Production Checklist

This checklist is also available with the Production Checklist (opens in a new tab) module.

You might also want to review Production check & Production monitor (opens in a new tab).

System wide status and reports

• Review status report
  Contains general system information
• Site information
  Make sure the email address and site name are correct. Check the homepage title.
• Review recent logs
  Monitor your site or debug site problems.
• Disable error display
  Disable any errors to be displayed on the frontend.
• Core search
  Disable core search if not relevant or if a replacement search is used (Search API, ...).
• Enable Syslog core module and optionally disable Database Logging for performance.
  Logs and records system events to syslog.

Projects review

Core, modules and themes.

• Uninstall development modules like Devel (Devel, Devel generate, Kint, Webprofiler).
• Unused modules
  Uninstall and remove unused modules.
• Unused themes
  Uninstall and remove unused themes.

Vendors, custom code and libraries

• Remove development vendors like PHPUnit, Behat.
  Run composer install --no-dev --optimize-autoloader - Composer install documentation (opens in a new tab)
• Remove unused libraries.
  Check the /libraries directory
• Node modules
  Check if Node modules dedicated to SASS build, ... are not in the deployed codebase.
• PHP Mess Detector
  Run PHP Mess Detector on custom code.
  PHP Mess Detector (opens in a new tab)
• PHPCS
  Run the phpcs command on custom code.
  PHP Coding Standards (opens in a new tab)

Spam related configuration and modules

• Review user registration
  Depending on the use case, new account creations can be limited to administrators.
• Check permissions for content creation
  Node, terms, media, ... related permissions.
• Check permissions for comment creation
  Comment related permissions.
• Check contact form and webform configuration
  Are the main contact form and personal contact form enabled? Is Webform installed?
• Are the forms protected with Honeypot and Captcha (and optionally reCaptcha) ou Antibot?
• Email obfuscation
  Are the email addresses protected against bots harvesting? In fields, via the WYSIWYG, Twig templates, ...

Security and access control

This topic can be extended with Site Audit (opens in a new tab) and Security Review (opens in a new tab). Basically, test simultaneous and consequent anonymous access scenarios and behavior when every cache is enabled.

• Drupal and other projects update
  Are all the security updates applied?
• Review the permissions
  This should be done for each role.
• Input format
  Make sure that input formats are correctly configured. Full HTML should be avoided for untrusted users.
• Admin user name
  The user 1 name (or other users that have the administrator role) should not be defined as 'admin' so it will be harder to guess for attackers.
• Check passwords
  Passwords should be hard to guess, especially for author and admin roles. Use a module like Password Policy.
• Review access denied errors
  If needed block IP addresses with the core Ban module. This process can be completed with the recent log messages.
• Changelog
  Do not publish CHANGELOG.txt and other .txt files at the root of the code base.
• Staging and dev environments
  Make sure that your staging and dev environments does not contain sensitive data and are non indexable (headers) and/or protected with Shield (basic auth) if accessible from the outside.
  Securing Non-Production Environments (opens in a new tab)

Content model review and proofreading

• Review content model
  Remove unused content types, vocabularies, roles, fields, ...
• Remove dummy content
  Content, terms, users, ... dedicated to site building (e.g. devel generated) should not be there.
• Proofreading
  Content proofreading.
• Remove forms tests
  Webform provides a test deletion tab for each webform.
• Files sub directories
  Configure file and media fields for storing files in sub directories instead of the sites/default/files root.
• Content translation
  Are all the necessary content translated?
• Entity and field translation
  Are all the entities and fields configured properly?
• Localization
  Is the localization up to date?

Frontend basic checks

• Provide a maintenance page
  Check the maintenance page layout.
• Provide a good 404 page
  Check the 404 page layout. Optionally provide a dedicated design and improve it (smart 404, search engine, ...).
• Provide a good 403 page
  Check the 403 page layout. Provide options to login and redirect to the accessed route.
• Favicon
  Provide favicons in several formats.

Database and configuration

• Check database update
  Run /update.php, get a backup first.
• Export current configuration
  Run drush cex.

Performance and caching configuration

To go deeper, consider using Varnish Purge (opens in a new tab), Memcache (opens in a new tab), Advagg (opens in a new tab).

• Caching
  Are page caching and CSS/JS aggregation enabled?
• BigPipe
  Consider enabling the BigPipe module.
• Views
  Checks views caching (on a View edit: Advanced > Other > Caching).
• Custom code
  Check cache tags and invalidation.
• Audit performances
  Use tools like Google PageSpeed Insight or Acquia Insight.
  Google PageSpeed Insights (opens in a new tab) | Acquia Insight (opens in a new tab)
• Profilers
  Use profilers like XHProf or Blackfire.
  XHProf Drupal.org documentation (opens in a new tab) | Blackfire.io (opens in a new tab)

Various test coverages

• Manual test
  Test the website for each role, anonymous included. Test with caches enabled. Use Masquerade (opens in a new tab) to substitute as other users.
• Run PHPUnit tests
  Use them before a deployment: Functional, Kernel, Javascript, ...
• Continuous Integration system
  Use tools that fits your needs like Travis CI, CircleCI, Jenkins.
  Travis CI (opens in a new tab) | CircleCI (opens in a new tab) | Jenkins (opens in a new tab)

Analytics

• Google Tag Manager
  Is the Google Tag Manager (opens in a new tab) module installed and configured?
• Google webmaster tools
  Are Google webmaster tools configured?

You may consider alternatives like Matomo (opens in a new tab) or Plausible (opens in a new tab).

Server configuration and backups

• Backups
  Make sure that you have database and files backups enabled. Use a module like Backup Migrate (opens in a new tab).
• Mails
  Have mails being tested for each form (e.g. password reset). Is a third party needed, like Mandrill or Sendgrid? Are SPF, DKIM and PTR ok?
• SSL certificate
  Free SSL certificates are available from Let's Encrypt (opens in a new tab).
• Maximum file upload size
  This should be set in your per vhost php.ini configuration if available. Set post_max_size and upload_max_filesize (Apache) according to your needs.
• Maximum memory and execution time
  This should be set in your per vhost php.ini configuration if available. Set memory_limit et max_execution_time (Apache) according to your needs.
• Check files / directories permissions and ownership
  Usually one owner and group per virtual host, files at 644 and directories at 755.
• Check cron jobs
  Modules like Scheduler should work properly. If you have custom cron jobs, check if your system cron is executed on startup and configured properly for your user.
• Monitor your server and check the server load
  Configure your monitoring, optionally use a service like New Relic. Will your server support peaks?
  New Relic (opens in a new tab)
• Reverse proxy
  If your production server uses a proxy or load balancer, configure it in your settings.php.

Basic SEO

For an extended list, use SEO Checklist (opens in a new tab).

• URL rewriting
  Is URL rewriting enabled and Pathauto (opens in a new tab) configured?
• Review 404 errors and redirect 301 legacy URL's
  Consider using the Redirect (opens in a new tab) module.
• Review your .htaccess if you use Apache (or your nginx configuration). There should be a single accessible URL for your site, redirect non www prefix to www (or the opposite) and http to https.
• Review your robots.txt
  Especially if some paths should be excluded.
• Sitemap
  Configure your sitemap.xml with a modules like Simple Sitemap.
  Simple Sitemap module (opens in a new tab)
• Submit the URL
  For new sites only.
  Submit URL to Google (opens in a new tab)

Legal aspects

• Cookie compliance with regulations
  Install a cookie validation module and provide explanation about cookie usage.
  Cookie control module (opens in a new tab)
• Privacy policy and general conditions
  Provide also extra legal information (delivery, cancellation, ...) for commerce use cases.
• GDPR
  Check compliance with the General Data Protection Regulation.
  GDPR module (opens in a new tab)

Documentation related to the persona

• Editor documentation
  Leave Drupal and custom use cases documentation to the authors, accessible from the Help section.
• Developer onboarding
  Create a developer onboarding documentation at the root of your repo (README), provide wiki, the project setup guide, ...