Before you begin: prerequisites and environment
Preparing the environment makes the configuration process faster and reduces surprises. Confirm your server meets Drupal’s requirements: a supported PHP version, a compatible database (MySQL/MariaDB, PostgreSQL), and appropriate PHP extensions (gd, pdo, mbstring, xml, json). Use Composer to manage Drupal and contributed modules; Composer keeps dependencies correct and simplifies updates. Decide whether you’ll use the web installer or a command-line tool like Drush for installation and maintenance. Also choose hosting that allows cron jobs and HTTPS, and make sure you have SSH access if you plan to run Composer or Drush commands remotely.
Step 1 - Install Drupal the recommended way
The modern, recommended approach is Composer-based. From a shell in the directory where you want the project, run the Composer command below. It creates a standard project layout that isolates vendor files and makes updates predictable. If you prefer a GUI installer, you can download a tarball or ZIP and run the web-based installer, but Composer is strongly recommended for production sites.
- composer create-project drupal/recommended-project my_site_name_dir
- cd my_site_name_dir
- Set up a virtual host or local server document root to point to web/
After files are in place, create your database and a database user. Either run the web installer by visiting your site in a browser and following the prompts, or use Drush: drush site:install standard --db-url=mysql://user:pass@localhost/dbname --site-name="Example Site". During installation you’ll set an administrative username and password and choose a profile that defines basic content types and sample content if you want it.
Step 2 - File system and permissions
Drupal needs a writable files directory (sites/default/files) and a protected settings file. After installation, ensure that settings.php exists in sites/default and is not writable by the web server. The files directory should be writable so users can upload images, and web processes must have access to it. A common approach is to set ownership to a web server user and restrict permissions: 644 for files and 755 for directories, with settings.php set to 444 or 440 to prevent accidental edits. On shared hosts, check their guidance; on VPS or dedicated servers, set proper ownership (for example, www-data or apache) and avoid leaving settings.php world-writable.
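The permission rules above can be checked mechanically. The shell function below is an added example, not part of the original guide or of Drupal itself; the function names are made up for illustration, it assumes the Composer layout with the docroot at web/, and it inspects mode bits only, not ownership.

```shell
#!/bin/sh
# Added example: audit the Step 2 permission rules under a Drupal docroot.
# Assumption: Composer layout, so the docroot is <project>/web.
# Usage: audit_drupal_perms /path/to/my_site_name_dir/web   (no trailing slash)

# True if the path has any write bit set (owner, group or other).
has_write_bit() {
    [ -n "$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \))" ]
}

# Prints one finding per line; returns 1 if anything was found, else 0.
audit_drupal_perms() {
    docroot=$1
    site="$docroot/sites/default"
    rc=0

    # settings.php must exist and carry no write bits (444 or 440).
    if [ ! -f "$site/settings.php" ]; then
        echo "MISSING: $site/settings.php"; rc=1
    elif has_write_bit "$site/settings.php"; then
        echo "WRITABLE: $site/settings.php (want 444 or 440)"; rc=1
    fi

    # The uploads directory must exist and be writable by its owner.
    # Mode bits only: whether the owner is the web server user is not checked.
    if [ ! -d "$site/files" ]; then
        echo "MISSING: $site/files"; rc=1
    elif [ -z "$(find "$site/files" -prune -perm -200)" ]; then
        echo "NOT-WRITABLE: $site/files"; rc=1
    fi

    # Outside files/, nothing should be group- or world-writable
    # (644 for files, 755 for directories). Symlinks are skipped.
    loose=$(find "$docroot" -path "$site/files" -prune -o \
        ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/LOOSE: /'; rc=1
    fi

    return "$rc"
}
```

The non-zero return status makes the function usable as a gate in a deployment script or CI job.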
Step 3 - Basic site configuration
Once Drupal is installed, configure the core settings that define how your site behaves. In Admin > Configuration > System > Basic site settings you can set the site name, email address, default front page and slogan. Configure regional settings (time zone, default country), and set up clean, human-readable URLs using the Path module; consider installing Pathauto to generate URL aliases automatically for content and taxonomy terms. Set up the site logo and favicon through Appearance settings, and configure default meta tags if you install a meta tag module.
Essential administrative tasks to do immediately
- Configure the administrative email and contact forms.
- Create at least one content type tailored to the site’s needs (blog post, article, product).
- Set the front page and contact forms, and configure site slogan and name.
Step 4 - Modules and themes: enable only what you need
Modules extend Drupal’s functionality. Start by enabling modules that are essential (Views, Block, Path, and others that your site specifically needs) rather than turning on many modules at once. Contributed modules should be installed via Composer (for example, composer require drupal/ctools drupal/pathauto), which keeps the dependency graph correct. For theming, pick a base theme or a responsive theme that matches your design requirements, and install it via Composer or the admin UI. After enabling a theme, place blocks and configure regions through Structure > Block layout to shape your pages.
Step 5 - Create content types, fields, and views
Define content types that reflect real content on your site. For each content type add fields (text, image, entity reference, etc.) and set their display and form widgets. Use Views to create lists, pages, and blocks of content with filters and sorting. Views is highly flexible: it can create paginated content lists, RSS feeds, or admin-style pages. When building complex pages, use a combination of Views, custom blocks, and layout tools (Layout Builder or Panel modules) to place fields exactly where you want them.
Step 6 - Roles, permissions, and user management
Security and workflow depend on well-defined roles and permissions. Create roles such as Editor, Content Creator, and Site Manager, and assign only the permissions each role needs. Avoid giving the “administer site configuration” permission broadly. Use the People admin to add users, set up authentication methods if needed (OAuth, LDAP), and configure password policies. If you have multiple environments, be sure to test role permissions thoroughly before giving them to non-technical users.
Step 7 - Performance tuning and caching
Improve site speed with caching and aggregation. Enable Page and Dynamic Page cache (core modules) and configure CSS/JS aggregation in Performance settings. Use an opcode cache (like OPcache) on the server and consider a reverse proxy or CDN for static files. For large sites enable Redis or Memcache for Drupal caching via contrib modules, and tune the database for your workload. Also set up cron (either with system cron calling cron.php or using the system cron integration in your hosting control panel) to run scheduled tasks like cache clearing, indexing, and feed updates.
Step 8 - Security best practices
Secure the site by enforcing HTTPS, keeping Drupal core and contributed modules updated, and using strong passwords and two-factor authentication for administrative accounts. Add trusted_host_patterns in settings.php to prevent HTTP host header attacks, and move sensitive settings into settings.local.php for local development. Remove or restrict access to the update.php and install.php pages on production sites. Limit write permissions on code and configuration files, and use the Security Kit and Paranoia modules judiciously when extra hardening is needed.
Step 9 - Configuration management and deployment
Drupal’s Configuration Management system lets you export the active configuration to YAML files, which is essential for consistent deployments across environments. Use config export and import (drush config-export, drush config-import) and store the configuration repository in Git. For a typical workflow, make configuration changes on a development site, export them, commit to version control, and import on staging/production. When using Composer-managed projects, vendor files and module code are handled separately from configuration, so deployments become predictable and repeatable.
Step 10 - Backups, updates and ongoing maintenance
Establish a routine for backing up the database and files, ideally automated and tested regularly. Use Composer to update contributed modules and core (composer update drupal/core --with-dependencies) and run database updates (drush updb) after applying code changes. Monitor logs for errors, set up alerting for downtime and high error rates, and schedule periodic audits of unused modules and themes so they can be removed. Keeping an eye on performance and security updates reduces the risk of incidents over time.
Summary
Configuring Drupal well combines a solid server setup, a Composer-based code workflow, sensible file permissions, careful selection of modules and themes, and disciplined configuration management. Start small: secure the site, create the content structures needed, then optimize performance and automate backups and updates. With those pieces in place you’ll have a maintainable site that can grow without technical debt.
Frequently asked questions
How should I install modules and themes safely?
Use Composer to add modules and themes to your project (composer require drupal/module_name). Avoid downloading and placing modules manually on production servers. After pulling code into an environment, run database updates (drush updb) and clear caches. Test module changes on a development or staging environment before moving to production.
Can I configure Drupal without the command line?
Yes, many tasks can be done through the admin interface, including installing modules from the Extend page, changing themes, creating content types, and managing users. However, Composer-based workflows and Drush provide better reproducibility and are recommended for production sites, especially for updates and dependency management.
Where do I store settings that vary between environments?
Place environment-specific settings in a settings.local.php file and include it from settings.php. Use environment variables for sensitive values like database credentials and API keys, and configure trusted_host_patterns and other server-specific options only in environment-specific files to avoid accidental exposure.
How do I handle configuration changes between dev and production?
Use the config export/import workflow: export changes from development to YAML files, commit them to version control, and import on staging/production. Drush commands (drush config-export, drush config-import) or the admin UI for Configuration Synchronization can be used, but version control and CI help avoid mistakes during deployments.
What are the most common security mistakes to avoid?
Common issues include running outdated core or modules, leaving settings.php writable, not enforcing HTTPS, granting excessive permissions to users, and running unnecessary modules. Regular updates, principle of least privilege for roles, secure file permissions, and automated backups are effective mitigations.