drutiny/plugin-drupal-8
Configuration development module is not installed
Name: Drupal-8:ConfigDevelDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module helps with developing configuration. Do not deploy in production environments. Exercise caution and always use version control.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | config_devel |
Cron last run
Name: Drupal-8:CronHasRun
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\CronHasRun
Cron should be run regularly to ensure that scheduled events are processed in a timely manner.
Parameters
Name | Type | Description | Default |
---|---|---|---|
cron_max_interval | integer | The maximum number of seconds allowed since the last cron run. | 86400 |
Cron running regularly
Name: Drupal-8:CronLast
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\CronLast
Making sure the cron jobs are running properly is key to a healthy Drupal site.
CSS aggregation is enabled
Name: Drupal-8:CssAggregation
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
With CSS optimization not enabled, your website visitors experience slower page performance and the server load is increased.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The config collection the config item belongs to. | system.performance |
key | string | | css.preprocess |
value | boolean | | true |
Database logging is not installed
Name: Drupal-8:DblogDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Drupal core database logging module can cause database performance issues in production. It is recommended to disable and uninstall this module. Use the syslog module in its place.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | dblog |
Memcache set as default cache backend
Name: Drupal-8:DefaultCacheMemcache
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare
Ensure the majority of your application caching is driven through Memcache by setting it as the default backend (usually as opposed to using the database).
Memcache is a better service for cache storage than the database, as it decouples cache performance from database load. This means slow queries will not impact cache performance (beyond any shared resourcing between the services).
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The key in settings.php to check. Use dot syntax to traverse settings array. | cache.default |
value | string | The value that should be set if the settings key exists. | cache.backend.memcache |
Devel module is not installed
Name: Drupal-8:DevelDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
A suite of modules containing fun for module developers and themers. Not recommended for production use.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | devel |
No duplicate modules found
Name: Drupal-8:DuplicateModules
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\DuplicateModules
Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.
Hide errors from screen (log only)
Name: Drupal-8:ErrorLevel
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.logging |
key | string | The key the config belongs to. | error_level |
value | mixed | The value to compare against the retrieved value. | hide |
Core Fast 404 Enabled
Name: Drupal-8:Fast404Enabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Core's fast 404 configuration allows Drupal to spend little time on 404 error pages that match the Fast 404 criteria.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | fast_404.enabled |
value | mixed | The value to compare against the retrieved value. | true |
Javascript aggregation
Name: Drupal-8:JsAggregation
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
With JavaScript aggregation not enabled, your website visitors experience slower page performance, especially on slower networks.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | js.preprocess |
value | mixed | The value to compare against the retrieved value. | true |
Kint module is not installed
Name: Drupal-8:KintDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Kint for PHP is a tool designed to present your debugging data in the absolutely best way possible. In other words, it's var_dump() and debug_backtrace() on steroids. Easy to use, but powerful and customizable. An essential addition to your development toolbox. Should not be used in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | kint |
Memcache module enabled
Name: Drupal-8:MemcacheEnabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Audit\Drupal\ModuleEnabled
This module provides integration between Drupal and Memcached with the following features:
- An API for using Memcached and the PECL Memcache or Memcached libraries with Drupal.
- Memcache backends for the following systems (all drop-in): Caching, Locking
- A module that provides a comprehensive administrative overview of Drupal's interaction with Memcached and stats.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | memcache |
Memcache extension set
Name: Drupal-8:MemcachedExtension
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare
In order for the memcache module to work, the PHP memcached extension must be available in the runtime environment. In addition, Drupal must tell the memcache module to use this extension (as opposed to the memcache extension).
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The key in settings.php to check. Use dot syntax to traverse settings array. | memcache.extension |
value | string | The value that should be set if the settings key exists. | Memcached |
Automated Cron module is not installed
Name: Drupal-8:NoAutomatedCron
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The automated cron module will hijack page requests in order to run cron. This has a performance impact for the unlucky end users whose requests are burdened with the task, unknowingly and without consent.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | automated_cron |
Backup and Migrate is not installed
Name: Drupal-8:NoBackupAndMigrate
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
With Backup and Migrate you can dump some or all of your database tables to a file download or save them to a file on the server or offsite, and restore from an uploaded or previously saved database dump. You can choose which tables and what data to back up; cache data is excluded by default. It is not advised to use this module in production if there are alternative options to obtain the same ends.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | backup_migrate |
No Experimental Modules in Use
Name: Drupal-8:NoExperimental
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\NoExperimentalCore
Drupal 8 core introduces the concept of experimental modules. These are modules that are provided with Drupal core for testing purposes, but that are not yet fully supported. Experimental modules are included in the Core (Experimental) package on the Extend page of a Drupal site (/admin/modules).
More information at https://www.drupal.org/core/experimental
Page cache expiry is set
Name: Drupal-8:PageCacheExpiry
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Page cache expiry informs upstream proxies such as Varnish and CDNs how long they may cache a page response before it should be considered stale and refetched from Drupal.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | cache.page.max_age |
value | integer | The number of seconds page cache should be considered valid for. | 3600 |
comp_type | string | The type of comparison to conduct. Defaults to equals. See Drutiny\Audit\AbstractComparison | '>=' |
PHP module is not installed
Name: Drupal-8:PhpDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | php |
Purge module enabled
Name: Drupal-8:PurgeEnabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Audit\Drupal\ModuleEnabled
The Purge module integrates other services into Drupal's caching strategy.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | purge |
Shield module is not installed
Name: Drupal-8:ShieldDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Shield module protects Drupal sites from prying eyes. It is often used to protect sites that are not yet live, but it should never be enabled for live sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | shield |
Simpletest module is not installed
Name: Drupal-8:SimpleTestDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Simpletest module is for testing purposes only and shouldn't be enabled in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | simpletest |
Statistics module is not installed
Name: Drupal-8:StatisticsDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module comes with Drupal core and attempts to track page view information. However, because Drupal often uses upstream page cache proxies, this module is often inaccurate and not worth the performance impact it causes.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | statistics |
Untrusted Roles with administrative permissions
Name: Drupal-8:UntrustedRoles
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\UntrustedRoles
Make sure administrative permissions have not been assigned to untrusted roles.
Parameters
Name | Type | Description | Default |
---|---|---|---|
untrusted_roles | array | The untrusted roles. | anonymous, authenticated |
Unused modules in the codebase
Name: Drupal-8:UnusedModules
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\UnusedModules
Update module is not installed
Name: Drupal-8:UpdateDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | update |
Administrator login is locked down (uid:1)
Name: Drupal-8:User1LockDown
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\User1
It is important to lock down user #1 in Drupal; this user is special and ignores access control.
Parameters
Name | Type | Description | Default |
---|---|---|---|
blacklist | string | The usernames of the uid:1 user that are considered forbidden. Expression may be a regular expression to match patterns. | (admin\|root\|drupal |
 | string | The email that the uid:1 user should have. If an empty string is provided then this check is omitted. | no_reply@example.com |
status | boolean | Ensures the uid:1 user status reflects the same as this argument. Defaults to active (1). | 1 |
User registration available to administrators only
Name: Drupal-8:UserRegistrationAdminOnly
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Anonymous sites should have user registration set to off to prevent spam registrations.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | user.settings |
key | string | The key the config belongs to. | register |
value | mixed | The value to compare against the retrieved value. | admin_only |
Webprofiler module is not installed
Name: Drupal-8:WebprofilerDisabled
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The web profiler is a developer module to help profile a PHP page load.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | webprofiler |
X-Drupal-Cache-Tags Header Disabled
Name: HTTP:X-Drupal-Cache-Tags
Package: drutiny/plugin-drupal-8
Class: \Drutiny\Http\Audit\HttpHeaderNotExists
X-Drupal-Cache-Tags is a debugging HTTP header Drupal sends to inform developers what cache tags are being utilised in an HTTP response. The header can be highly verbose on responses that use a lot of entities from both content and configuration.
This header should only be used in local development or in environment-specific debugging.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Drupal-Cache-Tags |