixed the issue, and submitted a patch to the Drupal team (check the Fixed by section at the bottom).

However, no one checked the contents of the patch.

It basically replaced the entire Drupal code base with Wordpress. It replaced the unit tests, so all flags would continue to show green, and added a small compatibility layer so modules would continue to “work”.

No one noticed. No one checked. And this got rolled out as version 7.31 of Drupal. Don't believe me? Just download Drupal 7.31 and you will see.

How could this happen

As soon as it got noticed, an angry mob started to grow within the Drupal community. Forum topics got quickly moderated — and some deleted — to prevent the frenzy from spreading, and the Drupal core team quickly rolled out version 7.32, which restored the Drupal code base.

This is, by far, the most humiliating episode of our community.

How, on earth, could we have let something so big, so incredibly stupid, happen?

It is a well-established fact that Automattic (the guys behind Wordpress) have a long-standing blood feud with Acquia (the major company behind Drupal). For years, the two companies have engaged in legal battles, paintball competitions that didn't end well and sneakily “stealing” core maintainers of the opposite side to work on the competing product.

But, for the last year, Automattic has been gaining the upper hand. Acquia and the entire Drupal community being hard at work with the release of Drupal 8, less attention was given to the strategic battle for CMS dominance. Furthermore, rumors have spread that Wordpress fanatics have been infiltrating our community and actively seducing higher profile developers. I wonder if this is one of the reasons Backdrop got created in the first place, but that is beside the point.

The point is, someone got corrupted — or stupid — enough to accept a patch from a major competitor, without checking it thoroughly. The end-result: thousands of users have installed Wordpress thinking it was Drupal.

Not a new trick

This is not the first time this has happened. A few years back, Automattic had been pulling off a similar feat, but at a much smaller scale. Many agencies had a home-grown CMS that they used for client work. Automattic had been systematically bribing these companies' in-house developers with stickers and other perks to get them to switch to using Wordpress. This strategy quickly paid off, as Wordpress rose to become the number 1 CMS used on the web within a few years.

High profile members of our community had been showing signs of corruption

It is only in hindsight that some odd behavior by our community “leaders” seems to carry a whole new significance. Crell (Larry Garfield), one of our community's most active standards evangelists, and a big defender of the Proudly Found Elsewhere movement within Drupal 8, had been hinting at adopting standards at a whole new level:

Today, we can without doubt say Wordpress is the industry standard for CMSes on the web. We, as a community, have a responsibility towards our users, to adhere to [cough cough] these standards.

Our very own Webchick had moved her up-until-now Drupal powered blog to Wordpress.com in the beginning of 2014.

Merlinofchaos had already begun renaming his Views modules to Views plugins in 2012, an obvious reference to Wordpress' terminology.

What to do

I myself am sick of this. I have already closed my Drupal account and shut down all my websites that ran on Drupal.

As of today, I'm officially moving to Joomla. You can find my profile here.

