Dr . Upal Is In:

Healthcheck your site!

 

use ←↑↓→ or <SPACE>

"Where's the links?"

socketwench.github.io/healthcheck-your-site

 
 
 
 
 

We create and care for
Drupal-powered websites.

Minneapolis, MN (Mostly!)

Services

Site and hosting migratiton

Drupal 8 upgrades

Site audits

Process consultantcy

@TEN7
hi@ten7.com

"But my site is fine!"

Every site is healthy

...until it isn't.

Reasons to healthcheck

Errors, breakage, malicious content

Poor performance

"It's your site now."

A feeling isn't an healthcheck

...but a feeling is a sign you need one.

 
 

Smoke testing

Check if you're on the right path

Can be difficult to check in-house

 

It's better to know and plan

...than just hope for the best.

Checking the basics

Checking for updates

Yes, really.

The most basic, important thing you can do!

Using the Update Report

Admin > Reports > Available Updates

I can't find it!

Provided by the Update Manager module

May be disabled on production sites

Enabling Update Manager

Admin > Extend

Don't panic!

Your site won't be a "sea of green"

Look for Red

Security updates, unsupported modules

Take Action ASAP!

Look for Red

Security updates, unsupported modules

Take Action ASAP!

Out-of-date Modules

Some sites break if updated!

Always ask your team first!

 

Status Report

Overview of your site

Admin > Reports > Status

Look for red

Misconfigurations

Updates required

Down connections to external services

Caching

Admin > Configuration > Development > Performance

Caching best practices

CSS and JS files Aggregated

Page cache maximum age set*

* Most sites

Check your log

Don't look for specific errors...

...look for frequency of severe errors!

Using the DB Log

dblog enabled for most sites

Admin > Reports > Recent Log Messages

Automating Checks

Site Audit module

Gathers data, runs best practice checks

drupal.org/project/site_audit

Requires drush

Command Line tool for Drupal

docs.drush.org/en/master/install

Installation for D7

drush en -y site_audit

drush cc drush

cd path/to/your/site
drush aa
  --html
  --bootstrap
  --detail
  --skip=insights
  > path/to/report.html

Best Practice Checks

Read them all!

Highest value checks in the whole report

Caching Settings

Best performance value for small sites

Consider Page cache maximum age carefully!

Status and Updates

Same as Update Manager and Status Report

Replaces manual steps, no login needed!

Content checks

More FYI than problem-finding

Does not replace a content audit

Technical stats

File, code, DB sizes

Sometimes useful! Depends on your site.

Healthcheck module

Not a Drush command!

Monitors continually, pluggable notifications

Currently in beta!

Installing Healthcheck

composer require drupal/healthcheck

Enable like any module

Running an Ad hoc report

Admin > Reports > Healthcheck

Action-oriented, priority ordered report

Email notifications

Send healthchecks to your inbox

Customizable messages, full reports or criticals

Historical reports

Monitor how your site improves

Views-based, customizable

Help us out!

drupal.org/project/healthcheck

Infrastructure checkups

Where're you hosted?

Shared hosting

Managed hosting (Pantheon, Acquia)

Self-managed (VPS, internal)

Still happy with it?

What was your primary motive?

Is that still true?

Enough memory?

free utility

Shows used, free, and available memory

$ free -h
        total    used    free   shared  buff/cache   available
Mem:     15Gi   3.8Gi   4.1Gi    1.7Gi       7.7Gi         9Gi
Swap:    31Gi    77Mi   31Gi
(Scroll right)

What about disk?

df or "disk free" utility

Free space, not performance

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
dev             7.8G     0  7.8G   0% /dev
run             7.8G  1.9M  7.8G   1% /run
/dev/nvme0n1p3  434G  142G  270G  35% /
/dev/nvme0n1p1  599M   42M  558M   7% /boot

CPU load

top utility

Look for idle or id percent

Mem: 12541644K used, 3767604K free, 1816292K shrd, 965248K buff, 6908000K cache
CPU:   1% usr   0% sys   0% nic  96% idle   0% io   0% irq   0% sirq
Load average: 0.70 0.87 0.92 4/1173 264
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
   29     1 apache   S     373m   2%   1   0% /usr/sbin/httpd -D FOREGROUND -f /
   30     1 apache   S     368m   2%   3   0% /usr/sbin/httpd -D FOREGROUND -f /
   33     1 apache   S     368m   2%   2   0% /usr/sbin/httpd -D FOREGROUND -f /
   32     1 apache   S     368m   2%   0   0% /usr/sbin/httpd -D FOREGROUND -f /
  139     1 apache   S     368m   2%   2   0% /usr/sbin/httpd -D FOREGROUND -f /
    1     0 apache   S     368m   2%   0   0% /usr/sbin/httpd -D FOREGROUND -f /
   42     0 apache   S     6244   0%   1   0% /bin/bash
  263    42 apache   R     1532   0%   0   0% top
(Press q to quit)

Managed Hosting

Typically do not need auditing

Memory, disk, CPU typically auto-scaled

Managed Hosting

Typically do not need auditing

Memory, disk, CPU typically auto-scaled

PHP Version

D8 should always be on PHP 7!

For D7, try PHP 7, otherwise PHP 5.6

"Updating" PHP

Actual 5.x to 7.x updates are rare

Better to move to new server/hosting

CLI vs. Web PHP

PHP version (x.y) should always match

Configuration may differ, but only minor

Checking Web PHP

Best done through the web UI

Admin > Reports > Status

Checking Web PHP

Best done through the web UI

Admin > Reports > Status

$ php --version
PHP 5.6.33 (cli) (built: Feb  7 2018 15:35:50)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
with Xdebug v2.5.0, Copyright (c) 2002-2016, by Derick Rethans

As your site grows...

...you can outgrow your hosting.

Auditing modded code

Mods aren't "hacks"

Not malicious!

Intentional modification of core & contrib code

Why mod?

Expediency, lack of knowledge, bug fixes

Unaware of "offical" patching process

Hacked! module

Compares installed core & contrib against D.O

Version aware

When to use

You use ftp (not git or CI) to deploy

You haven't updated in ages

You suspect a breach

Installation

composer require drupal/hacked

drush en -y hacked

Run against Live

Not your local!

Untracked, "cloaked" files

Running the report

Admin > Reports > Hacked

False Positives

Minor changes can flag a module

Missing READMEs, line-endings, best-practice changes

Getting detailed results

Install the diff module

Displays individual line changes

Going Legit

Create patch from changes, add to site repo

Post to D.O if broad benefit

Right way to mod

Use cweagans/composer-patches

Refer to the patch on D.O if posted

Modding isn't wrong

...but it needs to be done right

Hacks and Recovery

Signatures

Clues that imply a hack

eval() + base64_decode()

Common way to unpack, execute exploit code

Scanning code for Hacks

Hacked! report, grep utility

Look for duplicate files & modules

Check the logs?

Use only to corroborate a hack...

...not to detect one.

"Wildlife"

The 'net isn't a clean place!

Frequent drive-by attacks are common

DON'T PANIC

Breathe.

DON'T PANIC

Breathe.

Take the site offline

Better to be offline than compromised

User privacy, partner exposure, brand damage

Backup the hacked site

You need a working copy to examine

Place it in an air-gapped system

When were you hacked?

Requires some sleuthing

Tie to missed module or core security release

Find a clean backup

DB, code, and files from before the hack

Be sure it isn't compromised!

Update the clean backup

Apply all security updates and patches

Copy content over manually

Back it up again

Avoid rebuilding a second time

Site may still be exposed in other ways

No Backup?

Clean up what you can

Accept risk of follow-up hacks

Throw away and rebuild

Really. Assume it's comprimised.

Invalidate all passwords and start over

 

Throw away and rebuild

Really. Assume it's comprimised.

Invalidate all passwords and start over

 

You will be hacked

...but you can be prepared.

Remediation

Recover from hacks first

Restore to a clean state, then...

...apply all security updates.

Then, fix all the easy stuff

Disable bad-practice modules

Best practice config changes

Then, fix all the easy stuff

Disable bad-practice modules

Best practice config changes

Then, fix all the easy stuff

Disable bad-practice modules

Best practice config changes

Statistics module

Does a DB write on each request!

Rarely needed, as other analyics are used

PHP Module

Executes PHP code in content

Instant security vulnerability!

Uninstalling PHP module

Check text-formats, use of Views PHP first!

Test for breakage, then uninstall.

Duplicate modules

Confusing, causes missed updates

Can be sign of a hack

De-duping modules

Remove, drush cr && drush updb

Test locally first!

Audit != Performance Analysis

Different tools, approaches

Time and brain intensive process

Remediation is a process

Not a fix.

Mistakes were made

It's not broken...

...but it's not working (well) either.

Why does this happen?

Inexperience, bad assumptions, changing priorities

Why does this happen?

Inexperience, bad assumptions, changing priorities

 

Too few content types

Articles and Basic Pages everywhere

Tons of fields, not all used

Too many content types

Differentiation only in name, not use or data

Press Release vs. Blog Post vs. News

Rethink Content Stategy

Do a content audit

Use card sorting to rediscover groupings

Drop old, irrelvent content

Merge, split types

Can be done manually or using Migrate

Per-node tasks via Views Bulk Operations

Reorganize

Update menus, build new sections

Use Pathauto and Redirect to keep SEO

Layout is not content

Gives site messy, inconsistent feel

Layout managers

Separates content from layout

Paragraphs, Panels, Block Visibilty Groups

Overuse, abuse of a feature

Causes gradual performance loss

Often unaware, or unintentional

Time for a new site?

Current site code unsupported

Cheaper, easier to rebuild than fix

"It's time for it."

Rebuilds easier on staff

"Rip the bandage off" approach

Enforce best practices from the start

Coodinate with a hosting change

Don't go alone

Bring in external help on a rebuild

Outside perspective, broader experiences

Do they audit?

Good "get to know each other" exercise

Informs better estimating

TEN7 does audits!

Flat pricing

Analysis and recommendations

hi@ten7.com

Look to the long term

Fast fixes bring brief benefit

Special thanks

Flyover Camp

@timplunkett, @wizonesolutions

TEN7

patreon.com/socketwench

Thank you!

socketwench.github.io/healthcheck-your-site