Production Checklist

This checklist is also available with the Production Checklist module.

You might also want to review Production check & Production monitor.

System wide status and reports

  • Review status report
    Contains general system information
  • Site information
    Make sure the email address and site name are correct. Check the homepage title.
  • Review recent logs
    Monitor your site or debug site problems.
  • Disable error display
    Make sure that errors are not displayed on the frontend.
  • Core search
    Disable core search if not relevant or if a replacement search is used (Search API, ...).
  • Enable Syslog core module and optionally disable Database Logging for performance.
    Logs and records system events to syslog.

Projects review

Core, modules and themes.

  • Uninstall development modules like Devel (Devel, Devel generate, Kint, Webprofiler).
  • Unused modules
    Uninstall and remove unused modules.
  • Unused themes
    Uninstall and remove unused themes.

Vendors, custom code and libraries

Spam related configuration and modules

  • Review user registration
    Depending on the use case, new account creations can be limited to administrators.
  • Check permissions for content creation
    Node, terms, media, ... related permissions.
  • Check permissions for comment creation
    Comment related permissions.
  • Check contact form and webform configuration
    Are the main contact form and personal contact form enabled? Is Webform installed?
  • Are the forms protected with Honeypot and Captcha (and optionally reCaptcha) or Antibot?
  • Email obfuscation
    Are the email addresses protected against harvesting by bots? In fields, via the WYSIWYG, Twig templates, ...

Security and access control

This topic can be extended with Site Audit and Security Review. Basically, test simultaneous and consequent anonymous access scenarios and behavior when every cache is enabled.

  • Drupal and other projects update
    Are all the security updates applied?
  • Review the permissions
    This should be done for each role.
  • Input format
    Make sure that input formats are correctly configured. Full HTML should be avoided for untrusted users.
  • Admin user name
    The user 1 name (or other users that have the administrator role) should not be defined as 'admin' so it will be harder to guess for attackers.
  • Check passwords
    Passwords should be hard to guess, especially for author and admin roles. Use a module like Password Policy.
  • Review access denied errors
    If needed, block IP addresses with the core Ban module. This process can be completed with the recent log messages.
  • Changelog
    Do not publish CHANGELOG.txt and other .txt files at the root of the code base.
  • Staging and dev environments
    Make sure that your staging and dev environments do not contain sensitive data and are non-indexable (headers) and/or protected with Shield (basic auth) if accessible from the outside.
    Securing Non-Production Environments

Content model review and proofreading

  • Review content model
    Remove unused content types, vocabularies, roles, fields, ...
  • Remove dummy content
    Content, terms, users, ... dedicated to site building (e.g. devel generated) should not be there.
  • Proofreading
    Content proofreading.
  • Remove forms tests
    Webform provides a test deletion tab for each webform.
  • Files sub directories
    Configure file and media fields for storing files in sub directories instead of the sites/default/files root.
  • Content translation
    Is all the necessary content translated?
  • Entity and field translation
    Are all the entities and fields configured properly?
  • Localization
    Is the localization up to date?

Frontend basic checks

  • Provide a maintenance page
    Check the maintenance page layout.
  • Provide a good 404 page
    Check the 404 page layout. Optionally provide a dedicated design and improve it (smart 404, search engine, ...).
  • Provide a good 403 page
    Check the 403 page layout. Provide options to login and redirect to the accessed route.
  • Favicon
    Provide favicons in several formats.

Database and configuration

  • Check database update
    Run /update.php, get a backup first.
  • Export current configuration
    Run drush cex.

Performance and caching configuration

To go deeper, consider using Varnish Purge, Memcache, Advagg.

Various test coverages


You may consider alternatives like Matomo or Plausible.

Server configuration and backups

  • Backups
    Make sure that you have database and file backups enabled. Use a module like Backup Migrate.
  • Mails
    Have mails been tested for each form (e.g. password reset)? Is a third party needed, like Mandrill or Sendgrid? Are SPF, DKIM and PTR ok?
  • SSL certificate
    Free SSL certificates are available from Let's Encrypt.
  • Maximum file upload size
    This should be set in your per vhost php.ini configuration if available. Set post_max_size and upload_max_filesize (Apache) according to your needs.
  • Maximum memory and execution time
    This should be set in your per vhost php.ini configuration if available. Set memory_limit and max_execution_time (Apache) according to your needs.
  • Check files / directories permissions and ownership
    Usually one owner and group per virtual host, files at 644 and directories at 755.
  • Check cron jobs
    Modules like Scheduler should work properly. If you have custom cron jobs, check if your system cron is executed on startup and configured properly for your user.
  • Monitor your server and check the server load
    Configure your monitoring, optionally use a service like New Relic. Will your server support peaks?
    New Relic
  • Reverse proxy
    If your production server uses a proxy or load balancer, configure it in your settings.php.
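
Two items above can be checked from the shell: the root-level .txt files under "Changelog" and the 644 / 755 baseline under "Check files / directories permissions and ownership". The script below is an added example, not part of the original checklist; the function names, the constructed sample docroot and the robots.txt exclusion are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a docroot against two items of this checklist.

# .txt files directly in the docroot (CHANGELOG.txt, INSTALL.txt, ...).
# Assumption: robots.txt is skipped because it is meant to be served.
root_txt_files() {
  find "$1" -maxdepth 1 -type f -name '*.txt' ! -name 'robots.txt' | sort
}

# Files with any bit beyond 644 (u+x, g+w, g+x, o+w, o+x) and directories
# with any bit beyond 755 (g+w, o+w). Tighter modes are not reported.
looser_than_baseline() {
  find "$1" \
    \( -type f \( -perm -100 -o -perm -020 -o -perm -010 \
                  -o -perm -002 -o -perm -001 \) \) \
    -o \( -type d \( -perm -020 -o -perm -002 \) \) | sort
}

# Constructed sample docroot (not a real site) so the script runs offline.
make_sample_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/sites/default/files"
  : > "$d/index.php"; : > "$d/robots.txt"; : > "$d/CHANGELOG.txt"
  : > "$d/sites/default/settings.php"
  : > "$d/sites/default/files/upload.pdf"
  find "$d" -type d -exec chmod 755 {} +
  find "$d" -type f -exec chmod 644 {} +
  chmod 444 "$d/sites/default/settings.php"      # tighter: not reported
  chmod 777 "$d/sites/default/files"             # looser: reported
  chmod 666 "$d/sites/default/files/upload.pdf"  # looser: reported
  printf '%s\n' "$d"
}

audit() {
  echo "== .txt files at the root of $1"; root_txt_files "$1"
  echo "== looser than 644 / 755";        looser_than_baseline "$1"
}

# With a path argument, audit it; without one, audit the constructed sample.
if [ -n "${1:-}" ]; then
  audit "$1"
else
  sample=$(make_sample_docroot); audit "$sample"; rm -rf "$sample"
fi
```

Executable scripts shipped by dependencies will show up in the second list; review them rather than resetting every mode blindly.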

Basic SEO

For an extended list, use SEO Checklist.

Legal aspects

  • Cookie compliance with regulations
    Install a cookie validation module and provide an explanation about cookie usage.
    Cookie control module
  • Privacy policy and general conditions
    Also provide extra legal information (delivery, cancellation, ...) for commerce use cases.
  • GDPR
    Check compliance with the General Data Protection Regulation.
    GDPR module

Documentation related to the persona

  • Editor documentation
    Leave Drupal and custom use cases documentation to the authors, accessible from the Help section.
  • Developer onboarding
    Create developer onboarding documentation at the root of your repo (README), provide a wiki, the project setup guide, ...