techcafeteria

Techcafeteria Blog

Drupal 101: More on Modules

Last week, I kicked off this series on setting up a basic web site with Drupal, the popular open source Content Management System. This week we’re going to take a closer look at Modules, the Drupal add-ons that can extend your web site’s functionality. One of the great things about Drupal is that it is a popular application with a large developer community working with and around it. So there are about a thousand modules that you can use to extend Drupal, covering everything from document management to payment processing. The good news: there’s probably one that supports the functionality that you want to add to your web site. Bad news: needle in a haystack?

A potentially easier way to add extra functionality to Drupal is to download a customized version, such as CiviCRM or Open Atrium. We’ll discuss those options later in the Drupal 101 series.

Core Modules

Drupal comes with a number of built-in modules that you can optionally enable. Some are obviously useful, others not so much. Here are some notes on the ones that you might not initially know that you need:

Primary content types like blog, forum and book offer different modules for user input. They can be combined, or you can pick one for a simple site. Since the differences between, say, a blog (individual journal that people can comment on) and a forum (topical posts that people can reply to) are less distinct than they are in other CMSes, you might want to pick one or two primary content types and then supplement them with more distinctive ones, such as polls or profiles.

Enabling contact allows your users to send private messages to each other on the site, as well as allowing you to set up site-wide contact forms.

OpenID allows your users more flexibility and control as to how they log into your site. I can’t see a good reason not to enable this on a public site. Since more and more people have profiles on social networking sites and Google, tools like Facebook Connect or Google Friend Connect should be considered as well.

By default, Drupal asks new users for a name and email, but not much else. With the Profiles module, you can create custom fields and allow your users to share information much as they would on a social network.

Taxonomy is also recommended, and I’ll talk more about that next week.

Throttle should be used on any high-traffic site to improve performance.

Use Trigger if you want to set up alerting and automation on your site.


Add-on modules, must haves:
CCK (Content Construction Kit)

More than some CMS’s, Drupal is a content-centric system. It doesn’t simply manage content, but the web interface is structured around the content it manages: content types, content metadata (taxonomies), content sources (RSS feeds). Out of the virtual box, Drupal has content types like blog entries, pages and stories. Each content type has a data entry form associated with it. So, if you create a number of stories, and you want to read them all, then you can browse to the page “story” and they’ll all be listed there. CCK helps you create additional content types and use a fairly robust form-builder to customize the screens.

Views

The Views module lets you customize the appearance and functionality of many of Drupal’s standard screens, and add your own. Unlike CCK, which is limited to the default layout of content types, Views lets you seriously customize the interface. One easy reason to install Views is to take advantage of the Calendar view, which gives you not only a full-page, graphical calendar to add events to and display, but also sidebar calendar widgets and upcoming event lists.

Here’s a tip: setting up the calendar view is reasonably tedious. The best write-up explaining it (for Drupal 6) is here: http://drupal.org/node/326061. Drupal’s documentation is okay, but this is step-by-step. It does miss one step, though, which is to add the “Event Date – From date” and “Event Date – To date” to the Fields listing (with friendlier titles, like “From” and “To”). Otherwise, calendar items show on the day they were submitted instead of the day that they are occurring.

There’s a good case to be made that these two modules should be folded into Drupal’s base package, because, in addition to providing very powerful customization features to the core product, there are a whole slew of additional modules that require their presence. If you plan to install a number of modules and/or customize your site, these are pretty much pre-requisites, so just grab and install them.

Contenders:

WYSIWYG Editors

What-You-See-Is-What-You-Get (WYSIWYG) editors, also called Rich Text Editors (RTEs), transform Drupal’s default data input boxes into flexible editors with Word-like toolbars. The WYSIWYG module lets you install the editor of your choice. I’ve done well with FCKEditor (recently rebranded CKEditor, thank you!). The WYSIWYG module lets you work with multiple RTE packages and strategically assign them to different fields and content types. Most RTE editors are very configurable, but note that, in addition to installing the modules, you need to install the editors themselves, so follow the instructions carefully.

Organic Groups

If you’re building a community site, with hopes of having lots of interactive, social features, Organic Groups gives you the flexibility to not only create all sorts of groups and affiliations on your own, but let your users create their own groups as well, much like Facebook does. For an interactive site, this is essential.

E-Commerce/Donations

Many modules are available for either integrating with Authorize.net or PayPal, or setting up your own e-commerce site. The aptly named e-Commerce module and Ubercart are among the better known and supported options.


Drupal fans: what modules do you recommend? Which do you install first? Leave your recommendations in the comments.

Next week, we’ll talk about menus, blocks and taxonomies: Drupal 101: Navigation.

Drupal 101

I’ve been doing a lot of work with the open source content management system Drupal lately, and thought I’d share some thoughts on how to get a new site up and running. Drupal, you might recall, got high ratings in Idealware’s March ‘09 report comparing open source content management systems. Despite its popularity, there are some detractors who make good points, but I find Drupal to be flexible, powerful and customizable enough to meet a lot of my web development needs.

While you can put together a very sophisticated online community and/or website with it, you can also use it for pretty simple things. For example, the nptech aggregator at nptech.info uses Drupal’s excellent RSS aggregation functions extensively, and not much else. No blog, no forums. But, having installed and tried standalone RSS aggregators like Gregarius, it became clear that Drupal was just as good an aggregator and, if desired, much, much more. Similarly, when co-workers were looking for a site to share documents with optional commenting (to replace an FTP repository), Drupal was a good choice to support a simple task without locking out growth possibilities.

Installation

Installing Drupal can be a three-click process or a Unix command line nightmare, depending on your circumstances. These days, there are simple options. If you are using a web host, check to see if your site management console is the popular cPanel, and, if so, whether it includes the Fantastico utility. Fantastico offers automated installs for many popular open source CMSes, blogs and utilities.

Absent Fantastico, your host might have something similar, or you can download the Drupal source and follow the instructions. Required skills include the ability to modify text files, change file and folder permissions, and create a MySQL database. At a minimum, FTP access to your server, or a good, web-based file manager, will be required.

If you’re installing on your own server, be aware that you’ll need to have PHP, MySQL and a decent web server, such as Apache, installed (these are generally installed by default on Linux, but not on Windows). If you use Linux, consumer-focused Linux variants like Ubuntu and Fedora will have current versions of these applications, properly configured. More robust Linux distributions, like Red Hat Enterprise, sometimes suffer from their cautious approach by including software versions that are obsolete. I’m a big fan of CentOS, the free version of Red Hat Enterprise, but I’m frustrated that it comes with an older, insecure version of PHP and only very annoying ways to remedy that.

Up and Running

Once installed, Drupal advises you to configure and customize your web site. There are some key decisions to be made, and the success of the configuration process will be better assured if you have a solid idea as to what your web site is going to be used for. With that clearly defined, you can configure the functionality, metadata, site structure, and look and feel of your web site.

  1. Install and enable Modules. Which of the core modules (the ones included in the Drupal package) need to be enabled, and what additional modules are required in order to build your site? This is the first place I go.
  2. Define the site Taxonomy. While you can build a site without a taxonomy, you should only do so for a simple site. A well structured taxonomy helps you make your site navigable; enhances searching; and provides a great tool for pyramid-style content management, with broad topics on one level and the ability to refine and dig deeper intuitively built into the site.
  3. Structure your site with Blocks. You can define blocks, assign them to regions on a page (such as the sidebars or header) and restrict them to certain pages. On the theory that a good web site navigates the user through the site intelligently, based on what they click, the ability to dynamically highlight different content on different pages is one of Drupal’s real strengths.
  4. Theme your web site. Don’t settle for the default themes; there are hundreds (or thousands) to choose from. Go to Drupal Theme Garden and find one that meets your needs, then tweak it. You can do a lot with a good theme and the built-in theme design tools, or, if you’re a web developer, you can modify your theme’s PHP and CSS to create something completely unique. Just be sure that you followed the installation suggestions as to where to store themes and modules so that they won’t get overwritten by an upgrade.

This just brushes the surface, so I’ll do some deeper dives into Drupal configuration over the next few weeks.

Pop Quiz: PCI Compliance

The credit card industry is doing the right thing by consumers and enforcing proper security measures regarding the handling of credit card information. You might have heard about this – a number of the popular vendors of donor databases are recommending upgrades based on their compliance with these regulations. The “Payment Card Industry Data Security Standard”, commonly known as PCI DSS, is a set of guidelines for securely handling credit card information. The standard has been around for about four years, but early enforcement efforts focused on companies with a high volume of credit card transactions. Now that they’re all in compliance, they’ve set their sights on smaller businesses and nonprofits. So, what does this mean? Here’s the simplest F.A.Q. that you’re likely to find on the topic:

  • Do you ever process online, phoned in, or mailed-in credit card donations in-house? e.g., do you maintain the credit card number, expiration date and name of a donor?

If no, you don’t have to worry about this.

  • If yes, do you have more than 20,000 such transactions annually?

Well, if you do, congratulations!  Most nonprofits don’t, so they qualify for level 4 of the PCI Compliance scale. That results in a Self Assessment Questionnaire (SAQ) Validation type of “4”.  Higher validation types are subject to stricter security standards.

The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures.  Do you have a firewall?  Are all of your transactions encrypted?  Do you use anti-virus software?  Is credit card information properly restricted to authorized staff?

Depending on your network, you might already comply with a lot of the requirements.  If you don’t, then it might require a significant investment to get there.

  • What will happen if I ignore this?

This isn’t government regulation (although your state might have laws in place that do mandate some similar response). Participation is mandatory. But, should your security be breached, two things will happen:

1. The compliance requirements for your organization will be reassessed to level one or two, and they’ll be much more costly and complicated to meet.  The credit card companies might decline to do business with you if you don’t comply.  Can you afford to not take Visa?

2. You will likely be indirectly fined for non-compliance.  The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard.  Your bank will likely pass that fine on to you.

  • So what’s the easiest way to deal with this?

Simple: don’t handle credit cards.  There are a number of services that, for a price, will do this for you, from Paypal and Google Checkout to CharityWeb and Blackbaud’s BBNow. Outsourced ECRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.

I’ll share that, at the Goodwill where I used to work, outsourcing wasn’t an option, because we were both a charity and a retailer. Our frustration was not that we didn’t have good security in place. It was that there were differences in how we had set up our security and the PCI DSS requirements. So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant. In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem. We also engaged a consultant. Once you are reasonably sure that you comply, then you must pay a security service to verify your efforts, another non-trivial expense.

Blackbaud has put together some good further reading on this topic (and they are one of the vendors whose latest software is compliant; ask your eCRM vendor!).
