A regular performance and security audit does wonders for the health of your Drupal application. We run Drupal performance and security audits for our clients, but sometimes it's worth doing a quick audit yourself.
Here's a quick DIY Drupal audit that'll help you uncover some basic vulnerabilities in your application:
All audits should be done in a test environment, never on the production instance. Deploy the test environment on the same cloud as your production instance. Install the following tools:
JMeter, New Relic, YSlow, PageSpeed
OWASP Zap, Nikto
Drupal modules - Security Kit, Coder
Memcached/memcached_storage
You can also take a look at a complete list of Drupal website audit tools that we use.
Use xdebug/Blackfire/webgrind as applicable. Run Coder, Hacked and other Drupal modules to check the codebase for coding standards. Review the database configuration (indexes, processes in idle/sleep state, and slow query logs). If you have some benchmarks, check the code and database against those as well. Get a team that is not involved in the development to review the code line by line.
Run JMeter scripts to find poorly performing pages, the code sections and queries that affect performance, and hardware bottlenecks. Also run the JMeter scripts with varying loads so you can gauge the scalability of the application.
You can repeat the performance tests with memcache.
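Once the JMeter runs are done, the results file (JTL/CSV) is where the slow pages show up. The following script is an added example, not part of the original post or of JMeter itself; it summarises a JMeter CSV results file per sampler label (p95 response time and error rate) and flags the labels that breach a threshold. The sample data is constructed, using a subset of JMeter's default CSV columns.

```python
# Summarise a JMeter CSV (JTL) results file per sampler label: p95 response
# time and error rate per page, so slow Drupal pages and failing requests stand out.
import csv
import io
import math
from collections import defaultdict

# Constructed sample in JMeter's default CSV layout (subset of the columns).
SAMPLE_JTL = """timeStamp,elapsed,label,responseCode,success,bytes
1700000000000,120,/node/1,200,true,15000
1700000000100,95,/node/1,200,true,15000
1700000000200,2300,/search/node?keys=drupal,200,true,40000
1700000000300,1900,/search/node?keys=drupal,200,true,40000
1700000000400,5100,/search/node?keys=drupal,503,false,500
1700000000500,130,/node/1,200,true,15000
1700000000600,210,/user/login,200,true,9000
"""

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def summarise_jtl(text, slow_ms=1000):
    """Return {label: {count, p95_ms, error_rate, slow}} for a JTL CSV string."""
    by_label = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # JMeter writes 'true'/'false' in the success column.
        by_label[row["label"]].append(
            (int(row["elapsed"]), row["success"].lower() == "true"))
    report = {}
    for label, samples in by_label.items():
        times = [elapsed for elapsed, _ in samples]
        errors = sum(1 for _, ok in samples if not ok)
        p95 = percentile(times, 95)
        report[label] = {"count": len(samples), "p95_ms": p95,
                         "error_rate": errors / len(samples),
                         "slow": p95 > slow_ms}
    return report

def slow_pages(report):
    """Labels whose p95 breaches the threshold, worst first."""
    return sorted((label for label, r in report.items() if r["slow"]),
                  key=lambda label: report[label]["p95_ms"], reverse=True)

for label in slow_pages(summarise_jtl(SAMPLE_JTL)):
    print(label)  # prints the search page, the only label over 1000 ms p95
```

Point `summarise_jtl` at the contents of your own JTL file (written with `jmeter -n -t plan.jmx -l results.jtl`) and compare the per-label figures across the varying-load runs to see which pages degrade first.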
Use YSlow and PageSpeed to measure the speed of client-side rendering.
Also check the server's CPU utilization and memory usage during the tests.
Run New Relic to measure the website's database performance, modules, Apdex score, function performance and front-end performance.
Use ZAP, Nikto (or Qualys) for the security scan.
Run JMeter scripts
Use the Security Review and Drupalgeddon modules to check for module vulnerabilities.
Check against the OWASP Top 10 and any other security benchmarks you follow.
These steps will uncover the basic performance and security vulnerabilities of your Drupal website.
If your team is able to resolve these issues, great! If you think that the challenges discovered by the audit are best handled by an experienced Drupal team, just drop us a line below.