header tail

Drupal website optimisation: how to maintain & improve your Drupal site [ultimate guide]

home / Drupal website optimisation: how to maintain & improve your Drupal site [ultimate guide]

Keeping your Drupal website safe, fast and performing optimally is a difficult – and never-ending – task. But in today’s competitive and fast-paced digital landscape, maintaining and improving your Drupal site is more important than ever.

That’s why we’ve created this ultimate Drupal maintenance guide – to explain everything you need to know to optimise your Drupal site, all in one place.

Using our two decades of experience as a Drupal agency, we’ve combined our knowledge, hard lessons learned and Drupal support expertise into a simple-to-follow guide covering all the key areas of website maintenance, from backups to SEO.

Read on to learn how to:

  • Schedule and complete essential Drupal maintenance tasks
  • Undertake a full audit of your Drupal site
  • Update Drupal core, modules and themes
  • Make and store website backups
  • Boost your website’s speed
  • Maximise safety and security protection
  • Improve SEO and increase organic traffic
  • Choose the best Drupal hosting provider for your site
  • Collect and analyse the most important web statistics
  • Ensure mobile and tablet compatibility
  • Understand the latest Drupal best practices
  • Choose a Drupal development agency to support you

Whether you’re an experienced Drupal developer or a Drupal novice, we know you’ll find plenty in this guide to get your Drupal website in excellent form.

Drupal optimisation basics

Before we explore how to maintain and optimise your Drupal website, we cover some of the most common Drupal FAQs. These include what Drupal is, why Drupal website optimisation is needed, and how to choose the right Drupal agency to support you.

what is Drupal?

Drupal is a free, open-source content management software (CMS) that can be used for websites and applications of all shapes and sizes. It’s trusted by thousands of websites globally, including Twitter, Nokia, NASA, Harvard University and eBay.

Drupal has loads of great features as standard, including easy content authoring and rigorous security. Its unique modular approach also means it can be customised for any number of features and functions.

Whether you want a news site, blog, online shop or something else, Drupal can be used for almost any specifications, design preferences and goals. With its limitless possibilities and excellent reliability, we love Drupal and think it’s a brilliant, flexible and trustworthy CMS.

how does Drupal work?

Drupal is an open source software, which means that anyone can use and customise it without paying fees. The Drupal community is one of the largest open source communities, with more a million people working globally to develop and update Drupal all the time.

Building a Drupal site works a bit like baking a cake. There are core modules which provide essential functionality (like the flour, sugar, butter and eggs). Then there’s an almost unlimited range of additional modules (flavours, decorations etc) which can be used to customise websites with specific features, such as social media integration, image optimisation, language translations, and much more!

do I need to optimise my Drupal site?

In today’s fast-paced digital landscape, thousands of new websites are being created and published every day. You therefore need to optimise your site to ensure you stand out from the competition.

Optimising your Drupal site means improving things like speed, functionality, security and search engine performance so that users both find your site and want to engage with it. Ultimately, this impacts achievement of your digital goal and bottom line profits.

Luckily, we’ve put together all of the info you need to optimise and maintain your Drupal website in this ultimate 2020 guide. Keep reading to find out how to get your site in tip-top shape, or get in touch if you’d like expert assistance.

how to choose a Drupal support agency

When choosing a Drupal agency, we recommend considering the following five factors:

Expertise: does the agency specialise in Drupal? At Pedalo, we’re an Acquia partner and active members of the Drupal Association; our Drupal developers live and breathe the software and regularly contribute modules to the Drupal open source community.

Track record: who are the agency’s current clients? At Pedalo, we’ve got two decades of experience and have provided Drupal development and support services for organisations including Body WorldsWorld Cancer Research Fund, the National Film and Television School and many more.

Passion: is the agency enthusiastic about its clients and their sites? We love Drupal and are passionate about collaborating with clients to explore their digital goals and maximise online results.

Value: A highly experienced Drupal agency may cost more but if they perform more efficiently and anticipate potential problems in advance, they’ll save time, money and energy in the long-run. At Pedalo, we have the added benefit of providing Drupal services on-demand, so you only pay for what you need, when you need it.

Transparency: how does the agency share work in progress, timelines and costs? We give clients access to Trello software to log all Drupal issues and requirements, and we regularly respond and update on progress.

For more information about our expert, on-demand Drupal website services, please give us a call – we’d love to chat!


Maintenance checklist

Drupal web maintenance checklist

Regular maintenance is essential to ensure your Drupal site is always secure, speedy and functioning at its best.

Our top advice is to do little and often. By making small, regular tweaks and improvements, you’ll boost your Drupal website performance and online results substantially over time – making your energy and time input well worth it!

Here, we’ve pulled together a checklist of the most important maintenance tasks so you can schedule them in your diary. However, your website and organisation is unique, so you may want to tailor the checklist to meet your specific needs and goals.

regular Drupal optimisation tasks

We start with the regular jobs that need to be performed on an ongoing basis to maintain your Drupal website.

1. Update Drupal core, modules & themes

Updating the Drupal core involves changing your site from one minor Drupal version to another minor version. Such updates are regularly released in order to patch security issues, add features and generally enhance website performance.

Currently, it’s not possible to enable automatic updates for the Drupal core but this feature should be available in the near future. In the meantime, manual updates are required – we explain how to do these in the ‘Updating Drupal’ section below.

For exactly the same reasons, your Drupal modules and themes also need to be updated regularly. You can find further information on this in the ‘Updating Drupal’ section.

As always, don’t forget to backup your site before making updates! This will mean you can restore your website in case of any problems – more on this in our next point.

2. Backup

Backing-up means making and storing a copy of your Drupal website. This will enable you to get back online again rapidly if a disaster – such as hacking, being infected with ransomware, or encountering a technical problem – ever occurs.

The more often you backup, the less data you’ll lose when reinstating your site from a backup version. You should therefore make regular backups and keep them stored securely. This can be done manually yourself, or may be covered as part of your hosting provider or Drupal agency services.

Making backups takes up a lot of site bandwidth, so these should be scheduled for low-traffic periods, such as during the night, when the effect on your website visitors is minimal. We explain everything you need to know about backups in the ‘How to backup a Drupal site’ section below.

3. Optimise images

Images are often the heaviest elements on websites, and are therefore a common cause of slow and frustrating site performance.

If your website uses Drupal 7 or an earlier Drupal version, you’ll need to manually edit and compress images for best results – or ensure you have an image optimisation module to do the job for you. However, for Drupal 8 and 9 websites, images are resized and scaled for different purposes automatically.

Regardless of your Drupal core software version, make sure to add keyword-rich alt text to images to enhance your search engine performance. We explain all about this in the ‘How to improve Drupal SEO’ section.

4. Add content

By regularly adding high-quality content to your website, you signal to search engines that your site is active and worth visiting and indexing. In fact, producing and publishing content is now widely considered to be the most important search engine ranking factor and SEO tactic.

It’s a good idea to create a content plan and schedule blogs, articles and other content to publish in advance. For best results, make sure content includes your main keywords, is displayed appealingly, and is relevant and interesting to your target audience.

monthly Drupal maintenance checklist

We now cover the website maintenance tasks that should be scheduled every one or two months. These are the general checks needed to keep on top of your Drupal website’s speed, functionality and other key areas of performance.

1. Check speed

In today’s rapid-paced digital world, users have short attention spans and high expectations. It’s therefore vital to have a fast-loading website to keep visitors happy and engaged.

We recommend check your site speed regularly with GTmetrix. This free online tool gives two speed scores which can be benchmarked and monitored over time. It also includes recommended speed improvements, which we explain how to action in the ‘Drupal speed optimisation’ section of this guide.

2. Scan for security weaknesses

Make sure to scan your site for viruses and security vulnerabilities at least once a month. You can do this with Drupal’s Security Review module, or via an online scanner such as Sucuri.

Once the scan has been completed, you’ll need to address any security issues or weaknesses. Read our ‘Improve Drupal security section’ for further information on how to ensure your site is safe and robustly-protected.

3. Verify backups

Considering the importance of backups in case of your website crashing or encountering another major problem, it’s worth checking them and verifying they’re working.

You should make sure that backups are being made regularly, that all your relevant Drupal website files and data are being stored, and that backup copies are being saved in different locations. This will maximise your chances of being able to reinstate your site if disaster ever strikes.

4. Check uptime

Uptime is the proportion of time that your website is online and available for users. It’s expressed as a percentage, with 100% uptime meaning that people can access your Drupal site at any time.

You can check your website’s uptime with various free online tools, such as Uptime Robot. When your website’s value is below 100%, the cause is usually a server problem, so make sure to check regularly and contact your hosting provider if necessary.

5. Perform a visual check

Finally, it’s a good idea to give your website a visual inspection each month. You can do this just by navigating through your site and looking at how pages are displayed. It’s also worth checking key functions are working correctly, for example by submitting test contact forms or making a test event booking.

If there are any code, design or functionality issues on your Drupal website, further investigation and fixing is likely to be needed. We recommend speaking to your Drupal support agency for assistance.

You may also find it helpful to perform a visual check on different devices. If you find that mobile or tablet pages are not loading correctly, make sure to follow the advice in our ‘Optimising Drupal for mobile’ section.

maintenance checks every 3-6 months

We now move onto the Drupal website tasks/checks which should be scheduled every 3-6 months.

1. Review web stats

By collecting and reviewing analytic stats about your Drupal website, you can make data-driven decisions to enhance performance and results.

We recommend adding Google Analytics to your site as it’s a brilliant free tool which collects a vast array of useful data. Find out more in the ‘How to add Google Analytics on Drupal’ section of this guide.

Once Google Analytics is set up on your site, you’ll find all of your web stats on your Google Analytics dashboard. We recommend reviewing this periodically and then making informed edits to maximise website performance.

In particular, it’s often a worth finding out which blogs/articles are attracting most traffic, as these can then be updated and republished as part of your content strategy.

2. Check mobile responsivity

With the majority of internet browsing taking place on mobile and tablet devices, it’s essential to check your website’s mobile responsivity/compatibility from time to time.

We recommend performing the Responsive Test and Google’s Mobile-Friendly Test to check how your site is appearing and functioning across different devices. If you encounter any problems or find things are not displaying optimally, then make sure to read our ‘Drupal mobile optimisation’ section for advice.

3. Update passwords

To protect your Drupal site against security threats, it’s a good idea to update your login details regularly. Make sure to choose strong passwords, including a random combination of letters, symbols and numbers.

As well as changing your Drupal administrator password, it’s also worth updating your login details for your custom email address and any other website-related accounts. If you’re worried you’ll forget your passwords, then try using a password manager.

4. Check user permissions

The more users you have on your Drupal site, the more your site is at risk of hacking. Risks also increase when users have greater permissions/capabilities to edit your site as part of their roles.

Therefore, we recommend regularly checking and updating your user accounts. You should ensure that permission levels are correct for active users, and that inactive profiles are deleted. Read the ‘Improve Drupal security’ section below for more information.

5. Clean your database

As you update and edit your Drupal site, your database becomes clogged-up with surplus files. This can both reduce site speed and pose a security risk, so it’s a good idea to have an occasional ‘spring clean’.

The easiest way to check your database and remove unnecessary files is with the Clean up module. Make sure to backup first – just in case you accidentally delete something important!


Drupal audit


Drupal SEO maintenance checklist

Here, we’ve pulled together a checklist of the key jobs needed to maintain and improve your website’s search engine performance. We describe SEO in much more detail in the ‘Search Engine Optimisation for Drupal websites’ section of this guide, but this gives an overview of the main tasks worth scheduling.

How often you need to complete these will depend on the importance of organic traffic in your website’s success. We recommend undertaking this SEO checklist somewhere between fortnightly and biannually, depending on your priorities.

1. Check SEO health

It’s a good idea to start by giving your site a general SEO once-over. We recommend using Ubersuggest’s SEO analyser, but there are also lots of other free, online tools available.

On Ubersuggest, type in your web address, select your language/country and click ‘Search’. You’ll then get a report showing your organic traffic levels, domain score and organic keyword count – it’s worth recording this information and trying to improve your SEO stats over time.

Next, go to the ‘Site Audit’ section in the left-hand menu, where you’ll find a more detailed health-check tailored to your site. This includes a list of SEO issues needing attention, ordered in terms of priority and impact. These should be fixed to improve your website’s search engine performance.

If you’ve installed the Drupal SEO Checklist module, it’s also a good idea to check and follow its ‘to-do’ list of SEO tasks and best practices.

2. Visit Google Search Console

Google Search Console offers a great range of free tools and reports to help you improve your website’s performance on Google. We recommend checking your Google Search Console profile regularly to benchmark your SEO data and see if there are any SEO error messages.

It may also be helpful check your site’s Google’s Crawl Stats Report, which shows the latest Googlebot activity on your site.

3. Fix broken links

Search engines find content via links. When links are broken – ie. they come up as a 404 error message – then this can cause both significant SEO problems and user frustration.

It’s worth checking your website for broken links from time to time. There are lots of free online tools, such as Dr Link Check, which will scan your site for this purpose.

If you have any broken links, you should manually update these to ensure they’re correct. It’s also a good idea to install the Drupal Redirect module and add any old/removed URLs so they can be redirected to the most appropriate new/current URLs.

4. Gain backlinks

Backlinks act like personal recommendations from other websites, showing that your site is worth visiting. They therefore signal to search engines that your site is worth ranking highly!

It’s a good idea to share your latest content as widely as possible via social media, email newsletters and other channels. If you create great, shareable content and ensure it reaches plenty of people, you’ll be likely to attract backlinks naturally.

You can also ask other websites for backlinks directly and/or write guest blogs that include links back to your site. This may be particularly useful if you find other sites that are relevant/similar to yours and have high domain authority.

5. Check keywords

Keywords are the main words and phrases that explain what your website is about, and they massively affect which search engine results pages your website is ranked on. We recommend having a list of 5-10 keywords that your Drupal website is targeting.

As part of SEO maintenance, it’s a good idea to check and refresh these keywords from time to time. You can do undertake research into current user search behaviour with tools such as Moz’s Keyword Explorer or Google’s Keyword Planner. You should also check if your keywords align with any changed organisational priorities.

Once you’ve done this, update your list to reflect the best keywords to meet both your goals and the latest search trends. You should then check through your recently-published content and ensure it includes these keywords.

how to audit your Drupal website (annually)

Finally, we cover everything needed to undertake a full Drupal website audit. This should be done annually, including all of the above tasks as well as those suggested below.

You may find it helpful to ask your Drupal development agency to conduct a full site audit for you, as then they can give their expert opinion. Here are the areas that should be included:

Drupal theme: Are you using the most appropriate theme for your website and goals? It’s worth checking your theme is fast, mobile-responsive and includes all of the functionality required.

Hosting provider: It’s worth reviewing whether your hosting package is meeting your needs in terms of security, speed, reliability and other factors. We explore the types of hosting available and how to choose the right hosting provider for you in the ‘Choosing Drupal hosting’ section below.

Modules: Are your modules all needed and up-to-date? Surplus modules may be slowing down your site unnecessarily, so make sure to check.

Brand mentions: Are your brand mentions up to date with how you’re describing your website and organisation? This means checking your contact details, footer, about us page and any other brand information on your Drupal site.

Domain renewal: Domain names usually need to be renewed annually, so make sure to include this on your audit checklist. Domain renewal can be undertaken either through your Drupal support agency or by contacting domain provider directly.

Design & UX: Great websites are aesthetically-pleasing, easy to navigate and convey clear messages. It’s worth reviewing your Drupal web design and UX as part of your annual audit – you can do this simply by browsing your site and imagining you’re a first-time visitor. If possible, user testing is an even better way to get impartial feedback about your site.

Accessibility: UK law states that all services (including websites) must be accessible for everyone, so it’s vital to check your site’s accessibility as part of your Drupal audit. Tools such as Wave are great for evaluating web accessibility and suggesting improvements.

404 page: A 404 error message is shown when a URL is broken or cannot be found. It’s a good idea to design a friendly and fun 404 page to minimise user frustration and encourage continued browsing. You should check this page is functioning correctly as part of your annual site audit.

Disaster recovery: Are you prepared for the worst? A disaster recovery plan lays out in detail the actions you would undertake if your site was hacked, infected or crashed. We explain all about disaster recovery plans in the ‘Improve Drupal security’ section below, but we also recommend checking and updating your plan annually.

SSL certificate: To keep your site secure (using HTTPS), your SSL certificate needs to be renewed every two years. Make sure to check when your certificate expires and renew it in plenty of time through Let’s Encrypt or via your hosting provider.


updating Drupal

It’s vital to update your Drupal site regularly to ensure everything is secure and functioning correctly. In fact, the vast majority of websites that are hacked have outdated software.

It’s worth clarifying that there are two types of Drupal updates:

  • Updating is the relatively simple process where you change your site from one minor version of Drupal to another minor version (eg. 8.5.0 to 8.5.1)
  • Upgrading is a much more technical and difficult process, changing your site from one major version of Drupal to another major version (eg. Drupal 7 to Drupal 8)

This section focuses on the updates between minor versions, however if you’d like to update your Drupal site to the latest major version, make sure to read our Drupal 9 website upgrade blog.

There are three main options for making Drupal updates:

  • Using Composer – this is Drupal’s recommended option, but it’s only suitable for people who have good technical skills and are familiar with the Drupal system
  • Using Drush – though this is not recommended for versions of Drupal 8 and beyond (so we won’t be including Drush update details in this blog)
  • Manually – ideal for beginners or people with less Drupal knowledge

Of course, you can always ask your Drupal agency for assistance too.

Currently, Drupal does not offer automatic updates but it’s one of the platform’s strategic initiatives and so should be available as an option in the near future.

In this blog, we’ll focus on Drupal 8 sites and Drupal 8 updates, however if you have a Drupal 6 or 7 site, there’s lots of advice covering all aspects of Drupal maintenance and updates on Drupal.org.

Finally – a note of warning to backup your Drupal website before making any updates. This means that you’ll be able to reinstate your website in case there are any problems or issues.

updating Drupal using Composer

Drupal core uses Composer to manage core dependencies. If your site was initially created without Composer, you’ll need to make it Composer-ready first by modifying your composer.json. If you’re updating from a version earlier than Drupal 8.8.0, you might also need to change to the Drupal/recommended-project template.

The first step is to check whether a Drupal update is available. To do this, run:
composer outdated “drupal/*”

If there is no line starting with Drupal/core, then no update is available. If there is a line starting with Drupal/core, proceed to update as follows.

Next, you’ll need to establish whether your website uses Drupal/core-recommended or Drupal/core, as they each have a slightly different update process. To find out, run:
composer show drupal/core-recommended

Where you have Drupal/core-recommended, this will return information about the package. To update, use the command:
composer update drupal/core-recommended –with-dependencies

If you’re using Drupal/core instead, then you’ll get a message saying ‘Package Drupal/core-recommended not found’. If this is the case, use the following command to update:
composer update drupal/core –with-dependencies

Finally, you’ll need to update your database by going to a browser and visiting websiteaddress.co.uk/update.php (eg. pedalo.co.uk/update.php). Once this is done, your site is updated! Make sure to check-over everything and ensure it’s working correctly.

If you encounter problems, there may be a dependency preventing Drupal core from updating. Alternatively, it may be due to poor settings or abandoned templates in Composer. For further information and troubleshooting, Drupal.org has these detailed instructions about updating your website using Composer.

updating Drupal manually

If you’re less technically-knowledgeable about Drupal, then updating your website using manual installation is likely to be the best option. To do this, you’ll need to have user permission to administer software updates.

We’ll show you how to manually update using an FTP client, which is the simplest way. However, if you’d prefer to use shell access, visit Drupal.org for details.

Before commencing, make absolutely sure that you’ve backed-up both your files and database – this will mean you can revert to your previous version if anything goes wrong. If you’ve modified any files such as .htaccess or robots.txt, you’ll also need to copy these changes somewhere so you can reapply them after the update.

Now, we’ll begin updating. First, put your site into maintenance mode by going to Administration > Configuration > Development > Maintenance mode. Tick the ‘Put site into maintenance mode’ box and click to save.

Sometimes, Drupal updates feature changes to the default.settings.php file. If this is the case, it will be stated in the release notes for the relevant Drupal version.

Where such changes are necessary, you’ll need to download and save the new default.settings.php file. Then copy any custom and site-specific entries from your most recent site backup into it, and change the file name to settings.php (so it will overwrite your previous settings.php file). Finally, locate this file in your /sites/* directory.

Next, or if no settings.php updates are required, you’ll need to remove your Drupal top-level directory files, core directory and vendor directory (leaving behind modules, profiles, sites and themes).

To do this with an FTP client, manually select the files in your Drupal top-level directory, plus the core and vendor directories, and delete them. Make sure to include hidden files, but be careful not to delete modules, profiles, sites or themes.

The next step is to download the required Drupal website update and save in a directory outside of your webroot. Then, using your FTP client, upload the new update’s core and vendor directories and top-level directory files into your Drupal directory.

If you had any manual modifications to files such as .htaccess or robots.txt that you saved earlier, now’s the best time to reapply them.

Finally, update your database by going to a browser and visiting websiteaddress.co.uk/update.php (eg. pedalo.co.uk/update.php). This will finalise and complete your manual core update.

We recommend you give your Drupal website a thorough check-over to make sure everything is working correctly. If you have issues logging in or displaying your updated site, try clearing your browser cookies.

updating modules & themes

Just as the Drupal core needs regular updates to stay secure and performing optimally, so too your Drupal modules and themes. It’s also worth noting that some modules/themes might specifically need updating to work with particular Drupal minor versions.

It’s recommended to update modules and themes using Composer and Drush. Composer has a built-in command that lists software with updates available:
composer outdated “drupal/*”

Security updates are only available via Drush, using the command:
drush pm:security

To install updates for a particular module or theme, go back to Composer and command the following:
composer update drupal/modulename –with-dependencies

Once you’ve updated all the required modules/themes, you’ll need to rebuild your cache and export any changed configurations:
drush updated
drush cache:rebuild
drush config:export –diff

Finally, update your Drupal database in a browser by visiting websiteaddress.co.uk/update.php.


People looking at Drupal website

how to backup a Drupal site

Remember how awful it feels when a document crashes before you’ve pressed ‘save’? Imagine that happening with your entire website!

Backing-up means making and storing a copy of your site’s files, content and information. This enables you to reinstate your site and get back online again quickly if disaster ever happens.

It’s vital to backup your Drupal site regularly, and particularly before updating it, adding a new module/theme, or making any other major changes.

Site backups are essential because often problems are totally unexpected – such as your Drupal website being hacked, infected with ransomware, or encountering a technical problem. Without a backup, you could lose everything that’s ever been written, designed or created on your site.

It’s always worth speaking to your hosting provider and/or Drupal agency before backing-up yourself, as they may already include backups as part of their services.

how often to backup on Drupal

There’s no definitive rule about how often to backup your Drupal site – it could be daily, weekly, monthly or at another time interval to suit your needs.

The more regularly you backup then generally the less data you’ll lose if you have to reinstate your website from a backup. It’s worth considering how often you make changes or add new content to your site, and how easy or difficult it would be to re-do this work if it was lost.

It’s a good idea to schedule backups to take place when your website has low visitor numbers, such as during the night, to reduce impact on site speed and user experience.

We recommend always storing three (or more) recent backups. These should be kept in different locations – for example, on different computers, cloud accounts or hard drives. This gives the added security of ensuring your site can still be reinstated even if one of the backups fails.

backing-up your Drupal site

There are two main ways to backup your Drupal site:

  • Using the Backup and Migrate module – a simple method that’s ideal for beginners and includes automatic scheduling options
  • Using a command line interface – a more hands-on and technical option

To backup your Drupal site effectively, you need to backup both your website files AND database. With the Backup and Migrate module, this all takes place automatically once you’ve configured the correct settings.

By default, the module stores backups (of both database and files) on the Drupal private directory. To set this up, create a directory that is on your server but outside of your Drupal installation.

Add the path to this directory in the Drupal settings file, for the file_private_path variable. You should then check this has been set up correctly in Administration > Configuration > Media > File system. You may also need to clear all caches in your Drupal site back-end.

Once you have your Drupal private directory set-up and the Backup and Migrate module installed, go to Administration > Configuration > Development > Backup and Migrate and simply click ‘Backup now’. That’s all you need to do to create a manual backup of your Drupal database and files.

To schedule automatic backups using the Backup and Migrate module, simply tick ‘enable’ and set your desired frequency in the module’s settings.

Alternatively, you can backup your Drupal site using a command line interface. Only two commands are required.

Firstly, to backup your Drupal database, use the following command, replacing ‘USERNAME’, ‘PASSWORD’, ‘DATABASE’ and ‘path/to/backup_dir’ as necessary:
mysqldump -u USERNAME – p’PASSWORD’ DATABASE > /path/to/backup_dir/database-backup.sql

Secondly, to backup your site’s files, use the below command, again changing paths as needed:
cp -rp /path/to/drupal_site /path/to/backup_dir

If you’re using the command line interface method, make sure to set regular diary reminders to backup your site as often as needed.


Drupal website analytics

how to add Google Analytics on Drupal

Google Analytics is a brilliant free tool which enables you to track site visitors and find out how your website is navigated and used.

Google Analytics collects a vast range of website data, including:

  • Which site popular pages are most popular
  • How people reach/find your site
  • How long people spend browsing on your site
  • What paths people take to find content
  • When the busiest and quietist times are
  • What devices are used to browse your site
  • Whether users are new to your site, or returning for a repeat visit
  • User demographical information, such as location, age and gender
  • How data varies over time

With this data, you can update and optimise your Drupal website to better meet users’ needs and therefore boost engagement, increase revenue and reach your digital goals. With Google Analytics, you can make data-driven decisions based on real user insight – thus giving you the best possible chance of success.

We share how to add Google Analytics on Drupal below. The only thing you need to do first is create a Google Analytics account and add your website details in the ‘Admin’ area.

adding the Google Analytics module

The quickest and simplest way to add Google Analytics to your Drupal site is with the Google Analytics module. This also ensures data is always being collected, even if you change your site’s header or footer code.

The first step is to install and enable the correct version of the Google Analytics module – for example, if you have a Drupal 8 site, make sure to install the module version for Drupal 8.

Then, login to your Google Analytics account and get your site’s tracking ID. This can be found in Admin > Tracking Info > Tracking Code.

Next, go back to your Drupal site and go to Configuration > Google Analytics. In the ‘Web Property ID’ box, paste the tracking ID you just found in your Google Analytics account, and click to save.

For most website owners, the module’s default settings will work perfectly. However, you can also customise various settings within the module if required.

Congratulations! Google Analytics is now installed and will start collecting data. You can test that things are working correctly back on your Google Analytics account, though it will take time before any meaningful data or trends can be collected.

adding Google Analytics code

If you’d prefer to get more hands-on with your website, you can add Google Analytics tracking code manually on your Drupal website instead. As always, make sure to backup your site before doing so – just in case you encounter any problems

To set up manual Google Analytics tracking, log into your Google Analytics account and collect your tracking code. This can be found in Admin > Tracking Info > Tracking Code. Under ‘Website Tracking’, there’s a box containing your Global Site Tag (gtag.js) – just copy this code.

Now, return to your Drupal site back-end and paste in the code – either in your theme’s page.tpl.php file, your html.tpl.php file, or in your website’s header/footer. You can also choose alternative locations but we recommend these because they ensure that Google Analytics code tracks across all pages on your site.

Once you’ve saved your updates, Google Analytics will start tracking your website data. You can view your stats at any time back on your Google Analytics account dashboard.

Drupal analytics & GDPR compliance

As part of the General Data Protection Regulation (GDPR), website visitors need to consent to have their data tracked before Google Analytics code is loaded.

Therefore, to comply with the law, it’s vital to ask users for permission to track their data with a cookie notice. The EU Cookie Compliance module is ideal for this purpose and can be easily set-up on your Drupal site.

Once installed, the module will produce a popup message saying ‘We use cookies on this site to enhance your user experience’. It will ask visitors to click either ‘Yes’ to agree or ‘No’ to find out more information (via your privacy policy).

It also tells users that by clicking on any website links that they’re automatically consenting to cookies, thus allowing analytics code to be loaded and visitor data to be tracked even if they don’t engage with the popup message.


Drupal SEO

Search Engine Optimisation for Drupal websites

SEO, or Search Engine Optimisation, means editing and enhancing your website to appeal to search engines such as Google, Yahoo and Bing. With good SEO, your website will be displayed higher up on the results pages when users search for relevant queries.

SEO is important because it’s 2020 and almost everyone uses the internet to find information. Most online content is found through search engines; people type in (or say) a search query, and the search engine displays a list of relevant webpages.

Ensuring search engines know about your site and include it in their search results is therefore vital in generating website traffic. Generally, the higher up your website is displayed on search engine results pages, the more click-throughs and site visitors you’ll get.

Drupal sites generally do well in terms of search engine visibility and performance, so having a Drupal site is a good start for SEO. As long as your website has high-quality content that appeals to your target audience, it should perform well in gaining organic (search engine) traffic.

However, there’s almost an unlimited number of SEO tactics you can use to get your Drupal site performing even better on search engines, as we’ll explore below.

Before we begin, it’s worth bearing in mind that search engines use complex algorithms to understand and rank webpages in their search results. A wide range of factors – including speed, security and mobile compatibility – also affect which sites are displayed highest. These important ‘behind-the-scenes’ factors could be causing problems on your Drupal site even if your front-end design looks stunning.

So, for optimal search engine performance, we recommend following all of the sections in this guide and optimising your Drupal site across all key areas. But for now, read on for Drupal SEO-specific tips and advice…

understanding & choosing keywords

Keywords are the words, phrases and topics that encompass what your website does. They will affect which search engine results pages you appear on and therefore who sees and visits your site.

Your chosen keywords should be the same as what your target audience or customers are looking for on search engines. For example, if you sell knitting kit on your website, your keywords could include things like ‘knitting supplies’ or ‘order knitting needles online’.

Drupal beginners often just guess their keywords, but it’s best to do keyword research to find out exactly which words and phrases are commonly being entering into search engines. You can find lots of simple-to-use keyword research tools online – Moz’s Keyword Explorer and Google’s Keyword Planner are particularly good.

Keyword research can show which keywords are most popular (with highest search engine traffic) and so can help you prioritise the keywords most likely to bring visitors to your site. Although, it’s worth remembering that less popular keywords may also be important as they’ll generally have fewer websites targeting them, and therefore be less competitive.

To commence, think of a few words or phrases to describe your website. Type these into your keyword research tool to find out their search volumes and see what other, similar phrases users are searching for.

Once you’ve done your research, we recommend creating a list of approximately 5-10 keywords that your Drupal website is targeting. You should then use these keywords repeatedly – though not excessively – in your website content and other search engine data, such as metadata and image alt tags.

the best Drupal SEO modules

There are a few essential Drupal modules that are well-worth installing to improve your website’s search engine performance.

1. PathAuto

Each page on your website has a unique weblink or URL, and this is part of the information used by search engines to rank your content. Effective URLs contain keywords or other relevant words/phrases, and thus help search engines understand which pages to prioritise for particular search queries.

Drupal automatically creates URLs for your content, but these are usually not optimised for SEO. For example, they may include numbers/code and often lack any relevant page-specific information or keywords.

With the PathAuto module, you can update the way your URLs are created so that they include the relevant menu area title and content/keyword information. This will mean your page URLs end with something like /category/page-information, instead of /xxx/173, which is of huge benefit in getting your content indexed and ranked for SEO.

2. Redirect

Search engines find content and understand the structure of your website via links. When links are broken, this can therefore cause SEO problems – as well as frustration for your website visitors!

A broken link is a link to a webpage that doesn’t work. When someone clicks on the link, they’re directed to a 404 error message instead of the correct content. Links most commonly end up broken when the URL has been changed or a webpage has been removed.

You can check your website for broken links with various free online tools, such as Dr Link Check. If you have any broken links, you can then manually update these to ensure they’re correct. It’s also important to set up redirects to divert users from old/removed URLs to new/correct URLs.

The Drupal Redirect module provides this functionality so is well-worth installing on your site. It allows you to add redirects quickly and easily from the most common broken links on your site. It also automatically cleans up inactive redirects and optimises redirect performance.

As an extra note, it’s a  good idea to create a 404 error page to appear to users when the URL they’re trying to reach is broken (as always happens occasionally). A friendly or humorous 404 message can help reduce users’ frustration and encourage them to keep browsing your Drupal website.

3. Metatag

On search engine results pages, only a brief ‘teaser’ of content is provided for each of the listed webpages. Here’s how Pedalo’s homepage is displayed in the Google search results:

Pedalo search engine results display

First is the title tag, then your URL, and finally a brief meta description. This information should be optimised to explain what’s on your website and encourage people to click-through – all important components of SEO performance.

The Metatag module allows you to create title tags and meta descriptions for your Drupal website pages. It then places this data in your webpage headers, thus ensuring efficient search engine performance and rapid page loading.

Once you’ve installed the Metatag module, you’ll be able to add site-wide SEO metadata under Administration > Configuration > Search and metadata. For single nodes/pages, a metadata section can be found in each node’s ‘edit’ page. The more you optimise this information, the more search engines will rank your content for relevant search queries and the more organic traffic you’ll get.

For guidance, your title tag should provide a concise explanation as to what a particular webpage is about. It should be around 50-60 characters, including the most important keyword(s) for that page.

Your meta description is a 150-160 character summary of your page’s content. It should again include any important keywords, but this time embedded in a brief sentence or two to entice people to click-through to your site.

4. XML Sitemap

An XML sitemap is a list of your website pages used by search engines to crawl your site. It gives an overview of your website’s content and structure, thus helping search engines find, understand and rank your webpages.

The XML Sitemap module is an essential tool for creating sitemaps on Drupal websites. Once it’s installed, you can submit your sitemap to search engines such as Bing, Google and Yahoo.

For Google, sitemaps need to be submitted via your Google Search Console profile (more on this below). Simply click on ‘Sitemaps’, add yours and then click ‘Submit’. After a few hours, you’ll be able to check your sitemap stats on your Search Console profile – these include the number of links found and whether there are any errors.

5. Image Optimize

Your website imagery needs to be optimised for SEO. The Image Optimize module is a great tool which allows you to adjust image size and quality to improve website loading time – a key SEO factor.

Additionally, it’s vital to add alt text for your images. These are text descriptions explaining (in brief) what’s in each picture – they’re used by both search engines and web accessibility readers. For the best results, make sure your alt text uses descriptive language and includes keywords, where relevant, to help search engines understand your images.

6. Drupal SEO Checklist

Whilst the Drupal SEO Checklist module doesn’t actually do anything itself, it provides a very helpful and comprehensive list of tasks and best practices to enhance SEO on your Drupal site.

Simply install the module and follow its to-do list, and you’ll end up with a fully optimised website! The module also helps you keeps on top of tasks and make gradual improvements by recording a date/time stamp when each task is completed.

other Drupal SEO tips

Now you’ve got the key Drupal SEO modules installed, we consider a few more general SEO tips and best practices to ensure your site performs well on search engines.

If you follow these tips, you’ll give your website the best possible chance of ranking well on search engines and gaining plenty of organic traffic. But don’t forget that improving site speed, mobile friendliness and security are also key SEO ranking factors (explored in other sections of this guide).

1. Consider site structure

The structure of your Drupal website is an important signal to search engines about which of your webpages are most important. ‘Important’ pages should be easy to find, with lots of internal links pointing towards them (we explain more about links below).

To improve your site structure for SEO (and also for users!), consider how your website is organised. It usually makes sense to have a small number of important main pages as ‘header’ items with other, related content nestled underneath. You may need to move pages around and try out different structures until you find the most optimised format for your site.

2. Add high-quality content

Google loves content. In fact, many SEO experts say that ‘content is king’ in terms of website search engine performance.

By adding high-quality content – such as blogs, news articles and information pages – to your site, you increase the number of webpages that search engines can index and display in their search results.

Ensuring that content is relevant to your audience and includes your target keywords helps search engines understand what your site is about. Adding content regularly is also an important SEO signal that your site is active and has new and interesting things to offer.

The better your content, the longer users will stay on your website, which is not only good for you and your organisation, but also yet another search engine ranking factor. So, it’s well worth investing in producing great content and publishing regularly – we recommend creating a content plan and scheduling publication in advance.

For best results, make sure your text includes relevant keywords and phrases that will help people find your site on search engines. Include links to other articles and related information to keep users reading and engaged (more on linking below).

It’s also a good idea to think about how you display your content, as the more appealingly it’s laid-out, the more likely it is to be read. Don’t be afraid to use bright colours – researchers have found that coloured visuals increase users’ willingness to read by 80%!

Choosing clear language, using headings, having short paragraphs, including enough white space, and adding imagery are all great ways to optimise your content. This will help people skim your text and find what’s relevant and useful for them – and therefore help both your SEO and user engagement stats.

3. Get linking

By providing links across your website and content, not only do you keep users reading and engaged but you also help search engines find and understand your content.

There are two types of link: internal links are to other pages on your site, whereas external links direct people to other websites. Links can be embedded within text, in your menu, or displayed as images/buttons.

Internal links are particularly valuable for SEO as they make connections between the various content on your site and help search engines understand and navigate your website structure. A large number of internal links pointing to a particular page also indicates that the page is of high importance.

External (or outbound) links can be helpful to direct users to other sources of information and may indicate to search engines that the external content is related or similar to yours. But make sure to add external links with caution, as they will direct users away from your site.

4. Seek backlinks

Finally, our last SEO tip is about backlinks, or links to your site from other websites. These act like recommendations to show that your site is high-quality and worth visiting – thus indicating to search engines that your site is worth ranking!

The most effective backlinks for SEO are from websites that are high-quality and relevant to your site – there’s little point having backlinks from spam sites or sites that are completely unrelated to your organisation.

There are various methods for getting backlinks but generally the easiest way is by creating great, shareable content. When your content is original and interesting, other websites will want to share it with their audiences by linking to it.

Other ways to get backlinks include adding your site to directories/listings, writing guest articles for other sites, and sending out press releases. Moz’s guide to link-building and Respona’s guide to SEO outreach are great reads for more detailed information.

using Google Search Console

To further enhance your Drupal website’s SEO, Google Search Console offers a great range of tools and reports. Provided by Google, the console is designed to help you measure and increase your website’s organic traffic and performance – and it’s totally free to use.

If you haven’t already registered with Google Search Console, you’ll need sign-up and then add and verify your website. To do this, create a Search Console account, enter the URL of your website and click ‘Add Property’.

Then select ‘Manage Property’ and ‘Verify this site’. To verify using your Metatag module, you’ll need to select the HTML tag option and copy the bit that is found between the quote marks after content=:

On your Drupal dashboard, go to Configuration > Search and Metadata > Metatag and navigate to the ‘Site Verification’ section. In the Google field, add the tag you just copied from Google Search Console, and click to save.

Finally, you’ll need to go back to Google Search Console and click ‘Verify’. Once this is done, you’ll be all-set to record lots of helpful data! You can also submit your website sitemap to Google through the console as explained above.

Google Search Console provides information such as:

  • What search terms people are using to find your website
  • How many impressions your website is getting in Google search results
  • How often your pages are clicked from search results
  • Website errors impacting SEO (and how to fix them)

We recommend checking your Google Search Console profile regularly to keep an eye on your organic performance and measure ongoing SEO progress.

optimising Drupal for local SEO

Lastly, we look at local SEO and consider how to optimise this on your Drupal site.

Local SEO is different to traditional SEO in that it promotes your organisation in terms of its geographical location, such as ‘London’ or ‘Westminster’. This helps people find your website when they’re searching for services in a particular place or ‘near me’.

Firstly, make sure to sign-up for Google My Business. This free tool allows you to add your organisation, web address and any other relevant information (such as opening hours) to Google Maps.

With users increasingly searching on maps and Google prioritising map listings in their search results, this is a great way to ensure your organisation is indexed and displayed in local searches. Once you’re listed, you can optimise your profile for SEO by including keywords in your business description and asking your users/customers to write Google reviews.

Secondly, make sure to include local keywords – ie. the name of the location(s) in which you operate – on your Drupal site. You may also want to write content tailored to your location; for example, if you run a bakery business in Vauxhall, you could publish an article about the most popular cakes chosen by south Londoners.

Using local keywords and creating local-specific content will provide important signals for search engines about your location and help ensure you appear in relevant local searc


Website speed

Drupal speed optimisation

Having a Drupal website that loads rapidly is vital for online success. Firstly, speed is one of the factors used in search engine algorithms, with faster-loading sites appearing higher up in search results and therefore gaining more organic traffic.

Secondly, in today’s digital world, people typically have high expectations and short attention spans. They expect to get the information they need quickly and will exit slow-loading websites. In fact, research shows that a two second delay in page speed can reduce website visitor numbers by 50%!

Thirdly, speed affects how website visitors engage with your content. Faster sites tend to get more page views and conversions – so more rapid loading may even lead to increased profits.

In this section, we explain how to test your Drupal website’s speed and then provide tips to get everything loading as quickly as possible.

how to check Drupal website speed

To get a baseline for how your site is performing in terms of speed, we recommend using GTmetrix. This free tool gives you two speed scores as well as lots of speed and performance tips.

Simply go to GTmetrix, type in your website URL and click ‘Test your site’. Your performance report will include a PageSpeed score and YSlow score – we recommend recording both and seeing if these improve after you follow our speed optimisation advice.

You’ll find detailed speed improvement recommendations in the PageSpeed and YSlow tabs; just click on the small black arrow for any areas rated below grade A. There is also a ‘Priority’ column, which indicates which recommendations GTmetrix thinks are most important and therefore worth actioning first.

As well as checking your homepage, it’s also worth checking the speed of any other particularly important pages on your Drupal website – for example, your online shop or events listings.

Google PageSpeed is another great free speed tool that’s also helpful. It’s less detailed than GTmetrix but has the benefit of showing separate speed scores for mobile and desktop. If mobile speed is a particular problem on your Drupal site, then make sure to read the mobile optimisation section of this guide.

how to improve Drupal website speed

We now explain the most effective ways to improve your Drupal website’s speed. With most requiring little technical knowledge, we’ll ensure you can supercharge your website loading time whether you’re an experienced Drupal developer or a Drupal novice.

1. Enable caching

In brief, caching means storing your website’s data in a local storage space or cache. This involves creating a snapshot of your website pages and files when they are displayed for the first time, and then storing this temporarily for use on future website visits.

Caching means browsers can re-display what’s already been downloaded from your website server, rather than having to re-download your site files every time. The result is that your website loads much more quickly.

The main type of caching is browser caching, where browsers (for example, Chrome and Internet Explorer) hold the most recently downloaded webpages in their caches.

For Drupal 8, there are two caching modules that form part of the core software – Page Cache and Dynamic Page Cache. These are enabled by default so there’s nothing else you need to do. For earlier versions of Drupal, you can enable caching in Configuration > Performance > Caching.

However, for advanced catching options and to boost your site’s speed even further, we recommend installing the Advanced CSS/JS Aggregation module. It can take a bit of patience and ‘trial and error’ to find the best settings for your site and ensure everything is working correctly, but the results are well-worth it.

If your site has a lot of traffic, it may also be worth enabling server catching – you’ll need to contact your hosting provider to arrange this.

2. Optimise images

The heavier your Drupal site files, the longer it takes to load and display everything. Images are typically the largest website elements and therefore it’s vital these are optimised to speed up loading times.

Different images need to be displayed in different shapes and sizes on your Drupal site. You should therefore ideally crop and edit your images to fit their intended purpose, before you upload them.

Generally, the smaller the file size, the better. Images are often created in large, high-quality sizes by default, but they can be resized and compressed for the web without noticeable loss of quality. Tools such as Photoshop, Pixlr and Resize Image are great for editing image sizes.

If your website uses Drupal 7 or an earlier version, we recommend installing a module such as Image Optimize to further compress and optimise images. Happily, if you have Drupal 8 or later, then your core is automatically able to resize and scale images for different screen sizes and purposes.

Another great feature to improve image speed is lazy-loading, which means that images below the fold are not loaded until a user scrolls down and actually needs to see them. This can be enabled with Drupal’s Lazy-load module.

3. Update modules & themes

You need to keep on top of any installed modules and themes to maximise site speed. If you have surplus items that are not needed, these will increase your website’s loading time. Modules and themes that have not been updated are also likely to slow things down.

Drupal beginners often think that fewer modules equates to a speedier site. But actually the quality and usefulness of installed modules is much more important than the quantity.

You can find out which modules are active on your Drupal site your modules list (or ‘Extend’ section in Drupal 8). The enabled ones will be ticked.

You can check if any modules are slowing down your site by disabling each module individually and then running a speed test with GTmetrix. By comparing before and after speed scores, you can evaluate whether any modules would be better removed from your site. Though remember to clear the Drupal cache or you might end up just testing the same cached data twice!

You should also make sure to keep modules and themes up-to-date to maximise speed and performance. You can check for updates by going to Reports > Available updates and clicking ‘Check manually’.

4. Schedule background processes

A variety of background processes are constantly taking place to keep everything running on your Drupal website – for example, making site backups, publishing scheduled content and blocking spam login attempts.

Whilst most of these have a minimal effect on website speed, the more processes taking place, the more chance they’re slowing down your website. In particular, backups take a up a lot of site bandwidth, so you should make sure that these are scheduled to take place during low-traffic website times, such as at 4am.

To further optimise your Drupal site speed, it may be worth installing the Background Process module, which has lots of options for changing how and when background processes take place. Alternatively, ask your Drupal web design agency for advice.

5. Optimise content

As well as optimising images (as discussed above), it’s a good idea to optimise your content more generally.

The more fancy graphics and functions you have on your site, the longer pages will take to load. Therefore, we recommend adopting a minimalist approach and only including the features that are really needed. This will make your site more streamlined, easier for users to navigate, and, of course, faster.

You can further speed up content display by optimising CSS and Javascript files so that they load together. To do this, simply go to Configuration > Performance, select ‘Aggregate and compress CSS files’ and ‘Aggregate JavaScript files’, and click to save.

For more technically-advanced options, you may want to install the Advanced CSS/JS Aggregation module (also mentioned above in point 1 about caching). This can be used to increase site speed in various ways including by compressing files and reducing the number of HTTP requests.

6. Choose rapid hosting

We cover website hosting in detail in the ‘Choosing Drupal hosting’ section of this guide. However, we just wanted to reiterate here the impact your hosting provider has in terms of site speed.

In brief, web hosting involves storing your website’s files on a server. When your URL is requested, browsers then request these files from the server and convert them into a viewable website. How quickly your site is displayed therefore depends on how quickly your hosting provider can process browser requests and hand over your Drupal website files.

Website speed is also affected by the geographical location of your server – the shorter the distance between your server and your user, the quicker your website will load.

If you have visitors from many different countries, it may be worth setting up a Content Delivery Network (CDN). This is basically a network of servers located around the world, thus reducing the distance your website files need to travel to users in different locations. For further information, this GTmetrix article is a great source of information and advice about CDNs.

7. Clean up your database

Your Drupal database is also a big factor in your website’s speed, so keeping it clean and tidy is important for optimal performance.

It’s therefore worth regularly checking through your data and removing any unnecessary or outdated files and old/draft content. This can be done manually, through the database optimise tool in phpMyAdmin, or with a specialist module such as Clean up.

The Node Revision Delete module is also helpful in keeping things squeaky clean. It allows you to track and remove any revisions to content types, which are otherwise automatically stored on your Drupal database.

8. Reduce redirects

Finally, we consider how redirects may impact site speed. Redirecting changed or deleted URLs to live website pages is an important component of both search engine performance and good user experience. However, every time you redirect a page, the loading time is increased.

A single redirect is unlikely to cause any speed problems, but your site may be slowed down significantly if you have chains of redirects, where one redirect points to another (or multiple) redirect(s). Such chains happen where you replace one page with another and then do the same again, without changing the original redirect path to go directly to the newer re-written page.

It’s advisable to keep an eye on your redirects and update any that aren’t going straight to the correct page in order to boost site speed. There are various online tools that allow you to check for redirect chains – we recommend Screaming Frog.


People checking Drupal website security

improving Drupal security

Protecting your Drupal site against hacking and ransomware infections is essential. Just as real-world shop owners lock up their shopfronts, your Drupal website needs to be ‘locked’ against potential online threats.

Without security protection, your website and organisation are vulnerable to data losses and GDPR law violations. Security breaches are also likely to undermine user trust and damage your reputation – as well as having hefty financial implications.

Added to this, web security is an SEO ranking factor, with Google (and other search engines) prioritising secure websites in their search results and regularly blacklisting insecure sites. So having a secure website is vital if you want to attract organic traffic.

The good news Is that Drupal has excellent security credentials so simply having a Drupal website is a great start in terms of online protection.

As an open source web platform, Drupal is scrutinised and updated by more than a million developers around the world. Drupal also has a dedicated team of security experts, an impressive track record, and a robust process for investigating and overcoming security vulnerabilities as they arise.

In this section, we’ll consider the additional measures you can take to ensure your Drupal site is as secure as possible. We also recommend signing up to the Drupal security mailing list, and visiting Drupal.org for more information on secure site configuration.

top tips for Drupal website security

Here, we’ve pulled together the most important actions to undertake to keep your Drupal website protected and secure.

1. Update Drupal core & modules

Outdated software is a common security vulnerability, so it’s vital to keep your website up to date with the latest releases of Drupal core and any modules/themes.

Updates are designed to patch security weaknesses and improve overall performance; without them, your site is wide open for hackers to target. Read our section above for full details on how to update your Drupal site software.

2. Secure your login

Another common way that Drupal sites are hacked is through insecure passwords. Typically, access is gained through brute force attacks where hackers repeatedly attempt various password combinations until one is successful.

Drupal automatically limits brute force attacks, preventing user logins for six hours after five failed attempts have been made. However, strong passwords also provide an important defence against such hacking.

Strong passwords include a combination of letters (mixing upper/lower case and ideally not using dictionary words), plus numbers and symbols. The longer the password, the more secure it is – 12-14 characters is an ideal length.

Using strong passwords applies not only to your Drupal website administrator login but also for any other website-related accounts, such as your custom email address and phpMyAdmin login. If you find it difficult to think of passwords, try using a password generator. And if you find it difficult to remember passwords, try using a password manager.

For additional security, you can set up two-factor authentication (2FA) on your Drupal site. 2FA requires users to login in two stages – by firstly, entering a username and password, and secondly, by entering a one-time passcode delivered by text message, email or authenticator app.

You can add two factor authentication to your Drupal site with the Google Authenticator module. You’ll also need to download and set-up the Google Authenticator app on your phone or device.

Once the 2FA module is installed, you’ll have to type in a 2FA code to login to Drupal. To generate this code, simply go to your Google Authenticator app. It’s worth bearing in mind that two-factor authentication isn’t compatible with all Drupal modules and themes, so we recommend speaking to your Drupal support agency before installing.

3. Manage user accounts & permissions

Your Drupal site needs different types of users (and different user accounts), each with different permissions to make website changes. You can find out which users are registered on your site and what capabilities they have under ‘People’ in your Drupal back-end.

The more users (and logins) you have for your site, and the greater access and permissions users have, the more your site is at risk if it’s ever hacked. It’s therefore advisable to review your users regularly to ensure that people have the correct permissions. You should also delete user accounts when people are no longer contributing to your site.

The main Drupal role capability options (in decreasing order of power/permission) are Administrator, Editor and User. However, Drupal’s flexibility means that you can create any number of different roles with different permissions.

In the basic role capability options, administrators have the greatest capacity make changes on your Drupal site, including adding and editing users. This role should therefore be reserved only for the Drupal website owner and a limited number of other trustworthy users. It’s also absolutely essential that all administrators have strong passwords (as explained in point 2 above).

For other editors/users – who are creating, modifying or just accessing content – it’s best to assign roles with fewer permissions. This will mean there’s a less substantial risk if the profiles are ever hacked.

It’s also worth checking your file permissions for maximum security. Certain core files and directories, such as upgrade.php, index.php and authorize.php should be kept locked so they can be amended by administrators only.

The easiest way to do this is by with the file permissions set of Drush commands, though this requires full root access to your server. For further information and alternative ways to change file permissions, read Drupal.org’s securing file permissions guide.

4. Use HTTPS

If your website isn’t HTTPS, you’re massively increasing your security risk.

Without HTTPS, hackers can interfere in the communications between your website and users/browsers. Because of the importance of HTTPS, Google displays a ‘not secure’ warning on HTTP sites, thus meaning you’re also likely to be losing significant traffic if you don’t have HTTPS.

Luckily, it’s super-easy (and free!) to transfer your site to HTTPS. You just need a Secure Sockets Layer (SSL) certificate, which you can get from Let’s Encrypt or through your hosting provider.

Once your SSL certificate is activated, your URL will become HTTPS (instead of HTTP) and a padlock sign will be displayed in the URL bar, thus indicating that your site communications are secure.

5. Choose secure hosting

All good hosting providers include security protection to keep your website files and information safe on their servers.

We discuss how to choose a hosting provider, including the key factors to consider, below. But it’s worth reiterating here that having secure hosting is an important part of general site security.

We recommend checking with your hosting provider about their security measures and procedures. This will be particularly important if your website includes sensitive data or you’re on a shared hosting plan, which leaves your site more vulnerable than with a dedicated server.

You may also want ask your hosting provider whether they support HTTPS sites, if they include encryption (if needed), and how they ensure compliance with GDPR data protection laws.

6. Add security modules

There are countless great security modules that you can add to your Drupal site. Here, we share just a few of our favourites:

  • Security Kit: This allows you to add various additional security options to your Drupal site, including content security policy implementation and clickjacking prevention.
  • Security Review: This handy module automates testing for the most common Drupal security weaknesses and provides a checklist of improvements needed.
  • Capcha: This adds a capcha field to your contact forms, thus preventing non-human, spambot submissions.
  • Coder: This checks your Drupal website coding against best practices and standards, and highlights any coding issues that are causing security weaknesses.
  • Automated Logout: This allows you to logout users after a period of inactivity, thus reducing the risk of hacking via user accounts.

Once you’ve installed your preferred security modules, make sure to select the most appropriate settings and to keep them regularly updated (see point 1 above).

7. Clean your database

By keeping your Drupal database as clean and up-to-date as possible, you reduce the risk of malware and ransomware infections. It’s therefore a good idea to regularly check your database and delete anything that is no longer needed.

Make sure you always backup your site before cleaning your database – just in case you accidentally remove something important!

The easiest way to check through and remove old database items is with the Clean up module. Alternatively, if you’re more technically-knowledgeable, you can use phpMyAdmin.

For this option, you’ll need to put your site in maintenance mode by going to Administration > Configuration > Development > Maintenance mode. This will take your site temporarily offline for visitors so it’s advisable to wait until a low-traffic period.

8. Block bots

Automated bots and crawlers are constantly trawling the internet for vulnerabilities to hack or exploit. They therefore pose a significant danger to your Drupal website.

We’ve already mentioned using the Capcha module to prevent bots from making contact form submissions. The Honeypot module is another popular option for reducing Drupal form submissions by bots. The SpamSpan Filter module is also a handy tool which prevents spambots collecting email addresses from your site.

However, it’s also often worth blocking bad bots at server level. You can do this either by speaking to your hosting provider or adding the following code to your .htaccess file:
RewriteEngine OnRewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]RewriteRule .* – [F,L] 

Just make sure you don’t block the Google crawling bot or you might find that your Drupal site suddenly disappears from Google’s search results! 

9. Scan regularly

To keep your site secure, make sure to scan regularly for security issues. You can do this with the Security Review module mentioned above, or with an online scanner such as Sucuri.

How long it takes to scan your site will depend on various factors such as how many web files you have and your server speed. Once the scan has been completed, any possible security errors and/or vulnerabilities will be listed.

Make sure to address any highlighted security issues as soon as possible. Sucuri has lots of information on how to resolve Drupal security problems, or you can always contact your Drupal agency for advice.

10. Backup, backup, backup!

Finally, regularly backing-up your Drupal site is a key part of site security. Backing-up means making and storing a copy of your website; this can then be used to get everything back online quickly in case of a security breach, virus or other issue.

The more frequently you backup, the less data you’ll lose if your site is ever hacked or infected. It’s also a good idea to keep three (or more) backups and store them in different locations – this gives the added security of protecting your site even if one backup fails.

For further information on how to backup your Drupal site, read our detailed backups section above. It may also be worth speaking to your Drupal support agency to see if they backups are included as part of their services.

what if my Drupal site gets hacked?

In case the worst ever happens, you need to be prepared. By following our tips above your Drupal site will be well-protected, but it’s also important to create a disaster recovery plan, detailing exactly what you would do if your website ever does encounter a security problem.

Your website disaster recovery plan should include the following details: your user account names and passwords; the steps you’ll take to resolve particular types of issues (for example, viruses vs cyber-attacks); where backups are stored and who manages them; how you plan to inform staff, users and other stakeholders; and any possible data protection or legal implications.

It’s usually a good idea to ask your Drupal development agency to write this for you to ensure it’s as technically robust as possible. However, if you’d prefer to draft it yourself, make sure to read Drupal.org’s information about how to respond to website hacking.


WordPress server wires

Drupal mobile optimisation

Having a mobile-friendly or responsive website is vital in today’s world, with the majority of internet browsing taking place mobile and tablet devices.

Screens on mobiles and tablets are substantially smaller than on desktop, so your website needs to be adapted so it can be navigated and read effectively. If mobile visitors have to keep zooming in/out or can’t see important information, then they’ll have a poor experience and will be likely to exit.

Mobile optimisation is an important factor in search engine algorithms, with Google prioritising mobile-friendly sites in its search results. In fact, Google generally uses the mobile version of sites for indexing and ranking. This means mobile-friendliness is key if you want your website to gain organic traffic.

Users are also often impatient for content to be displayed with half of people leaving sites which take more than two seconds to load. Combine this with the on-the-go nature of mobile browsing and slower internet connections (such as 4G), and it’s clear that web speed is another must for mobile optimisation. We explain all about how to boost your Drupal website speed in our speed optimisation section.

Fortunately, if you have a Drupal 8 site (or later version), then you’re already set for mobile users! Drupal 8 was made with mobile in mind and has more than 100 features as standard to ensure your site can be displayed beautifully across devices.

The Drupal 8 core features include:

  • mobile responsive themes
  • automatic scaling and resizing of images
  • responsive elements and tables
  • web accessibility
  • back-end administration on mobile

However, it’s still worth thinking about and optimising your site design in terms of mobile. You can do this by focusing on your key messages and avoiding excess imagery, fancy graphics and surplus information that is likely to confuse and distract visitors on small screens.

If you have a website using Drupal 7 core (or an earlier version of Drupal), then there’s a bit more work needed to get everything in mobile-friendly shape. But fear not, as we’ll guide you through exactly how to check your site’s mobile compatibility and improve mobile functioning below.

how to check Drupal mobile friendliness

We recommend two great, free tools to check your site’s appearance and compatibility on mobile.

Firstly, the Responsive Test shows how your site is displayed on different screen sizes. This gives an important insight into what mobile and tablet users see when they visit your Drupal site.

Secondly, Google’s Mobile-Friendly Test rates specific webpages, determining whether or not they’re mobile friendly. It’s worth checking your homepage and any other key URLs, such as your online shop and/or event booking pages.

Once you’ve completed these two tests, you can use these as a baseline and see how things improve after following our mobile optimisation tips.

optimising Drupal 7 for mobile

By far the best way to ensure your Drupal site design is mobile-friendly is with a responsive theme. This ensures your Drupal 7 content is displayed appropriately and appealingly on every device.

By being responsive, rather than having a separate mobile version of your site, you only need to make site changes once. For example, if you change the desktop version, then your edits are automatically applied across other screen sizes.

You can check your theme’s capabilities and features in this Drupal.org list. Most modern themes are responsive but if you have an older theme, it may be worth switching.

Alternatively, you can use specific modules to add mobile-friendly features to your website. For example, the Mobile module removes CSS so that your site displays more easily on mobile. However, there are countless mobile-focused modules with more advanced capabilities, so we recommend speaking to your Drupal development agency for advice about your specific needs.

In addition to optimising your site design, it’s also essential to reduce image sizes for mobile users. The larger your images, the longer everything takes to load. This is particularly important on mobile, where visitors typically expect rapid results.

Ideally, you should crop and compress images before you upload them to your website. Tools such as Photoshop, Pixlr and Resize Image are great for this purpose. It’s also well-worth installing a specialised module such as Image Optimize to further compress and optimise images for different devices.


Drupal website hosting

choosing Drupal website hosting

Having reliable, specialist Drupal hosting is vital to ensure your site’s performance and success. But with countless hosting providers advertising for business, it’s often difficult to know where to start or how to choose the right one for you.

In a nutshell, web hosting involves storing a website and providing infrastructure so it can function on the internet. Hosting providers have servers which hold website files remotely and then deliver these files for display on users’ browsers.

In paying for a hosting provider, you’re basically renting out storage space and processing power for your website on the host’s server.

types of Drupal website hosting

What type of hosting need for your Drupal site will depend on factors such as your website’s size, where your company is based, and how much traffic you get. Here are the main types of website hosting available.

Shared hosting: This is the cheapest and most popular hosting type, where a large server is shared by multiple, different, small sites. It’s a bit like living in an apartment block – cheaper than owning a house, but you need to share communal resources (such as the server’s processing power) with other residents/website-owners.

Virtual Private Server (VPS): This is where multiple websites share a server (and its resources), but each website has its own designated space. This gives website owners more customisation options and greater storage capacity than in shared hosting, making it a great mid-cost option for larger sites.

Dedicated server hosting: This involves renting a whole server just for your website – a bit like having your own house. It gives you full control over options including security, operating system and hardware and is therefore a great option for the largest and most traffic-heavy websites. However, it’s also the most expensive option, and may require technical knowledge to manage and maintain the server.

Cloud hosting: This usually involves having a designated space inside a server (like VPS hosting), but the server is virtual rather than physical. Cloud hosting is generally a great option for flexibility as it means you can easily increase or decrease your website’s storage space as needed.

how to choose a Drupal hosting provider

There are various factors to think about when choosing a Drupal website hosting provider – we recommend considering the following:

  • Expertise: is the hosting provider a Drupal specialist? It’s important that they understand your Drupal-specific needs. Some hosting providers even include Drupal server tools such as Drush and Composer as standard.
  • Reliability: does the hosting provider offer fast and reliable website hosting? You wouldn’t want your website to be slow or keep crashing. It’s worth asking other customers about their experiences and checking the hosting provider’s track-record.
  • Security & compliance: the vast majority of UK (and EU) websites need to comply with GDPR laws and therefore need strong security protection in place. It’s worth checking how your hosting provider ensures compliance with data protection laws, and also asking if they include encryption or other security measures if needed.
  • Support: when is the hosting provider open for support and how can you contact them? For large Drupal sites with high traffic levels, a hosting provider that can deal with problems 24/7 will be vital. Smaller sites may prefer a more cost-effective support service that only operates during working hours.
  • Flexibility: will you be signing up for a set package or can you change and customise your services as you go along? If you’re expecting (or hoping!) your site will grow in size and traffic, you’ll probably need flexibility to scale-up your server capacity.
  • Updates: will the hosting provider manage the server and arrange updates as needed? Updates are usually provided as part of hosting packages for shared and cloud hosting, but may not be on VPS/dedicated servers.
  • Location: this affects the speed of your site – the smaller the distance between your server and your web visitors, the faster your site is displayed. If you have a UK-based audience, it’s definitely worth choosing a UK-based server.
  • Value: finally, consider the cost of your hosting package and make sure it’s good value, affordable and meets your needs. It’s also worth factoring in the value/importance of ensuring your site is always functioning effectively. For example, paying a little less for a hosting provider that is unreliable could cost much more in the long-run in stress, time/energy and lost revenue.
Happy WordPress user

thanks for reading

We hope you’ve found this guide helpful and picked up lots of tips to get your Drupal site performing better than ever!

For further support, please get in touch and we’ll be happy to help. We’re an award-winning Drupal agency with more than two decades of experience providing on-demand Drupal support, maintenance and development.

Please also follow us on Twitter and LinkedIn for regular news, tips and updates.