cool tech graphics

Drupal 7 Deployment Checklist

Filed under:

This list makes sure that we covers our... Ahem, bases. This is an update to the blog post originally written by Dylan Tack, our Lead Drupal Engineer.

Database logging row limit and Error Reporting (admin/config/development/logging)
I have found the default row limit of 1000 can wrap quickly, leave you without vital debugging information when you need it most. The average row length is generally around 1kB, so even boosting this to 100,000 rows will still leave you with a manageable watchdog table.

On a production site, it's best to suppress on-screen error reporting by choosing Write errors to the log.

User registration settings (admin/config/people/accounts)
The default value of Visitors can create accounts and no administrator approval is required is easily overlooked, and often undesired.
Disable devel modules admin/modules
Not only devel itself, but other other utilities (such as masquerade, trace, or coder) may have been installed that you wouldn't need on the production site. Leaving extra modules enabled can hinder the performance of your site, or even create security vulnerabilities if misconfigured.
Set a maintenance theme (settings.php)
By default Drupal's Site off-line page uses the Minnelli theme. Switching this is a nice enhancement, in case you ever need to use the maintenance mode, or in the unfortunate event you experience unplanned downtime. In most cases your site's theme will work fine; just add $conf['maintenance_theme'] = 'mytheme'; to settings.php. You may also need to add a maintenance-page.tpl.php to your theme; if you're using Zen this is already done for you.
Confirm email settings
Often, placeholder email addresses will be filled in during development, and should be updated before deployment. I try to start with the correct addresses from the beginning when possible, but sometimes you don't have this information until later in the project's life. In addition to Drupal's global site_mail, addresses can be stored in a variety of places: The admin user's account, contact forms, webforms, ubercart, triggers, or CiviCRM settings.
For Zen users – disable theme registry rebuilding (admin/appearance)
If you developed your theme using Zen, don't forget to switch off Rebuild theme registry on every page. This is a huge performance penalty.
Performance settings (admin/config/development/performance)
The best performance settings depends on your site. Also, don't change cache settings at the last moment without thoroughly testing your site's features. Ideally, I like to finalize the cache settings about 2/3 of the way through a project, so that the final stages of development and testing are performed with cache settings that will match production. And if you don't aggregate your CSS, your site could look pretty strange in IE with it's set limit of number of stylesheets.
Redirect to/from 'www.*' (.htaccess)
Drupal's .htaccess file contains an example RewriteRule showing how to redirect from to or vice-versa. Enforcing a single domain name is essential if your site uses SSL, and even with plain HTTP I like the consistency of a single URL.
Additionally, since the RewriteCond declaration is specific to a particular host, you can add multiple domains to the same .htaccess file, either for multi-site installs or for multiple testing / production host names.
Check /sitemap.xml
The defaults for the XML sitemap module exclude all content types, so your sitemap will look a bit empty until the settings are adjusted.
Check proxy settings
If your production server uses a proxy or load balancer, Drupal needs some additional configuration to accurately record remote IPs. This impacts error logging and some modules such as Mollom.
$conf['reverse_proxy'] = TRUE;
$conf['reverse_proxy_addresses'] = array(
Check $drupal_hash_salt
In your settings.php, $drupal_hash_salt needs to be set to a suitably random value. If the Drupal installer created your setting file, you'll be good to go. If not this value may be empty.

What are your favorite last-minute checks? Post them below!

Date posted: October 28, 2011


  • Clear watchdog/accesslog
  • Check if you need a new new keys for any third party services (e.g. google maps key)
  • Search your database for any (accidental) hardcoded references to the testing server
  • Set a cronjob

You might find others at:

How different would you envision a D6 check list being from this one? Thanks.

For my sites in development I have begun to use the Reroute Email module. With it I am able to set all of the email addresses to their final values at the beginning of development and only have to disable the module on launch without any worry of stray emails getting out during the development process.

User registration settings (admin/config/people/accounts)
The default value of Visitors can create accounts and no administrator approval is required is easily overlooked, and often undesired.

I've never seen this. Whenever I create a new D7 site, it's always set to "Visitors, but administrator approval is required" by default for me.

This could be a holdover form our previous post, but better safe than sorry.

The default user creation settings did in fact get fixed in D7.

Great list, thanks for the write-up! I was missing the cronjob too, and my list also includes:

  • Check if files directory is writable
  • Check status page for possible errors (including the one mentioned above)

A final thing to do before going live is search for "Lorem" to find dummy content and remove it :-)

Great Job. It seems need to add more: a) content and images correct. b) Server configuration.

I do a lot of rebuilds and clean-up projects. On those it's vital to seo to make sure any existing pages on the old version redirect to the new url. So that's on my list.

Also we use the robotstxt module so I also have on my list to verify that the robots.txt file is set correctly. On our dev sites we do a disallow: * and that's never fun to accidentally deploy with.


thanks for a great article, I am about to write similar myself and I found couple of good points in yours. Anyway, what's your opinion on remove_generator module which removes the generator meta tag from header? Nothing against Drupal, it's cool, I just think this may lower the amount of spam attempts on my website. What do you think?

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <cpp>, <java>, <php>. The supported tag styles are: <foo>, [foo].
  • Web page addresses and email addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Metal Toad is an Advanced AWS Consulting Partner. Learn more about our AWS Managed Services

Have questions?