How to evaluate whether your Drupal partner is doing good work

Good Drupal development shows up when something goes wrong — or doesn't. Here is what to ask and what to look for before you reach that point.

Clients of web projects are often in a position where they are paying for work they cannot evaluate themselves. Drupal development is a technical field — how do you know whether your partner is doing good work?

Signs of good work

Regular security updates without a special request. A good Drupal partner handles security updates as an automated process, not only when the client asks. Ask: "When were security updates last applied? How does that process work?"

A test environment before production. Every change should go through a test environment before reaching the live site. If the partner applies changes directly to production, that is a risk.

Documented code and change log. Every piece of work should leave a trace — what was done, why, when. Without this, transitioning to a new partner later is unnecessarily difficult.

Composer-based workflow. Modern Drupal development uses Composer for dependency management. If the partner uploads modules via FTP, that is an outdated and risky practice.

Version control (Git). All code changes should be tracked in Git. This enables rollbacks, collaboration and auditing.

Red flags

"Everything is fine, nothing to worry about." Without specific indicators, this is empty reassurance. What Drupal version is running? When was it last updated? Which modules are in use?

Cannot say which Drupal version is running. The partner should know which version the site is on and when end-of-life is expected.

High-rate "quick fixes" every month. Quality development keeps the platform in a state where emergency fixes are rare — not monthly.

Refuses an independent audit. A good partner is not afraid of the client commissioning a technical audit from an independent party.

Direct database changes without code changes. Drupal configuration should live in code (Configuration Management), not just in the database. Direct database edits mean changes disappear on the next deployment.

Questions to ask

  1. Which Drupal version is running and when does it go end-of-life?
  2. How does the security update process work? When were updates last applied?
  3. Is there a test environment? How do changes flow from test to production?
  4. Where is the code stored? Who has access?
  5. Are there automated tests? What do they cover?
  6. What does "project handover" look like if we switch partners?

Independent audit

If you have doubts about your partner's work quality, commissioning a technical audit from an independent party is a sensible step. An audit reveals the platform's actual state — security update status, module version problems, code issues and performance concerns.

WebPro carries out Drupal audits in situations where clients are changing partners or want an independent assessment before signing a new contract.

Kaido Toomingas, WebPro Company OÜ