Run deployment Checklist

[Krista-Nuams]

Security and Spam Possibilities

File Permissions

• [ ] Make sure file permissions for file directories and code directory are set correctly: http://drupal.org/node/244924
• [x] Run the 'Security Review' module on the production environment: http://drupal.org/project/security_review
• [x] On /admin/modules
 the 'PHP Filter' module must be disabled.
• [x] On /admin/config/content/formats filtered HTML or plain text MUST be set as the default to prevent cross-site scripting attacks. You must also check the configuration of the Filtered HTML format to ensure that the HTML filter is enabled for it and that no tags are allowed such as img, embed or object.
 If the 'Better Formats' module is enabled, check the default formats assigned to the roles.
• [x] On /admin/config/people/accounts cCheck the registration settings are appropriate for the site.

  Security Updates

  On /admin/reports/updates/list

• [x] Check for any security releases and run updates (testing locally first) if required.
• [x] Drupal 7 will automatically alert you about security updates for enabled modules. If the client receives ongoing support, set the email to the proper notifications address.

  Modules

  On /admin/modules/list

• [ ] Make sure that only the modules that are being used are enabled. The more modules that are enabled, the slower the site will run and may be confusing to the administrators.
• [ ] Uninstall, then git remove any modules that are not being used and are not part of core.
• [ ] 'Devel' module and other similar tools should be disabled at launch, but not removed.

  Email

• [ ] On /admin/config/system/site-information make sure the email address and name are correct.
• [ ] On /admin/structure/contact and /admin/config/content/webform Make sure email addresses are set correctly for contact forms and webforms.
• [x] Disable reroute_email module after informing all developers and QA users that email is going live.

  Permissions

  On /admin/people/permissions/list

• [x] Ensure permissions are set appropriately and minimally.

• [x] Any permission granted to anonymous users should generally also be given to authenticated users.

• [x] Be careful with granting the administer users permission.

• [x] The 'View Media' permission from the 'Media' module actually bypasses other file control and should only be for administrators.

• [x] Be sure that if one or more node access modules is in use (workflow access, og access, content access etc) that node permissions are not given which would prevent access from being determined by these modules.
• [x] Once permissions are set, create a test user for each role, log in as them and try using the site the way they would to see if all goes well. (Hopefully this and some of the other items in this list were done during QA rather than now, but this is your last reminder!)

  Status Report

  On /admin/reports/status

• [x] Ensure that 'Cron' has been running.
• [x] Make sure database updates are up to date.
• [ ] Take care of any other concerns listed on this page.

  Pathauto Settings

• [ ] On /admin/config/search/path/patterns make sure all paths are set properly, especially node path settings.
• [ ] On /admin/config/search/path/settings change general settings for 'Update actions' to something other than 'Create a new alias.' and 'Delete the old alias.', which are only appropriate during development.

  Content types & Nodes

  On /admin/structure/types

• [x] Check to see if there are any content types not being used. If there are, confirm the type can be removed, and if so delete that content type.

• [ ] Delete any dummy nodes that were created during development for testing. Track these down by searching for 'test', 'dummy', and for content created by the super user.

  Views

  On /admin/structure/views

• [x] Delete any views no longer in use.
• [ ] Ensure all views have been exported to Features and are not in an overridden state.
• [ ] Public facing views, especially on the home page and on sites with a lot of authenticated traffic, should be configured within each view for caching.

  Error Reporting

• [ ] On /admin/config/development/logging st the 'Error messages' display to 'None'.

  Performance Settings

  On /admin/config/development/performance

• [x] Set 'Caching Mode' to normal.
• [x] Enable
 'Page compression'.
• [x] Enable
 'Optimize CSS' and 'Optimize JavaScript'.
• [x] 
'Block caching' should be enabled, unless there is help text on the form warning otherwise.
 Minimum cache lifetime and expiration of cached pages should both be an hour, or as appropriate for the site.
• [ ] Alter the following lines in settings.php:

ini_set('session.cache_expire', 200000);

ini_set('session.cache_limiter', 'none');

ini_set('session.cookie_lifetime', 2000000);

ini_set('session.gc_maxlifetime', 200000);


The default values result in the sessions table growing very quickly and unnecessarily. Changing the numbers to something reasonable will not hinder the user experience and will prevent database bloating.

• [ ] Check for full URLs in node bodies etc. The client may have put in full URLs that will not work when the site goes live. Search in PHPMyAdmin or by grepping a tab-separated database dump, and fix or flag to the client anything you find.

  General Housekeeping

  Remove .txt files from Core

• [ ] Get rid of CHANGELOG.txt etc (from git etc). Do NOT remove robots.txt!
• [ ] Edit robots.txt to be standard (in case it has been edited during dev to restrict search crawlers).

  Do a click-through (for small sites without a formal QA process).

• [ ] In addition to checking the site as a test admin, also check the site logged out as an anonymous user.
• [ ] Click around and make sure there are no broken links and everything looks okay.

  Update external services

• [x] If using Google Analytics or Facebook integration, you need to update settings for the live domain. You may need to put these settings changes into a script to run at launch time.
• [x] If using Commerce, ensure that the payment provider is set to live and has been tested.

  Check SSL

• [x] If using SSL (you should be), change your local /etc/hosts to point the site to its live domain and ensure SSL redirection is working correctly.

  Update features

• [ ] Make sure all features are up to date so that the launch configuration is saved and can be reverted to.

[Krista-Nuams]

http://www.zivtech.com/blog/impending-drupal-site-launch-use-list

[dafeder]

This may be opening a can of worms, but according to security standards, HTML uploads are not safe, and we have several fields that allow them.

[dafeder]

• [ ] Need to disable/uninstall twitter module on live, wait for pull and cipp_blocks will update to remove dependency.