If you have a Drupal site and you need to go to production, here is the list of going to production for the first time.
Making sure the reverse proxy configurations are set and Drupal can know the real IP of each user.
Make sure to restrict access to these folders and files: `/core/tests` AND `/core/scripts` AND `/core/install.php`.
As a security move, you should hide any common things that will allow visitors to know the scripts that you are using on your site. One of the simple things is the generator information.
If you have users you may want to download and enable the password policy module to help your users to protect themselves.
If you still don't believe in Captcha, you should do, please. At least you can use some smart ways to prevent spammers. Make sure the captcha or any solution that you will use is working well on your website. Especially on Contact us form or any form for visitors.
- CAPTCHA : Provides CAPTCHA for adding challenges to arbitrary forms.
- Honeypot : Mitigates spam form submissions using the honeypot method.
- CleanTalk : Antispam service from CleanTalk to protect your site.
- Human Presence Form Protection : Human Presence is a fraud prevention and form protection service that uses multiple overlapping strategies to fight form spam.
- Recaptcha Element : Provides a Webform Handler that allows you to enable reCAPTCHA protection on a webform using the webform UI.
You can download and configure the CSP contrib module. This is a powerful module. Beware that this module might broke your site CSS and JS while it is enabled since it will block some external files like some CDN and any external services. And you need to allow these URLs in the configuration section of this module.
In case you use Google Analytics check if you already finished the setup of Google Analytics or you should do so.
When you are going to production, it's better to disable any UI modules and some modules like `Update manager` module to avoid any performance issues.
If your site does not need any visitors to register by themselves make sure to disable user registration. You can navigate to Home > Administration > Configuration > People > Account settings.
Check the site name in and the site mail and the default home page. You can navigate to Home > Administration > Configuration > System > Basic site settings
If you still didn't upload your Favicon you may want to upload yours now.
For me, this is the first thing that I do always. The `/node` page is created via Views and can be disabled from the views page list. Make sure you are not using it as a home page before disabling it.
Review all views permissions. Are the domain will be public. Are you sure your views not exposing any private content?
Check and disable showing errors from Config > Development > Logging
Setup the cronjob every minute. You can do that by running the needful drush command.
Files folder permissions. Make sure Drupal can create folders inside the file. (try to upload any test file).
If you are using Google Analytics, after going production double-check the Google Analytics and make sure it is working well and counting your visitors. Sometimes you may realize that you missed it.
Test email sending functionality on production. Can users reset passwords?