Useful Drupal modules

Click on the module name for notes, comments, patches.
Recommendations (for and against) are my personal opinion only and may be out of date. Feel free to email with corrections/suggestions.

Why doesn't the table mention Drupal 9 or 10?

1. Nowadays, I try and use Drupal as little as possible. Specifically I do not recommend it for a new website. I'd also strongly caution you against choosing Drupal if you're at the beginning of your career and trying to learn web development (front / back / full stack) or just want to manage/maintain a website. More details why by email on request.

2. By February 2022 I'd updated all the sites I look after to Drupal 9 (experience: mixed). As of March 2023, a year later, none of them were fully ready for Drupal 10 (waiting on support for various modules). By 13 Nov 2023 (a week or two after D9 lost support) I had updated a couple of them.

Q: What's the Drupal 9 to 10 upgrade experience like? A: it's what I'd describe as "just bearable", slightly better than D8 to D9, though with plenty of things to still trip you up. There is still deprecated code that needs fixing in D10 modules, and policy changes mean odd things will break (be prepared to turn off Aggregate CSS/JS files if your themes stop working, and note that Drush launcher doesn't work with Drush 12...)

Admittedly the upgrade_status module is the best solution they could have come up with for tracking compatibility. Also watch out for a nasty session headers bug with redirect_after_login.

What about sites still running Drupal 7? In short I still recommend leaving them on Drupal 7 or moving to another platform entirely. My prediction was that Drupal will extend D7 support year after year (note that drupal.org itself is still running D7). It's now been confirmed as 5 Jan 2025. There will have to be some sort of third-party long term support, because of the sheer volume of sites that are not being upgraded.

Your decision is really what specifically you think you will gain from Drupal 8/9/10 - often the answer will be not enough, and one of the main hassles - apart from converting each content type one at a time, and setting up a new theme, will be recreating all your views by hand, as views can't be automatically upgraded.

(134 modules in list)
Module name or machine name
Any text in the notes
Name D8 Personally Tested Sort ascending Last Updated
Unique field ajax (unique_field_ajax)

d.o. page

"Essential"

Gives you a checkbox for 'Unique' when editing fields - can have it checked during form entry (via AJAX) and specify a custom error message per field.  Seems to have bug where field you're checking is sometimes refocused (even if no errors) if you've already tabbed away from it and continued typing.

View Migration (view_migration)

d.o. page

Not recommended

Migrate views from D7 to D8.
Once installed on D7 - you need to go to /admin/config/view-migration 
It outputs multiple YML files and you're specifying a directory to put them in, which you need to create first.

My experience of the YAML output has been:

- incomplete (e.g. multiple missing displays in a complex view, views without a machine name)
- invalid UTF8 due to the next and previous arrows in pager.options.tags being encoded wrong
- the dependencies section at the top of the file not being set out correctly

It doesn't look like there's much current development activity (likewise migrate_views, which is the other plugin people usually mention).

Comment Notify (comment_notify)

d.o. page

"Essential"

Allows users to receive emails for replies to their comments (or optionally for all comments on a node).  Can be toggled by content type (although not by comment type, if you have more than one comment entity).  In permissions, you can also control which roles can subscribe.  Can also set it so the author of a node also automatically gets emailed for every comment.

I'm using three patches:

I also have a site which uses two comment types; I wrote a patch to turn off the notification checkbox for one of them.

Devel (devel)

d.o. page

"Essential"

Key features:

  • Kint (enable kint submodule, for pretty variable printing, way to view properties and methods)
  • DevelMailLog (redirect all mail to text files instead, specify location directory, specify filenames using tokens for recipient, subject, timestamp) - DevelMailLog requires that you also install the MailSystem module to activate it
  • Config Editor and State Editor (enable via /admin/config/development/devel/toolbar)
Add another (addanother)

d.o. page

"Essential"

For this to work for any content type after you activate it, you have to manually edit and save that content type's settings, otherwise the buttons will be missing.

Responsive and off-canvas menu (responsive_menu)

d.o. page

This uses a JS library and works without a second copy of the menu in the HTML, and you don't need to make any changes to your existing navigation menu.

Look at the README file for instructions.
You need to install mm_menu and superfish in your libraries folder.

Note you're forced with the mobile version of the menu to have it expand to full depth (although the hack/workaround, if you want a top-level menu only,  is to hide the lower elements in CSS)

For hand-crated CSS / minimal javascript solutions, see https://css-tricks.com/responsive-menu-concepts/

SEO Checklist (seo_checklist)

d.o. page

Shows a long checklist, split over a series of tabs, you can tick off items and some (e.g. modules you need to install) are auto-detected. See Module of the Week blog post. 

Configuration Update Manager (config_update)

d.o. page

You also need to enable config_update_ui, which adds an 'Updates report' tab to Config Sync (/admin/config/development/configuration/report)

Better Exposed Filters (better_exposed_filters)

d.o. page

"Essential"

My recommendation - safe to use but understand it's currently pretty limited due to bugs.

To activate, change a view's Exposed Form style (Advanced column) to 'Better exposed filters'.  

  • Lets you enable AJAX auto submit. The difference is without BEF, with Use AJAX, an AJAX request (vs a full page reload) is made but ONLY when you click 'Apply'.  With BEF, as soon as you change a dropdown the view updates (like the filters on this site).  
  • You can change the input method for each field (e.g.a single checkbox for what would otherwise be a True/False dropdown), make them "collapsible", add select all/select none links where appropriate.  
  • Rewrite option that lets you reword all the options for the filter and also delete some.

Limitations:

  • If you have a search field - e.g. Combine fields filter - you MUST turn on 'Exclude Textfield' if you are using 'Autosubmit'  
  • Most of these options *aren't* available for taxonomies (e.g. webform where  
  • If you use the default views single or grouped exposed filters, with selects/radios, they work correctly, but when you change them to BEF style, with checkboxes and AJAX, they don't (form is submitted and the checkbox has disappeared)
  • Bug: reset button doesn't use AJAX, it sends you to a view URL instead (disable it in settings)

 

So all you can really do with BEF at the moment is use the AJAX setting.

Documentation 

Real Name (realname)

d.o. page

Use tokens to merge first name, last name or any other fields.
Then you can display the realname field in various places.  

Note: you have to add code to substitute the default username in the title of user node views - e.g. in mytheme_preprocess_block(&$variables)

Computed Field (computed_field)

d.o. page

Add a field whose value is calculated using raw PHP; specifically $value = 'foo';

(The recommendation is you write your PHP in a module of your own, and then call that method from the UI - for security and version control reasons).

Note: value is only calculated when nodes are saved (i.e. will initially be empty for existing content).

D8 status; alpha but working.

Toolbar menu (toolbar_menu)

d.o. page

"Essential"

Add extra menus (which appear as cog icons with a title, which you can click and expand) to the admin toolbar at the top of your site.

Views Contextual Filters OR (views_contextual_filters_or)

d.o. page

"Essential"

By default if you add multiple contextual filters to a view, they must all pass (AND).
This gives you a checkbox in Advanced > Query Settings for the view which switches it to OR.

Coffee (coffee)

d.o. page

"Essential"

Keyboard shortcuts. A bit like Spotlight/Alfred/Launchbar.

Alt+D to launch (memonic: alt + D = coffee!)

Handy as it doesn't clash with browser keyboard-shortcut extensions such as Vimium.

Tips:

  • April 2020: 8.x-.10 released, means you no longer need this patch to fix CSS colours
  • remember that you can/should add your own menus to the search index
Configuration Override Warn (config_override_warn)

d.o. page

"Essential"

Displays a message on config pages indicating which config settings have been override by settings.  
There's a config setting where you can hide the actual values (so you can hide API key - you need to use config editor to edit that, there's no admin page)

D8 Editor Advanced link (editor_advanced_link)

d.o. page

Adds options should as choice of target, title, class ID etc. to the link dialog in CKEditor.

Needs configuring after install.

Snippet Manager (snippet_manager)

d.o. page

Snippets are Twig templates that can be managed using the UI.  They can be inserted in various ways including via CKEditor, tokens.

Support for HTML, CSS, JS, and variables.

Environment Indicator (environment_indicator)

d.o. page

"Essential"

Change the colour of the admin menu according to whether you're using dev, staging, production etc.

(You can also add 'switcher' menu links, e.g. Open in dev, Open in Prod). 

Notes:

- need to reset the cache after you've made changes [#2406619]

Content access (content_access)

d.o. page

"Essential"

Set permissions by content type (with the option of overriding node by node)

Rules (rules)

d.o. page

Patch needed (the pages and roles tabs are missing on block editing form otherwise):

https://www.drupal.org/project/rules/issues/3160347

HMS Field (hms_field)

d.o. page

Hours/minutes/seconds field type (formats: h:mm, h:mm:ss, m:ss, h, m or s). Drupal 8 in beta.

Two Factor Authentication (tfa)

d.o. page

"Essential"

install tfa and ga_login (TFA is just a framework, it doesn't come with it's own login plugins.)

Use this patch I wrote - it adds display of validation skip times and an admin reset button for users who are got locked out.

My installation instructions:

Next you need to generate an encryption profile.
First you need to generate a key - key type needs to be Encryption (not Authentication).
A 128bit key = 128/8 bytes = 16 characters - so generate a random 16 character string.

Set key provider to File rather than Configuration, this means the key won't end up in your version control.

Tick the 'strip trailing line breaks' box to avoid the "The selected key size does not match the actual size of the key." error

Key path should be relative to Drupal so the config will work on multiple sites
e.g. if you have created a file called /app/tfa.key on a lando container, set the key path to ../tfa.key
I'm actually creating mine in a keys directory.

Remember to save the key somewhere in your password manager, or your ansible variables, in case you lose the files later.
Remember to add /keys to your .gitignore file, so it won't get stored in version control.
Remember to copy it manually onto your production server.

In the TFA settings (/admin/config/people/tfa) you probably want to increase the number of times a user can skip validation.

Note that TFA has a separate 'Tfa user login' block (replacing the ordinary 'User login') 

AJAX Comments (ajax_comments)

d.o. page

Not recommended

Not very actively maintained and it can be quite buggy.

Needs this patch:

Reply button can be pressed multiple times, resulting in multiple comment forms

I abandoned it for a project because the admin XHR response when you submit comments sends back comments you've already filtered out (I had written code to restrict visibility of certain comments).   Also had a problem where the initial comment form was left in place rather than being replaced, so you ended up with duplicates.

Automatic User Names (auto_username)

d.o. page

"Essential"

Removes the 'Username' field from registration form.  Use in conjunction with a module that allows users to login with their email address.
Generates a username in the background (Drupal still requires one) - adds 'Patterns' tab to Account settings for configuring the name.

Patches:

 

Layout builder (layout_builder)

d.o. page

Benefits:

  • Build layouts using GUI - arrange fields in columns/blocks (or add a block, or menu, or tag cloud, user info etc.) 
  • Easily override layout of individual nodes without needing to clone/design/apply a template (and reset to default easily afterwards)


Status:

Nov 2018: core, experimental in 8.6.x
May 1 2019: due for stable release in 8.7.0

Issue queue

Installation:

  • Enable the layout_builder module (which also enables layout_discovery)
  • Clear cache.
  • Activation:  Content type -> Manage Display -> scroll down to Layout Options - tick Use Layout builder

By turning on Layout Builder, you switch from the standard Manage Display view (field, label, format/widget settings) and the layout builder GUI.

Resources:

Compatibility:

  • A migration path is being built for Panels / Panelizer.
  • Undecided (Nov 2018) how Layout builder will work in conjunction with Paragraphs

 

Login email or username (login_emailusername)

d.o. page

"Essential"

Self-explanatory.

Views Aggregator Plus (views_aggregator)

d.o. page

Provides extra options for aggregating data in tables - e.g. grouping sets of rows together and summing the values of particular fields.

Has a hook - hook_views_aggregation_functions_info() - which lets you add your own options to the table aggregation settings - e.g.  supposing you have a limit for something (number of tickets, nights of accommodation) and want to decrement it - you can write a method to sum the matching rows and then do a calculation on the total.

Also supports 'add column function' - adds a grand total (or other summary field) at the very bottom of the table.

Caution - this module breaks hook_views_pre_render() - you can write your own pre_render method to remove or shuffle entire rows, but any chances to values will be overwritten (discovered this by looking through the source and looking for the use of that hook).  The workaround is to try and do what you need to by using hook_views_aggregation_functions_info() instead.

Configuration Read-only (config_readonly)

d.o. page

Lock all configuration changes via the admin UI - e.g. if you need to lockdown a production environment.

config_readonly now has a whitelist, added via an array in settings.php.

Password policy (password_policy)

d.o. page

Not recommended

There are still quite a few bugs open. I dropped this for a project, partly because it adds a load of clutter with the 'resets' and reset dates.
The minimum password policy in Drupal is already 12 characters anyway (and one issue is changing the minimum length doesn't change the help text.) 
You need to enable the submodules to use the various constraints:
drush pm:list | grep 'password_policy_'
Admin users see password policy stuff on the user profile page.
You need to set password reset days to 0 if you don't want to enforce a reset policy.
Policies can be applied by role.  
You get a generic warning about the password 'not matching the password policy'. Suggest using string overrides to change the "To change the current user password, enter the new password in both fields." message users see.
Instructions: add/edit the policy, click next, choose constraint then click 'Configure constraint settings' otherwise you won't be able to change anything.
It also lets you do a forced reset by role.

Automatic Entity Label (auto_entitylabel)

d.o. page

"Essential"

Hide entity labels (i.e. titles) or auto-generate them. (Works for anything - nodes, comments, taxonomies).

Field Formatter Condition (fico)

d.o. page

(based on ffc which hasn't been ported to D8).  

Allows you to configure field display based on value.  Adds a 'Conditions' pane to the cog in Manager Display of all entities (so content types but also comment types, e.g. if you have comments with multiple fields)

Requires Display Suite (ds)

Note: if you wanted to hide say a checkbox when it's value is false - you can do in it core with Manage Display - turn the label off then set (via cog wheel) the output format to Custom, and you can enter a value for true and leave false blank - exactly the same widget for boolean values you use when setting the output of a field in a view.

Webform Views Integration (webform_views)

d.o. page

"Essential"

This module lets you add fields from submissions to view, and sort/filter the view on them, in the same way you would standard fields from the Field API.

It's still alpha and not as polished/robust as the webform module itself - but it's certainly OK to use in production provided you test things first - check every combination of exposed filters works, and double check you aren't seeing duplicate rows (right now I've locked it to a recent commit on the dev-5.x branch, which doesn't need any patches).

Menu position (menu_position)

d.o. page

"Essential"

Assign various pages (by content type, URL, role etc.) to certain menu entries - so the 'active' status of the menu is set correctly (i.e. they appear within the sections you want).

- patch: Add enabled checkbox to edit form + enable new rules by default

As of alpha2 - views with contextual filters (e.g. myview/somefilter) will work correctly when a rule is added with pages / pages with wildcards specified.

 

Conditional Fields (conditional_fields)

d.o. page

Adds a 'Manage dependencies' tab to the admin page for content types.

This lets you set a 'target field' whose visibility is set according to a 'control field' and whether the latter is full/empty/checked/unchecked/has a specific value.

Another useful feature is you can prefill/pre-tick etc. the target field (including with a custom text value, for example).

To detect quickly if it's in use anywhere (I needed to do this before being sure I could uninstall the module on a site), export your site config and grep the /config/sync directory for 'conditional_fields' - it's stored in the 'third_party_settings' key in core.entity_form_display.node.[content type].default.yml

Telephone (telephone)

d.o. page

Telephone number field type.  This is in core, but you need to enable it.

Field Permissions (field_permissions)

d.o. page

"Essential"

Control editing/visibility of individual fields by role.  

As well as custom settings ('create own', 'edit own', 'view own', 'edit any' and 'view any' - all per role), there's a Private setting which gives access to the author and administrator only. 

These are automatically applied to views.

Finding the setting: Look for  Field visibility and permissions – on the Edit tab, NOT Field Settings.

In /admin/people/permissions there's also a Access other users private fields permission.

Bamboo Twig (bamboo_twig)

d.o. page

Way to embed lots of objects in twig. note you have to selectively enable various sub modules for each of the commands.  Seems pretty actively developed and well documented.

ClamAV (clamav)

d.o. page

"Essential"

Virus check files uploaded by users.

In Drupal - when it can't connect you get an error on the Status Report.
The status report also shows you the version which includes the virus signature info.
As soon as it can that error goes away.

There's a "verbose" option in the config settings (which logs files that "passed" the virus check as well as failed)

You need to tick 'Enable ClamAV integration' before it will actually scan any files.

Test it's working by creating a small file with the short Eicar test signature string

Notes: ClamAV does use a fair bit of memory (because it keeps a copy of all the virus signatures)

Also sensible to run a Nagios NRPE check to ensure ClamAV is always running.

Patch:

Requires core patch to avoid possible data loss (race condition) - use my rerolled patch (#35) 

Menu Token (menu_token)

d.o. page

Add tokens, such as a user ID, to text or URL paths of menu items. 

Be wary of this issue: Current-user:uid not correct

CKEditor Wordcount (ckwordcount)

d.o. page

Adds word/character/paragraph count to the CKEditor status bar (can optionally enforce a word/character limit)

Configured via Text formats and Editors (/admin/config/content/formats).

Requires the ckeditor wordcount library - example composer.json for that (put this in your 'repositories' section):

        "ckeditor.wordcount": {
            "type": "package",
            "package": {
                "name": "ckeditor/wordcount",
                "version": "1.17.4",
                "type": "drupal-library",
                "extra": {
                    "installer-name": "wordcount"
                },
                "dist": {
                    "url": "https://download.ckeditor.com/wordcount/releases/wordcount_1.17.4.zip",
                    "type": "zip"
                },
                "require": {
                    "composer/installers": "~1.0"
                }
            }
        },

and then require:

"ckeditor/wordcount": "1.17.4",

Patch needed:

https://www.drupal.org/files/issues/2018-12-06/ckwordcount_plugin_path_2850845-9.patch

(to ensure modules gives browser correct path of plugin.js - if your ckeditor input disappears, check console.log and it's probably that)

The notification module is a dependency.

Save edit (save_edit)

d.o. page

"Essential"

Add a save and edit button

  • Needed(?) patchto ignore the ?destination=querystring on admin page. 
  • Integrated dropbutton doesn't seem to style correctly, turn this off.
AudioField (audiofield)

d.o. page

"Essential"

This is a formatter, available on node display or in views.

It turns a uploaded file or an external URL into an HTML5 audio player. Also supports various other JS player libraries which you can download. You can turn lazy-loading of the file on or off.

Note: there is a default label added below the player, which is either the URL field description or actual address, if the former is missing. Override the audioplayer.html.twig template to remove this.

TagCloud (tagclouds)

d.o. page

Provides a block with a tag cloud of chosen taxonomy term. Works but a bit buggy, e.g. UI taxonomy setting reverts to 'tags'.  Requires clearing the cache to update (including changing any settings).  Choice of numbers after each tag to indicate quality, or 'wordcloud' style with varying sizes (will need you to modify your CSS to add some spacing between words). 

Advanced Page Expiration (ape)

d.o. page

Not recommended

I would avoid this.  The idea is you enter URL paths with wildcards and override the cache expiration.  I was unable to get it to work properly for pages (settings on config under Development > Performance) Also, re: caching images, those are files being served directly by Apache or Nginx, not via the Drupal front-controller, so caching settings need to be configured there.

Views Secondary Row (views_secondary_row)

d.o. page

"Essential"

For Views that use Table format. Adds a row underneath each record - you change the format from 'table' to the 'secondary row' option, you get an extra select dropdown in the table *settings*, and you can also specify colspan.  This does mean the label will be missing by default (you won't have a column header any more) - so you need to edit the field and tick rewrite output, and then specify your desired label, followed by the field value in Twig.
 

Pathologic (pathologic)

d.o. page

There's a D8 version but I've only tested D7.

It's a filter that fixes incorrect paths in your content - e.g. if you have content with an old domain or IP address specified, you can redirect it.

Views exposed form layout (vefl)

d.o. page

Not recommended

Layouts for exposed filters - i.e. you can move each filter into a region (supports Panels and Display Suite).

When I tried this (Summer 2018) the D8 branch wasn't really there yet - you could only rearrange the basic filter components in D8 (like search term, submit button, reset button), not all the extra ones you've added.   I went with using CSS (e.g. clear: both) instead.

Honeypot (honeypot)

d.o. page

"Essential"

Adds spam prevention to forms (you can select which, including user registration and contact).

Recommended settings:

- turn logging on (look for entries of type = honeypot in /admin/reports/dblog
- if using time limit - i.e the minimum amount of time form is expected to be on screen before module things it's a real person, not a bot, suggest 5 seconds rather than 10 (too agressive when using browser autocomplete for, for example, email address on password reminder form)

Ngrok for drupal (ngrok_drupal)

d.o. page

Sets the cookie domain correctly if you're using ngrok.

Use this if you have an Ngrok secure tunnel - e.g. if you are testing a Stripe Apple Pay integration (needs to run with a valid, publicly accessible SSH domain)

Redirect after login (redirect_after_login)

d.o. page

"Essential"

Sends users (depending on their role) to another page, rather than their profile, immediately after logging in.

There's a bug (patch available, fortunately) with this which will break session cookies in Drupal 9, and upgrade_status doesn't warn you about it.