Useful Drupal modules

Click on the module name for notes, comments, patches.
Recommendations (for and against) are my personal opinion only and may be out of date. Feel free to email with corrections/suggestions.

Why doesn't the table mention Drupal 9 or 10?

1. Nowadays, I try and use Drupal as little as possible. Specifically I do not recommend it for a new website. I'd also strongly caution you against choosing Drupal if you're at the beginning of your career and trying to learn web development (front / back / full stack) or just want to manage/maintain a website. More details why by email on request.

2. By February 2022 I'd updated all the sites I look after to Drupal 9 (experience: mixed). As of March 2023, a year later, none of them were fully ready for Drupal 10 (waiting on support for various modules). By 13 Nov 2023 (a week or two after D9 lost support) I had updated a couple of them.

Q: What's the Drupal 9 to 10 upgrade experience like? A: it's what I'd describe as "just bearable", slightly better than D8 to D9, though with plenty of things to still trip you up. There is still deprecated code that needs fixing in D10 modules, and policy changes mean odd things will break (be prepared to turn off Aggregate CSS/JS files if your themes stop working, and note that Drush launcher doesn't work with Drush 12...)

Admittedly the upgrade_status module is the best solution they could have come up with for tracking compatibility. Also watch out for a nasty session headers bug with redirect_after_login.

What about sites still running Drupal 7? In short I still recommend leaving them on Drupal 7 or moving to another platform entirely. My prediction was that Drupal will extend D7 support year after year (note that drupal.org itself is still running D7). It's now been confirmed as 5 Jan 2025. There will have to be some sort of third-party long term support, because of the sheer volume of sites that are not being upgraded.

Your decision is really what specifically you think you will gain from Drupal 8/9/10 - often the answer will be not enough, and one of the main hassles - apart from converting each content type one at a time, and setting up a new theme, will be recreating all your views by hand, as views can't be automatically upgraded.

(134 modules in list)
Module name or machine name
Any text in the notes
Name D8 Personally Tested Sort descending Last Updated
CKEditor Wordcount (ckwordcount)

d.o. page

Adds word/character/paragraph count to the CKEditor status bar (can optionally enforce a word/character limit)

Configured via Text formats and Editors (/admin/config/content/formats).

Requires the ckeditor wordcount library - example composer.json for that (put this in your 'repositories' section):

        "ckeditor.wordcount": {
            "type": "package",
            "package": {
                "name": "ckeditor/wordcount",
                "version": "1.17.4",
                "type": "drupal-library",
                "extra": {
                    "installer-name": "wordcount"
                },
                "dist": {
                    "url": "https://download.ckeditor.com/wordcount/releases/wordcount_1.17.4.zip",
                    "type": "zip"
                },
                "require": {
                    "composer/installers": "~1.0"
                }
            }
        },

and then require:

"ckeditor/wordcount": "1.17.4",

Patch needed:

https://www.drupal.org/files/issues/2018-12-06/ckwordcount_plugin_path_2850845-9.patch

(to ensure modules gives browser correct path of plugin.js - if your ckeditor input disappears, check console.log and it's probably that)

The notification module is a dependency.

Save edit (save_edit)

d.o. page

"Essential"

Add a save and edit button

  • Needed(?) patchto ignore the ?destination=querystring on admin page. 
  • Integrated dropbutton doesn't seem to style correctly, turn this off.
AudioField (audiofield)

d.o. page

"Essential"

This is a formatter, available on node display or in views.

It turns a uploaded file or an external URL into an HTML5 audio player. Also supports various other JS player libraries which you can download. You can turn lazy-loading of the file on or off.

Note: there is a default label added below the player, which is either the URL field description or actual address, if the former is missing. Override the audioplayer.html.twig template to remove this.

TagCloud (tagclouds)

d.o. page

Provides a block with a tag cloud of chosen taxonomy term. Works but a bit buggy, e.g. UI taxonomy setting reverts to 'tags'.  Requires clearing the cache to update (including changing any settings).  Choice of numbers after each tag to indicate quality, or 'wordcloud' style with varying sizes (will need you to modify your CSS to add some spacing between words). 

Advanced Page Expiration (ape)

d.o. page

Not recommended

I would avoid this.  The idea is you enter URL paths with wildcards and override the cache expiration.  I was unable to get it to work properly for pages (settings on config under Development > Performance) Also, re: caching images, those are files being served directly by Apache or Nginx, not via the Drupal front-controller, so caching settings need to be configured there.

Views Secondary Row (views_secondary_row)

d.o. page

"Essential"

For Views that use Table format. Adds a row underneath each record - you change the format from 'table' to the 'secondary row' option, you get an extra select dropdown in the table *settings*, and you can also specify colspan.  This does mean the label will be missing by default (you won't have a column header any more) - so you need to edit the field and tick rewrite output, and then specify your desired label, followed by the field value in Twig.
 

Pathologic (pathologic)

d.o. page

There's a D8 version but I've only tested D7.

It's a filter that fixes incorrect paths in your content - e.g. if you have content with an old domain or IP address specified, you can redirect it.

Views exposed form layout (vefl)

d.o. page

Not recommended

Layouts for exposed filters - i.e. you can move each filter into a region (supports Panels and Display Suite).

When I tried this (Summer 2018) the D8 branch wasn't really there yet - you could only rearrange the basic filter components in D8 (like search term, submit button, reset button), not all the extra ones you've added.   I went with using CSS (e.g. clear: both) instead.

Honeypot (honeypot)

d.o. page

"Essential"

Adds spam prevention to forms (you can select which, including user registration and contact).

Recommended settings:

- turn logging on (look for entries of type = honeypot in /admin/reports/dblog
- if using time limit - i.e the minimum amount of time form is expected to be on screen before module things it's a real person, not a bot, suggest 5 seconds rather than 10 (too agressive when using browser autocomplete for, for example, email address on password reminder form)

Ngrok for drupal (ngrok_drupal)

d.o. page

Sets the cookie domain correctly if you're using ngrok.

Use this if you have an Ngrok secure tunnel - e.g. if you are testing a Stripe Apple Pay integration (needs to run with a valid, publicly accessible SSH domain)

Redirect after login (redirect_after_login)

d.o. page

"Essential"

Sends users (depending on their role) to another page, rather than their profile, immediately after logging in.

There's a bug (patch available, fortunately) with this which will break session cookies in Drupal 9, and upgrade_status doesn't warn you about it. 

Exclude Node Title (exclude_node_title)

d.o. page

There are situations where you will want to hide a node title - e.g. if you have a view and insert an image field that's an entity reference to another content type.  Module allows you to hide titles by content type or view mode and for all nodes or just a custom selection.  Beta in D8.

Twig Xdebug (twig_xdebug)

d.o. page

Use Xdebug breakpoints in Twig templates - {{ breakpoint() }}

Redirect (redirect)

d.o. page

"Essential"

Add redirects, including specifying from the full range of HTTP codes (e.g 307 Temporary).  Won't let you redirect from the homepage, use Config > Basic Site Settings for that.

Webform (webform)

d.o. page

"Essential"

One of the best maintained contrib modules.  Main benefits: nicely presented forms with powerful conditional logic, YAML configuration, flexible user permissions, very clean data storage, secure.  Codebase is also very much written "the Drupal way".

I'm currently using this patch to avoid AJAX errors - it's only necessary where you've both enabled Automatically save as draft when paging, previewing, and when there are validation errors, and are using a confirmation type like inline, that still uses AJAX to submit the form when there are no validation errors.

Troubleshooting install of webform external libraries: (Jan 2020)

Follow these instructions: https://www.drupal.org/node/3003140

If you get a composer SSL error, follow these instructions.

(specifically, you need to set openssl.cafile in php.ini)

SMTP Authentication Support (smtp)

d.o. page

"Essential"

Send mail to a remote SMTP server (e.g. a transactional email provider like Postmark).  

You should put your authentication details in settings.php, rather than files you commit to the repo, for security.  

To get this to work - it was sending tests but nothing else - it seemed I needed to switch to a commit on the dev branch:

"drupal/smtp": "dev-1.x#3d354b3911409c9b11716bf2104498fb431eea72"

(note to self: see SM notes) 
 

Entity Embed (entity_embed)

d.o. page

Lets you insert any entity type (supposedly) via the WYSIWYG editor, and like images you can set alignment etc.  It creates a toolbar button that can be added to the toolbar configuration in 'Text formats and editors'.  The strings needed can be pretty long - e.g. 

<drupal-entity data-embed-button="snippet" data-entity-embed-display="entity_reference:entity_reference_entity_id" data-entity-type="snippet" data-entity-uuid="216914ab-1bc2-4a73-975b-dc1de79e849a"></drupal-entity>
 

Twig VarDumper (twig_vardumper)

d.o. page

"Essential"

Much faster than using kint, with colour coding, and still works nicely within narrow DOM elements.
Make sure you install using composer, as it has symfony dependencies.

Enabling twig debugging in the first place:

Also make sure you've activated twig debugging properly (including enabling the settings.local.php file in settings.php, and adding the debug setting to development.services.yml)
Potential gotcha - settings.local.php needs to be in /sites/default (or whichever), not just /sites/
If Twig debugging isn't enabled, the symptom is you don't see any output for the dump() commands.

Usage Tip:

- Hover over the keys and you get a tooltip that says 'Public method','Protected property' etc.

Node access user reference (nodeaccess_userreference)

d.o. page

"Essential"

Allows you to use an entity reference field on a node to allow (or deny) access to that node to the users you have selected.  Extremely useful for giving selected people access.

This isn't available in D8 or above (though it ought to be) - there's a note in the issue queue about it.  #2655426

Flippy (flippy)

d.o. page

Add Next/previous links to node view for specific content types - e.g. image gallery.  Powerful - supports: next/last, random link, you can specify exact text used etc.  Currently a dev version in D8.

Setup: activate for a content type in the 'Edit' tab (NOT manage display). Once Flippy is active, Manage Display tab will have a pager field so you can reposition the links relative to other fields on the page (e.g. above or below image).

Prepopulate (prepopulate)

d.o. page

Allows you to prefill form fields by supplying values in a query string.  Syntax (also in readme) Useful for bookmarklets.  D8 alpha version.

Token (token)

d.o. page

"Essential"

Adds a user interface for browsing tokens (the tags you can insert into various fields).

General Data Protection Regulation (gdpr)

d.o. page

Not recommended

Couldn't install either alpha branch (8.1 or 8.2on Debian Stretch (9.5) wants php7.1-zip which doesn't seem to be available.  
Got error about missing checklistapi module after uninstall and had to remove from DB manually

Nagios (nagios)

d.o. page

Generate customisable Nagios reports for things like module updates, cron not running etc.  

The D8 version is now compatible with NRPE because there's a Drush command to generate the Nagios string. 

Mydropwizard (mydropwizard)

d.o. page

"Essential"

If you have a Drupal 6 site, this modifies your Available Updates page (/admin/reports/updates) with direct download and release note links to all the D6 LTS (Drupal 6 Long Term Support) releases. 

Custom Add Another (custom_add_another)

d.o. page

"Essential"

The default button text for 'unlimited' fields where you can add multiple items is "Add another item".

You might want to change this.

This module lets you do it per field bundle - there are a couple of text options (for add and remove) added to the field edit screen.

NB: this is not the 'Save and add another' button for an entire content type, just the one that handles the javascript for individual fields with multiple entries.

Warden (warden)

d.o. page

A fork of the System Status module, but with a Symfony app for you to install to act as a server, rather than using a paid third-party service.  Monitor core/module update status of multiple Drupal sites.  If you're familiar with Nagios and NRPE, it's a little bit like that, but for Drupal modules, and more lightweight.  Note the server uses MongoDB, so you need to install that, plus the PHP extension, and it communicates with a public key-pair, though it should set that up itself.  

Field Tools (field_tools)

d.o. page

"Essential"

Provides:

  • /admin/reports/fields/tools - new Tools tab contains a more detailed field list that lists the instances (e.g. entities/content types) where each field is in use
  • editing individual fields in a content type - new Clone tab which will let you copy it to other Bundles (it also copies form and view display options)
  • Manage Fields page of a content type - new Clone tab where you can selectively clone multiple:
    • fields
    • displays
    • copy display settings

 

CSS Editor (css_editor)

d.o. page

"Essential"

If you only need a small amount of CSS, or want users to be able to directly edit it through the admin UI rather than creating a theme or module.

Caveat: doesn't work for admin themes (at least on D7)

Required by role (required_by_role)

d.o. page

"Essential"

Set required fields more precisely.

How to verify it it's in use on any fields (so you can remove it if desired)

I wanted to upgrade a site to D10 and there was a dependency from required_by_role on required_api, which was not yet D10 compatible. I wasn't sure if I was even using required_by_role on any fields - turns out I wasn't. There's no admin UI page overview which shows it's use, but you can just run a simple SQL query:

select * from config where data like "%required_by_role%";

(the config table is where all your field settings are stored).
Captcha (captcha)

d.o. page

"Essential"

Framework for using (many) different types of captchas on forms such as user_registration.
e.g. try 'reCAPTCHA' which is Google's "I am not a robot" captcha.  Personal experience is that's much better at preventing spam than the standard "image" one.

Tested with D7.

Rabbit hole (rabbit_hole)

d.o. page

Lets you set display, access denied, redirect or programmatic accessing for direct access to nodes.

However, note that includes both /node/xxx and the node alias, i.e. you can't just use it to restrict numeric URLs, the human friendly ones will get blocked too - so restrict_node_page_view might be more appropriate.

There's a series of submodules (such as rh_node) and without enabling them you won't see any options in the UI.
(look for the Rabbit Hole tab when editing nodes, for example).

Views PHP (views_php)

d.o. page

Allows you to insert a Global PHP field in a view in D7, so you can have conditionals etc.

Note there's a bug in 7.x-1.1 (Jan 2022) - you need this patch.

(Not available in D8, you should use Twig instead).

Web Profiler (webprofiler)

d.o. page

"Essential"

Install the devel module first.  The profile is a toolbar at the bottom of the screen. Features:

  • useful shortcuts (e.g. clear cache)
  • view info about current user, their role and permissions
  • server HTTP response
  • cache, DB and DOM loading performance
  • memory use
  • which blocks and views have been loaded

Tip: there are further reports ("collectors") you can turn on in the module preferences, and there's a shortcut to these from the menu in the first icon (Drupal logo). The toolbar is only a summary, all icons are clickable to view a full report. Each report is saved in the DB for later reading.

This module was ported from Symfony

@font-your-face (fontyourface)

d.o. page

Not recommended

For using typekit, google fonts etc.  But it's simpler to do web fonts manually in Twig templates/CSS.
D8 stable/mature - however it's confusing how you're meant to setup Typekit etc. and there are problems with uninstall it…  (there was an old D7 "typekit" module - deprecated).

28 Aug 2018: can't be uninstalled cleanly. The method described in #24 here works: https://www.drupal.org/project/fontyourface/issues/2916712#comment-12751073 if for example, you get an "The "font" entity type does not exist." message when running drush cr

Config Ignore (config_ignore)

d.o. page

"Essential"

Selectively ignore configuration entries during an import - e.g. site settings / the system.maintenance message.

Google Authenticator login (ga_login)

d.o. page

"Essential"

Use in conjunction with tfa to support OATH based HOTP/TOTP systems.

Nov 2022: No longer needed (i.e. uninstall it) when you upgrade to tfa 2.x for Drupal 9 and 10.

reCAPTCHA (recaptcha)

d.o. page

"Essential"

Use in conjunction with the Captcha module to prevent spam on forms.
As of Jan 2020, still ONLY supports v2 of Google's reCAPTCHA API (there's an active issue for v3 support)
There's also an option for non-js fallback.

Tested with D7 and D8.

Patch needed for AJAX forms (e.g. Webforms with AJAX support turned on) to stop the ReCAPTCHA UI disappearing when page is reloaded.

Node Page Disable (node_page_disable)

d.o. page

"Essential"

Adds an checkbox labelled 'Retain /node as an active url?' to /admin/config/system/site-information

This lets you disable the /node page which would otherwise list all published content.

Note it doesn't let you individual disable /node/xxx access by content type - see restrict_node_page_view or rabbit_hole for that.

This is for D7 only - in D8 you go to /admin/structure/views and disable /node there.

PDF Reader (pdf_reader)

d.o. page

Render a file field with one of several PDF readers.  Mixed success with pdf.js support - seems to force a full screen view.

IMCE (imce)

d.o. page

Adds a file browser to the CKEditor link dialog, so you can select files that have already been uploaded. Settings in Admin > Config > Media. In many cases will be better IA to add a dedicate file field to the content type and use that, or wait for the new media browser (currently being designed, follow the Drupal UX group.)

Module builder (module_builder)

d.o. page

"Essential"

Add a UI to easily create scaffolding for new modules (including hooks, plugins, permissions etc.) NB: first, you need to download drupal-code-builder from GitHub and place it in a /libraries top-level directory (see module builder's README.txt).   You can preview and edit the output files before writing to disk - and each module's configuration is saved  as a node, so you can add another hook etc. at a later date, regenerate the files and copy/paste the extra things you need. Video walkthrough.

CKEditorHeight (ckeditorheight)

d.o. page

Makes CKEditor fields respect the "rows" setting of the fields. (Has to be converted to pixels - there's a global setting, configured via a pixel factor and offset.)

Role Delegation (role_delegation)

d.o. page

Ordinarily, if you grant a user "Administer Users", they can do everything *except* change the roles (they don't even see the checkboxes).  You could give them 'Administer Permissions', but that also allows them to do other things.  

This module lets you set which roles they are allowed to enable for a user.  Administrators still see the roles checkboxes in the usual place (below 'status' on /user/123/edit), but everyone  gets a new 'Roles' tab.  

Works with D8 but not updated since April 2016.

Patches:

I'm not using any patches, but there are a couple RTBC-ed  the queue.

 

User restrictions (user_restrictions)

d.o. page

"Essential"

Block registrations (wildcards on email address and username)

Useful if you're getting persistent spam registrations from certain domains.

Tested with D7.  This used to be in core in D6.​​​​​​​

Resave nodes (resave_nodes)

d.o. page

"Essential"

If you want to manually refresh a series of nodes.
Mainly useful if you have a rule or a hook that relies on a node being saved, to update a computed field etc.

You can choose the node type.

Memcache API and Integration (memcache)

d.o. page

"Essential"

Enable memcache_admin submodule to access stats page.

Requires the PECL PHP memcached module.   I've written a blog post explaining how to install this on Acquia Dev Desktop

Role Watchdog (role_watchdog)

d.o. page

"Essential"

Logs every time a role is changed. Users get a Role History tab and there's a notification feature. 

Should now work fine on D8, not personally tested it (earlier: 15 Sep 2018 - there's a dev branch, but when you install it complains about missing role entity, and drush updb does nothing) 

Serial Field (serial)

d.o. page

"Essential"

Creates a field with a serial number, so you can have the equivalent of a MySQL AUTO_INCREMENT field for a content type (if nodes are deleted the old serial number is not reused).

Although this only has a dev branch which hasn't had updates since April 2016, it does work in D8.

There's no direct migration path previous versions, but people have written their own migrations.

Check issue queue for patches - including:

 

 

Spambot (spambot)

d.o. page

"Essential"

Scans email addresses/usernames/IP addresses against the stopforumspam.com database and then blocks or deletes the accounts.
You can set the threshold - i.e. how many times an email address needs to be listed in the spam database before action is taken.
You can also have it scan your entire existing database, not just new users. (It does this via a configurable cron run.)

Tested with D7.