Checklist for launching a site

Submitted by admin on
Body

This documentation needs review. See "Help improve this page" in the sidebar.

 

When a site is going live, it faces a variety of new performance, user interaction, security, maintenance, and quality assurance concerns. Every site is different, but this checklist will get you started with common site launch tasks. It will also get you thinking about the kind of tasks that may be needed for your specific site's needs.

Performance

  • Go to Configuration > Development > Performance and set "Browser and proxy cache maximum age" to a time span which works well.
  • Under Bandwidth Optimization enable "Aggregate and compress CSS files", and "Aggregate JavaScript files". Note: May cause redeclaration in rare cases.
  • Check performance with Webprofiler and fix slow database queries.
  • Uninstall development modules, such as Devel.

User Interaction

  • Protect your forms against spam and attacks.
    • What kind of forms are anonymous and authenticated users able to access on your site?
    • Have you enabled CAPTCHA, Honeypot, Riddler or an anti-spam service?
    • Be sure that all publicly exposed email addresses are protected from spam bots with solutions like Obfuscate Email or a custom obfuscator.
  • Email: Verify that the site email address at Configuration > System > Basic site settings is not a test address. Also verify email addresses in other modules that send notifications, and verify the text of email messages your site generates.
  • Index your site for search at search settings and test.

Domain

  • Get a HTTPS certificate via your hosting provider, or use Let’s Encrypt which is free.
  • Check if one of the domain redirect options is enabled on the web server (Apache or Nginx), in the .htaccess file, or settings.php. Either redirect to URLs with www. or without.
  • Update API keys for modules that make use of them, such as Mailchimp or Postmark.

Audit and security

  • Check that your admin passwords are secure.
  • Secure the admin super user (#1).
  • Upgrade Drupal Core and Contrib modules to the latest version.
  • Turn off on-screen error reporting at Configuration > Development >Logging and errors.
  • On the People > Permissions page, verify what permissions anonymous and authenticated users have been given.
  • On the Configuration > People > Account settings page, verify that account creation settings are as you intend (can users create their own accounts, and do they need approval?).
  • Check Reports > Status report and make sure there are no warnings or errors.
  • Enable the Update Manager module, and configure it under Reports > Available updates > Update Manager settings, making sure a real email is used, and not a test address.
  • For auditing, install Production check, Security Review, and Site Audit to check for many of the easy-to-make mistakes that render your site insecure.
  • Modules such as Automated Logout, Login Security, Password Policy, and Drupal Perimeter Defence can help secure your site. Read Drupal 10: Adding Extra User Account Protection for more.

Backups and Maintenance

  • Cron - If cron is not running, your database will get bloated.
  • Backups - Regular database backups are essential. Check out how to automate backups of a Drupal web site for more information.
  • Statistics - You'll want to monitor your site going forward. Do you plan to use Drupal core statistics, or have you set up another service such as Matomo, Plausible, or AWStats?
  • Check Reports > Recent log messages for errors and warnings, such as missing files or URLs. Check that there are no red flags in Reports > Status Report.

Quality Assurance

  • Remove test content, such as "lorem ipsum" text, dummy users, or content generated by the Devel module.
Knowledge Category
Administering a Drupal site