Drupal site audit and evaluation

What areas does a Drupal site audit and evaluation cover?

Every Drupal site is unique, so every audit is too. After scoping the effort to match your site’s size and complexity, we align on your audit objectives and concentrate the analysis where our efforts will deliver the greatest level of impact and return on investment for your organisation.

Areas we typically assess include:

• Performance & scalability: Core Web Vitals, caching (Drupal, reverse proxy, CDN), image optimisation, render blocking, database/query efficiency, and load behaviour.
• Security: patch status, module risk, configuration hardening, headers, input sanitisation, file handling, secrets management, and third-party exposure.
• Custom modules: architecture, API usage, deprecated code, test coverage, stability, and upgrade paths.
• Theme & Front-end (incl. Accessibility): Twig practices, component structure, CSS/JS delivery, ARIA usage, colour contrast, keyboard support, semantics, and UX performance.
• Drupal configuration: content types, fields, views, workflows, caching, cron, search, and configuration management hygiene.
• Code quality & standards: adherence to Drupal coding standards, static analysis findings, complexity, duplication, and CI quality gates.
• Server & hosting: PHP/DB versions, opcache, web server tuning, TLS, backups, logging, and environment parity.
• Architecture: integration patterns, decoupling strategy, scalability, observability, and resilience.
• Users & permissions: roles, least-privilege access, editorial workflows, and audit logging.
• Technical on-site SEO: metadata, structured data, redirects, canonicalisation, sitemaps, and performance signals affecting crawlability.

This approach is grounded in validating your site against industry and Drupal best-practice standards, turning findings into clear, prioritised recommendations you can act on.

Further tools

In addition to Drupal-based modules, we use a range of external tools that reveal how your site is built, benchmark quality, and surface issues before they reach production:

• SonarQube: static code analysis with Drupal-focused rulesets, highlighting code smells, vulnerabilities and coverage trends
• Nessus & OWASP Zed Attack Proxy: penetration testing tools validate security posture, common OWASP risks and more
• Google Lighthouse: high-level audits across performance, accessibility, SEO and best practices, with clear scoring and fixes
• New Relic: monitoring to highlight slow transactions, expensive database calls and troublesome integrations
• Sentry: real-time error tracking with rich stack traces and
• axe/Pa11y: automated accessibility checks that detect common accessibility problems and suggest remediation

Together, these complement our Drupal audits across security, performance, code quality and accessibility.

Who will complete the audit?

We bring together a senior, cross-disciplinary team to ensure depth, breadth and balance across front-end code, back-end code, and infrastructure:

• Senior Drupal Developer (Acquia Triple-Certified): deep review of configuration, architecture, security posture, code quality and custom modules, including deprecated API usage and upgrade paths.
• Senior Drupal Themer / Front-end Developer (Acquia Front-end Specialist): assessment of the theming layer, component implementation, UI performance and accessibility conformance.
• Senior System Administrator: analysis of hosting estate, server configuration, caching layers, performance tuning and security hardening.
• Technical Architect (10+ years’ Drupal experience): validates overall solution design, risk, scalability and maintainability; shapes the prioritised remediation roadmap.

All findings are consolidated and peer-reviewed by the Technical Architect and/or the Zoocha Technical Director, ensuring recommendations are feasible, sequenced by impact/effort/risk, and presented in a clear, secure final report for your team.