Last updated September 25, 2015. Created on February 19, 2005.
Edited by B_man, Zararalte, gdaw, nitishchopra.

If you are going to invest the time to set up a CMS, then you should protect your investment by following some simple best practices. These guidelines are only suggestions. It is up to you to decide what is appropriate for your site.

The following list contains some quick pointers (for more detailed information, see the list of articles at the bottom of this page):

  • Plan your site. Drupal provides a good toolset to help you build your site, but you should still develop a plan. Good wireframes and proper planning can help avoid significant misunderstandings and problems later.
  • Plan for the future. You should revisit and reevaluate your site each time there is a major version release of Drupal. This does not mean you have to upgrade it, but you should evaluate and plan for an upgrade approximately every 12-24 months. This also involves applying patches and upgrades, especially those released to fix security issues.
  • Get involved in the community. This will help you follow development trends and, while helping others, you may just come across a cool idea that solves your own problem. It is also one of the best ways to help strengthen your Drupal skills.
  • Back up your site. Back up both the database and the files on the web server. Test your backups! If you don't test them, you have no idea if your backup will actually work when you need it.
  • Use PHP snippets sparingly and carefully. Drupal gives you a great deal of power and flexibility when using PHP code in blocks. Unfortunately, a stray character or a missing semicolon breaks PHP. Drupal attempts to evaluate the broken code on every requested page, the PHP interpreter fails on it, and your whole site goes down. Worse yet, a PHP snippet entered by an unauthorized user can expose your entire website to attack. An outsider who gains PHP access to your site will be able to read and write anything in your database and do pretty much anything he or she wants. Do not grant permission to use the PHP format to anyone other than trusted site developers. When creating a block that uses the PHP input format, you can avoid the risk of the block taking down your entire website by first testing the code inside a temporary story or page node: select the PHP input format, write the code, and use Preview to debug it. When you are satisfied that the code works, copy and paste it into the block.
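
An added example (not from the original page or the Drupal project): a read-only audit of which roles may use the PHP format and which custom blocks are stored in it. It assumes Drupal 7 core table and permission names (`role`, `role_permission`, `block_custom`, `use text format php_code`) with no table prefix, and runs against a constructed in-memory SQLite stand-in; the `audit` function and the role names are hypothetical.

```python
import sqlite3

# Constructed stand-in for three Drupal 7 core tables (assumptions: Drupal 7
# schema, no table prefix, PHP filter format machine name "php_code").
SCHEMA = """
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
CREATE TABLE block_custom (bid INTEGER PRIMARY KEY, info TEXT, body TEXT, format TEXT);
"""
# Constructed sample rows: the "editor" role has been given the PHP format.
SAMPLE = """
INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
  (3,'administrator'),(4,'editor');
INSERT INTO role_permission VALUES
  (3,'use text format php_code','filter'),
  (4,'use text format php_code','filter'),
  (4,'use text format filtered_html','filter'),
  (2,'use text format filtered_html','filter');
INSERT INTO block_custom VALUES
  (1,'Footer links','<a href="/about">About</a>','filtered_html'),
  (2,'Copyright year','<?php print date("Y") ?>','php_code');
"""

# Roles whose members can submit text that Drupal will evaluate as PHP.
ROLES_SQL = """
SELECT r.name FROM role_permission rp JOIN role r ON r.rid = rp.rid
WHERE rp.permission = 'use text format php_code' ORDER BY r.name
"""
# Custom blocks whose body is evaluated as PHP wherever the block is shown.
BLOCKS_SQL = "SELECT bid, info FROM block_custom WHERE format = 'php_code' ORDER BY bid"

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def audit(conn, trusted_roles):
    """Return PHP-capable roles, those outside trusted_roles, and PHP blocks."""
    roles = [row[0] for row in conn.execute(ROLES_SQL)]
    return {
        "php_roles": roles,
        "untrusted_php_roles": [r for r in roles if r not in trusted_roles],
        "php_blocks": conn.execute(BLOCKS_SQL).fetchall(),
    }

if __name__ == "__main__":
    for key, value in audit(build_sample_db(), {"administrator"}).items():
        print(f"{key}: {value}")
```

Any role reported under `untrusted_php_roles` should lose the permission, and each block under `php_blocks` is worth reviewing by hand.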

The links below will explore some basic to intermediate best practices. If you're looking for advanced, programmer-type best practices, go to the Programming Best Practices pages.



Comment by JurriaanRoelofs:

Another best practice is to compare similar modules instead of installing the first module you find. For example, when looking for a breadcrumbs solution, a quick Google search for "comparison of breadcrumb modules" will bring you these 2 very useful pages: