A Drupal Pre-Launch Checklist

3rd June 2011

There are numerous steps you should complete before launching a new website: cross-browser testing, checking for dead links, proof-reading. These are covered more than adequately elsewhere, but in this article I’m going to look at a number of steps applicable specifically to launching a Drupal site. You may not agree with them all, but then none of the following are compulsory — these are just my personal recommendations. Rather than simply list them as bullet points, I’ve tried to give some of the rationale behind these tasks, and pointers to online resources where I can.

Server Configuration

Configure Cron

Drupal provides an extensible number of Cron jobs scheduled to run at varying intervals, such as re-indexing the search mechanism and checking for updates. Contributed or custom modules may define their own Cron jobs, from retrieving the latest Twitter feeds to processing message queues. Whilst it is possible to run a Drupal site without ever needing to run Cron, it’s highly recommended that you do so — the Update status module in particular is well worth using to help maintain the security of your website. There is good documentation on setting up Cron for Drupal in the official documentation. Alternatively you may wish to look at Poor Man’s Cron, though this is simply a backport of automatic cron-running functionality offered in Drupal 7.

Check the maximum file upload sizes and max_execution_time

If your site facilitates uploads of large files — such as MP3 files or videos — ensure that your server is configured to allow file uploads up to an appropriate size. In conjunction with this, look at the max_execution_time setting, which may well get exceeded if you’re uploading particularly large files.

Check recipient email addresses

Check that all forms, modules and so on are sending to the correct email addresses — it’s very easy to forget to update these once you go from development (your own addresses) to a client’s.


Set the file permissions

It’s vital that you correctly configure the security permissions on your filesystem in order to secure your site from malicious hackers. In particular, you should ensure the security of your settings.php file, which contains your database connection details. Note also that to facilitate uploads and so on your files directory needs to be writeable by the web server, and you should ensure your installation is configured with access to a writeable temporary directory. The official documentation contains a useful article on securing file permissions and ownership, and the installation guide contains information about the files directory specifically.
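One way to check these permissions before launch, as an added example that is not part of the original article. The directory layout (sites/default/settings.php and sites/default/files) and the policy it enforces (settings.php read-only and not world-readable, nothing world-writable) are assumptions:

```shell
#!/bin/sh
# Added example, not from the original article. Assumed layout:
#   <docroot>/sites/default/settings.php and <docroot>/sites/default/files
# Assumed policy: settings.php is read-only and not world-readable, and nothing
# is world-writable (the files directory should be owned by the web server
# user rather than opened up to every local account).

# has_mode PATH BITS: true if PATH has all of the permission bits in BITS set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# finding TEXT: print one finding and remember that the audit failed.
finding() {
    printf '%s\n' "$1"
    audit_failed=1
}

# audit_drupal_perms DOCROOT: print one finding per line, return 1 if any.
audit_drupal_perms() {
    docroot=$1
    settings="$docroot/sites/default/settings.php"
    files="$docroot/sites/default/files"
    audit_failed=0

    if [ ! -f "$settings" ]; then
        finding "settings.php: not found"
    else
        if has_mode "$settings" 004; then
            finding "settings.php: world-readable (database credentials)"
        fi
        if has_mode "$settings" 200 || has_mode "$settings" 020 || has_mode "$settings" 002; then
            finding "settings.php: writable"
        fi
    fi

    if [ ! -d "$files" ]; then
        finding "files: directory not found"
    elif has_mode "$files" 002; then
        finding "files: world-writable"
    fi

    # Anything else under the docroot that any local user could modify.
    loose=$(find "$docroot" -path "$files" -prune -o ! -type l -perm -002 -print)
    if [ -n "$loose" ]; then
        finding "world-writable outside files: $(printf '%s' "$loose" | tr '\n' ' ')"
    fi
    return "$audit_failed"
}

# Usage: sh audit.sh /path/to/docroot
if [ "$#" -gt 0 ]; then audit_drupal_perms "$1"; fi
```

The script only inspects mode bits, so it gives the same answer when run as root; whether the web server account can actually write to the files and temporary directories still needs checking with an upload.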

Protect your root account

Typically you’ll build your site using the default administrator account — the one you set up upon installation — but do remember that this account has full access to your website. Not only that, but the havoc which could be wreaked by a hacker getting access to this account could, network security not permitting, be carried out using nothing more than a web browser. You may select any username you wish; rather than, say, “admin”, you can make something altogether more difficult to guess. Ensure you’re using a strong password. Some people recommend that this account be disabled altogether, though this can complicate things when it comes to upgrading modules etc.; something you’re likely to need to do often. As an aside, the password hashing mechanism used in versions up to and including 6 is inherently insecure; you may wish to use a module such as AES to toughen up your security.

Check Permissions

Luckily new permissions introduced by installed modules tend to default to being pretty restrictive, and have to be manually enabled for other roles (whether anonymous, registered or custom). One of the flip-sides of this is that it can be easy to set up parts of a site as the root user only to find some way down the line that normal users can’t access things which they ought to be able to access. Always test the site under each role carefully before launching.

Turn off error reporting

I’m still amazed how often I see Drupal error messages on live sites. It’s not just Drupal-specific messages either; PHP errors can be rendered by Drupal itself. You can opt not to display system error messages and warnings in Site Configuration -> Error Reporting; set the option of the same name to Write errors to the log so that they aren’t displayed to the user.

Error Handling

Handle 404 errors gracefully

Do ensure that you cater for missing pages (404 errors) as helpfully as possible. One (deliberate, I might add) feature of Drupal’s built-in 404 handling is that a page is displayed without any blocks, even if those blocks were set to appear on every page. As such, often your navigation disappears from the page when you get a page not found error. Consider using a module such as 404 blocks (renamed 404 Navigation in Drupal 7) for this, and perhaps a module such as Custom Error to define specific error pages. If you want to go the extra mile you may even wish to use something like Search 404 which, upon displaying a page not found error, tries to second-guess what a user was looking for by feeding terms from the URL into the search engine.

Search Engine Optimisation

Combine Pathauto with Global Redirect

If you use the Pathauto module to automatically generate “friendly” URLs (and I can’t recommend that step highly enough), you should install a module called Global Redirect as well. This module works by analysing a visited link and, if an alias for it exists, performing a 301 redirect to the aliased path. For example, suppose contact-us is an alias for node/123, and somehow or another a user visits node/123 directly; Drupal will redirect back to contact-us. Why is this important? Well, if a single page is accessible from multiple URLs, this — at least as far as Google is concerned — can impact negatively on your search ranking.

Check robots.txt

If appropriate, check your robots.txt to ensure that the relevant sections of your new site are excluded from crawlers. There is some documentation on robots.txt in Drupal on the official site.


Create a Maintenance Page

Should you need to take your website down for any length of time, such as during a site upgrade, it’s worth thinking about what a visitor will see if they visit your site during that period. What a user gets by default is pretty unfriendly and somewhat unprofessional. Luckily — at least from Drupal 6 onwards — it’s pretty easy to create a custom maintenance page. For Drupal 6, the official documentation contains some useful information on theming the Drupal 6 maintenance page.


Configure Caching

Caching will deliver significant performance boosts, particularly on high-traffic sites. Ensure that you’ve configured it in the Performance tab, but also, double-check any pages or blocks created by the Views module; these have their own caching options which are generally switched off by default.

Configure CSS and JavaScript Optimisation

One of the by-products of Drupal’s modular system is that a typical site will probably have scores of JavaScript and CSS files, increasing the number of HTTP calls for every page significantly. (As an aside, if you have a lot of modules it’s actually quite easy to hit Internet Explorer’s limit of 31 links.) Fortunately you can “squeeze” all the relevant CSS and JavaScript files, compressing them at the same time by enabling this feature in the Performance section. This is a typical last-minute configuration, as generally you’ll need this facility switched off during the development process.

Content and Publishing

Check Unpublished Content is not Visible

In certain tasks, for example, when creating a view — and not to mention when writing custom code — it’s very easy to forget to check the status of a node before displaying it. Thus, draft content could appear on the website before it’s ready. Try adding a few items of content, leaving them unpublished and browsing the site trying to find them. Double-check the filters on your views. Check that any custom SQL includes a check of the status column.
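A quick way to find custom SQL that skips the status check, as an added example that is not part of the original article. It is a heuristic that assumes custom code lives in *.module, *.inc or *.php files, that queries use Drupal's {node} table placeholder, and that each query sits inside a single PHP statement:

```shell
#!/bin/sh
# Added example, not from the original article. Heuristic lint for custom
# Drupal code: report SELECT statements that read the {node} table but never
# mention the status column (status = 1 means published).
# Assumptions: code lives in *.module, *.inc or *.php files; queries use the
# {node} table placeholder; each query sits inside one PHP statement.

# find_unfiltered_node_queries DIR: print "file:line: message" per suspect
# statement, where line is the line on which the PHP statement ends.
find_unfiltered_node_queries() {
    find "$1" -type f \( -name '*.module' -o -name '*.inc' -o -name '*.php' \) |
    sort |
    while IFS= read -r src; do
        # Split the file into PHP statements on ";" and test each one.
        awk -v src="$src" '
            BEGIN { RS = ";"; line = 1 }
            {
                stmt = tolower($0)
                line += gsub(/\n/, "\n", stmt)   # advance to the statement end
                if (index(stmt, "select") && index(stmt, "{node}") &&
                    !index(stmt, "status"))
                    printf "%s:%d: node query without status check\n", src, line
            }' "$src"
    done
}

# Usage: sh lint.sh sites/all/modules/custom
if [ "$#" -gt 0 ]; then find_unfiltered_node_queries "$1"; fi
```

A hit is a prompt to read the query, not proof of a leak: some queries legitimately read unpublished nodes, for example on administrative pages.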

Check your RSS feed

By default Drupal generates an RSS feed of your content, including individual feeds for your taxonomy terms. The default feed is comprised of published nodes which have been promoted to the front page — a facility which isn’t always relevant. In Drupal nodes can represent all sorts of things, which might not always be logical to publicise in a feed. Blog entries or new stories very much belong in a feed, static pages less so. However you may also have various other pages and objects that it doesn’t make sense to syndicate; custom error pages, confirmation pages or landing pages, for example. You could consider implementing your feed(s) using the Views RSS module, which allows much more finely grained control over what goes into your RSS feeds. In any case you may wish to disallow access to rss.xml altogether.

Check your favicons

If you’re going to use a favicon, make sure it’s displaying correctly — and if not, ensure that you unselect the option to display Drupal’s default favicon in your theme settings.

Site Monitoring

Configure Statistics

It’s not just the security and reliability of your site you might want to be monitoring — you may wish to (and indeed probably should) monitor site usage, be it using the core statistics module — perhaps using the Advanced Statistics settings companion module — or an external service such as Google Analytics.

Have I missed anything? Please let me know using the comments below.

