book reviews


As part of this review process, I interviewed Ben Finklea. We covered his new book, "Drupal 6 Search Engine Optimization," as well as other interesting topics like how you might need to start your own church to write a book, what it's like to overcome the stigma of doing SEO, and what to expect in the future of search engines and Drupal 7. Listen to the interview here. (right-click and select 'save as' to download)


I have a lot of respect for business owners forging new niches in the Drupal space. Not only has Ben Finklea done this, but he's done it in a niche that's rife with controversy. SEO as a subject is highly polarizing, and choosing it as the topic of a book directed at an open-source audience that highly values the transparency often neglected in the SEO sector seems downright masochistic. So, before even addressing the content of the book I have to applaud Ben's gumption. To have success in a controversial arena like this, I think you have to be quite skilled at filtering out and responding positively to the inevitable negative feedback - something that's not always easy to do.

The book

To begin with, I think the name of this book is understandably misleading. While "Drupal 6 Search Engine Optimization" covers many topics related to optimizing a site for search engines, a large part of the book is dedicated to teaching the reader how to improve conversion rates, attract readers and organize content. I think this is a good thing, but going into the book knowing that a variety of non-SEO topics will be covered might allow the reader to enjoy it more.

I've had enough SEO experience to be a bit beyond the curve the book takes on, so I felt a little outside the target audience range. In spite of this, I still found a lot of value in it, and surprisingly this value was mostly in the material that wasn't directly SEO-related. Also, if I step back about 5 years to before I knew much about Drupal or SEO, the value multiplies significantly. If you're new to Drupal, sifting through the module repository to find ones that will help your site become more friendly to search engines is tricky, because they're not all labeled as such. The first part of the book introduces the reader to a variety of helpful modules and walks them through the steps required to configure them. Along the way, the reader is exposed to some basic concepts in SEO, such as the importance of targeting keywords, cleaning up URLs, dealing with redirects and the benefits of writing semantically-correct markup. If you find that you have too few tools in your SEO toolbox, then this initial coverage is important and will get you headed in the right direction. Pages 11-17 in particular list out a number of useful SEO modules that are mentioned throughout the book, and this list alone is a great resource.

A number of more advanced topics are covered as well, including how to optimize your robots.txt file (something I don't have much experience in), and tips on speeding up your site. For a typical site maintainer who hasn't given much thought to optimizing their site for search engines, there is enough material here to keep busy for a while. And based on my knowledge of SEO, using the collection of tools Ben suggests is an excellent defensive strategy for getting your content indexed by search engines properly, without any fear of sketchy tactics getting your site penalized or banned.

At about page 150, SEO starts to take a back seat and traffic optimization takes the wheel. My favorite two sections in this second part are labeled "Don't Stop" and "Find Inspiration." Don't Stop is a short, single paragraph, but summarizes a principle that is just about the most essential aspect of building meaningful traffic, which is continuing to build content and keep things fresh - an excellent reminder. "Find Inspiration" is a list of around 20 suggestions for sources and structures you can build content from. Ben mentions that he refers to this list when he gets stuck, and I found the list useful enough that I'm going to start doing the same. Some suggestions include subscribing to Google Alerts, reviewing emails and questions from customers, and doing original research. If you've attempted to write on a regular basis, then you know that some days you're more inspired than others. There's something on this list for just about any level of inspiration.

Some interesting additional topics are covered in this second part, such as how to write compelling copy, organize large amounts of content and improve conversion rates, which are all very useful to those responsible for managing web site content.


I understand that one book can't be everything to everybody, and this book serves its purpose well. However, if you have some experience with SEO, you'll notice that there are some notable omissions in this book. With controversial subject matter, one can be bold, in-your-face, opinionated and passionate, taking a side and sticking with it. Or, one can be cautious and careful and avoid arguable material. This book takes the latter approach. It definitely outlines a clear path of SEO defense with useful material that is difficult to argue against, but leaves out a lot of the meaty bits I find most interesting about SEO. Subjects like inbound and outbound linking, link building campaigns, conducting tests against search engines to see how PageRank is transferred (and is it even important?). Link text - generally thought to be one of the most important aspects of passing value from one page to another - is only briefly mentioned. What about changing content on pages that have been indexed, or how search engines consider the longevity of links? The book doesn't take the SEO talk further than the basics, which may be disappointing to some.

Those things being said, I recognized a number of suggestions in the book that I don't apply regularly enough, and the argument can be made as to the amount of good the material I'd like to hear about would do me if I'm not executing the essentials properly.

The only other criticism I have is that I would have liked to see more sources referenced. Matt Cutts's blog is mentioned briefly, but I would be really interested to see where the rest of the material came from or from where it was inspired. That kind of list would also be helpful for folks ready to dive a little deeper into SEO.


I think this book can provide a lot of value to new web development shops or freelancers. If you become familiar enough with the material it covers, you will have an arsenal of answers to tough questions you're inevitably going to get from potential customers regarding SEO and managing content. It will take a while to gather this information yourself, and the time it saves you will be worth the cost of the book.

As a new site administrator or owner of a site that needs to optimize its traffic sources, a lot can be gained from utilizing this book as a reference guide for writing and organizing content. As an intermediate Drupal user, I would suggest reviewing this book to make sure you're following the different strategies it outlines. If you find yourself running out of ideas for improving your site and building content, there's some excellent material in the second half of the book for you, too.

Interview notes

Ben was kind enough to interview with me, and some really interesting topics came up. One notable bit that got missed in the interview was that the book probably wouldn't have been written if Ben hadn't gotten appendicitis and been high on drugs in the hospital with nothing to do but find the bottom of his e-mail inbox. Here's a quick list of what you'll hear about:

  • How the Drupal community has responded to an SEO company in their midst
  • Is organic SEO dead?
  • How will SEO in Drupal 7 be different?
  • How are search engines changing and what can we do?
  • Reflections and tips on writing a book (everyone should do it!)
  • Listen to the interview here

It recently came to my attention that there are some gaps in my conceptualization of Drupal security. I was fortunate enough to have this pointed out to me by the Drupal Security Team, and not by a DOS, CSRF, SQL injection or XSS attack. After publicly bemoaning the mild lashing I received, four members of the Drupal community suggested I read Cracking Drupal. One of them even sent me a copy. No other book was even mentioned, which says to me that - considering how recently it was released - the book fills a void of knowledge that was seriously aching for coverage, and fills it well.

Over years of developing, I've become familiar with the various vulnerabilities that make their way into code, but I've never felt like I could build a complete defense. My knowledge has been piecemeal, drawing from documentation, books, interesting conversations and other people's code. In my case, Cracking Drupal did a fantastic job of gluing these pieces together into a comprehensive frame of mind.

What becomes clear very quickly in Cracking Drupal is that Drupal is quite a wily beast that gives developers real incentive to learn security. There are few functions in Drupal whose exclusive purpose is security, and Greg makes it clear that learning how to secure your site has definite side benefits: "When developers learn and use the API, they are not only safer but more effective and more efficient." When you learn how to use different aspects of the Drupal API (forms, translations, helper functions, theming) you gain bits of security as a bonus. If you set out to learn Drupal security, you'll come out the other end with a pretty solid grasp of Drupal APIs. Either way, it's a win.

Cracking Drupal is surprisingly brief. In 134 pages, Greg covers a lot of ground including:

  • An overview of the different types of attacks one is likely to encounter, from physical to social
  • Most (if not all) aspects of the Drupal API that have security implications
  • Coverage of security-related contributed modules
  • An introduction to the Drupal Security Team
  • Demonstrations of exploiting common weaknesses in Drupal modules and how to fix them

An interesting choice is made in Cracking Drupal to keep a somber atmosphere around the subject matter. In almost any other context, this would be an immediate turn-off. I appreciate humor and optimism to drive my enthusiasm when reading. In contrast with other instructional books which end a chapter with a "go for it, get things done!" message, this book ends chapters with lines like "This paranoid perspective is a good one to maintain as you write, review, and implement features on your site." and "Remember that it is nearly impossible to fully protect yourself from a dedicated and persistent attack." and "If nothing else, I hope this chapter has scared you a bit about the realities of just how easy it is to exploit insecure code and sites".

In a book covering attacks that can result in a very serious loss of time and money, this lack of optimism is probably a good thing. And the final chapter, "Un-cracking Drupal" does leave the reader with the sense that something can be done. It's difficult work, but it's doable. Ultimately, I think the book drives home the fact that the most effective way to make a module or theme secure is to do it right from the start.

The title chapter of Cracking Drupal was probably the most lively and hands-on part of the book. I came out of it feeling like I could really enjoy exploiting vulnerabilities for the greater good. Because of this reaction, I think it would have been a good candidate for a first chapter to really whet people's appetites.

Overall, I think Cracking Drupal does a tremendous service to the community by pulling together the most important aspects of Drupal Security into one solid, compact document. While I came into the book having already been introduced to many of the concepts, it filled in a few gaps, and made the subject matter finite and approachable (albeit a little scary). I suspect this book will serve well as a guide and quick reference as I dive into identifying and patching up vulnerabilities in the modules I maintain.

A couple things I learned

While the greatest benefit to this book was the broad, sweeping overview of security, there were a few additional gems that will come in handy later on:

  • There's a lot more to hook_menu() than I was aware of. Good coverage of examples on p.55
  • I didn't realize that you had to exit after using drupal_access_denied(). p.59
  • Ah, db_placeholders() - a useful function for passing a number of variables to db_query() p.65
  • I had no idea there was such a robust node access API. Wow!

Notes in the margin

Below are a few unorganized comments that constitute my wish-list for future versions and compliments to the author:

  • Good quote regarding the definition of security: "For this book I’ll define site security as follows: A site is secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users."
  • I would have liked to see more AJAX security strategies and techniques covered.
  • I liked all the Drupal 7 references, gives a good feel as to the direction of things
  • I was surprised that there were not more brutal admonitions about hacking core, but suspect that's because they represent much fewer vulnerabilities than badly designed contrib.
  • I was happy to see some coverage of CVS and DRUSH, namely using CVS to keep code up-to-date
  • Nice coverage of security-related modules starting around p.41
  • A brief mention is made that using mixed-mode SSL is pretty pointless. This is a big deal, I wish it had gotten further coverage.
  • Being more of an optimist, I appreciated this particular phrase: "Every day there are more and more techniques being developed to attack sites, but every day there are also Drupal users reviewing code and providing new modules and enhancements to core to keep your site safe." Ahh, a glimmer of hope!
  • Would have liked to see more coverage on the use of form tokens. If one must step outside of the forms api, this could be very important
  • I liked that theme safety was covered, and thought the take on it was interesting: Make the theme secure by giving themers no reason to make stupid mistakes.
  • Since the 'Vulnerable' module was patched up in the end, maybe it should actually be named to indicate that it's meant to be a useful module. That would feel more like a practical example.


After reading Drupal 6 Javascript and jQuery (Matt Butcher, Packt Publishing), I gained a new appreciation for writers attempting to expound on one specific aspect of Drupal development. jQuery, for example, can be used by nearly every layer of Drupal, from module building to theming, from the file system to forms. How does one boil down the many and varied applications of this multi-purpose tool into a reasonably sized book? I think Matt Butcher did a fantastic job of doing just that.

The book was not quite what I expected, and that's a good thing. For one, the author assumed a minimal amount of experience from the reader, and started at square one with some basic terminology and a first 'hello, world' tutorial. Like most tech tutorial books, the chapters are comprised of 1-3 mini projects where some new ideas or techniques are introduced. For the most part, each chapter builds on previous chapters, illustrating more complex functionality. Another thing that struck me from the start and continued to impress me throughout was the quality and creativeness of the example projects. While few of the examples were production-ready, they solved common issues in a compelling way. Here's a quick list of some of the mini-projects:

  • Load an RSS feed via AJAX
  • Create a live in-page alert when new comments are added
  • Create a text editor
  • Create random, rotating node teasers in jQuery
  • Write a jQuery plugin

A lot of these projects have crossed my mind as things I'd like to dig into at some point anyway. In addition to being interesting ideas, these projects are also executed in a way that brings together many aspects of Drupal. Having used jQuery and Drupal for a couple of years now, I felt like I knew the basics, but I was pleasantly surprised to learn something new in virtually every project. Some things I learned, but didn't expect to:

  • How to use JSON - I've been wanting to wrap my mind around that for a while
  • How to use translations in jQuery
  • What are Drupal behaviors - If you don't know about them now, you absolutely need to! They solve one of the more complex problems I've dealt with in complex jQuery apps
  • How to theme in jQuery - Awesome, I didn't know you could do that
  • Creating jQuery functionality in themes - I had thought this was a purely modular job, but no!

By the time you make it through the book, you've been introduced to all of the major parts of Drupal. If I had known nothing about Drupal from the start, I would come out the other end with the ability to create themes, modules, and jQuery plugins. Not bad for 318 pages, probably half of which is code. And the fact that I was still satisfied even having worked with Drupal and jQuery for the last couple of years says something to the depth of the material covered.

I was excited enough about the new stuff I learned that I picked up a module that had been languishing for a while and re-wrote a bunch of the code using the principles addressed in this book. The code is now a whole lot easier to understand and debug. The 2 major concepts I applied were object oriented javascript and Drupal behaviors. Drupal behaviors is binding jQuery actions to html elements on the fly, so if you load up some new content via ajax, you can then attach all the jQuery stuff to it without affecting the rest of the page (like accidentally attaching an action a second time, which can have undesirable consequences). I've found all kinds of ways of dealing with this in the past, and they've all been really ugly in comparison. Behaviors are a breath of fresh air, and there were lots of examples in Drupal 6 Javascript and jQuery to really anchor the coolness of them.

Minor Nitpicks

My criticisms of the book are really minor in comparison with my praise. There were quite a few typos and consistency errors. In another genre of book I wouldn't be as concerned, but when dealing with code where one misplaced character can break an entire script, running into typos in the text reduces confidence that the code will work if copied verbatim, especially for the inexperienced programmer. I actually worked through every example up until the last two chapters, and was pleased to find out that they all (with one exception) worked as advertised. The one exception was in Chapter 7 where a module is required that does not produce valid JSON. It took me a while to discover the problem, look for and find a patch to the module. One more really minor thing is that I felt that the tone vacillated a bit, assuming at times that the reader was new to programming, and at others more experienced. Sometimes a good bit of work went into describing more complex programming conventions, and at other times they were more casually alluded to.


Overall, I was really happy to spend the time reading this book. I'm not the fastest reader, and working through the code examples takes me some time, but it was worth it. It anchored some important Drupal 6 conventions, illustrated some best practices for jQuery which can extend from simple to complex projects, and introduced me to some of the ways that jQuery integrates with the different aspects of Drupal. I'm looking forward to reading more from Matt, and would recommend this book to anyone aspiring to jQuery ninja-dom.

Notes in the margin

I made several notes in the margin of the book that didn't make it into the above review, so here they are for those interested:

  • Until later on in the book, the example code snippets were short, which I appreciated
  • I liked the idea of introducing jQuery in the theme layer in early chapters. Really simple, good call.
  • Good callout in the translation chapter, which says 'hey, translations are really important, don't skip this chapter'. By the title, it was the least interesting chapter to me, but I really enjoyed it.
  • Excellent job covering lots of gotchas: Syntax coloring, can't call ajax on a different domain
  • Creating a javascript templating engine - weird and cool!
  • Would have liked a chapter on jQuery.getScript() - dynamically load javascript
  • How to handle cookies in jQuery - yea!
  • I like the .info file trick - stick your own stuff in there, use it later
  • I really liked the using caching for search auto-complete example. Will definitely use that one in the future.
