Useful Drupal modules

Click on the module name for notes, comments, patches.
Recommendations (for and against) are my personal opinion only and may be out of date. Feel free to email with corrections/suggestions.

Why doesn't the table mention Drupal 9 or 10?

1. Nowadays, I try and use Drupal as little as possible. Specifically I do not recommend it for a new website. I'd also strongly caution you against choosing Drupal if you're at the beginning of your career and trying to learn web development (front / back / full stack) or just want to manage/maintain a website. More details why by email on request.

2. By February 2022 I'd updated all the sites I look after to Drupal 9 (experience: mixed). As of March 2023, a year later, none of them were fully ready for Drupal 10 (waiting on support for various modules). By 13 Nov 2023 (a week or two after D9 lost support) I had updated a couple of them.

Q: What's the Drupal 9 to 10 upgrade experience like? A: it's what I'd describe as "just bearable", slightly better than D8 to D9, though with plenty of things to still trip you up. There is still deprecated code that needs fixing in D10 modules, and policy changes mean odd things will break (be prepared to turn off Aggregate CSS/JS files if your themes stop working, and note that Drush launcher doesn't work with Drush 12...)

Admittedly the upgrade_status module is the best solution they could have come up with for tracking compatibility. Also watch out for a nasty session headers bug with redirect_after_login.

What about sites still running Drupal 7? In short I still recommend leaving them on Drupal 7 or moving to another platform entirely. My prediction was that Drupal will extend D7 support year after year (note that drupal.org itself is still running D7). It's now been confirmed as 5 Jan 2025. There will have to be some sort of third-party long term support, because of the sheer volume of sites that are not being upgraded.

Your decision is really what specifically you think you will gain from Drupal 8/9/10 - often the answer will be not enough, and one of the main hassles - apart from converting each content type one at a time, and setting up a new theme, will be recreating all your views by hand, as views can't be automatically upgraded.

(134 modules in list)
Module name or machine name
Any text in the notes
Name D8 Personally Tested Last Updated
Field Permissions (field_permissions)

d.o. page

"Essential"

Control editing/visibility of individual fields by role.  

As well as custom settings ('create own', 'edit own', 'view own', 'edit any' and 'view any' - all per role), there's a Private setting which gives access to the author and administrator only. 

These are automatically applied to views.

Finding the setting: Look for  Field visibility and permissions – on the Edit tab, NOT Field Settings.

In /admin/people/permissions there's also a Access other users private fields permission.

Field Tools (field_tools)

d.o. page

"Essential"

Provides:

  • /admin/reports/fields/tools - new Tools tab contains a more detailed field list that lists the instances (e.g. entities/content types) where each field is in use
  • editing individual fields in a content type - new Clone tab which will let you copy it to other Bundles (it also copies form and view display options)
  • Manage Fields page of a content type - new Clone tab where you can selectively clone multiple:
    • fields
    • displays
    • copy display settings

 

Flag (flag)

d.o. page

"Essential"

Handle favourites, reading lists, spam, friend lists etc.  Can be applied to any entity (nodes, users, comments etc.)  It appears as a clickable link. Can choose between page reload and AJAX when user toggles it.  Linked with views, and you can trigger events when flag count reaches a threshold.

Flippy (flippy)

d.o. page

Add Next/previous links to node view for specific content types - e.g. image gallery.  Powerful - supports: next/last, random link, you can specify exact text used etc.  Currently a dev version in D8.

Setup: activate for a content type in the 'Edit' tab (NOT manage display). Once Flippy is active, Manage Display tab will have a pager field so you can reposition the links relative to other fields on the page (e.g. above or below image).

Flood Control (flood_control)

d.o. page

Protect against brute-force login attacks. Unclear what's happening with porting of this.

General Data Protection Regulation (gdpr)

d.o. page

Not recommended

Couldn't install either alpha branch (8.1 or 8.2on Debian Stretch (9.5) wants php7.1-zip which doesn't seem to be available.  
Got error about missing checklistapi module after uninstall and had to remove from DB manually

Google Authenticator login (ga_login)

d.o. page

"Essential"

Use in conjunction with tfa to support OATH based HOTP/TOTP systems.

Nov 2022: No longer needed (i.e. uninstall it) when you upgrade to tfa 2.x for Drupal 9 and 10.

Group (group)

d.o. page

Alternative to the Organic Groups module. Allows you to create groups - e.g. classes, subscriptions, multiple communities.  Drupal module of the week post. Blog post.  It is by all accounts solidly written, but I found the initial UI confusing (in a "so what do I do now?" way) - you probably need to watch the YouTube video to understand it.

HMS Field (hms_field)

d.o. page

Hours/minutes/seconds field type (formats: h:mm, h:mm:ss, m:ss, h, m or s). Drupal 8 in beta.

Honeypot (honeypot)

d.o. page

"Essential"

Adds spam prevention to forms (you can select which, including user registration and contact).

Recommended settings:

- turn logging on (look for entries of type = honeypot in /admin/reports/dblog
- if using time limit - i.e the minimum amount of time form is expected to be on screen before module things it's a real person, not a bot, suggest 5 seconds rather than 10 (too agressive when using browser autocomplete for, for example, email address on password reminder form)

Image Lazyloader (lazyloader)

d.o. page

Images are hidden until they scroll into view.  Can specify distance before loading is triggered, also placeholder image, loading GIF and any pages to be excluded.  There's been some Drupal 8 development but unclear how complete it is.

IMCE (imce)

d.o. page

Adds a file browser to the CKEditor link dialog, so you can select files that have already been uploaded. Settings in Admin > Config > Media. In many cases will be better IA to add a dedicate file field to the content type and use that, or wait for the new media browser (currently being designed, follow the Drupal UX group.)

Layout builder (layout_builder)

d.o. page

Benefits:

  • Build layouts using GUI - arrange fields in columns/blocks (or add a block, or menu, or tag cloud, user info etc.) 
  • Easily override layout of individual nodes without needing to clone/design/apply a template (and reset to default easily afterwards)


Status:

Nov 2018: core, experimental in 8.6.x
May 1 2019: due for stable release in 8.7.0

Issue queue

Installation:

  • Enable the layout_builder module (which also enables layout_discovery)
  • Clear cache.
  • Activation:  Content type -> Manage Display -> scroll down to Layout Options - tick Use Layout builder

By turning on Layout Builder, you switch from the standard Manage Display view (field, label, format/widget settings) and the layout builder GUI.

Resources:

Compatibility:

  • A migration path is being built for Panels / Panelizer.
  • Undecided (Nov 2018) how Layout builder will work in conjunction with Paragraphs

 

Login email or username (login_emailusername)

d.o. page

"Essential"

Self-explanatory.

Masquerade (masquerade)

d.o. page

"Essential"

Allows you to browse the site as another user (to see what they see) and then quickly switch back again.  A general Drupal recommendation is to create test accounts for each of your roles, so this is useful for testing them.  (As per notes, don't use it for anonymous access, just log out.)  Replacement for 'Switch User'.

Patch and known bug:

Memcache API and Integration (memcache)

d.o. page

"Essential"

Enable memcache_admin submodule to access stats page.

Requires the PECL PHP memcached module.   I've written a blog post explaining how to install this on Acquia Dev Desktop

Menu position (menu_position)

d.o. page

"Essential"

Assign various pages (by content type, URL, role etc.) to certain menu entries - so the 'active' status of the menu is set correctly (i.e. they appear within the sections you want).

- patch: Add enabled checkbox to edit form + enable new rules by default

As of alpha2 - views with contextual filters (e.g. myview/somefilter) will work correctly when a rule is added with pages / pages with wildcards specified.

 

Menu Token (menu_token)

d.o. page

Add tokens, such as a user ID, to text or URL paths of menu items. 

Be wary of this issue: Current-user:uid not correct

Metatag (metatag)

d.o. page

"Essential"

This comes with a whole series of modules, including metatag_verification that will allow you to insert a google-site-verification tab. Instructions

How to add it to a content type/bundle:

  • You need to add the metatag field to the content type and position it on the form (it'll display as a disclosure triangle in the sidebar)
  • You also need to configure the level of available options at /admin/config/search/metatag/settings
Module builder (module_builder)

d.o. page

"Essential"

Add a UI to easily create scaffolding for new modules (including hooks, plugins, permissions etc.) NB: first, you need to download drupal-code-builder from GitHub and place it in a /libraries top-level directory (see module builder's README.txt).   You can preview and edit the output files before writing to disk - and each module's configuration is saved  as a node, so you can add another hook etc. at a later date, regenerate the files and copy/paste the extra things you need. Video walkthrough.

Mollom (mollom)

d.o. page

Deprecated

Not recommended

DO NOT USE - security issue and Acquia will no longer support or maintain it.

Spam filtering SaaS from Acquia. Free for up to 50 "ham" messages a day.  Scans message then provides a captcha if appropriate, scores each message for reputation, spam etc.  I never tried this module and anecdotally I've seen mixed reports / people suggesting it's not all that good.

Mydropwizard (mydropwizard)

d.o. page

"Essential"

If you have a Drupal 6 site, this modifies your Available Updates page (/admin/reports/updates) with direct download and release note links to all the D6 LTS (Drupal 6 Long Term Support) releases. 

Nagios (nagios)

d.o. page

Generate customisable Nagios reports for things like module updates, cron not running etc.  

The D8 version is now compatible with NRPE because there's a Drush command to generate the Nagios string. 

Ngrok for drupal (ngrok_drupal)

d.o. page

Sets the cookie domain correctly if you're using ngrok.

Use this if you have an Ngrok secure tunnel - e.g. if you are testing a Stripe Apple Pay integration (needs to run with a valid, publicly accessible SSH domain)

Node access user reference (nodeaccess_userreference)

d.o. page

"Essential"

Allows you to use an entity reference field on a node to allow (or deny) access to that node to the users you have selected.  Extremely useful for giving selected people access.

This isn't available in D8 or above (though it ought to be) - there's a note in the issue queue about it.  #2655426

Node Export (node_export)

d.o. page

Tto actually export node content. An 8.x version has begun development:

composer require 'drupal/node_export:1.x-dev'

Node Page Disable (node_page_disable)

d.o. page

"Essential"

Adds an checkbox labelled 'Retain /node as an active url?' to /admin/config/system/site-information

This lets you disable the /node page which would otherwise list all published content.

Note it doesn't let you individual disable /node/xxx access by content type - see restrict_node_page_view or rabbit_hole for that.

This is for D7 only - in D8 you go to /admin/structure/views and disable /node there.

Paragraphs (paragraphs)

d.o. page

For those familiar with WordPress, this is the equivalent of the ACF repeater field.  You can create paragraph types, which are collections of one or more fields, and the user can add as many of them as they like.  So you could have distinct paragraph styles, e.g. with images aligned in a certain way, or a page consisting of parallax backgrounds etc.

Password policy (password_policy)

d.o. page

Not recommended

There are still quite a few bugs open. I dropped this for a project, partly because it adds a load of clutter with the 'resets' and reset dates.
The minimum password policy in Drupal is already 12 characters anyway (and one issue is changing the minimum length doesn't change the help text.) 
You need to enable the submodules to use the various constraints:
drush pm:list | grep 'password_policy_'
Admin users see password policy stuff on the user profile page.
You need to set password reset days to 0 if you don't want to enforce a reset policy.
Policies can be applied by role.  
You get a generic warning about the password 'not matching the password policy'. Suggest using string overrides to change the "To change the current user password, enter the new password in both fields." message users see.
Instructions: add/edit the policy, click next, choose constraint then click 'Configure constraint settings' otherwise you won't be able to change anything.
It also lets you do a forced reset by role.

Pathauto (pathauto)

d.o. page

"Essential"

Generates URL aliases for new content automatically - using token-based patterns per content type - e.g. /reports/[node:title]

When you install this, the settings are in /admin/config/search/path – normally this page has no tabs, with this module you get Patterns, Settings, Bulk Generate, Delete Aliases). 

Pathologic (pathologic)

d.o. page

There's a D8 version but I've only tested D7.

It's a filter that fixes incorrect paths in your content - e.g. if you have content with an old domain or IP address specified, you can redirect it.

PDF Reader (pdf_reader)

d.o. page

Render a file field with one of several PDF readers.  Mixed success with pdf.js support - seems to force a full screen view.

Permissions Filter (permissions_filter)

d.o. page

"Essential"

The admin permissions page can get pretty long. 

This lets you narrow it down by typing permission names into a text field.

Prepopulate (prepopulate)

d.o. page

Allows you to prefill form fields by supplying values in a query string.  Syntax (also in readme) Useful for bookmarklets.  D8 alpha version.

Rabbit hole (rabbit_hole)

d.o. page

Lets you set display, access denied, redirect or programmatic accessing for direct access to nodes.

However, note that includes both /node/xxx and the node alias, i.e. you can't just use it to restrict numeric URLs, the human friendly ones will get blocked too - so restrict_node_page_view might be more appropriate.

There's a series of submodules (such as rh_node) and without enabling them you won't see any options in the UI.
(look for the Rabbit Hole tab when editing nodes, for example).

Raven (raven)

d.o. page

"Essential"

This module logs events and sends them to Sentry.  Sentry is an open source application you can self-install, but also a free/paid SaaS version.

For a content management framework as complex as Drupal it's worth logging errors.

Tips:

  • In Raven config, recommend not logging debug and info messages, but do select Enable fatal error handler and Enable stacktraces.
  • You can enable the javascript error handler as well, but personally I only use PHP.


Drupal benefits:

  • logs the Drupal uid
  • logs referrer URLs
  • you can tag versions (e.g. commits) as well as different environments
  • you get a full breakdown of AJAX requests

 

Real Name (realname)

d.o. page

Use tokens to merge first name, last name or any other fields.
Then you can display the realname field in various places.  

Note: you have to add code to substitute the default username in the title of user node views - e.g. in mytheme_preprocess_block(&$variables)

reCAPTCHA (recaptcha)

d.o. page

"Essential"

Use in conjunction with the Captcha module to prevent spam on forms.
As of Jan 2020, still ONLY supports v2 of Google's reCAPTCHA API (there's an active issue for v3 support)
There's also an option for non-js fallback.

Tested with D7 and D8.

Patch needed for AJAX forms (e.g. Webforms with AJAX support turned on) to stop the ReCAPTCHA UI disappearing when page is reloaded.

Redirect (redirect)

d.o. page

"Essential"

Add redirects, including specifying from the full range of HTTP codes (e.g 307 Temporary).  Won't let you redirect from the homepage, use Config > Basic Site Settings for that.

Redirect after login (redirect_after_login)

d.o. page

"Essential"

Sends users (depending on their role) to another page, rather than their profile, immediately after logging in.

There's a bug (patch available, fortunately) with this which will break session cookies in Drupal 9, and upgrade_status doesn't warn you about it. 

Refreshless (refreshless)

d.o. page

Only loads the parts of page that change when navigating between pages.

Unclear if still being maintained (no updates since Sep 2016) - part of the issue is it requires a core patch.

Required by role (required_by_role)

d.o. page

"Essential"

Set required fields more precisely.

How to verify it it's in use on any fields (so you can remove it if desired)

I wanted to upgrade a site to D10 and there was a dependency from required_by_role on required_api, which was not yet D10 compatible. I wasn't sure if I was even using required_by_role on any fields - turns out I wasn't. There's no admin UI page overview which shows it's use, but you can just run a simple SQL query:

select * from config where data like "%required_by_role%";

(the config table is where all your field settings are stored).
Resave nodes (resave_nodes)

d.o. page

"Essential"

If you want to manually refresh a series of nodes.
Mainly useful if you have a rule or a hook that relies on a node being saved, to update a computed field etc.

You can choose the node type.

Responsive and off-canvas menu (responsive_menu)

d.o. page

This uses a JS library and works without a second copy of the menu in the HTML, and you don't need to make any changes to your existing navigation menu.

Look at the README file for instructions.
You need to install mm_menu and superfish in your libraries folder.

Note you're forced with the mobile version of the menu to have it expand to full depth (although the hack/workaround, if you want a top-level menu only,  is to hide the lower elements in CSS)

For hand-crated CSS / minimal javascript solutions, see https://css-tricks.com/responsive-menu-concepts/

Restrict Login or Role Access by IP Address (restrict_by_ip)

d.o. page

Can specify single IP address or ranges. Two modes: restrict login, so they can only login from certain IPs, and restrict role, so they can login from anywhere but only access a role's permissions from the defined IPs. There's a D8 dev branch, last updated June 2016.

Role Delegation (role_delegation)

d.o. page

Ordinarily, if you grant a user "Administer Users", they can do everything *except* change the roles (they don't even see the checkboxes).  You could give them 'Administer Permissions', but that also allows them to do other things.  

This module lets you set which roles they are allowed to enable for a user.  Administrators still see the roles checkboxes in the usual place (below 'status' on /user/123/edit), but everyone  gets a new 'Roles' tab.  

Works with D8 but not updated since April 2016.

Patches:

I'm not using any patches, but there are a couple RTBC-ed  the queue.

 

Role Watchdog (role_watchdog)

d.o. page

"Essential"

Logs every time a role is changed. Users get a Role History tab and there's a notification feature. 

Should now work fine on D8, not personally tested it (earlier: 15 Sep 2018 - there's a dev branch, but when you install it complains about missing role entity, and drush updb does nothing) 

Rules (rules)

d.o. page

Patch needed (the pages and roles tabs are missing on block editing form otherwise):

https://www.drupal.org/project/rules/issues/3160347

Save edit (save_edit)

d.o. page

"Essential"

Add a save and edit button

  • Needed(?) patchto ignore the ?destination=querystring on admin page. 
  • Integrated dropbutton doesn't seem to style correctly, turn this off.
SEO Checklist (seo_checklist)

d.o. page

Shows a long checklist, split over a series of tabs, you can tick off items and some (e.g. modules you need to install) are auto-detected. See Module of the Week blog post.