Security and Performance: Remove old Modules

Yesterday, the Drupal Security team issued a Security Advisory for the Mollom module, SA-CONTRIB-2018-038. The module is now marked as "unsupported".

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

This serves to illustrate a key principle with any CMS (content management system) website: When you're not using a plugin, module, theme or library, remove it.

First, a bit of background.

Mollom

From their own website:

Mollom launched in 2008 to make it easy for people to ensure the quality of content posted to their online applications. Mollom was used widely in the Drupal community and blocked more than 13.5 billion spam comments since its inception. Mollom has helped grow many web applications, but the online comment and SPAM blocking ecosystems have evolved over the years.

What Mollom was particularly good at doing was triaging comments / emails sent from Drupal sites.

Before Mollom, site administrators had two choices: They could ask every poster to complete a CAPTCHA, or they could use heuristics to determine if a comment or email was spam. The problem was that skilled spammers learnt how to get around the latter, and the former was ineffective. (Spammers can crack CAPTCHAs by using actual, low-paid, humans to do their work; real people get annoyed when they can't successively identify every street sign in a photo).

Along came Mollom, and used automated processes to put posts into one of three categories: spam, ham and not sure. Comments that were clearly spam were blocked; comments that were clearly ham were let through; only the "unsure" ones got a CAPTCHA to solve. They had a huge database based on their vast daily workload that let them learn spam characteristics in real time. Spammers never got to have their human pawns crack the CAPTCHA, because their spam comments got blocked first; real people never got the CAPTCHA, provided their comments looked genuine enough.

It was genius, and it worked very effectively.

But then they shut down on 2nd April 2018. The community of end-users had a year's warning of this, but it was still a sad day. I don't know why they closed. Was it impending GDPR? Was it that there weren't enough paying users to keep the service running? We'll never know.

There are lots of Drupal sites that once ran Mollom, and now no longer do.

Which brings me to my point:

Remove that Module

You no longer need the Mollom module files for your Drupal site. So have you removed them?

This is important from a performance point of view. Even if the module is not enabled, Drupal still has to identify that the files are there, and parse them, in case something of relevance lurks within.

It's important from a security point of view. Some vulnerabilities don't require a module to be enabled for the exploit to work.

Also, once a module is disabled, you'll no longer receive updates from the update notification process. I've found sites of mine where I once tried out a module, years ago. I still have the code for 7.x-2.1 in my site directory, and they're now on 7.x-3.15.

Uninstall First (D7)

A special note to Drupal 7 users.

In Drupal 8, you disable a module by uninstalling it.

In Drupal 7, those are two steps. First, you disable it, but the module's configuration remains stored in the site database. Then, if you know you'll no longer need the module, you can do the second step of "uninstall", which clears any variables / tables that the module may have used.

To uninstall, you need the project's files still in the directory tree. So, if you remove the files before uninstalling, you'll have no easy way to uninstall in the future. So uninstall first, then remove the files. (It's not the end of the world, from a security or performance point of view, to have old module variables and data tables lying around, but it is untidy, and you may regret it.)

Any Other Modules or Themes?

Mollom was extremely popular and widely used, and then totally discontinued. That means there will be a lot of sites that need to remove the mollom directory, if they haven't already.

But whilst Mollom is the prompt to write this, it's not the only culprit. It's easy to try out a module and then stop using it. It's easy to build a site using one module for a particular task, and then switch when a more suitable alternative is released.

Why not use this as a cue to review the modules and themes you have lying around, and get rid of the ones you don't need.

Wordpress too

This isn't just a Drupal issue. Anyone got a Wordpress site that still has the "Twenty Twelve" theme lying dormant?

Drupal - Highly Secure

Drupal has a well-resourced security team, who ensure it remains one of the most secure CMS out there, if not the most secure. They work hard to handle vulnerabilities in a timely and professional manner, ensuring issues are patched before they're exploited, and that this is all communicated to the community.

But we can all do our bit, too. Removing old, redundant code is one part of that. And the site may perform a whisker better as a result.