Modern website checklist — security, performance, GDPR and AI readiness

The question is no longer only whether a website works. It must meet a range of parallel requirements — some regulatory, some technical, some tied to how search engines and AI agents read the web.

The context for running a website has shifted significantly over the past few years. Some changes have accumulated gradually: security headers, HTTPS, cookie consent, accessibility requirements. Others are newer: AI agents retrieve information directly from the web, search engines evaluate pages across different signals, and user devices are more varied than ever before.

The result is that a website today must meet multiple requirements simultaneously — requirements that are largely independent of each other, each owned by a different part of the team, and all affecting whether the site works as it should.

Security

Security has several layers that are often reviewed separately but affect one another.

Software versions. Outdated CMS, plugins and libraries are the most common entry point for attacks. Drupal 7 and 8 have reached end of life and no longer receive security patches. PHP versions below 8.1 are also unsupported. This does not mean a site breaks immediately — it means known vulnerabilities will not be fixed.

Security headers. Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, Referrer-Policy — these are HTTP response headers that tell the browser what the page is and is not allowed to do. Missing headers do not cause immediate harm, but they leave open attack vectors that are straightforward to close.
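One way to turn the header list above into a repeatable check, as an added example that is not part of the original article: the sample response headers are constructed, and the 180-day HSTS threshold is an assumed lower bound, not a value from the page.

```python
# Added example, not from the article: grade captured response headers against the checklist.
# Constructed sample: headers as a weakly configured Drupal site might send them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
MIN_HSTS_AGE = 15552000  # 180 days; an assumed lower bound for a useful HSTS policy

def hsts_max_age(value):
    # Parse the max-age directive of a Strict-Transport-Security value.
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None

def csp_directives(value):
    # Split a Content-Security-Policy value into {directive: [source tokens]}.
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def check_headers(headers):
    """Return a list of findings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif (hsts_max_age(hsts) or 0) < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security max-age too short: {hsts}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = csp_directives(csp)
        scripts = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts, which weakens XSS protection")
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "x-generator" in h:  # Drupal sends this by default; it advertises the version
        findings.append(f"version disclosure: {h['x-generator']}")
    return findings
```

Headers captured from a live response (for example with `curl -sI`) can be loaded into the same dict shape and passed to `check_headers`.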

SSL certificate. HTTPS is the minimum requirement. The certificate must be valid and not expired.

Exposed files and paths. /admin, /user/login, /.env, xmlrpc.php, CHANGELOG.txt — these paths give attackers information about the system. Some are publicly accessible in Drupal by default and need to be closed deliberately.

Performance

Google measures Core Web Vitals — LCP (Largest Contentful Paint), CLS (Cumulative Layout Shift) and INP (Interaction to Next Paint) — and uses them as a ranking signal. Performance is therefore not only a user experience question.

Common issues:

  • images that are too large or in the wrong format (WebP and AVIF are the current standard);
  • JavaScript that blocks page rendering;
  • third-party scripts (advertising, analytics, chat) adding hidden loading time;
  • a slow server response (TTFB — time to first byte).

In Drupal projects, performance problems often come from configuration gaps: caches are not enabled, views generate too many queries, images are uploaded by editors without resizing.

Privacy and GDPR

GDPR applies to every website that processes data of EU residents. In practice, that includes almost all public-facing websites.

The most visible requirement is cookie consent: Google Analytics and other tracking scripts must not run until the user has agreed. Consent must be voluntary — a blocking banner where the only real option is to accept does not meet the requirement.

Less visible but equally important:

  • the privacy policy must be current and easy to find;
  • contact forms must explain what happens to the data;
  • using external libraries (fonts, CDN, maps) sends data to third parties — this must be justified.

Accessibility

The European Accessibility Act started applying fully across the EU on 28 June 2025. Private-sector e-commerce, banking, transport and other services are now under the same requirements that public sector websites have been held to for years.

WCAG 2.2 is the current version. This means a website must be usable with a keyboard, heading structure must be logical, colour contrast must meet the minimum, forms must describe errors clearly and focus must be visible.

For a deeper look at accessibility requirements: Why WCAG is not only a public-sector topic.

AI readiness

A layer that did not exist a few years ago. AI assistants and agents retrieve information from the web either via search (Bing Grounding, Google AI Overviews) or by reading pages directly.

Three practical things this means:

llms.txt — a file that tells AI agents what on the site is worth reading and what to skip. Analogous to robots.txt, but designed for large language models. llmstxt.org describes the standard.

Structured data. Schema.org markup (JSON-LD) helps both search engines and AI systems understand what kind of page they are looking at — a service, an article, an organisation, a product. Google uses structured data to generate rich search results.

robots.txt and crawl rules. Some AI agents respect robots.txt user-agent rules — GPTBot, ClaudeBot and PerplexityBot, for example. If you want to allow or block certain crawlers, that is where to do it.
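To see what a robots.txt actually grants each of the crawlers named above, as an added example that is not part of the original article: the rules are constructed, and the check uses Python's standard-library parser on the text itself, so no crawler or network access is involved. It also shows a common surprise, that a crawler's own User-agent group replaces the `*` group rather than extending it.

```python
# Added example, not from the original article: check what a robots.txt actually
# permits for the AI crawlers named above, using the standard library parser.
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: keep everyone out of admin and user paths, restrict two
# AI crawlers further and block a third entirely.
SAMPLE_ROBOTS_TXT = """
User-agent: *
Disallow: /admin/
Disallow: /user/

User-agent: GPTBot
Disallow: /user/
Disallow: /search/

User-agent: ClaudeBot
Disallow: /user/

User-agent: PerplexityBot
Disallow: /
"""

def load_rules(text):
    parser = RobotFileParser()
    parser.parse(text.splitlines())  # parse from text, no network fetch needed
    return parser

def crawler_matrix(text, agents, paths):
    """Return {agent: {path: allowed}} so the policy can be reviewed at a glance."""
    parser = load_rules(text)
    return {a: {p: parser.can_fetch(a, p) for p in paths} for a in agents}

def unintended_gaps(text, agents, paths):
    """Paths blocked for '*' but reachable by a named crawler.

    A crawler's own User-agent group replaces the '*' group rather than extending
    it, so rules meant for everyone must be repeated in each named group.
    """
    parser = load_rules(text)
    gaps = {}
    for agent in agents:
        reachable = [p for p in paths
                     if not parser.can_fetch("*", p) and parser.can_fetch(agent, p)]
        if reachable:
            gaps[agent] = reachable
    return gaps
```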

How to check

Some of these requirements are publicly verifiable — from the browser, with tools, by reading response headers. Others require looking inside the system.

For a public initial check, the Drupal platform assessment covers security headers, version traces, GDPR signals, basic accessibility markers, technical SEO and AI readiness. The result shows which risks are visible from the outside.

For a deeper review — software versions, configuration, code quality and automated tests — there is a separate audit and testing service.

What this means for maintenance

None of these requirements can be met once and then forgotten. Security updates arrive continuously. Regulations change. Third-party libraries need reviewing. SSL certificates expire.

This is why regular Drupal maintenance is not a luxury — it is the mechanism that keeps these requirements met a year from now as well.

Kaido Toomingas, WebPro Company OÜ

Need Drupal help?

If the article describes your situation, you do not have to read everything first. A real person will help you choose the next step.