I hear a lot from people who know they should be applying security updates, who *want* to apply security updates, but they don’t.
Why good people don’t keep up with security updates:
- The number of updates has built up until the list feels overwhelming
- In an effort to keep their modules page “green” they’ve applied the yellow updates without reviewing them and changed the way their site works in unexpected and unpleasant ways
- They’ve been burned by an update that went out untested and broke their site
- They don’t have time to test the updates and know better than to apply them untested
- They don’t have a clear test plan that leaves them feeling confident that everything is working
Know what needs updating
The Update Status module
Drupal 6 and 7 make it easy to see what needs updating. When the Update Status module, included in Drupal core, is enabled, it checks automatically to see what updates your site needs. You can view what needs updating at Reports > Available updates.
Update Status can be configured to suit your notification preferences at Reports > Available Updates > Settings.
Some people prefer to review the Security advisories or subscribe to the Security mailing list. This can be overwhelming if you’re running a single site with just a few modules, but it’s invaluable to people who build new sites regularly.
Tips for keeping up to date
Here are a few process tips to help you feel confident about keeping your site secure.
- Don’t apply an untested update to your production site
Really. Don’t do this. A bad experience shared with all of your users is just the sort of thing that discourages people from running updates.
- Don’t feel pressured to upgrade modules that are highlighted yellow on the available updates page.
These updates affect functionality and are likely to chage the user experience. If your site is running smoothly and you’re happy with functionality, it’s okay to use the version you have. As rewarding as a page full of green feels to some of us, maintaining a consistent user experience is an excellent reason NOT to update.
- Don’t skip testing your production site
Allow yourself a maintenance window and run through the same tests on production as you do on your staging site, especially if there are any differences in the operating system, database, web server or php versions.
- Remove or disable unused modules on your site
It’s best to remove unused modules entirely and keep modules that are seldom used in production disabled. That way, you won’t be spending time needlessly maintaining modules that no one is using.
- Check the security status of your site at a specific time each week
Setting aside a specific time encourages keeping your site consistently more secure. It’s much easier to approach a single update than to face a mountain of changes that have piled up over months. The Drupal security team makes vulnerability announcements each Wednesday, so depending on your timezone, Wednesday or Thursday is a good time to see what needs doing.
Many weeks, you’ll see nothing at all needs updating. On those weeks, explore the yellow ones. See what features are being changed, and experiment with them on your staging site.
- Apply security updates to a staging site first
This staging site should have the same operating system and the same versions of the web server, database, and php as your production site. Even if for some reason you can’t match them exactly, you’re still better off testing on staging first.
- Before applying updates, make a backup of your database and code
This is a good idea for both your staging and production sites. If you run into something unexpected on staging, the experience of restoring the site can help build your confidence for updates to production.
- Look at the release notes
When you apply an update, look at the release notes. It’s okay if you don’t understand everything in them, but many module maintainers will let you know when a security update is also going to affect the way the module works. Not everyone can or does call it out, but when they do, it saves you from discovering it on your own - or worse, not discovering it until it’s too late.
Interested in developing a robust, effective testing process? Check out our new training: Quality Assurance for Drupal Sites!