Security and performance

A well-optimized site must also be secure and performant. Follow these steps to ensure your site remains fast, safe, and reliable.

Install and Enable Security Review Module

  • Status: Not completed by default
  • What's this about? Install this module to automatically test for common security vulnerabilities.
  • Recommended for: All Drupal CMS websites
  • Next steps:
      • Download and install the Security Review module.
      • Use the provided Configure permissions link to ensure the appropriate roles have permission to access and run security review checks.

Configure Security Review Module

  • Status: Not completed by default
  • What's this about? Select and configure the specific security checks to run.
  • Recommended for: All Drupal CMS websites with the Security Review module installed.
  • Next steps:
      • Use the provided Configure link, then navigate to the Help tab to read more about security review checks, or go to Configuration > System > Security Review (admin/config/security-review).
      • Use the Settings tab to update the default configuration.
      • Use the Run & review tab to run the security check.

Run a Speed Test for your site

  • Status: Not completed by default
  • What's this about? Search engines like Google consider page speed as a ranking factor. Perform site speed tests to establish performance benchmarks.
  • Recommended for: All Drupal CMS websites
  • Next steps:
      • Run a speed test using one or more of the tools listed below.
  • Tools:
      • Google PageSpeed Insights
      • WebPageTest.org

Secure Your Website with HTTPS

  • Status: Dependent on your site's hosting
  • What's this about? HTTPS ensures that the information sent between your site and a user's browser – like passwords or personal information – is encrypted. Sites without HTTPS may show a "Not secure" warning to visitors, harming your site's credibility. Search engines like Google prioritize secure websites and HTTPS is a confirmed ranking factor.
  • Recommended for: All Drupal CMS sites
  • Next steps:
      • When you have moved your site to a hosting provider, ensure that your site has an SSL certificate. Choosing a hosting provider that handles installing and renewing your site's SSL certificate is highly recommended.

Adjust Performance Admin Settings

  • Status: ✅ Completed by default, but may be turned off in local development environments.
  • What's this about? On any given page on your Drupal CMS site, there may be many files attached that handle style and behavior. Drupal CMS aggregates these files to make your site more performant. Aggregation of CSS and JS files is turned on by default. But if you're developing a custom theme, you may have turned off certain caching or CSS and JS aggregation, so it's important to double-check that caching and aggregation are turned on for the live site.
  • Recommended for: All Drupal CMS websites
  • Next steps:
      • Verify CSS and JavaScript aggregation and ensure caching settings are optimized on the live site by using the provided Configure link, or go to Configuration > Development > Performance (admin/config/development/performance).
      • Under Caching, ensure that there is a reasonable value for Browser and proxy cache maximum age. (The default value is 15 minutes.)
      • Under Bandwidth optimization, ensure both aggregation options are toggled "on".
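
The same verification can be scripted for the live site. This is an added example, not part of the Drupal CMS documentation: it assumes Drush is installed and audits the JSON printed by `drush config:get system.performance --format=json`; the function names, the sample values and the 60-second floor are assumptions.

```python
import json
import sys

# Constructed sample (not from a real site): the system.performance config
# object as it might look after theme development left live settings off.
SAMPLE_DEV_CONFIG = """
{
  "cache": {"page": {"max_age": 0}},
  "css": {"preprocess": false, "gzip": true},
  "js": {"preprocess": true, "gzip": true}
}
"""

def _dig(cfg, *keys):
    """Walk nested dicts; return None if any level is missing or not a dict."""
    for key in keys:
        if not isinstance(cfg, dict):
            return None
        cfg = cfg.get(key)
    return cfg

def audit_performance(config_json, min_max_age=60):
    """Return a list of findings; an empty list means the checklist items pass.

    min_max_age (seconds) is an assumed floor for a "reasonable" value.
    """
    cfg = json.loads(config_json)
    findings = []
    # Browser and proxy cache maximum age, stored in seconds (0 disables it).
    max_age = _dig(cfg, "cache", "page", "max_age")
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        findings.append("cache.page.max_age is missing or not an integer")
    elif max_age < min_max_age:
        findings.append(f"cache.page.max_age is {max_age}s, below {min_max_age}s")
    # Bandwidth optimization: both aggregation options must be on.
    for asset in ("css", "js"):
        if _dig(cfg, asset, "preprocess") is not True:
            findings.append(f"{asset}.preprocess is not enabled")
    return findings

if __name__ == "__main__":
    # Pipe the Drush JSON in on the live site; with no piped input the
    # constructed sample is audited instead.
    raw = SAMPLE_DEV_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    problems = audit_performance(raw)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

A non-zero exit status makes the script usable as a deployment gate, so a release with aggregation or caching switched off fails before it reaches the live site.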

Set Up a CDN (Cloudflare, etc.)

  • Status: Not completed by default.
  • What's this about? If you have a high-traffic site, consider integrating Cloudflare or similar CDN services for improved global performance and security.
  • Recommended for: Sites with international or high-traffic audiences
  • Next steps:
      • Check with your hosting provider about any CDN integration they provide.
      • Install the Cloudflare module.

Move to Fast Hosting

  • Status: Depends on your hosting provider.
  • What's this about? Consider upgrading your hosting solution to significantly improve site performance and search rankings.
  • Recommended for: Websites experiencing slow response times or performance bottlenecks
  • Next steps:
      • Run performance analysis to determine how your site's performance could improve, and if changing your hosting provider is warranted.