Drupal CheckDrupal quick tips and tricks before going live!

When developping a module, we often use some commonly used PHP functions. As you may not know Drupal provides some overrides for these functions. They are often related to strings, they have the same name as their PHP native equivalent except that they are prefixed with drupal_. Here is a list of PHP functions you should replace with its Drupal equivalent:

• Replace strlen() with drupal_strlen()
• Replace strtoupper() with drupal_strtoupper()
• Replace strtolower() with drupal_strtolower()
• Replace ucfirst() with drupal_ucfirst()
• Replace substr() with drupal_substr()
• Replace eval() with drupal_eval()
• Replace clone with drupal_clone()

For more on this, you should read includes/unicode.inc and includes/common.inc.

Having an .htaccess file is a pain regarding performances. Apache needs to read it on every single request (the page, every image, CSS files, JS files, etc.).

It is strongly recommended to move rules defined in Drupal .htaccess file in your Apache global configuration or in your vhost configuration file. This way all rules are only loaded 1 time, during Apache start.

To achieve this, just copy/paste your .htaccess content in your Apache server configuration file and don't forget to surround it by the directory where your Drupal install resides.

Note that we added AllowOverride None to prevent Drupal .htaccess to be read by Apache.

Check for syntaxe error:

$ apachectl configtest

And restart Apache:

$ apachectl restart

Note that if you are on Plesk, you must use the following command before restarting Apache:

$ /usr/local/psa/admin/sbin/websrvmng -u --vhost-name=example.com

If you what Pathauto to transform caracters with accents into simple letters like:

• éèêë to become e
• àâï to become a

You must enable in Pathauto the option Transliterate prior to creating alias. But by default, you can't tick the checkbox.

You first need to rename a file. From within the Pathauto directory, rename i18n-ascii.example.txt to i18n-ascii.txt. Once renamed, you can enable the option from the Pathauto settings form.

Drupal comes with a set of TXT files at root level (things like install instructions, upgrade instructions, etc.). To avoid malicious users to have information on the Drupal version you are using, it is strongly recommended to remove those files.

From the root directory of your installation, remove the following files:

• CHANGELOG.txt
• COPYRIGHT.txt
• INSTALL.mysql.txt
• INSTALL.pgsql.txt
• INSTALL.txt
• LICENSE.txt
• MAINTAINERS.txt
• UPGRADE.txt

Whether or not these files contains security information (like Drupal version for example), the all contain a CVS header that gives a really precise version information on your Drupal installation.

Create a node (a page content type for example) with some extra information so that your visitors don't ever fall on the default 404 page not found.

Once this node is created:

• Remember its node ID,
• Go to Administer > Site configuration > Error reporting
• Set Default 404 (not found) page to the node ID you just created
• Save your settings

You can alternatively use the Search 404 module.

Considering the domain name drupal-check.org, we want to redirect all users accessing your website from http://drupal-check.org to http://www.drupal-check.org.

Edit .htaccess file from the root directory of your Drupal installation, find the <IfModule mod_rewrite.c> section and uncomment the following lines, replacing example.com with your own domain name, in this example drupal-check.org:

More information is provided in the .htaccess file itself.

It's highly recommended that you protect user with uid 1, i.e. the one who has life and death rights on your Drupal installation.

Disallow user 1 deletion:

• Install Protect Critical Users

Disable user 1:

• Be sure to have at least one user (other than uid 1) that has the permission administer users from user module.
• Login with this account (again other than uid 1)
• Go to Administer > User management > Users
• Edit user with uid == 1
• Set Status to Blocked
• Click Save

Now user 1 can't login to your website. No more risk for password discovery for this account.

Please note that you should check enabled modules code, sometimes they use user 1 to achieve some tasks. And this could break some modules features. So use with caution.

Use full PHP tags

Write:

Don't write:

Semicolons
Write:

Don't write:

No closing tags
When writing a module or customizing your theme template.php, don't use PHP closing tag ?>.

Notice that at the bottom of the following snippet, there is no PHP closing:

By doing this you prevent PHP interpreter to stop and restart on the next source code file. This mean better performance.