How to audit Drupal Sites

2016.08.13 | DrupalCamp Colorado 2016

Jon Peck

Software Architect at Four Kitchens

github.com/fluxsauce - drupal.org/u/fluxsauce

Software Architect at Four Kitchens, architected sites like Entertainment Weekly and Successful Farming at Agriculture.com

13 time lynda.com author, including Drupal and PHP development courses

Worked at Pantheon as a Senior Customer Success Engineer for a year; launched and troubleshot countless Enterprise sites, authored Pantheon Academy training videos, Varnish checker, site audit

What is an audit?

Official inspection of accounts
Validate the good things
Highlight areas of improvement

An audit is an official inspection of an individual's or organization's accounts, typically by an independent body.

Audit is not a dirty word. An audit can validate the good things that you are doing, in addition to highlighting areas of improvement.

Why audit sites?

Learn about contents and structure
Ensure optimal configuration
Discover areas of improvement

Every site is unique, but...

Built with the same framework
Similar architectural requirements
One size fits most

Effective auditing

Consistent
Quantifiable
Contextually aware
Easy to understand
Actionable recommendations

Auditing Tools

Yup, it's wood.

Site Audit

drupal.org/project/site_audit
Drupal 7 and 8 site  analyzer
Drush command on  target platform
Powers Launch Check  on Pantheon

Best Practices - configuration Block - caching Cache - settings, backends Codebase - size of code, files Content - content types and vocabularies Cron - frequency Database - collation, engine, size, rows Extensions (Modules and Themes) - count, dev, disabled, duplicate, missing, unrecommended, version Front End - integrates with Google PageSpeed Insights, WebPageTest.org and others System Status - ask Drupal for its own status Security - brand new, scanning for exploits Users - count, blocked, roles, admin Views - caching, enabled views Watchdog - 404s, age, count, php errors, syslog

What doesn't Site Audit analyze?

Usability and site experience
Aesthetics
Semantic content

Read the Full Manual

drush help --filter=site_audit

Audit Cache

drush audit_cache

Show detailed results

drush ac --detail

JSON output

drush audit_cron --json

HTML output

drush audit_best_practices --html --detail

Audit All

drush aa --skip=insights --html --bootstrap

Extending Site Audit

Modules can implement both Checks and Reports
Documentation in README.md
Drupal.org Issue Queue
GitHub Pull Requests

Share your Checks and Reports!

Site Audit Drupal Console Support!

8.x-3.x-dev - work in progress...

Tools with Site Audit support

Unused Modules

drupal.org/project/unused_modules
Lists projects that can be safely deleted
Ignores disabled child modules

Security Review

drupal.org/project/security_review
Checks site and hosting configuration, site content

Hacked!

drupal.org/project/hacked
Compares contrib with versions on drupal.org

Sensitive Data

drupal.org/project/sensitive_data
search content for sensitive information, like credit card or ID numbers

Cache Audit

drupal.org/project/cacheaudit
Caching settings of Drupal core, Block, Views, Panels
Panels is unique (not in Site Audit)

PHP_CodeSniffer / Coder

github.com/squizlabs/PHP_CodeSniffer
drupal.org/project/coder
- Use Drupal 8 version to analyze code on both 7 and 8
Drupal and DrupalPractice sniffs
Detect deviations from Drupal Coding Standards

PAReview.sh

pareview.sh
Automated reviews of drupal.org projects

PHP Tools

PHP Copy/Paste Detector - github.com/sebastianbergmann/phpcpd
PHP Mess Detector - phpmd.org
- Possible bugs, suboptimal or unused code, overcomplicated expressions
PHP LOC - github.com/sebastianbergmann/phploc
- Measures size and structure

Git Tools

GitStats - github.com/hoxu/gitstats
gitinspector - github.com/ejwa/gitinspector

JavaScript Tools

ESLint - eslint.org
- Pluggable linting utility for JavaScript and JSX
- Official configuration in Drupal 8 core/.eslintrc
JSCS - jscs.info
- JavaScript Code Style
JSHint - jshint.com
- Detect errors, potential problems

Use a runner or a script, like gulp, grunt or node.js

Hosted Utilities

WebPageTest.org

webpagetest.org

Google PageSpeed Insights

developers.google.com/speed/pagespeed/insights

WAVE Web Accessibility Tool

wave.webaim.org
Analyzes web pages for accessibility
Actionable recommendations on how to fix problems

Qualys SSL Server Test

ssllabs.com/ssltest
Analyzes SSL configuration

Delivering an audit

Report Structure

Overview of scope, requirements
Actionable recommendations
Appendix
- How to install and use tools
- Raw results

GitBook for publishing reports

github.com/GitbookIO/gitbook
Book format and toolchain using Git and Markdown
Command-line, uses Node.JS
Outputs HTML, PDF, ebooks, and more
Incredibly useful for large structured reports

Editing GitBook structure

GitBook HTML Format

Site Audit co-maintainer wanted.

Interested? Submit an issue.

Good configuration matters.

Thank you! Feedback: goo.gl/8cg3Cn

slides | @fluxsauce | @fourkitchens

How to audit Drupal Sites – 2016.08.13 | DrupalCamp Colorado 2016 – Jon Peck

fluxsauce

How to audit Drupal Sites – 2016.08.13 | DrupalCamp Colorado 2016 – Jon Peck

0 1 (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/platform.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();