A DIY Drupal Audit

A regular performance and security audit does wonders for the health of your Drupal application. We obviously run Drupal performance and security audits for our clients, but sometimes it's best to maybe do a quick audit yourself. 

Here's a quick DIY Drupal Audit, that'll help you uncover some basic vulnerabilities in your application:

Set up a test bed

All audits should be done in a test environment, not on the production instance. Deploy it on the same cloud as your production instance. Install the following tools:

• JMeter, New Relic, YSlow, PageSpeed

• OWASP Zap, Nikto

• Drupal modules - Security Kit, Coder,

• Memcached/memcached_storage

You can also take a look at a complete list of Drupal website audit tools that we use.

Run a code review

Use xdebug/Blackfire/webgrind as applicable. Run Coder, Hacked and other Drupal modules to check the codebase for coding standards. Review the database configuration (indexes, processes in idle/sleep state, and slow query logs). If you have some benchmarks, check the code and database against those as well. Get a team that is not involved in the development to review the code line by line.

Do performance testing

• Run JMeter scripts to find poorly performing pages, code sections and queries that affect performance, hardware bottlenecks. Also run JMeter scripts with varying loads so you can figure out the scalability of the application. 

• You can repeat the  performance tests with memcache. 

• Use YSlow & PageSpeed to see the speed of client side rendering. 

• Also check out the server CPU utilization and memory usage. 

• Run New Relic to figure out the website’s database performance, modules, Apdex, function performance and front-end performance. 

Do security testing

• Use ZAP,  Nikto (or QUALYS) for security scan

• Run JMeter scripts

• Use the modules Security Review, Drupalgeddon to check module vulnerabilities

• Check against OWASP Top 10 Compliance, and any other security benchmarks you follow

These steps would uncover the performance and security vulnerabilities of your Drupal website application.

If your team is able to resolve these issues, great! If you think that the challenges discovered by the audit are best handled by an experienced Drupal team, just drop us a line below.