Entries Tagged 'Web'

The Decline of Drupal, or How to Fix Drupal 8

Prologue

Almost 4 years ago I wrote a controversial post entitled "17 Reasons WordPress is a Better CMS than Drupal" that caused me to be persona non grata among some of my prior Drupal friends.

But while some of the issues I mentioned have been addressed by the Drupal community, most of the issues remain in Drupal 7, and WordPress has continued to gain strength as a CMS.

Unlike almost 4 years ago, I’m now seeing many people replacing Drupal solutions with WordPress and the end users becoming happier. My team is even bidding on replacing a website so we can build a members-only private site to go with it after the Drupal developers have not been able to deliver on the private site for over 2 years.

The Impetus

What triggered me to write this post was that I was composing a long reply to a comment on the other post, and it became clear it would be better as a new post.

In the comment the commenter asserted:

With Drupal 8 coming up, I am sure the difference in number of users between Drupal and WordPress will come down.

However, I think that the commenter will find that the exact opposite happens. Why do I think this? I started college shortly before the IBM PC was released so I’ve seen enough computer industry history firsthand to know a bit about the patterns that repeat related to software platforms.

Will Drupal 8 grow Drupal’s User Base?

I highly doubt it, and I think there is strong evidence in the history of software platforms that would support my view. Those patterns I mentioned above indicate to me that the strategy of changing Drupal’s architecture in Drupal 8 will be a failing strategy.

Let me explain.

Fans Like Things As They Are

As with all software products and platforms that gain a notable level of success, Drupal 7 and earlier appealed to people who valued what Drupal had to offer. Some of those things include ease of end-user configuration and other things include hierarchical software architecture and the hook-based extensions mechanisms. Or at least those are what originally appealed to me in Drupal before I discovered all the downsides I explained in the prior post.

Now Drupal 8 promises to be a lot more "modern frameworks and platforms," adopting "modern PHP concepts and standards, object-oriented programming, and the Symfony framework." Now that sounds awesome, and on the surface should cause almost any Drupal fan to cheer.

But those stated aspects require a lot more programmer skill to work with, yet one of the things that appealed to a lot of Drupal users-cum-developers is that they did not have to understand object-oriented programming, nor modern frameworks and techniques. To quote Jennifer Lea Lampton:

Back in the day, Drupal used to be hackable. And by "hackable" I mean that any semi-technical yahoo (that’s me, btw) who needed a website could get it up and running, and then poke around in the code to see how it all worked. The code was fairly uncomplicated, though often somewhat messy, and that was fine. At the end of the day, it did what you needed.

Given that far fewer people have a high level of programming skill, many of those who do NOT see themselves as professional programmers do not want to improve their coding ability; they would rather just focus on their chosen career, where Drupal is only a tool to help them.

So Drupal 8 will be alienating all those users and they will feel abandoned. Or as Ms. Lampton says:

Today, the majority of the people in our Drupal Community aren’t CS engineers. They are self-taught Drupal experts, people less technical than myself, and people who can get by using this awesome software we’ve developed to help make their lives easier. What is the transition to Drupal 8 going to be like to them? Well, I asked some non-core developers, and I didn’t like what I heard.

A lot of professional Drupal developers already have exit strategies.

And my guess is that most of those alienated users and new users who would have otherwise chosen old Drupal will move to WordPress.

But Pros Want to be Pros

And on the other end of the spectrum are those who DO see themselves as professional programmers, and those people (almost) always want to increase their coding skills. They will start asking themselves why they are working on a platform (Drupal) that still has lots of "impurities" when they could just move over to a "real" framework such as Symfony or even Rails or Node.js, and not have to deal with all the legacy issues of Drupal.

Or as Ms. Lampton continues (emphasis on WordPress mine):

They may even have a day job building or maintaining Drupal 6 and/or Drupal 7 sites, but they go home at night and study Ruby, Node.js, Angular.js, even some are looking into WordPress. They want to be "out" before they have to learn Drupal 8. These are smart, capable people, who I’m sure - if they wanted to - would be able to pick up Drupal 8. So, why are they leaving? Because Drupal 8 has become different enough that learning it feels like learning something new. If they are going to invest in learning something new, why not Ruby, or Node.js, or something else?

What Visual Basic’s History Can Teach Us

What makes me think the above scenario is likely? Because I saw it happen with Visual Basic and C#. Visual Basic pre-.NET was easy to use and became arguably the world’s most widely used programming language for a time. But it was an ugly language with many inconsistencies and was very limited in what it could do compared to C++, so it was always looked down on by "real" programmers, ignoring how Visual Basic empowered so many people who never would or could develop using C++.

So Microsoft envisioned a "better" way; a .NET platform on which both Visual Basic and a new language called C# would live making Visual Basic a "proper" programming language, almost on par with C+.

Fast forward to today and what happened was that those who valued Visual Basic’s simplicity continued to use the old Visual Basic (for a while), abandoned it for other tools that were easier, or just quit developing and focused on other parts of their career.

Those who wanted to become better professional programmers asked themselves "why stay with VB?" so most everyone just moved up and over to C#. This migration effectively killed off what 10 years ago was the most popular programming language in the world.

And I believe a pattern similar to the Visual Basic decline will occur with Drupal starting at version 8.

When Upgrades are Challenging People Evaluate Options

And then there are those who will stick with their current version of Drupal until they can no longer maintain the solution and still get the evolving solutions they need for web and mobile.

At which point these people will be faced with a choice: migrate to the newer Drupal, or migrate to a different platform? And given how little interest the Drupal core team places in 1.) "Being backward compatible" and 2.) "Creating an interface that is usable for end-users" the choice will often not be "Move to newer Drupal."

True Believers will be True Believers

Of course there will still be people who love Drupal 8. And unlike proprietary software such as Microsoft’s, Drupal 8+ will continue to exist as long as a group exists who are passionate enough to maintain it. But I am almost certain Drupal’s market share will drop significantly and lose most of it to WordPress (which BTW won’t make that much difference to WordPress’ marketshare, by comparison.)

Don’t Mess With My Status Quo!

And this being the open-source world, Drupal has already been forked, and the fork is called Backdrop, from the same Ms. Lampton quoted above as well as Nate Haug. Assuming Ms. Lampton and Mr. Haug and team execute at least reasonably well, then some of the more fervent believers in "Drupal Classic" will move over to Backdrop, and Drupal 8 will lose more marketshare from yet another source.

But Backdrop will almost assuredly never be more than a footnote because it won’t have the marketing muscle in IT shops that Acquia has, and IT shops have been the primary drivers of Drupal adoption from best I can tell looking in from the other side. And Backdrop being a fork won’t have the 10+ years of supporting organization that Drupal now has. Plus, Backdrop has an unknown brand at this time and building up that brand will take time.

Old Doesn’t Inspire, It Just Fades Away

Given that Backdrop is basically a stake in the ground to avoid evolving, Backdrop is highly unlikely to become "the hot new thing" but will instead be like FoxPro, which for years after Microsoft acquired it was "a user base Microsoft could not grow and Microsoft could not kill"; that’s a direct quote from a former marketing manager at Microsoft.

The Shrinking Girth: Traveling Up the Pyramid

So Drupal 8 will be pushed by Acquia into IT shops, but it will be used by an increasingly narrow user base until the user base becomes so small that Acquia can no longer survive.

This long tail may take a really long time, but I am certain it is inevitable, unless of course Drupal/Acquia/Dries change strategy.

What SHOULD Acquia/Drupal Do Instead?

So here’s where I’ll divert from my criticism of Drupal and advocacy of WordPress; I’ll actually recommend what I think Drupal/Acquia/Dries should do and how they could potentially grow their business even if they do not catch WordPress in marketshare.

Announce that Drupal 8 Will Be "Drupal 7 Enhanced"

Dries Buytaert should do an about-face and announce that Drupal 8 will NOT be based on a new architecture but will instead simply be an enhanced Drupal 7, much like the about-face Tim Berners-Lee famously did when he announced XHTML was no longer the future of the web.

Adopt the Backdrop Team for Drupal 8 and Beyond

Dries should then work with the Backdrop team and any of the Drupal 8 team who want to continue the status quo albeit with evolutionary improvements, much like how Merb broke off from and was later merged back into Ruby on Rails.

Further, adopt a no-breakage policy for future Drupal releases and work to ensure backward compatibility so that people are not forced into painful upgrades if they do not want to invest a significant amount into redevelopment. Learn from WordPress how to evolve without introducing breaking changes.

Announce a New CMS Called "Acquia"

Then, take all the ideas and lessons learned with Drupal that were destined for Drupal 8 and create a clean from-the-ground-up implementation of a next generation CMS targeting those who would rather program at the level of a framework but prefer to have more of the features needed for content management ready-built and available so as not to require people to reinvent the wheel.

Launching an Acquia CMS would have the benefit of being new in a way that could appeal to more than just the existing Drupal user base that does want to level up but not abandon Drupal. And Acquia is already a very strong company that has a stellar enterprise sales and support team so they would be in a great position to market a new CMS, and launching it would give them a stronger offer to sell to and support for their customers.

Acquia CMS could become the better alternative to Symfony that offers more functionality without all the legacy cruft of Drupal instead of Symfony being viewed as the better alternative to the Drupal CMS that carries so much baggage which is where I think things are headed.

Give Developers Something NEW To Adopt

And this branding is not just for technical improvements, it’s more important for positioning reasons.

Acquia CMS could have none of the negative associations developed by prior users of Drupal. Acquia CMS would be free to address all the problems I outlined in my prior blog post. And Acquia could once again become the CMS mindshare leader, a position that Drupal previously held IMO.

But Wait, Don’t Listen to Me!

If Drupal/Acquia/Dries does follow my advice, it would probably mean that I’d lose opportunities to work on certain future projects. The type of work I do with WordPress is most often competitive with Drupal in the minds of the stakeholders deciding the platform the project will use. So I really hope they do not listen. :)

But hell, if they do follow this advice I would evaluate Acquia CMS and might even consider using it instead of WordPress in the future.

But really Dries if you are listening, please don’t! I’m currently really happy with the progression of WordPress and doing this would just throw a monkey wrench into my future works.

So nothing to see here; just carry on as planned. Nothing to see. :)

UPDATE

In the first version of this post I incorrectly referred to the fork as "Backstory", not "Backdrop", and I did not include a link to the Backdrop website nor mention Nate Haug. I have corrected the post.

Thanks to commenters Doug Vann, Brian and Jen Lampton for pointing out my error.

Why REST is More Like Religion than Most Technologies

As someone whose entire career has been involved with technology platforms, and specifically programming platforms in some form or another, it’s clear to me something which is obvious to most patient observers: that adherents of a particular technology platform tend to become very “religious” about it.

Advocates of a specific technology platform are known to rather vigorously proselytize and defend their technology platform of choice, and they are also known to call out “blasphemy” (as they see it) against their technology platform. I guess it’s just human nature to gravitate to concepts and communities and to then defend them from perceived outside attackers. I myself have at times been among the technology platform devout over the years though I do try my best to keep it in check.

But I’ve noticed that the concept of RESTfulness in Web APIs has a religious tenor that is beyond what I’ve observed elsewhere. This post’s goal is to explain what I’ve perceived. As you read, note that I make several points along the way that seem unrelated, but I bring them together at the end.

Well-Known Founders

Many technology platforms, while possibly having a single founder, are promoted by companies, and over time their marketing and promotion tend to minimize the founder’s visibility among its adherents, such as Windows, Java, .NET, Zend Framework, Sitecore and ExpressionEngine to name some commercial examples.

Yet other technology platforms have a single visible founder and they tend to be open source, for example: Linux, PHP, Python, Ruby on Rails, Drupal and WordPress to name just a few.

Like these mentioned open-source technology platforms, REST also has a well-known founder, Dr. Roy Fielding, who named and defined REST in chapter 5 of his doctoral thesis, titled Representational State Transfer (REST).

Architectural Style vs. Platform

Now if Dr. Fielding reads this post I’m sure he would first object to my associating REST with Platforms; he has made it clear on numerous occasions he considers REST to be an Architectural Style and not a Platform.

That’s fine and I don’t disagree in the least, but I’m associating them because they share at least one (1) attribute. Few (if any?) architecture styles have emerged that are the result of one man’s PhD definition, as far as I am aware. And that has ramifications that caused REST to be treated by its adherents more like a software platform than a lower-level architectural style.

Requirements and Constraints

Unlike most technology platforms, which are often not focused on the rules of how to use them properly, REST is instead a prescription for the requirements and constraints a system must follow. In other words it’s about both what you must and what you cannot do (in order to be considered RESTful).

Potential critics of this post might point out that that is the point of an architectural style. But this style has engendered a level of religious fervor, similar to that seen around technology platforms, that I’m not aware of any other architectural style receiving, at least not lately.

The Good Book

And this prescription for must and must not is where REST starts to look a lot more like a religion than most technology platforms. The Torah, the Bible and the Koran, for example, they are all written works that prescribe correct and incorrect behavior among their faithful. Similarly Roy’s thesis defines what is and what is not correct among the REST faithful.

God and the 10 Commandments

While most technology platforms that have a visible founder see the founder actively involved in evangelizing, writing about, and shepherding their platform on an ongoing basis, Dr. Fielding has pretty much been an absentee founder. In the earlier days of the web he was active on W3C and related mailing lists, and he wrote a seminal post clarifying (especially in his reply to comments) that REST APIs must be hypertext-driven. But since then Dr. Fielding has been conspicuously absent when any of the debates regarding the application of REST have emerged.

In many ways Roy has been for REST like the God of the Old Testament; he spoke to the people in the early days and wrote his “commandments” in the form of his thesis, but since then the faithful have only had his thesis and that one blog post to clarify the meaning of REST.

Disagreement and Debate

Today, fourteen (14) years since Roy’s thesis and six (6) years after his seminal post on REST, disagreement and debate rage on regarding RESTfulness and Web APIs, its relative usefulness, the level of RESTful purity required, and especially as it relates to one specific constraint: HATEOAS.

I’d link to specific debates but there are so many yet few epic or seminal debates so it’s hard to pick just one. But I can link to several conferences and mailing lists where you’ll find these debates and mentions of REST-related debates on blogs across the web:

The primary things you’ll find among these debates are disagreement on the role of hypermedia and an assertion, permeating much of the dialog among the most fervent, that most other people building APIs “don’t get it” and “are doing it wrong.” On the other hand there appears to be very little agreement on how to do it right, at least when it comes to specifics.

I will say that I do tend to agree with those debating that most people do not get it and that they are doing it wrong because parts of REST are not easy to fully understand so it’s very difficult to be sure of what exactly “right” is. And why is that?

Exegesis

It boils down to this. There’s little disagreement about who gets to define REST; everyone (I know of) points to Dr. Fielding as being authoritative and his writings canonical. REST was defined by this one (1) man who wrote down its specification in an academically defined manner sans examples, and then briefly clarified it in one (1) blog post with follow-up replies to questions for about two weeks after.

Since then the REST faithful have been left to interpret what REST means on their own much like the process of Exegesis related to religious texts.

And like religious movements, REST has a good many people who have taken it upon themselves to explain the meaning of The Good Book and the intentions of its founder. Without Fielding actively participating and making judgements on these debates, who has the authority to declare who is right and who is wrong?

What if God was One of Us?

Imagine if God had decided to hang around all these years and intervene on the topic of religious debates? Imagine how much less contentious religion would be?

In that vein, I leave you with this joke from Emo Philips as hopefully an appropriate analogy:

Once I saw this guy on a bridge about to jump.

I said, “Don’t do it!”
He said, “Nobody loves me.”

I said, “God loves you. Do you believe in God?”
He said, “Yes.”

I said, “Are you a Christian or a Jew?”
He said, “A Christian.”

I said, “Me, too! Protestant or Catholic?”
He said, “Protestant.”

I said, “Me, too! What franchise?”
He said, “Baptist.”

I said, “Me, too! Northern Baptist or Southern Baptist?”
He said, “Northern Baptist.”

I said, “Me, too! Northern Conservative Baptist or Northern Liberal Baptist?”
He said, “Northern Conservative Baptist.”

I said, “Me, too! Northern Conservative Baptist Great Lakes Region, or Northern Conservative Baptist Eastern Region?”
He said, “Northern Conservative Baptist Great Lakes Region.”

I said, “Me, too! Northern Conservative Baptist Great Lakes Region Council of 1879, or Northern Conservative Baptist Great Lakes Region Council of 1912?”
He said, “Northern Conservative Baptist Great Lakes Region Council of 1912.”

I said, “Die, heretic!” And I pushed him over.

P.S. Credit for Inspiration

This entire post was inspired by Nick Kallen’s comment on Roy’s blog post about REST and hypermedia. His comment starts with this (emphasis mine):

I had a hard time with the writing in this article; I don’t normally perform exegesis on blog posts. Am I interpreting this correctly?

The Web Needs You To… STOP BLOGGING!

Well, that was an incendiary title. On purpose.

Now that I have your attention, let me say that I don’t literally mean “stop blogging”, I mean to object to the meme that seems to have overtaken the zeitgeist of too many lately. The “You Should Blog Every Day” meme. Here are some of its advocates:

As an aside I think somehow the folks at WordPress.com must have used subliminal messaging on their platform to encourage blogging addiction and thus, for them, revenue growth. But I digress…

What’s Wrong with Daily Blogging?

If you’ve read (any) of the posts above you’ve read glowing prose about how and why you should post daily, but none of the counterpoints. Just as we wouldn’t appreciate our neighbors leaving their trash bags on their lawn why do so many people champion other people to churn out non-stop pablum? Where in anyone’s good book has this endeavor been canonized as a virtue?

Lacks Depth

Daily posts are rarely more than opinion, and from what I’ve seen are usually without significant research, or links to related information on the topic. After all, who has the time for any of that when posting daily?

Adds High Noise, Low Signal

Publishing daily adds to the total amount of information out on the web. Let’s just say only 1% of US Citizens, let alone the rest of the world, followed the “Blog Every Day” meme; together they would produce 1 trillion posts/year! Do we really need that much more low-information content to contribute to overload on the web?!?

More is Not Better

Daily posts focus on volume and not excellence. Unless you are one of those extremely rare prolific individuals who can blog daily and write high quality content (and those people are usually known as “professional journalists”) then posting daily is just setting one’s self up for #fail.

Not that you won’t be able to be successful at daily posting, you might, but is daily posting really more beneficial than writing a much higher quality post less frequently?

No Time for Greatness

Similar to the previous, people who blog daily set themselves up on a treadmill after which they’ll likely never have time to write a truly epic post. Some of the best and most valuable posts I have read on the web have been long form posts that clearly took more than a day to write. Few daily posts ever gain continuous linkage, at least not from what I’ve seen.

Why Should You Not Want to Blog Daily?

Besides the reasons above not to blog daily, what about selfish reasons for not blogging daily?

Busy People Will Tune You Out

Although I can’t say it’s a completely valid indicator, busier people seem to be the ones who accomplish more. As such, they are a higher value audience most of the time. If you post daily you’ll likely overwhelm people who want to consume your content but simply cannot handle the volume.

Expect More of Yourself

The first question to ask yourself is “What else could you be doing with your time?” If you spend only an hour a day blogging that’s over 9 weeks full time for a year; could you not achieve something better than a slew of blog posts?

If you are a programmer, for example, why not build and release an open-source project? If you are a venture capitalist, why not take more meetings with entrepreneurs or use your network to help your existing investments more? If you are a social media maven (really? seriously?) maybe you could use your time to research all the emerging tools for tracking and analysis.

In other words, envision a BHAG project you could complete rather than just writing a new blog post every day. If John F. Kennedy had rallied US citizens around all journaling daily instead, would we ever have made it to the moon?

You Are Competing with Millions

If you are blogging about anything that is not highly unique, you are competing with millions.

Consider if you were paid your effective hourly rate for the time you spend blogging; would you invest that money in lottery tickets if you had it in your bank account? If not, why would you compete for the attention of people against so many others who are blogging too?

Life is Too Short

One of the mantras regarding daily posting is that you have to train yourself and develop discipline, which means that for most people blogging daily is just not fun. Why put yourself through that unless you are really going to benefit greatly from it?

But What About the Benefits?

Reading through all of the posts listed above about why you should blog each day it seems that the primary benefits stated are these, paraphrasing of course:

  • Increasing your blog traffic
  • Readers expect it
  • Developing habits are a key to success
  • Establishing yourself as an expert
  • Exercising your “Writing Muscle”

Let me tackle these one-at-a-time, in reverse order:

Exercising your “Writing Muscle”

That’s probably the best reason listed, and I agree. Except.

If it is really important to you to become a better writer, then yes, write every day. But you don’t have to push the “Publish” button, at least not for your public blog. Here are strategies that you could use instead that would exercise that muscle just as much:

  • Write a portion of a longer blog post, and do it every day.
  • Create a Facebook page and write posts for it daily.
  • Write a private journal daily. If you really need/crave feedback, invite friends to access it. But publish your best work less frequently on your blog.

Establishing Yourself as an Expert

This is another good reason. But a weekly blog can be just as successful at establishing your expertise, if not more so.

Look around at some of the leading experts you know via their blogs; how many of them blog daily? I’ve listed at least one below, Mark Suster. His expertise is well established, but he doesn’t blog daily unless he has something to blog about.

Developing Habits are a Key to Success

Agreed. But do you really need to blog daily to develop habits? Aren’t there other habits that can generate a better return in your life? (exercise, to name one?)

Readers Expect It

Sorry, this is just rationalization as far as I’m concerned.

When I was young my father told me:

“Don’t worry what others think; they think about you about 1/1000th as often as you think about yourself.” Similarly, most people don’t wait with bated breath for you to generate yet another post.

As for the few people who do tell you they wanted you to blog more (search for “Loyal Readers Crave More Content”) they are just feeding your confirmation bias compared to the majority of your visitors.

Increasing your Blog Traffic

Really, it comes down to this.

Yes, blogging daily is about driving more traffic to your blog, nothing else. And sadly, it works.

If your primary goal is to drive more traffic to your blog but not necessarily higher quality traffic, and the other reasons for not blogging daily are of no concern to you then more power to you. Just please don’t try to fool yourself or convince others that your daily blog ritual is for any other person than yourself.

Sorry to be harsh, but I haven’t seen anything that has given me evidence to believe there’s any other reason for it than self-promotion, and in some cases even narcissism. Maybe you can convince me otherwise in the comments below?

Are There Exceptions?

Of course there are exceptions. The ones who should daily blog (well, actually “write daily”) are professional journalists, you know people who get paid to write daily, and especially those who write news stories, which by definition require daily writing.

Also, anyone who generates highly unique content, such as content about their own company’s products or services could possibly benefit from daily blogging, especially if they have internal content developed by others from which to draw upon.

Effectively anyone who is likely to write content that nobody else is going to write could be forgiven for blogging daily. But even then, less frequently per author is better because then they have the time to write higher quality posts.

Information Overload Redux

When I was in college and learning to love programming computers there was one (1) monthly magazine that covered the programming language I was learning at the time. Each month I would read it cover-to-cover several times, and anxiously await the next issue to start again.

Today, thinking of programming for WordPress, I could spend every waking minute reading good quality articles that would be somehow relevant and informative regarding my current chosen profession. But to find the good articles I’d have to sift through the other 90% that were published just for publishing’s sake, the ones that are little more than noise.

Simply put, blogging daily exponentially increases the amount of noise on the web. And that’s really not good for (the users of) the web, or humanity.

Bloggers I Wish Didn’t Post Daily

Speaking of daily bloggers, here is a short list of people who I really respect and admire and who I would love to see write some truly epic posts inspired by their knowledge and experience. Unfortunately each day I typically find a mediocre post, albeit occasionally a few almost good ones. But (almost?) never do these people produce really great posts.

Fred Wilson of AVC.com

Fred <@fredwilson> is known as the VC who has funded some of the most visibly successful Internet startups in the past decade. He blogs daily, and I get an email containing his daily posts. Given his daily blogging schedule and all of his other obligations and evident success, I am constantly amazed at how good his posts are.

But more than being amazed, I’m also disappointed because he never blogs long form or in-depth. I know he has great knowledge and experience to share, but I never really feel like I’ve learned something after reading Fred’s blog posts, I just feel like I’ve been kept up to date.

Now Fred’s blog has generated an incredibly active community of commenters. Many of the frequent commenters are well-known and successful people in the startup world, but I am constantly amazed at how much time these people can spend commenting on Fred’s blog in a day. It flabbergasts me, frankly.

Fred’s blog uses Disqus for commenting, a company he has invested in but one where I find product usability very lacking, other than that I do really like the ability to edit the typos in my comments, which you can’t do on most blogs. The reason I mention this is that as soon as I comment on Fred’s latest blog I am inundated with about 250 emails that day because Disqus emails me every comment, not just replies to my comments, and Fred’s blog overflows with comments. This is clearly good for Fred’s personal branding and provides him with a posse of people he can ask for help, but then if Fred wasn’t an uber-successful VC I doubt he would get the same following from his daily blog.

After all, people are attracted to where the money is…

David Cummings on Startups

David <@davidcummings> is an incredibly talented individual. He’s a “local boy done good”; he built and then in late 2012 sold Pardot for $90 million to ExactTarget, which was then sold to Salesforce.com. Almost immediately after he purchased a 100,000 SQFT building in Buckhead, Atlanta’s prime real estate market, a.k.a. where old money lives and new money parties.

David christened his new Buckhead facility Atlanta Tech Village, now home to 100’s of startups. He has become a well-known ambassador in town for high tech startups and has received the attention of the USA Today, the Mayor of Atlanta Kasim Reed, the Atlanta Journal/Constitution, Atlanta’s Creative Loafing, InvestAtlanta, the Metro Atlanta Chamber of Commerce and more.

I think 20 years from now Atlanta will look back at David as the father of Atlanta’s High Tech Industry Boom, or something similar. When I tell people about David who don’t know of him I say he is Atlanta’s future equivalent of Brad Feld re: Boulder, Colorado.

CLEARLY David is amazing, one of the best business thinkers in Atlanta. And he blogs daily, and yes I get an email for every one of his posts. Unfortunately David’s posts are short and rarely ever better than a high-level outline of some topic that he has clearly queued up for the day. I receive his post via email, like clockwork, around 10pm every night.

David has so much value to share, and he obviously devotes the time to sharing. But unfortunately David’s choice of daily blogging means that he rarely if ever (has the time to) write a really valuable, in-depth post that leverages his profound knowledge, experience and expertise. For example, David frequently mentions the importance of establishing a great company culture but he’s never blogged anything that helps a would-be entrepreneur know how to establish a great culture in a startup.

Such a shame, really.

Tom McFarlin

Tom <@tommcfarlin> is one of the sharpest guys in the WordPress space, if not the sharpest WordPress guy I know personally.

Tom is also incredibly prolific. He blogs nonstop it seems, constantly writes for Envato, he’s written numerous plugins listed on WordPress.org, he gets profiled frequently, he was a partner at 8Bit which used to sell the Standard Theme he helped develop, and he was a contributor to their WPDaily blog, which is no more.

Anyway, I tried to follow Tom’s blog for a while and periodically he had some incredibly valuable posts. Unfortunately they were interspersed with numerous opinion and/or low information posts many of which generated a lot of comments but few if any dispensed any real usable knowledge, at least for me. It’s as if he set himself a goal to write daily, so by gosh that’s what he is going to do.

Sadly, I had to unsubscribe because the noise-to-signal ratio was just so high. And that made me sad, but I had to do it.

Honorable Mention: Eric Mann

I got to know Eric <@ericmann> during the time I was actively involved in moderating and answering questions on WordPress Answers. While I learned that Eric is a very bright WordPress developer with lots of relevant experience and a great ability to explain answers to WordPress questions in writing, what I admired the most about him was how even-keel he was when interacting with others on the web. Never did I see Eric involved in a flame war (unlike me, unfortunately) nor have I ever witnessed him talking down to someone online, a behavior that otherwise runs rampant online, especially in certain open-source circles. Eric really has my respect.

And when Eric blogs a how-to article about WordPress, it’s usually well worth reading, at least for me. I know Eric has interest in writing a novel, and recently it seems Eric has decided to blog every day (if I misunderstood Eric, please forgive.) My criticisms are not of his posts so much as of the knowledge that he wants to blog daily, and I fear we’ll see more quantity and less quality.

As an aside, it was actually that comment exchange which triggered me to finally write this post rather than just repeatedly think this sadness I feel when faced with the daily blogging of others who blog posts I would love to read, albeit not daily.

Awesome Bloggers Who Don’t Post Daily

Conversely, here are a few of my (current) favorite bloggers. They seem to only post when they have time and inspiration, but their posts are almost uniformly excellent. When I think of these people I don’t think of how much pablum they have churned out, I only think of how much I am in awe of them.

Mark Suster of Both Sides of the Table

Mark’s <@msuster> blog tagline is “Entrepreneur turned VC” and his experience just exudes from his posts. From my perspective Mark is a VC on par with Fred Wilson albeit he’s not been a VC as long thus he hasn’t had the time to rack up an equivalent number of successes. But like Fred he writes for entrepreneurs’ benefit and is clearly not a VC who thinks the best way to win is to take advantage of startup entrepreneurs. Both he and Fred write as if the best entrepreneur-VC relationship is a win-win relationship, and that’s why I think both of them have gained so much attention.

Whenever one of Mark’s posts arrives in my email I think “I need to make time to read that, because I know it will be worth reading.” And 9 times out of 10, it is relevant to me and my interests in startups and provides me with significant insight or understanding that I would struggle to find published elsewhere.

Kudos to Mark, he’s my favorite blogger and I would love to have the opportunity to meet him in the future under circumstances where I have something of benefit to offer him.

Price Intelligently

I don’t know who actually blogs for Price Intelligently <@priceintel> but their posts are almost consistently excellent. They blog more frequently than Mark Suster, which surprises me as they are able to keep up the quality, but if you care about optimizing pricing for a SaaS then this is a must-read blog.

And I’m really glad they don’t try to do the daily thing.

April Dunford of RocketWatcher

Contrary to the rest of this post, I really wish that April <@aprildunford> would blog more. I think she’s like me; she’ll get a burst of inspiration and write a few posts, and then she’ll get busy and 6 months will have gone by with no new posts.

I don’t know April well but she’s got a startup marketing blog, and it’s excellent. When she posts.

Nuff said.

At Least I’m not the Only One

Finally it seems these people agree with me, at least somewhat:

One Final Takeaway

So if you are contemplating the development of a daily blogging habit, please consider this the summarization of the above:

  • Choose Quality Over Quantity

 

-Mike

P.S. I do get the irony of my blogging on this topic. But since it’s contrarian in nature I think it counts as unique. One thing’s for sure; I could not write posts like this every day.


Proposal - Securing the WordPress JSON API

I was recently added to the WordPress API team and this post contains my thoughts about the recent authentication discussion.

WordPress has a reasonably robust authentication system built in (the username and password system), and it would be possible to use it along with Basic Auth to allow for API authentication. Please forgive any typos in advance; this was long and I didn’t really have the time to fully proof it.

Authentication, Identity and Authorization

While Authentication is very important there is also Authorization to consider. Here’s a nice blog post from Apigee on the difference between three (3) terms: Identity, Authentication and Authorization (IMO Apigee are the leading experts on web API design at the moment). In a nutshell here’s what the terms mean:

The Term | What it Means
Identity | Who is making the request?
Authentication | Are they really who they say they are?
Authorization | Are they allowed to do what they are trying to do?

And as they point out we may not need them all but what we need is the point of this post.

As a side note they say "Take Twitter’s API; open for looking up public information about a user, but other operations require authentication." What this says to me is an API key would be ideal for most read activities but most write activities should require Authentication.

Authorization without Authentication

As much as we need Authentication I think we need Authorization even more. There are some API actions we’ll happily allow anyone to do such as download the list of our most popular posts and we don’t need to authenticate for that, we only need to authorize.

Why authorize? Why not just allow open access? So we can track who we authorized in case, for example, we need to rate-limit their usage or even revoke their access.

About SSL

Let me get this out of the way sooner than later. Anything that requires SSL is a non-starter just as requiring PHP 5.3 for WordPress 3.7 is a non-starter. Need I say more on this point?

However we could allow support for SSL, assuming that for what we implement the SSL and non-SSL solutions are compatible.

Mainstream Options for API Security

Let’s discuss the variety of methods for securing an API; some mainstream and some a bit esoteric. Bottom line is that most informed people seem to say "Don’t roll your own." So with that in mind I believe we have these options:

Option | Discussion
OAuth 2 | Generally considered the best balanced security option for mainstream web apps where security and ease of interaction for users is balanced. But can be complex to implement, especially on the client end, and requires SSL to be secure.
Basic Auth | Not as good as OAuth 2 but super easy for the client to implement; OTOH it is not secure unless SSL is used.
Digest Auth | More secure than Basic Auth but still not fully secure. Quite a pain for the client to implement.
Amazon Auth | Well-tested and doesn’t require SSL but is non-standard (ignoring "defacto-" standards) and still requires an API key.
API Keys | Very simple for the client to implement and as secure as the Capabilities tied to the API key, i.e. if it can only see public data and not update then it’s "secure enough". Fully secure if used with SSL. Assuming users can’t change passwords with the API key then it’s more secure than Basic Auth because user credentials are never in a position to be compromised.

(Did I miss anything?)

Given the available options it would seem to me that OAuth 2, Digest Auth and even Amazon Auth are non-starters as a requirement for use of a JSON API in WordPress core because of the complexity each of them heaves onto the API client developer, at least if one of these is the option for accessing the JSON API.

Basic Auth vs. API Keys

Which leaves the unsecure Basic Auth and mildly secure API Keys. So let’s review the pros and cons of using Basic Auth – which is tied to the WordPress user’s username and password in the current version of the JSON API – and API keys:

Basic Auth
  Pros
  • Easy to implement
  Cons
  • Insecure
  • If API login is compromised then user may lose their account or be made to go through the hassle of regaining access.
  • Since API access can be automated it’s much more likely that a hacker could capture a username/password on a non-SSL API call (calls might be made continuously) than for a user login (which comparatively happen very infrequently.)
  • Can only support one Authorization profile per user account.
  • To support multiple authorization profiles a user would need to create multiple user accounts.
  • To allow another person API access they either need to share their username/password or create another user account for them.
  • If API access requires a user account some sites could go from 5-10 users to having 50,000+ users (think of smaller sites like Mashable.)
  • If multiple user accounts are required then we’ll need a way to relate user accounts and allow one user account to manage other user accounts.
API Keys
  Pros
  • API authorization is decoupled from user accounts.
  • One or many API keys can be tied to a single user account.
  • If API Key is compromised user can login and deactivate it.
  • Plugins could easily deactivate API keys if they follow an abuse pattern.
  • API keys could be added with expiration dates.
  • Sites with a large number of API users do not gain an explosion of regular users.
  • Each API Key can potentially support a different Authorization Profile (example use-case: I provide one API key to a social network – the key has limited capability – and use another API key – one that can do anything my user account can do – for an official WordPress mobile app that I use to access my site.)
  Cons
  • Requires what appears to be more architecture

It seems to me from this comparison that API keys are the only reasonable option for allowing JSON API access to much of WordPress. However they are only appropriate for some use-cases, and even as-is they are not a complete solution. Let’s discuss the rest of the solution for the use-cases in which I think they apply.

It also seems to me that tying API access to user accounts could easily create an explosion of complexity and significant user experience problems as users see their logins hacked by unsecure usage and then are locked out of or even lose their blogs.

API Roles and Capabilities

One of the ways in which API Keys might be acceptable without Authentication is that some things can be made freely available to holders of API keys if we add in "API Roles and Capabilities."

Just like User Roles that are assigned a collection of Capabilities we could add "API Roles" that also have "API Capabilities". These Capabilities could be used to determine the Authorization status for each of what I’ll name an "API Service" when requested.

Note: I’m defining an "API Service" as a URL + an HTTP method (GET, POST, etc.) and I’m calling the collection of Authorizations for all API Services an "Authorization Profile."

I’ve reviewed the code for the WP_Role, WP_Roles and WP_User classes and I think the first two could be used without modification. If so then we only introduce a WP_API_Request class. And depending on the opinion of others the WP_API_Request class could be standalone or the WP_User class could be refactored to extend from an abstract WP_Auth class thereby allowing the new WP_API_Request class to also extend from WP_Auth.

We could then decide on a convention that any Capability name prefixed with 'api_' is a capability for an API Service and we add a function current_api_request_can() or just api_request_can(). Armed with api_request_can() we could write code like the following (note that api_request_can() assumes 'api_' as a prefix and thus does not require it to be passed):

Source code example
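As an added illustration (not the author's listing and not WordPress core code), here is a standalone PHP sketch of how api_request_can() could gate an API Service. WP_API_Request and api_request_can() follow the names proposed above; the role names, capability names, key-store layout and handle_update_post() are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added sketch: standalone stand-ins, not WordPress core or JSON API plugin code.

// Hypothetical API Roles, each a list of capabilities carrying the 'api_' prefix.
const API_ROLES = [
    'reader'     => ['api_list_posts'],
    'mobile_app' => ['api_list_posts', 'api_edit_posts', 'api_add_terms'],
];

final class WP_API_Request
{
    /** @var array|null Record for the presented key, or null when the key is unknown. */
    private $record;
    /** @var int Current Unix time, injected so expiry checks are repeatable. */
    private $now;

    /** @param array $key_store Records indexed by SHA-256 of the key (raw keys are not stored). */
    public function __construct(string $api_key, array $key_store, int $now)
    {
        $this->record = $key_store[hash('sha256', $api_key)] ?? null;
        $this->now    = $now;
    }

    /** True only for a known, active, unexpired key whose API Role grants the capability. */
    public function can(string $capability): bool
    {
        if ($this->record === null || $this->record['active'] !== true) {
            return false;
        }
        if ($this->record['expires'] !== null && $this->record['expires'] <= $this->now) {
            return false;
        }
        $granted = API_ROLES[$this->record['role']] ?? [];
        // Callers pass 'edit_posts'; the 'api_' prefix is implied.
        return in_array('api_' . $capability, $granted, true);
    }
}

/** Deny by default: no current request object means no capability. */
function api_request_can(string $capability): bool
{
    global $wp_api_request;
    return $wp_api_request instanceof WP_API_Request && $wp_api_request->can($capability);
}

/** Hypothetical handler for the API Service "PUT /posts/<id>". */
function handle_update_post(int $post_id, string $title): array
{
    if (!api_request_can('edit_posts')) {
        return ['status' => 403, 'error' => 'api_key_not_authorized'];
    }
    return ['status' => 200, 'post_id' => $post_id, 'title' => $title];
}

// Constructed key store: two keys owned by user 1 with different Authorization
// Profiles, plus one key the owner has deactivated.
$now = 1700000000;
$key_store = [
    hash('sha256', 'constructed-social-key') => ['user_id' => 1, 'role' => 'reader',     'active' => true,  'expires' => $now + 86400],
    hash('sha256', 'constructed-mobile-key') => ['user_id' => 1, 'role' => 'mobile_app', 'active' => true,  'expires' => null],
    hash('sha256', 'constructed-old-key')    => ['user_id' => 1, 'role' => 'mobile_app', 'active' => false, 'expires' => null],
];

foreach (['constructed-social-key', 'constructed-mobile-key', 'constructed-old-key', 'unknown-key'] as $key) {
    $wp_api_request = new WP_API_Request($key, $key_store, $now);
    $result = handle_update_post(42, 'Edited via API');
    printf("%-24s list_posts=%s update=%s\n", $key,
        api_request_can('list_posts') ? 'yes' : 'no', json_encode($result));
}
```

Deactivating or expiring a key changes only its record in the key store; the owning user's password and login are untouched, which is the decoupling argued for in the comparison above.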

Are We Adding Too Much Code?

Although a comment was made that "we don’t want a huge chunk of code just for authentication" I would suggest that even if it were to be a large amount of code, which I doubt there would be, it shouldn’t matter how much code we add as long as that code doesn’t require significant maintenance and more importantly does not impose significant complexity onto the admin user in terms of "more options."

  • Assume that in Settings > General we add only one (1) single checkbox with the label "Enable JSON API" which by default we leave unchecked.

  • Once the user has explicitly chosen to enable the API (the equivalent of activating the plugin we have today) a single "Tools > JSON API" option is added.

  • The Tools/JSON API admin page can use tabs to organize the information so it would not be overwhelming, if even needed.

  • To offer the user the list of API keys we can reuse/modify the Taxonomy add/edit functionality assuming we add a 'user_api_key' taxonomy to allow us to store, lookup and manage API keys related to Users who would "own" the API keys.

  • Another tab for the Tools/JSON API admin page could potentially offer the ability to add and manage API Roles and another tab for API Capabilities. Or not, we could require these be managed programmatically just like User roles currently are.

  • And finally a main tab that allows you to force SSL use, or not.

What I’ve described above is really not that much code. Would it make sense to risk the potential downside of tying the API to username and password in order to simply avoid the code that the API keys management would require?

Handling Escalating Security Requirements

Consider the "API Services" discussed earlier; we could implement a mapping of authentication requirements to API services such that different services have different authentication/authorization requirements. Consider this table:

Requirement | HTTP Methods | API Services That Allows | Example API Service
No API Key Required | GET | Access to public information with a low risk of needing a rate limiter. | An API service that returns site name and other metadata. The metadata could also include a link to an API service to request an API key via API.
API Key | GET | Access to public information that might need to be rate limited. | Return the current list of blog posts.
API Key + Nonce | POST, PUT | Add Content or Update Revertible Content | Update of Posts, add Taxonomy Terms.
Nonce | GET | Add Content or Update Revertible Content | Update of Posts, add Taxonomy Terms.
SSL+Basic Auth | GET | Returns secure information for client w/o API Key | Retrieve an API key programmatically.
SSL+API Key | POST, PUT | Updates secure information | Modify User Profile, Deletes Posts.
SSL+Basic Auth | POST, PUT | Update highly sensitive information | Change user password

API Keys + Nonces

Note that we combine nonces with API keys. One of the ways WordPress handles security is with nonces, and the API need be no different. Note that the nonce would be generated by WordPress core or a plugin for the logged in user to allow their browser to use the API via AJAX. These use-cases would authorize for the JSON API similar to how the current AJAX system in WordPress authorizes.

For mobile apps nonces could also be offered to last for longer, requiring a mobile device to retrieve a new nonce once every 15 minutes or so but then allowing them to just use the nonce + API key within those windows. Of course you wouldn’t want a 15 minute window for nonces used with AJAX apps.

Using SSL

So if we follow the outlined approach we can provide a reasonable level of API access without requiring SSL but we can still enforce the benefit of SSL for those who are likely to have the wherewithal to upgrade to SSL.

Consider this, if they need their sensitive parts of their site updated via API then they are likely special enough that they can make sure that SSL happens. But if unexpected consequences occur and someone builds a SaaS that people want to use but that requires SSL then frankly it creates an opportunity for hosting companies to see a high level of demand for turnkey SSL setup.

And optionally we can add a 'WPAPI_ALLOW_NO_SSL' constant for those site builders and site owners with a "Devil May Care" attitude.
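To make the escalating requirements, the API key + nonce combination and the WPAPI_ALLOW_NO_SSL opt-out concrete, here is an added standalone PHP sketch (not code from the post or from WordPress). The routes, requirement flags, function names and the HMAC nonce format are assumptions; the nonce is a simplified time-windowed stand-in bound to the API key and the service rather than to a logged-in user.

```php
<?php
declare(strict_types=1);

// Added sketch: constructed routes and checks, not WordPress core code.

const NONCE_LIFETIME = 900; // seconds; the 15-minute mobile window suggested above

// What an API Service (HTTP method + URL) can demand, as bit flags.
const REQ_API_KEY = 1;
const REQ_NONCE   = 2;
const REQ_SSL     = 4;
const REQ_BASIC   = 8;

// Hypothetical routes, one per kind of row in the requirements table.
const SERVICE_REQUIREMENTS = [
    'GET /site'              => 0,
    'GET /posts'             => REQ_API_KEY,
    'POST /posts'            => REQ_API_KEY | REQ_NONCE,
    'PUT /users/me'          => REQ_SSL | REQ_API_KEY,
    'PUT /users/me/password' => REQ_SSL | REQ_BASIC,
];

/** HMAC binding a nonce to one time tick, one API Service and one API key. */
function nonce_for_tick(int $tick, string $service, string $api_key, string $secret): string
{
    return hash_hmac('sha256', $tick . '|' . $service . '|' . $api_key, $secret);
}

/** Ticks are half the lifetime, so a nonce lives between half and the full lifetime. */
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFETIME / 2));
}

function create_api_nonce(string $service, string $api_key, string $secret, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $service, $api_key, $secret);
}

function verify_api_nonce(string $nonce, string $service, string $api_key, string $secret, int $now): bool
{
    $tick = nonce_tick($now);
    // Accept the current and previous tick; hash_equals() compares in constant time.
    return hash_equals(nonce_for_tick($tick, $service, $api_key, $secret), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $service, $api_key, $secret), $nonce);
}

/**
 * Returns [HTTP status, reason] for a request described as
 * ['method', 'path', 'https' => bool, 'api_key' => ?string, 'nonce' => ?string, 'basic_ok' => bool].
 */
function authorize_request(array $req, array $key_hashes, string $secret, int $now): array
{
    $service = $req['method'] . ' ' . $req['path'];
    if (!array_key_exists($service, SERVICE_REQUIREMENTS)) {
        return [404, 'unknown_service']; // unmapped services are never served
    }
    $need = SERVICE_REQUIREMENTS[$service];
    $allow_no_ssl = defined('WPAPI_ALLOW_NO_SSL') && WPAPI_ALLOW_NO_SSL;
    if (($need & REQ_SSL) && empty($req['https']) && !$allow_no_ssl) {
        return [403, 'ssl_required'];
    }
    if (($need & REQ_BASIC) && empty($req['basic_ok'])) {
        return [401, 'basic_auth_required'];
    }
    $key = (string) ($req['api_key'] ?? '');
    if (($need & REQ_API_KEY) && !in_array(hash('sha256', $key), $key_hashes, true)) {
        return [401, 'valid_api_key_required'];
    }
    $nonce = (string) ($req['nonce'] ?? '');
    if (($need & REQ_NONCE) && !verify_api_nonce($nonce, $service, $key, $secret, $now)) {
        return [403, 'bad_or_expired_nonce'];
    }
    return [200, 'ok'];
}

// Constructed demo data.
$secret     = 'constructed-site-secret';
$key        = 'constructed-mobile-key';
$key_hashes = [hash('sha256', $key)];
$issued     = 1700000000;
$nonce      = create_api_nonce('POST /posts', $key, $secret, $issued);

$cases = [
    'public metadata, no key'   => [['method' => 'GET',  'path' => '/site'], $issued],
    'list posts, no key'        => [['method' => 'GET',  'path' => '/posts'], $issued],
    'add post, fresh nonce'     => [['method' => 'POST', 'path' => '/posts', 'api_key' => $key, 'nonce' => $nonce], $issued + 300],
    'add post, stale nonce'     => [['method' => 'POST', 'path' => '/posts', 'api_key' => $key, 'nonce' => $nonce], $issued + 1200],
    'profile update over HTTP'  => [['method' => 'PUT',  'path' => '/users/me', 'api_key' => $key], $issued],
    'profile update over HTTPS' => [['method' => 'PUT',  'path' => '/users/me', 'api_key' => $key, 'https' => true], $issued],
];
foreach ($cases as $label => [$req, $at]) {
    [$status, $reason] = authorize_request($req, $key_hashes, $secret, $at);
    printf("%-26s %d %s\n", $label, $status, $reason);
}
```

Without SSL the API key and nonce still cross the wire in the clear, so the nonce only narrows the replay window; that is why the sensitive services in the map keep the SSL flag unless WPAPI_ALLOW_NO_SSL is defined.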

Summary

In summary I’m proposing for the JSON API for WordPress to:

  • Use API Keys for Authorization
    • (And if you are still not convinced, read this).
  • Incorporate API Roles and Capabilities
  • Support Escalating Authentication Requirements for API Services
  • Build Single Menu Item Admin UI for the admin to Manage the API.

Let me know your reactions in the comments below.

17 Reasons WordPress is a Better CMS than Drupal

This blog post has been simmering inside me for a while. Some might think of it as link bait but frankly I don’t blog often because I don’t have the time to manage lots of comments. So the thought of posting something that will likely be controversial has me going against my better judgment (but it won’t be the first time I’ve done that. :)

Drupal is for Serious Web App Dev but WordPress is Just Blogware?!?

Say what?!?!? Although the conventional wisdom is that WordPress is really just a great blogging tool and Drupal is more appropriate when you need a full-featured CMS for business use, the conventional wisdom is unfortunately outdated. Since WordPress released version 3.0 in mid-2010 there are now very few if any good reasons to use Drupal instead of WordPress when your business needs a CMS.

Heresy?

Maybe, but history has shown much heresy to be the voice of truth later vindicated. However, rather than ask you to just take my word for it, I’m going to explain below 17 tangible and specific reasons why WordPress is a much better choice for a business CMS than Drupal.

Just the Facts

But for those of you who can’t be bothered to read the details I can summarize in two (2) points:

  1.  Site Architecture and
  2.  Backward Compatibility

Drupal’s site architecture, which on the surface appears quite elegant, is in reality Drupal’s biggest weakness. Drupal projects can start very inexpensively with large initial wins but the costs to add increasing functionality are discontinuous and in my experience soon soar out of control. I’ve seen several Drupal projects fail simply because of Drupal’s architectural inflexibility; many projects becoming difficult if not impossible to complete. On the other hand there is WordPress’ architecture which, while seemingly less sophisticated and with more code duplication, nonetheless enables the perfect combination of flexibility and unlimited functionality in my opinion, where the increase in cost for more functionality scales linearly starting from zero.

As for Drupal’s position on backward compatibility they only maintain compatibility between major versions, which means you’ll probably be forced into having to do a fork-lift upgrade since they only officially support one major version behind. Who in their right mind would put their business in such a position? WordPress, on the other hand, bends over backwards to maintain an upgrade path between 0.1 versions.

About Terminology

WordPress and Drupal have some different terms for similar concepts and the following might be confusing if you are not aware of how these terms relate. What WordPress calls a "Custom Post Type" Drupal calls a "Custom Content Type."

In WordPress a developer uses the register_post_type() function to define a custom post type whereas in Drupal a developer or user defines a custom content type in the admin console using the "Content Creation Kit" module (a.k.a. "CCK".) WordPress calls all content items "posts" (which is the generic term for the more specific "Pages" and "Posts"; confusing, I know, but that’s for legacy reasons.) Drupal on the other hand alternates between calling content items "Content" at times and "Nodes" at other times.

Both WordPress and Drupal use the term "Theme" to refer to the collection of files that collectively create the unique look and feel for a site. Themes are comprised of some or all of these items: PHP scripts, HTML, CSS, SQL queries, Javascript, Images, Flash and maybe more. Themes are designed to be interchangeable so that by replacing a theme a site can be given an (almost?) completely different look.

For extensibility both WordPress and Drupal support the concept of componentized functionality with WordPress calling their functionality "plugins" and Drupal calling their functionality "modules." Aside from some technical implementation differences both plugins and modules are conceptually the same; componentized functionality. They are both typically comprised of PHP scripts and HTML but like themes may also incorporate CSS, SQL queries, Javascript, Images, Flash and more.

As for versioning, WordPress strives every four (4) months (but it sometimes takes six) to launch a "point 1" or 0.1 version increment (such as v2.9, v3.0, v3.1, etc.) whereas Drupal uses major and minor versions (i.e. v5.x, v6.x, v7.x, etc.) with no specific release schedule between major versions.

Now with that out of the way, on to the 17 reasons.

17 Reasons to Pick WordPress vs. Drupal:

  1. WordPress Allows Infinite Design Flexibility - Drupal not so much. Because of its fundamental technical architecture most Drupal sites have a certain look and feel that is very difficult to get away from (note the "I think thou doth protest too much" quality of these three (3) posts). WordPress is as flexible as HTML because of its architecture.

    More specifically when a browser requests a web page from a Drupal-based website, Drupal inspects the requested URL and then delegates responsibility for generating parts of the HTML page to both applicable modules and to components of Drupal itself. Drupal then collects up the generated HTML and composes a completed HTML page which it sends to the browser. Drupal manages everything and this architecture minimizes duplication of responsibilities and is an architecture that an engineer can truly love.

    Unfortunately Drupal’s architecture is also highly coupled and thus rather inflexible; when you want a web page that doesn’t fit into Drupal’s model you either 1.) learn complex and arcane methods to achieve what in pure HTML would be incredibly simple, 2.) rebuild major portions of Drupal functionality for your custom page or 3.) just give up and do it the way Drupal wants you to. Or as I like to say when explaining this unfortunate aspect of Drupal:

    As a Drupal developer you are constantly battling Drupal to get back in control of the HTML that it will output for any given URL. Drupal is like a "Roach Motel" for URLs: Once a URL enters Drupal it never leaves!

  2. Usability has been "Baked-in" to WordPress - With Drupal, usability was an afterthought until version 7 and they’ve been desperately trying to improve it; usability tests by the University of Baltimore identified many critical usability issues in Drupal (the video is a must watch.) But some things such as usability need to be central to the philosophy of the developers and not tacked on as an afterthought. In Drupal you frequently need to visit at least two different pages in the admin to affect what a user would see to be one external change. With WordPress the admin console was originally user tested by the project founder’s mother ("If mom can use it, anybody can!") and that fanatical concern for usability has permeated the project. In Drupal some of the more active developers are known to say "If you don’t find Drupal usable maybe Drupal is not for you."
  3. WordPress has a WYSIWYG Content Editor in Core - Also a usability issue but an important specific one, with Drupal there is no standard WYSIWYG editor leaving the site implementor to choose from thirteen (13!) suboptimal editor module choices, none of which are maintained at the same level of Drupal core. In WordPress, TinyMCE has been a highly usable standard for more versions than I’ve been using WordPress. (Personally this was one of the biggest issues I had with Drupal and why moving to WordPress was such a godsend for me.)
  4. WordPress Strives to Maintain Backward Compatibility - Drupal wears as a badge of honor that they wipe the slate clean with every major version. Drupal mostly ignores backward compatibility with the prior major version because yes it is nicer for the core developers not to have to worry about backward compatibility. But for your business the reality is that if you implement a site using Drupal you are stuck on that major version until you choose to invest in an expensive rewrite of your website. 

    Ponder this issue for a moment.  In my opinion, choosing Drupal can result in a nightmare once the version of Drupal they are using becomes too obsolete and is no longer supported. This is such a huge negative that I can’t really see why any business that is doing their due diligence would ever choose Drupal no matter its feature set.

    With WordPress most upgrades are seamless and those that are not are usually easily fixed because of the attention to maintaining backward compatibility.

  5. A WordPress-based Website’s Source Code is Easier to Manage - Drupal co-mingles user content with what is in effect a website’s source code in much more significant ways than WordPress does. For example, the design of a "Custom Content Type" in Drupal gets stored in the MySQL database; in WordPress "Custom Post Types" are stored as PHP code. For any business website managed by professionals it is critical to use a source code version control system and it’s easy to submit PHP code to version control but very difficult to submit records in a database to version control. This fact alone is an extremely strong argument for WordPress and against using Drupal for any serious website development project.

    Yes out-of-the-box Drupal is easier for a non-technical power user to add custom content types compared to with WordPress, but we are not talking about the needs of a housewife to organize her recipes, we are talking about which one is the better choice for a business CMS and WordPress wins hands down in this category. (BTW, there are plugins for WordPress such as Custom Post Type UI that provide the end-user with the same ease of use for creating custom post types that Drupal has for creating custom content types.)

  6. Collaborative Development is Easier with WordPress - This reason is a variant of source code being easier to manage. Without a good version control strategy it is much harder to get a local copy of a website for development. Developers in a Drupal shop have to spend a lot more time merging their databases so the up-shot is that many Drupal developers co-develop on the same installation, and often the live installation at that, which results in overwriting each other’s code and limits a developer’s ability to roll back. It’s much easier to develop with a local copy of WordPress so WordPress developers tend to do it more often.
  7. Revisions of WordPress-based Websites are Easier to Deploy - This reason is also a variant of source code being easier to manage, but the headaches are separate so I list it as a separate reason. Because WordPress maintains a lot more of its logic in PHP code WordPress is much easier to deploy than a Drupal application. Drupal developers end up writing a lot more SQL code that they then need to test every time they need to merge data used to control new application logic into the database of a production webserver on deployment of a revision to an existing website. The significance of this is hard to underestimate.
  8. Easier to Find Skilled Designers for WordPress - To create a beautiful website design for WordPress designers need to be good at design, of course, but beyond that they really only need to learn how to copy and paste "Template Tags" as they are able to have full design freedom when producing the HTML that will be used for a WordPress theme.

    Drupal designers, on the other hand, need to be skilled PHP developers too and with rare exceptions those two skillsets are mutually exclusive. When you do find someone who can do both and do both well, they will be hugely in demand and thus outrageously expensive but the real problem is with Drupal you really won’t know if they are one of the rare few until after you’ve paid them a lot of money to either create a "house of cards", or a really ugly house.

    With WordPress you can get a great designer to work with a great developer, both of which are easier to evaluate than combined greatness, and you are set.

  9. There are More WordPress Professionals Available - A corollary to finding skilled designers, it’s simply much easier to find WordPress professionals to hire for projects than it is to find Drupal professionals.
  10. WordPress Professionals Charge Lower Rates - Another corollary to finding skilled designers and more WordPress professional being available is it is less expensive to find a WordPress professional than a professional for Drupal.  If you ignore the fact that there are many more WordPress professionals another factor is WordPress professionals don’t need to be as proficient in as many areas as their Drupal counterparts.  People who can really make Drupal sing are really expensive.
  11. WordPress’ Code is Much Easier to Debug - Drupal’s highly nested architecture makes it so that a developer spends most of his time looping through a few core functions waiting to find which code controls what they need to modify.  Often with WordPress the developer can simply set a breakpoint on the theme’s template file and debug from there.
  12. WordPress Sites Load Much Faster than Drupal Sites - Drupal runs upwards of 100 SQL queries for every page load because of its site architecture. With WordPress the number can easily be less than 10. And the time to run those SQL queries easily adds up. Drupal advocates will claim those queries can be made insignificant by the creative use of caching but the reality is that you cannot cache most items in the admin console so the end user who is forced to use Drupal will be saddled with a level of fatigue that is just not necessary, if you instead choose WordPress.

    And lest you feel this is an unimportant technical concern be aware that site performance is now something that Google uses to determine search engine result rankings. Host your website on a slow platform and prepare for an uphill battle when it comes to achieving top rankings in Google’s search engine results pages.

  13. WordPress Requires Less Expensive Hosting - A corollary to page load performance is that the typical Drupal site requires a lot more server to serve each of its pages than does a typical WordPress site. Those who choose WordPress for a seriously high traffic site will usually find they can serve more pages with the same servers and/or that the memory requirements for WordPress will typically be a lot less. And for high traffic sites this could either be real money and/or it can mean that the site is less likely to fail in the case of a flash mob such as a Slashdotting.
  14. WordPress has the Most Integrations - More companies or their 3rd parties offer plugins for WordPress to integrate with their services than any other platform, especially more than modules available for Drupal. Twitter, Facebook, Freshbooks, MailChimp; you name it, they all have WordPress plugins. If you need one for Drupal and it’s not a mainstream service like Twitter or Facebook chances are you’ll have to pay to have it written.
  15. WordPress has More Robust Extensibility Method - Both WordPress and Drupal use the term "hooks" to describe their extensibility mechanisms and while they are similar there is an important technical difference. In WordPress you associate a bit of functionality to either run or filter a value based on the name of the hook and you can have as many hooks of each type as are needed. In Drupal you do the same except that hooks are identified by hook name prefixed with module name which means you can only use a given hook once in a module; if you need to use it twice you have to create another named module.

    Of course the module name limitation is an annoyance but not a huge problem. The huge problem comes when you need a module to disable a hook that was enabled by another module you otherwise need. This is a technique used somewhat frequently in WordPress but when it’s needed it is essential. In Drupal, even if you need to you simply can’t. And all because of Drupal’s architecture choices.

  16. WordPress has Far More High-Quality Attractive Themes - Drupal has almost two orders of magnitude less.  Why is this the case? Because it is so much harder to create a Drupal theme (as mentioned above), designers have to be good developers to theme Drupal (also mentioned above) and there are just so many more people using WordPress.

    Now having off-the-shelf themes is great for micro-businesses, startups and even tactical projects but most businesses will want a custom theme developed to showcase their brand in the best light possible yet the existence of so many commercial themes still benefits those who need custom themes. Why? Because it means that collectively WordPress custom theme developers have a lot more experience developing quality themes than their collective Drupal counterparts because many WordPress designers offer up commercial themes for sale in addition to their bespoke work.

    And then there are the theme frameworks for WordPress like StudioPress’ Genesis and WooTheme’s Canvas which create excellent headstarts for theme designers with lots of pre-built functionality that designers would often have to charge clients to develop.  Drupal does have the concept of theme frameworks but they are really an esoteric option for Drupal.

  17. Lastly (for my list, at least) there is a WordPress Answers but not one for Drupal - Yes an attempt has been made but there’s just not enough community support for a Drupal Answers (yet?) And while this reason may seem gratuitous, believe me it is not!

    The official support forums for both Drupal and WordPress and even the mailing lists for WordPress evidently encourage a level of disrespectfulness that is pervasive in so many open-source communities and it can be a huge time sink for the business person who just wants a problem solved. On the other hand the mechanism used by StackExchange’s WordPress Answers brilliantly encourages timely and helpful support and discourages such unproductive behavior with its reputation system.

    And whereas many support queries on the Drupal (and WordPress) forums go unanswered, the majority of questions receive a reasonable answer on WordPress Answers (currently at 94%.) If you have a WordPress issue you need solved, or that your developer needs to solve, the existence of WordPress Answers compared with the non-existence of Drupal Answers means that solutions will come far more quickly and far less expensively.

So there you go. 17 Substantial Reasons why WordPress "The open source blogging tool" is a far better pick when selecting a CMS for business use compared with "*The* (2009) open-source CMS" Drupal. (Oh, and the judges picked WordPress as the best CMS for 2010.) Need another opinion? See Wikipedia’s criticisms of Drupal and the relative lack of criticisms about WordPress.

Of course it would be unfair and disingenuous of me to call out WordPress strengths and Drupal’s weaknesses without also telling you where I see weaknesses with WordPress and strengths of Drupal and for me not to tell you what are the use-cases where I’d be hard-pressed to dismiss Drupal in favor of WordPress. So here you go:

  1. Drupal Allows for More Flexible URL Design - Since WordPress grew up as a blog they hardcoded the URL routing logic which has resulted in some rather odious limitations in how you can design your URLs. Drupal’s URL management is no panacea either — you can end up with a difficult to maintain mess — but at least Drupal *allows* you flexibility that is often just too hard to implement robustly with WordPress.

    (Note: I have a plugin on the drawing board whose goal is to remove this limitation from WordPress. Once it sees the light of day  I believe WordPress’ URL routing will be much better than that of Drupal. But alas, at least today, Drupal wins in the URL category. If someone using WordPress really badly needs better URL routing in WordPress and can fund the plugin development please contact me as by nature my priorities are defined by my client’s needs.)

  2. Drupal Offers Out-of-the-Box Content Type and View Creation in the Admin - Yes, out of the box a savvy end user with administrator rights can create and define Custom Content Types with custom fields and even custom reports/queries called "Views." This enables an end user with the time to learn Drupal to build a content-based system without any developer help. And for certain scenarios this would be invaluable, such as in certain government or academic departments where there is zero budget for development today, there never will be budget, and the end user either does not want to or is simply incapable of learning how to write the simple PHP required to register custom post types in WordPress.

    On the other hand, there are WordPress plugins that duplicate the functionality of CCK and there are numerous plugins that expose the Custom Post Type registration via a UI in the WordPress Admin. Still, as far as I know, there really is no WordPress equivalent of Views.

    Still, even though you can create custom post types in WordPress using a plugin that exposes an admin UI it doesn’t mean you always should. As I said above I highly recommend that any business that is having custom solutions built using WordPress not build them using an admin UI for defining custom post types but instead embed that logic into version-controllable PHP files.

    As for Views, it’s basically the same recommendations as for custom post types; rather than store them in the database like Drupal does it works much nicer just to code calls to WP_Query into PHP code; easier to version control and also easier to test, verify correct and be certain that aspect of the site is bug free.

  3. Drupal has Positioned Themselves Better in the Eyes of Large Enterprise - Here’s where I think Drupal has succeeded brilliantly. Because of the efforts of Acquia’s products, services and solutions there are many large companies that believe in Drupal. I believe they have done a much better job of courting the Fortune 500 crowd than WordPress has via Automattic and its VIP Support and Hosting offering.

    That’s not to say there are not some really phenomenal companies delivering enterprise class solutions on the WordPress platform such as Voce Communications and TayloeGray, just that there is a segment of decision makers in large business who will only consider working directly with the primary vendor and in these two cases the primary vendor for WordPress is Automattic and the primary vendor for Drupal is Acquia. And while I love WordPress and think highly of the team at Automattic it’s clear to me that Acquia have done a much better job of positioning themselves as a company that provides enterprise class support for their platform.

But what about Drupal for Community Sites?

One of the use-cases oft cited for Drupal’s superiority is for community sites.  But frankly, I don’t buy it. 

As an active member of the Drupal community for two years (speaking of which, I need to update my profile there) I found drupal.org to be an extremely frustrating website in which to participate in a community. The forums were not at all effective in the ways that other forums I’ve seen like vBulletin have been effective, and using them as a user was far more pain than pleasure (by contrast I find StackExchange’s mechanism at WordPress Answers to work brilliantly but alas it’s not software you can implement for your own community.)

Actually at this point I think it’s counter productive to set up yet another social network but if you are convinced your strategy makes sense I’d be inclined to launch it on BuddyPress instead of Drupal, and BuddyPress is now a plugin for WordPress. And one of the really great aspects of BuddyPress is that it leverages the brilliant network/multisite feature of WordPress which has completely nailed the "single install - multiple website" architecture.

Who am I to Judge WordPress vs. Drupal?

Full disclosure, I’ve been making my living as a WordPress specialist for almost two years and I plan to launch a company that provides tools and support for professional website developers and interactive agencies who have chosen WordPress as their platform for client solutions. The reality is that I could easily have chosen to do the same for Drupal but did not.

I spent two years working with Drupal as my preferred platform, from mid 2007 through early 2009 and I gained experience working with versions 4, 5, and 6. I was drawn to Drupal by its elegant architecture (I’m an engineer by degree and thus appreciate elegant technical architectures) and frankly by the fact that Drupal was the only solution of the three main open source CMSes that could actually be used as a CMS without obvious issues (why I avoided Joomla is the story for another day.)

Back in 2007 using WordPress as a CMS was simply not an option, so I moved forward and became enamoured with Drupal and its Custom Content Kit, Views and so many other (what seemed like) wonderful modules. I became active in the local Drupal Meetup group and spoke at several of their meetings. I registered a "DrupalCamp.com" domain with plans to launch a local DrupalCamp and more. I really drank the Drupal koolaid.

But then by happenstance I had finished a Drupal project and was looking for another when a 6 week project to write custom admin plugins for WordPress 2.7 fell in my lap. Since I far prefer to develop admin functionality than full websites I figured "How hard can it be?" and took the job. While I worked on these plugins I discovered WordPress much easier to develop for than Drupal but I still held on to the notion I’d return to doing Drupal work once the project was done. As the project progressed an inner conflict raged as I came to prefer WordPress all the while mourning what I would be losing if I were to leave Drupal (CCK and Views, mostly.)

However by the end of the 6 weeks it became crystal clear to me; WordPress was a much better system than Drupal even without all the CMS features. I was reminded of how many personal Drupal projects I had unfinished simply because it’s so hard to get a good looking site completed in Drupal, the last 15% is pure hell to complete. So I decided I would build my own CCK equivalent and use WordPress instead. Honestly, it didn’t go so well with WordPress at first. Trying to create my own CCK was fraught with frustration and I wasted copious time trying to bend WordPress to my will. But I did and limped along.

Then v2.8 came out. And then v2.9. And then finally v3.0 was announced with Custom Post Types and fortunately I was in a position to jump on the beta version. It soon became clear to me that the WordPress team got Custom Post Types right and that v3.0 was going to be a watershed release and, as they say, the rest is history.

As I write this v3.1 is going into beta and with its Internal Linking Dialogs, Post Formats and more WordPress continues to prove that it really is the best choice for almost every business CMS need out there.

So Why Did I Write this Post?

Recently I met with a Senior Vice President of Strategy and Innovation at a large well-known non-profit who is planning to launch a major initiative and he’d narrowed his choices of platform down to two (2): Drupal or WordPress. On a personal level we hit it off fabulously so if it were just personalities I think he might be inclined to take my recommendation on faith but I sensed he is enough of a real professional that he looks beyond the personality of the advocates to assess the actual best solution for this organization.

What he wanted to hear from me was which platform I thought was the best and why. I had already reviewed their design brief and wireframes so I had a good idea of what they wanted, and on the surface it looked rather much like a community app. Because of this and also because he had previously talked with several Drupal advocates I think he was leaning towards Drupal. But looking at his requirements and given my issues with Drupal that I detailed in these 17 reasons it was clear as the day is long that WordPress would be a far better platform to meet his needs.

Still, as I tried to explain to him why Drupal would not be a good choice I felt that I might have been coming across as a bit too much of a WordPress zealot whose opinion was not based on objective reasoning. So I decided that I should write this up to make the case using objective criteria for anyone evaluating the two.

But I still didn’t get around to writing it up because there are always too many other things to do in a day. It wasn’t until a series of posts on Quora with the leading title "Why do so many people use Drupal instead of WordPress?" that I got off my duff and finally wrote this post (even though I have clients whose projects I probably should be working on!)

In Summary

While Drupal had the lead as best open source CMS for many years, WordPress has eclipsed Drupal as the best open source CMS as of mid 2010 with the addition of Custom Post Types.

More specifically Drupal’s site architecture makes it a less than ideal platform for business websites when compared with WordPress, and Drupal’s philosophy on backward compatibility makes it really hard to recommend it to any company for almost any reason at all.

Postscript: About Comments and Revisions

If you are going to post comments:

  1. Be sure to include something specific about the post in your comment rather than a generic like "Yes I agree" or I might think it is spam and delete, and
  2. If this post gets a lot of comments (which I fear it might) be aware that if your comment doesn’t appear for a few days it’s simply because my client demands have limited my free time and I haven’t had time to release it from moderation.

FYI, I plan to revise this post if new evidence comes to light, somehow I got my facts wrong, or I just identify more to add. Frankly I’ve never much liked the "write-once, forever outdated" form that most blog posts take, so why conform?

UPDATE (2010-12-13)

Alastair McDermott has just written a blog post on a very similar subject entitled "Why I Recommend WordPress as a CMS." It’s a good read.

UPDATE (2010-12-17) 

If you are going to leave an inflammatory comment criticizing my post then at least have the integrity to leave your full name, your email and a link to something where I can verify who you are and I’ll be happy to publish it (you know who you are.) Otherwise I’ll simply moderate your comment into the trash.

And for what it is worth, it looks like even the Drupal community knows about many of the problems with Drupal:

 

 

What’s Wrong with Forward-to-Friend.com URLs?

A friend recently sent me a URL via Forward-to-Friend.com, which is a service of MailChimp. While I really love the guys at MailChimp, their URLs for Forward-to-Friend.com are simply awful. In these days of social media, well designed URLs are finally being recognized by many as being extremely important, but not everyone gets it yet nor does everyone know best practices for designing URLs.

Make ‘em Short and Sweet

One of the traits of a well designed URL is that it can be grokked with a quick visual scan. It should also be no longer than really necessary because one of the more common link sharing sites (Twitter) shortens long URLs automatically. There are many other traits of a well designed URL, some of which are specific to context but if it’s too long and you can’t understand something about the URL by looking at it something is really wrong. And anything that impedes sharing of links is a foolish addition. So I bitched on Twitter about this URL that a friend of mine sent me in email (let’s call her "Jane Smith") and @BenChestnut asked me to clarify. Here’s the URL:

http://us1.forward-to-friend.com/forward/show?u=0fea6c2e08126550f4c318d4b&id=cd941d1fa5

What’s wrong with this URL?

So what’s really wrong with this URL? Let me count the ways:

1.) "us1."

This subdomain seems to imply that it’s specific to the US, which I’m lukewarm on; having a subdomain in this context adds unnecessary characters. And what’s with the "1?" Is there a ".us2?" Is this just a server convenience? C’mon guys, hide that crap from the user; they don’t want to know.

2.) "forward-to-friend.com"

Okay, so it’s a cool domain, but really, couldn’t you come up with something shorter than 21 characters?!?

3.) "forward/show"

Uh, one word: "Why?!?"

4.) "?u=0fea6c2e08126550f4c318d4b"

Do I really need to say anything about this? I mean, it’s waaaay too long and how does any of this mean anything to anybody? The only thing it does is make the programmer’s life a tad easier to uniquely identify the user but only on the day it was implemented.

5.) "&id=cd941d1fa5"

Another too long and non-meaningful computer number. The "id=" identifies the URL being forwarded. But does it mean anything?

What would be better?

So here’s a better hypothetical URL with analysis to follow:

http://fwd2.net/janesmith/laura-coyle-at-fernbank

"fwd2.net"

The "fwd2.net" domain is owned by a squatter. Why not pay them a few bucks and pick it up? (or get something similar and short?)

"/janesmith"

Not super short but much like Twitter’s screen name it identifies the links shared by the user who picked the name "janesmith" (i.e it replaces "?u=0fea6c2e08126550f4c318d4b.")

"/laura-coyle-at-fernbank"

Again not short, but as this would be selected by the user before sharing it would be as short as the user wanted it to be. So the user could have picked just "coyle-fernbank" or "fernbank-oct2" or similar. But what is really important is that it is meaningful!

And another benefit?

With this format you also get this URL:

http://fwd2.net/janesmith

At that URL you could have all the links "janesmith" shared when she is logged in, and she could set those shared links to be private or public, or later once more functionality is added the links could be made selectively available to different groups of friends.

Further there could be groups of URLs shared such as anything with a trailing slash could be tagged links, i.e. in this case "jazz":

http://fwd2.net/janesmith/jazz/

Hopefully you can see a tremendous amount can be done with URL design but sadly there are still too few people who pay attention to it. Maybe that’s because there’s no book of best practices. Hmm, might be an opportunity there…

Still think it is unimportant?

And for you skeptics out there who really think that "users don’t look at URLs" take a look at the apps that are succeeding lately, Twitter being a main one. Most of them are designing their URLs well. Coincidence? I don’t think so.

Thanks for asking

Anyway Ben, thanks for asking. Hoping you see the value in it, make the suggested changes, and find that it’s made a positive difference.

Atlanta Web Entrepreneurs learn about Twitter

Lots of Atlanta Web Entrepreneurs

Last month on the 21st we had a blowout meeting about Twitter for the Atlanta Web Entrepreneurs meetup group I organize; over 100 people attended!

We started out with an Intro to Twitter which I prepared and delivered. It reminded me of delivering training long ago during my DSW Group, Financial Dynamics, and Expert Education days.

Loren Norman setting up videocast for AWE

Triangle Tweetup and Robert Scoble on AWE Videocast about Twitter

Normally we find others to give all the presentations but given how confused some people were at our Facebook meeting when we started with the assumption they knew about it, I decided it was best for me the Twitter newbie to give the other newbies the introduction and then let the "rock stars" in our lineup really get into the meat of things.

We then launched into a video conference with both Wayne Sutton (@waynesutton on Twitter) and the Triangle Tweetup (@triangletweetup on Twitter) as well as Robert Scoble a.k.a. "Scobelizer" (@Scobelizer on Twitter). Loren Norman (@lorennorman on Twitter) of Snowcap Labs did the honors of organizing the video conference and for that we were very grateful. Knowing what a web celeb that Robert is and the subsequent constant demand on his time, we scheduled Robert to speak for only 5-10 minutes but instead he spent over 30 minutes answering audience questions. Kudos!

After the video conference we took a break and then moved into a Q&A session with Sanjay Parekh (@sanjay on Twitter), Tessa Horehled (@tessa on Twitter), and Paul Stamatiou (@stammy on Twitter), who each gave us their perspectives on why Twitter is so invaluable.

Paul Stamatiou at (@stammy on Twitter)

As many people said after the event this was one of their very favorite AWE events yet, and I certainly agree; it was right up there. Thanks to all involved including Wayne and the Triangle Tweetup, Robert, Loren, Sanjay, Tessa, and Paul for making this such a great event.

 It really is great to have such nice people who are willing to help their peers all here in our hometown of Atlanta GA.

Go Atlanta!

Visit Flickr to see all photos I took for this event.

P.S. Oh, and I almost forgot!  Atlanta Web Entrepreneurs is @atlantaweb on Twitter, and I’m @MikeSchinkel on Twitter.  See ya in the Twittersphere!

Event: Why you MUST have a Twitter Strategy

Just an announcement that we are going to be discussing Why you MUST have a Twitter Strategy at Atlanta Web Entrepreneurs on August 21, 2008.

I’m going to present a short intro/overview to Twitter and then, god willing and the creek don’t rise, we plan to have two (2) video conferences, one from Triangle Tweetup and the other from a soon-to-be-announced Industry luminary with over 25,000 Twitter followers!

After the 8pm break we’ll have a roundtable-less discussion and Q&A led by our featured participants:

Anyone that wants to attend should first be sure to have a Twitter account and to follow atlantaweb. We’ll use that list as a roll call for the meeting and we’ll announce our special guest on the atlantaweb Twitter account by 6pm Wednesday August 20th.

For more details and to RSVP go here.

 

Is .COM Still Required for Mainstream Success?

delicious .US domain is now the Dunce

It’s been almost fifteen years now since the web first hit its tipping point and transitioned from an academic’s playground and a mere curiosity for the average person to the decidedly mainstream global change agent that now drives trillions of dollars in global value creation annually. During that time we’ve gone from asking "What’s this ‘World Wide Web’ thingy the geeks keep talking about?" to rapidly seeing Web-based services dominate the activities of practically every business person alive. In the days of the first Internet "gold rush" a.k.a. the "dotcom bubble" it seems that everyone and their brother grabbed a .COM domain, or ten, and set out to strike it rich. Back then you really didn’t even consider getting anything besides a .COM for your website business but that was okay because many good brand names could be created from still available .COM domains.

Fast forward a decade and great .COM domain names have become scarce and even good .COM domain names are hard to come by especially with all the domain squatters. In addition a lot more top-level domains have opened up, and many small countries such as Tuvalu (.tv) have decided to cash in on their (un)natural resources. And just as fashions change, some creative types who needed a good domain name chose to forgo the .COM status quo and the "www." sub-domain convention and instead compose domain names from words by ignoring the domain level separators (i.e. the periods "."). From this trend popular websites with domain names like http://del.icio.us (aka "delicious") were born.

If you are not familiar with delicious it is essentially a website to store your web bookmarks, but storing them "in the cloud" as opposed to in your browser. And one of its best innovations, since mimicked by thousands of other sites, is the ability to allow users to categorize with freeform "tags" and later recall their bookmarks by the tags they assigned. These tags are just words, any words you choose, such as "marketing", "video", "php", "bestpractices" or even "shoes." What words you use to tag with is totally up to you.

I’ve been using delicious for several years now and at this point not a day goes by while surfing the web that I don’t tag at least one website for future reference. You can even use it to create lists of sites grouped by a tag and then send those links to others so they too can see your list of links. But I digress; there is a lot more to delicious but the subject of this post is the .COM domain so we’ll leave my detailed description of del.icio.us for another day.

As delicious got more popular with the many influencers on the web, Yahoo stepped in and bought them. Since then delicious has languished for years, still there but never updated. Probably the best thing that has happened to delicious during that period was Firefox built delicious tagging into their browser as their favorites list — if you choose to let Firefox use delicious for you — and the fact that since it hasn’t changed it’s been a pretty stable target for people who wanted to use the delicious API to create add-on functionality and integrations.

delicious .COM domain is the new King

So, after years of languishing it turns out Yahoo has been paying attention to delicious behind the scenes, and behold; there is a new delicious! [1] What’s more, Yahoo has redirected all attempts to access delicious at http://del.icio.us to instead find delicious at http://delicious.com/ and thus, in one fell swoop, have extinguished the quirky domain name that was in part why the web’s tastemakers first took note of delicious. The powers that be at Yahoo probably chose to do this because of usability data I expect they’ve collected that probably told them that the "in crowd" got the funny spelling but that the vast majority of users were simply confused.

Which brings me to the crux of my post where I posit the following:

Are .COM domains still required for commercial success in a mainstream website? Or are those rushing to get domain names with all the new top level domains simply exercising futility? Were all these idiosyncratic domain names merely a fad and now we’re back to business with .COM, or did Yahoo jump the shark on this one?[2]

So what do you think? 

Footnotes

  1. Frankly I’ve long thought delicious to be Yahoo’s secret weapon with Yahoo just not yet realizing it. And it’s no wonder they haven’t realized it, as anyone who’s paid attention knows what the critics have been saying about Yahoo being spread too thin. But that is all an entirely different topic and way beyond the scope of this post, yet again.
  2. While part of me feels the pang of loss from this change and what it may imply about the use of other non-.COM domains, I find that I quite prefer using http://delicious.com when compared to the original http://del.icio.us domain.

 

Anti-Follow Spam for Twitter

No Twitter Spam!
Wall of Spam courtesy of freezelight and enabled by Creative Commons

Damon Clinkscales blogged about Twitter Spam last month where he advocated proactively cleansing one’s followers list of "follow spammers" to help reduce the load on Twitter, improve Twitter’s reliability, and increase the value of the Twitter community in general.

I agree!

Still, I think Twitter could take a proactive step reasonably easily that would make it so we don’t have to. I think Twitter could reduce most of the type of Twitter follower spam I got today by applying two simple criteria (And I think Damon also got that same spam today. BTW, nice blog theme Damon! ;-)

I think a strong indication of Twitter follower spam is simply:

  1. Their following/follower ratio (or their ing/er ratio for short), and
  2. Their follow rate (i.e. how quickly they follow someone after the last time they followed someone.)

This spammer I got today followed me with 4 different Twitter accounts within a few minutes and each account had around 2000 followings and just over 10 followers making their ing/er ratio about 20-to-1 and I’ll bet their followers were all auto-followed. It’s also clear from the fast & furious tweets that I was not their only mark.

I think it would be reasonable for Twitter to auto-block anyone with a ratio of greater than 15-to-1 ing/er ratio. Twitter could even remove the auto-followers from the calculation; those that follow within around 90 seconds of being followed wouldn’t count as a follower. Doing this Twitter would still give someone the ability to follow 15 people for every one that follows them, and heck they could give them their first 150 people[1] for "free" (i.e. not counting against the limit.) If someone really wants to follow 15,000 people they need to be interesting enough to have at least 1000 people follow them. Shouldn’t be that hard…

Also, Twitter could limit followings per day to, say, 75.  That should be enough for anyone, even the most hard-core twitter newbie (150 "free" + 75 more), and it’s not unreasonable to require a newbie to wait a few days to follow lots and lots of people. 

If I were in charge of setting these limits, I’d set the ing/er ratio to 5-to-1, give them only 25 "free" and then limit to 25 followings per 24 hour period, but I shot high because I was trying to be "reasonable." Of course, Twitter could allow for special cases by allowing people to request to have those limits manually raised if they provide a good justification for it.
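The two criteria proposed above, written out as a check that can be run against account records (an added example, not code from the original post or from Twitter). The account records are constructed, all class and function names are hypothetical, and treating the "free" followings as exempt from the daily cap is an assumption drawn from the "150 free + 75 more" remark.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 24 * 60 * 60  # seconds


@dataclass(frozen=True)
class Policy:
    max_ratio: int                # followings allowed per counted follower
    free_followings: int          # followings that never count against a limit
    daily_follow_cap: int         # new followings allowed in any 24-hour window
    auto_follow_window: int = 90  # follow-backs this fast (seconds) are ignored


# The "reasonable" limits from the post, and the stricter ones the author prefers.
POST_POLICY = Policy(max_ratio=15, free_followings=150, daily_follow_cap=75)
STRICT_POLICY = Policy(max_ratio=5, free_followings=25, daily_follow_cap=25)


@dataclass
class Account:
    name: str
    follow_times: List[int]  # epoch seconds at which this account followed someone
    # One entry per follower: (when they followed this account,
    # when this account followed them, or None if it never did).
    followers: List[Tuple[int, Optional[int]]]


def counted_followers(acct: Account, policy: Policy) -> int:
    """Followers that count toward the ratio: auto-follow-backs are excluded."""
    count = 0
    for followed_us_at, we_followed_at in acct.followers:
        auto = (we_followed_at is not None
                and 0 <= followed_us_at - we_followed_at <= policy.auto_follow_window)
        if not auto:
            count += 1
    return count


def peak_daily_follows(acct: Account, policy: Policy) -> int:
    """Largest number of non-free followings inside any rolling 24-hour window."""
    times = sorted(acct.follow_times)[policy.free_followings:]
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= DAY:  # slide the window's left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def evaluate(acct: Account, policy: Policy) -> List[str]:
    """Return which of the two criteria the account violates (empty list = OK)."""
    reasons = []
    allowed = policy.free_followings + policy.max_ratio * counted_followers(acct, policy)
    if len(acct.follow_times) > allowed:
        reasons.append("ratio")
    if peak_daily_follows(acct, policy) > policy.daily_follow_cap:
        reasons.append("rate")
    return reasons


# --- Constructed sample accounts (not real data) ---
T0 = 1_218_000_000
# Shaped like the spam account described above: about 2000 followings in rapid
# succession, about 10 followers who all followed back within 30 seconds.
SPAMMER = Account("spammer",
                  [T0 + 2 * i for i in range(2000)],
                  [(T0 + 2 * i + 30, T0 + 2 * i) for i in range(10)])
# An eager newcomer: 200 followings on day one, 5 followers who found them unprompted.
NEWBIE = Account("newbie",
                 [T0 + 60 * i for i in range(200)],
                 [(T0 + 5000 + i, None) for i in range(5)])
# The post's 15,000-followings case: 50 follows a day, 1000 organic followers.
POPULAR = Account("popular",
                  [T0 + 1728 * i for i in range(15000)],
                  [(T0 + i, None) for i in range(1000)])

if __name__ == "__main__":
    for acct in (SPAMMER, NEWBIE, POPULAR):
        print(acct.name, evaluate(acct, POST_POLICY), evaluate(acct, STRICT_POLICY))
```

With the constructed records, the spam-shaped account trips both criteria under either policy, while the newcomer passes the 15-to-1 limits and fails the 5-to-1 ones, which shows how much legitimate behaviour the stricter thresholds would catch.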

What do you think?  Would this work to reduce most Twitter follow spam?  I think so.

Footnotes