A website audit can be done in two ways. Bear in mind that these two ways are complementary to each other not alternative.
Most third-party tools are used for monitoring performance, query load time, profiling, number of function calls, JS load time, HTML best practices and mobile usability. Below are the third-party tools which I prefer for auditing Drupal websites.
New Relic provides deep insights for Drupal websites, including database performance, modules monitoring, Apdex, function performance and front-end performance. It also provides Real User Monitoring (RUM), which gathers time information and shows you which hotspot in DOM (Document Object Model) rendering time may be causing your page to take several seconds to load.
XHProfiling measures the relative performance of your application at the code level. It captures things like CPU usage, memory usage, time and number of calls per function, a call graph, etc. The act of profiling impacts performance.
Third-party websites monitor your site based on specified URLs and report what part of the sites can be improved. These part of the sites can be JS, third-party URLs, services URLs, or HTML markups for desktop users and mobile usability. Generally, third-party sites check the page load time.
Below is a list of a few tools which can be used.
- PageSpeed Insight by Google (https://developers.google.com/speed/pagespeed/insights/)
- Pingdom website speed test (http://tools.pingdom.com/fpt/)
- GTMetrix (http://gtmetrix.com/): It actually scans your webpage and returns the Page speed grade, YSlow grade and timeline of all files included on the page.
Being a open source, there are many modules available which also help us in auditing Drupal sites. These modules can be independent or use third-party services. For example, coder, xhprof, Dcq, Hacked, Security_Review and Drupalgeddon.
The Hacked module scans your site’s core/contrib modules/themes which have been modified originally and creates a patch. It also tells users exactly what has been changed. It is integrated with Drush as well.
Coder checks your Drupal code against coding standards and other best practices. It also supports Code_Sniffer and can be used on command line.
It integrates Drupal with xhprof and helps report function-level call counts, and inclusive and exclusive metrics such as wall (elapsed) time in Drupal.
Security Review (https://www.drupal.org/project/security_review)
The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
Drupal Code Quality (DCD https://www.drupal.org/project/dcq)
This is used to check the code quality through GIT. It can be used with Drush. It will help you get into the habit of following good practices while writing code.
Drupalgeddon (with an "L") checks for backdoors and other traces of known Drupal exploits of "Drupageddon" (no "L"), aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it's a Drush command.
Site Audit (https://www.drupal.org/project/site_audit)
This is a Drupal static site, which is an analysis platform that generates reports with the best actionable recommendations.
That's a quick look at some of the tools that can be used for a Drupal audit. You could get a team of professionals to carry out the audit, or you could do a DIY Drupal Audit to identify major issues and vulnerabilities that need professional help.