May 5, 2021

Is your website secure and flexible?

Dave Hansen-Lange

Sarah Durham talks with Dave Hansen-Lange, Advomatic’s Director of Technical Strategy, about what open source is and shares tips on keeping your website up to date in this episode of the Smart Communications Podcast.


Sarah Durham: Welcome back to The Smart Communications Podcast. This is Sarah Durham. We talk about Big Duck a lot on this podcast, and we interview a lot of people from Big Duck. But what you may not know is that Big Duck partners with lots of other agencies and consultants in the work that we do for nonprofits. And for a very long time, one of Big Duck’s partners was a digital firm called Advomatic, which is a web development shop that builds and supports websites in WordPress and Drupal for nonprofits and higher ed and labor unions. And we formalized the partnership between Advomatic and Big Duck when I acquired Advomatic in 2019. And through my work, as I’ve ramped up and learned about Advomatic, I’ve had to learn a lot about technology and the critical role that it can play in how clearly or smoothly a nonprofit can communicate.

Sarah Durham: I’m sure you can relate. I mean, if you are a person who uses websites all the time like we all are these days, you know what it’s like when you get to a website and you can’t find what you’re looking for or things don’t work, or you get error pages or the information just feels stale or out of date. But the truth of the matter is that most people who work in the nonprofit sector are not techies. And there’s a lot to learn and understand if you’re anything like me and don’t identify as a techie. So that’s one of the reasons I’m a big fan of my guest today, Dave Hansen-Lange. Hi, Dave, welcome to the show.

Dave Hansen-Lange: Hi Sarah.

Sarah Durham: So Dave is Advomatic’s director of technical strategy and he joined Advomatic in 2007, but he’s been developing websites since way before then. He’s passionate about improving Drupal’s performance. He does a lot of his work in Drupal. He’s very focused on the maintainability and security of websites. And as Advomatic’s director of technical strategy, he works to improve quality and process on all projects. He’s been the lead technical person on many, many projects for the Department of State, Columbia University, The Clinton Foundation, Stanford School of Humanities and Sciences, ACLU, and many more. He lives in Canada, but he’s lived all over the world and been very active in Drupal communities in lots of different places. But the best part of Dave is that he can break down what’s going on technically into simple terms nonprofit people can understand. He speaks nonprofit too, and he understands what nonprofits need. So Dave, let’s get into it. Drupal and WordPress. These are content management systems that most nonprofits these days use. They’re both open-source systems. So first, what does open source really mean?

Dave Hansen-Lange: There are basically two main ways to build any sort of software in computers. Open source and closed source. Closed source is when a company goes off on their own, creates some software, and then sells it. That’s very different from open source, where it’s more, a bunch of people get together and it may actually be a bunch of companies that get together or individuals and they create some software to fill some sort of need that they’ve got. Then they work together and the work is all out in the open and anybody can see what’s going on and anybody can join the project and can contribute to it. And that’s how both Drupal and WordPress and lots of other software that powers the world is built these days.

Sarah Durham: And I’m thrilled we’re in a place where most nonprofits do have Drupal or WordPress websites because I remember in the late nineties when nonprofits started building websites, almost all of the websites that our clients were building were closed source. They were often built in proprietary systems. And what that meant for a lot of organizations was that even if you loved your website, if you had a falling out with the person who built it, or they decided they were going to go do something else, you didn’t have a lot of choices. You couldn’t just hand the keys to the car over to another shop and trust that they could take over the website. But one of the beautiful things about both Drupal and WordPress is that a lot of people work in those systems. So it’s easier to hire people on staff. It’s easier to hire agencies. And if you don’t like one partner or one vendor, you have options to work with other ones. So that’s great. I actually recorded a webinar about a year ago about the difference between Drupal and WordPress. I’ll link to that in the transcript for this podcast. If you want to find it, it’s over at We’re not going to go too deep down the road of the difference between Drupal and WordPress. But instead, I want to talk a little bit about the health and maintenance of both. Both of these systems go through regular updates. There are security patches. There are plugins that get updated. Is it important to pay attention to those things? I mean, if you’re not a techie and you’re responsible for your nonprofit’s website, what are the risks of ignoring them?

Dave Hansen-Lange: If you’re not a techie, maybe you don’t have to be the one who pays attention to that. But generally, someone needs to pay attention to keeping the website up to date with the latest releases. And that’s for a couple of different reasons. So the most obvious one is security. All software, there’s always this constant evolution of people finding new ways that it might be insecure. And then the software builders, in the case of Drupal and WordPress, the open-source community and their specific security teams, work to fix those security problems. And so it’s important for your organization’s website that it’s kept up to date for security, and that’s not going to be the same for every different organization about how important that is, but it’s at least important that you don’t all of a sudden wake up one morning and find that your website’s been replaced with a bank phishing website or all of a sudden people who come to your website, their computers are going to be taken over to mine Bitcoin for, I don’t know, some Russian cartel or something.

Dave Hansen-Lange: For some organizations, security is even a whole level higher important than that. If your organization, say, works in some sort of political area that may be contentious, you know, maybe there are people who think differently from you that want to actually take down your website or take it over, or actually harm your organization in some way. So security is one side of why you want to stay up to date. But then there’s this whole other side that is a little less well-defined and a little more of a gray area in that, as you’re thinking about what you want your website to be, it’s got to constantly be evolving to keep up with how your organization is evolving. And so keeping your website up to date is more than just keeping the latest security version up to date. It’s about growing and evolving your website over time so that you don’t get yourself into a situation where you’re stuck and the website just can’t reflect who you are or can’t do the things that you want to do.

Sarah Durham: So keeping your website up to date and reflecting who you are. I mean, a lot of what you’re talking about is about content production, right? About producing new articles, changing the structure of the website, perhaps to adapt to new initiatives or new programs you’re launching. How else does a nonprofit website need to adapt in order to keep up with the organization?

Dave Hansen-Lange: Content is definitely a very important part of that and probably the biggest part of that. But oftentimes people find that there just isn’t the ability to do the content that they want to do with their website. And sometimes that’s because of some decision that was made in the past about how, say, your blog posts were set up or something that is now limiting you. But sometimes it’s just like, you’ve got this new idea for this new way to use the website that just wasn’t envisioned when the website was first created. And now you want to do this new thing. And so the website needs to evolve and grow to be able to handle your new ideas.

Sarah Durham: I’ve heard you describe Drupal as sort of like this incredibly flexible tool. I think one metaphor that’s often used is Drupal is kind of like Legos. Whereas WordPress is a little bit more fixed. I’ve heard it described more like a transformer. You can’t do everything, but in both of those systems, you can build for flexibility. And I think that’s what you’re talking about, the way you structure the site when it’s built might make it easier for staff to create new pages or change things or adapt to new types of content. But there’s also a tension with that because you don’t necessarily want to create something so flexible that all the people who use or maintain the website can go rogue and start to make a mess of it. I know a lot of people are worried about that. How do you think about that and how would you encourage nonprofits to think about what to leave open or flexible when they’re building a new site and what to kind of lock down technically?

Dave Hansen-Lange: Yeah, I really see it as kind of like an art to building a website in that there’s this balance between governance (usually the more technical term that we use to describe that locking things down) versus the flexibility. And for some organizations, they really need a lot of governance because there might be a lot of moving pieces to your organization and you want to just ensure that everyone is on the same page. And other times, for other organizations, they want to have ultimate flexibility. It’s important to figure out upfront, like which side do you want to lean more toward? Or do you want to keep it perfectly balanced in the middle? And also there’s sometimes maybe a place for going extreme just for short periods of time. For example, there’s lots of competing platforms on the web where you can just create a simple one-page website and you can build the website more like using Photoshop where you move the lines around and create a box here and stuff like that. And sometimes if you’ve got like just a quick campaign about something and you want to make something super unique from the rest of the website, maybe a tool like that is great for something like that. Other times, when we want to have consistency between how your various programs are presented or how your blog posts are presented, those are cases where maybe you want to lean more to the governance side and ensure that things can be very consistently presented.

Sarah Durham: So let’s switch gears and talk a little bit about Drupal 7 end of life because this is a reality that nonprofit people who are in tech teams or digital teams have been thinking about for a while, but people who have inherited Drupal 7 who are less technical may not really understand what this is all about. So if you have a Drupal site and it’s in version 7, end of life is coming up in 2022, I think it’s November 2022. Is that right, Dave?

Dave Hansen-Lange: That’s right. Yeah.

Sarah Durham: So what does that mean if I’ve got a D7 site, do I have to worry about November 2022 and why?

Dave Hansen-Lange: Yes, you do. Let me back up for a little bit and explain what these versions mean, and what is end of life? Drupal, over its history, has gone through this very, I would call it traditional, way of creating software and releasing software. There’s a new version, and then people see the limitations of that thing that was created. And so in the past, Drupal has sort of torn the whole thing down and almost started from scratch to build something entirely new for the next version. That’s the style that Drupal 7 was on and different from Drupal 8 and Drupal 9, and what will be Drupal 10 someday in the future. Now Drupal has the approach of, okay, well, let’s create like a strong base and slowly evolve it over time. The difference is with Drupal 7 and 6 and Drupal 5 and those older versions, when you want to move to the next version, it’s like this big transition. You’ve almost got to create a brand new website in order to get to the next version, different from Drupal 8, 9, 10, where you can just slowly evolve with it over time.

Dave Hansen-Lange: And that’s really similar to the way WordPress works. WordPress does it in a way that sort of always keeps the old thing around. Drupal does it in a way where the old bits of it are slowly removed, while constantly evolving to be something new and greater in the future. And so what this means for websites that are on Drupal 7 is that Drupal 7 is now no longer going to be supported for security updates come November 2022. So now you need to think about what do I do going forward. And there’s four main options. Not every option is going to be right for every organization. There’s no one answer that’s right for everybody. It’s important to be thinking well in advance of November 2022 about which direction you’re going to head and which options you should explore.

Sarah Durham: So Dave and I recorded a webinar where I interviewed him a little bit more about the four options that are available if you have a Drupal 7 site, and you’re thinking about how you’re going to migrate or upgrade, and I will link to that webinar in the show notes and the transcript. You’ll be able to skim through the narrative or watch that video any time. It’s really interesting. It’s a pretty useful deep dive into a bunch of different options. So bottom line, if you’ve got a Drupal 7 site between now and November 2022, you need to make some decisions and migrate so that you aren’t in a situation where your site becomes vulnerable. Dave, before we wrap up, do you have any other pieces of parting advice for nonprofit communicators who may not be technical but are responsible for their organization’s Drupal or WordPress websites?

Dave Hansen-Lange: Yeah. One of the things that often happens when people are thinking about something like an old technology that they’ve got to get off of, or even when they’re planning for like, “Oh, we want to create an entirely new website.” They often start by thinking, okay, how much is this going to cost us? Which is kind of a reasonable way to think about it, except I would really encourage people to think more about what is the value of this for our organization? How much should we invest in this? And then find an option that’s going to fit that budget. And maybe you don’t need to come up with an exact dollar budget, but come up with a range because oftentimes, whether it’s with Drupal 7 end of life or with something else, as technical people, we can give you an option that costs $20,000 or $200,000. And really, I just don’t want to give you the wrong option for you. I want to know a little bit more about what is going to be best for you, and if we can sort of work together to find out what your needs are and what your budget range is, then we can find the best solution for you.

Sarah Durham: The other thing that I love about that recommendation is that it forces an organization to think first and foremost, about how important that website is in the scheme of its overall communications. And I think over 2020, we’ve seen more than ever how important a website can be when we can’t connect in person. When we can’t hand somebody a brochure, when they can’t necessarily come in for services to the program directly, the website just takes on a monumentally important role in representing the presence of your organization. So thinking about what that digital presence needs to be, how your organization comes to life on the website, or should come to life on the website and then trying to scale what the website is or does, and the budget seems really important. And it also seems really important not just to think about how much money you spend externally, but to think about how much staff time you invest in that website? Who’s going to be responsible for content? Who’s going to be responsible for the tech? Who’s going to make sure your organization’s voice is represented in all of the beauty and diversity of the community that you are? So, Dave, I’m really glad you mentioned that. Any other tips?

Dave Hansen-Lange: I think that’s all, Sarah.

Sarah Durham: Okay. Well, with that, we are going to wrap up. Dave Hansen-Lange, thank you very much for joining me today. You can find more of Dave’s insights, his writings and webinarings, and all those kinds of things at

Dave Hansen-Lange: Thanks a lot, Sarah.

Sarah Durham: Thanks Dave.