Updated on 19 March 2018
This checklist has been turned into the Production Checklist module.
System wide status and reports
Review status report
Contains general system information.
Make sure the email address and site name are correct. Check the homepage title.
Review recent logs
Monitor your site or debug site problems.
Disable error display
Disable any error output on the frontend.
Disable core search if not relevant or if a replacement search is used (Search API, ...).
Enable Syslog core module and optionally disable Database Logging for performance.
Logs and records system events to syslog.
Contributed projects review
Core, modules and themes.
Uninstall development modules like Devel (Devel, Devel generate, Kint, Webprofiler).
Uninstall and remove unused modules.
Uninstall and remove unused themes.
Vendors, custom code and libraries
Remove development vendors like PHPUnit, Behat.
Run composer install --no-dev
Composer install documentation
Remove unused libraries.
Check the /libraries directory
Check that Node modules dedicated to the SASS build, ... are not in the codebase.
PHP Mess Detector
Run PHP Mess Detector on custom code.
PHP Mess Detector
Run the phpcs command on custom code.
PHP Coding Standards
Spam related configuration and modules
Review user registration
Depending on the use case, new account creations can be limited to administrators.
Check permissions for content creation
Node related permissions.
Check permissions for comment creation
Comment related permissions.
Check contact form and webform configuration
Are the main contact form and personal contact form enabled? Is Webform installed?
Are the forms protected with Honeypot and Captcha (and optionally reCaptcha)?
Are the email addresses protected against harvesting by bots (in fields, WYSIWYG content, Twig templates)?
Security and access control
Drupal and other project updates
Are all the security updates applied?
Review the permissions
This should be done for each role.
Make sure that input formats are correctly configured. Full HTML should be avoided for untrusted users.
Admin user name
The name of user 1 (or of any other user with the administrator role) should not be 'admin', so that it is harder for attackers to guess.
Passwords should be hard to guess, especially for author and admin roles. Use a module like Password Policy.
Review access denied errors
If needed, block IP addresses with the core Ban module. The recent log messages can help with this process.
Do not publish CHANGELOG.txt and other .txt files at the root of the code base.
Staging and dev environments
Make sure that your staging and dev environments do not contain sensitive data and are protected with Shield if accessible from the outside.
Securing Non-Production Environments
Content model review and proofreading
Review content model
Remove unused content types, vocabularies, roles, fields, ...
Remove dummy content
Content, terms, users, ... dedicated to site building (e.g. devel generated) should not be there.
Remove form tests
Webform provides a test deletion tab for each webform.
Files sub directories
Configure file and media fields for storing files in sub directories instead of the sites/default/files root.
Is all the necessary content translated?
Entity and field translation
Are all the entities and fields configured properly?
Is the localization up to date?
Frontend basic checks
Provide a maintenance page
Check the maintenance page layout.
Provide a good 404 page
Check the 404 page layout. Optionally provide a dedicated design and improve it (smart 404, search engine, ...).
Provide a good 403 page
Check the 403 page layout. Provide an option to log in and redirect to the requested route.
Provide favicons in several formats.
Database and configuration
Check database update
Run /update.php; take a backup first.
Check entity update
Run drush entup.
Export current configuration
Run drush cex.
Performance and caching configuration
Consider enabling the BigPipe module.
Check Views caching (on a View edit: Advanced > Other > Caching).
Check cache tags and invalidation, make use of Drupal cache for heavy tasks.
Test coverage
Run PHPUnit tests
Continuous Integration system
Use tools that fit your needs like Travis CI, CircleCI, Jenkins.
Travis CI | CircleCI | Jenkins
Is the Google Analytics module installed and configured?
Google webmaster tools
Are Google webmaster tools configured?
Is Hotjar or another heatmap service installed and configured?
Server configuration and backups
Have the emails been tested for each form (e.g. password reset)? Is a third-party service needed, like Mandrill or SendGrid? Are the SPF and PTR records OK?
Free SSL certificates are available from Let's Encrypt.
Maximum file upload size
This should be set in your per-vhost php.ini configuration if available. Set post_max_size and upload_max_filesize according to your needs.
Maximum memory and execution time
This should be set in your per-vhost php.ini configuration if available. Set memory_limit and max_execution_time according to your needs.
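As an added example (not from the checklist or the Production Checklist module), a POSIX shell check that reads the three size directives above from a php.ini and verifies they are consistent with each other: PHP documents that post_max_size must be at least upload_max_filesize and memory_limit should be at least post_max_size. The function names are this example's own; the fallback values 2M, 8M and 128M are PHP's built-in defaults.

```shell
#!/bin/sh
# Added example, not part of the original checklist: check that the PHP limits
# named above are consistent with each other. If post_max_size is smaller than
# upload_max_filesize, large uploads fail; if memory_limit is smaller than
# post_max_size, a single large request can exhaust a PHP worker.

# Convert a php.ini shorthand size (8M, 512K, 2G, or plain bytes) to bytes.
php_size_bytes() {
  num=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
  case "$1" in
    *[Kk]) echo $((num * 1024)) ;;
    *[Mm]) echo $((num * 1024 * 1024)) ;;
    *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
    *)     echo "$num" ;;
  esac
}

# Print the last uncommented value of directive $2 in ini file $1 (empty if unset).
ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1
}

# Usage: check_upload_limits PHP_INI
# Prints one line per violated constraint; returns 0 when the limits are consistent.
# Missing directives fall back to PHP's built-in defaults (2M, 8M, 128M).
check_upload_limits() {
  ini="$1"
  v=$(ini_get "$ini" upload_max_filesize); upload=$(php_size_bytes "${v:-2M}")
  v=$(ini_get "$ini" post_max_size);       post=$(php_size_bytes "${v:-8M}")
  v=$(ini_get "$ini" memory_limit);        mem=$(php_size_bytes "${v:-128M}")
  rc=0
  if [ "$post" -lt "$upload" ]; then
    echo "post_max_size ($post bytes) < upload_max_filesize ($upload bytes)"; rc=1
  fi
  # memory_limit = -1 means unlimited, which trivially satisfies the constraint.
  if [ "$mem" -ne -1 ] && [ "$mem" -lt "$post" ]; then
    echo "memory_limit ($mem bytes) < post_max_size ($post bytes)"; rc=1
  fi
  return $rc
}
```

Point it at the php.ini actually loaded by the vhost (php --ini or phpinfo() shows which one), since per-vhost overrides can differ from the global file.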
Check files / directories permissions and ownership
Usually one owner and group per virtual host, files at 644 and directories at 755.
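An added example, not part of the original checklist: a POSIX shell audit of a docroot against the baseline above (files 644, directories 755, one owner per vhost), with a companion function that restores the modes. It skips sites/default/files, which the web server user must be able to write to, and settings.php, which the status report expects to be read-only after installation; the function names and the DOCROOT/OWNER/FILES_DIR arguments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit a Drupal docroot
# against the baseline above (files 644, directories 755, one owner per vhost).
# The public files directory is skipped because the web server user has to
# write there; settings.php is skipped because the status report expects it
# to be read-only once the site is installed.

# Usage: audit_perms DOCROOT OWNER [FILES_DIR]
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_perms() {
  root="$1"; owner="$2"; files_dir="${3:-$1/sites/default/files}"
  findings=$(
    find "$root" -path "$files_dir" -prune -o -type f ! -perm 644 \
      ! -name settings.php -print | sed 's/^/file not 644:     /'
    find "$root" -path "$files_dir" -prune -o -type d ! -perm 755 -print \
      | sed 's/^/dir not 755:      /'
    find "$root" -path "$files_dir" -prune -o ! -user "$owner" -print \
      | sed 's/^/unexpected owner: /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: fix_perms DOCROOT [FILES_DIR]
# Restores the mode baseline outside the files directory. Ownership is not
# changed here: chown to another user needs root and is left to the admin.
fix_perms() {
  root="$1"; files_dir="${2:-$1/sites/default/files}"
  find "$root" -path "$files_dir" -prune -o -type f ! -name settings.php \
    -exec chmod 644 {} +
  find "$root" -path "$files_dir" -prune -o -type d -exec chmod 755 {} +
}
```

Run the audit before and after deployments; a sudden set of "unexpected owner" findings usually means a deploy or cron job ran as the wrong user.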
Check cron jobs
Modules like Scheduler should work properly. If you have custom cron jobs, check if your system cron is executed on startup and configured properly for your user.
Monitor your server and check the server load
Configure your monitoring, optionally use a service like New Relic. Will your server support peaks?
If your production server uses a proxy or load balancer, configure it in your settings.php.
For an extended list, use SEO Checklist.
Is URL rewriting enabled and Pathauto configured?
Review 404 errors and 301-redirect legacy URLs
Consider using the Redirect module.
Review your .htaccess
There should be a single canonical URL for your site: redirect the non-www host to www (or the opposite) and http to https.
Review your robots.txt
Especially if some paths should be excluded.
Configure your sitemap.xml with a module like Simple Sitemap.
Simple Sitemap module
Submit the URL
For new sites only.
Submit URL to Google
Cookie compliance with regulations
Install a cookie compliance module and provide an explanation of cookie usage.
Cookie control module
Also provide extra legal information (delivery, cancellation, ...) for commerce use cases.
Check compliance with the General Data Protection Regulation.
Documentation per persona
Leave Drupal and custom use-case documentation for the authors, accessible from the Help section.
Create developer onboarding documentation at the root of your repo (README); provide a wiki and UML diagrams.