When using an open source product like Drupal, it is essential to ensure that you are keeping up to date with security patches. The last thing you need is an insecure Drupal site!
Security updates are released every Wednesday by the Drupal security team, so it is a weekly task for any site that uses Drupal. If you sign up for the email alerts from the security team, you will get an email for each security update as they are released. This can mean you get 10 to 20 emails per week. You may not be using any of the modules that have security updates, so it can be time consuming to look through each one to see which affects you.
There are three more time efficient methods that I use on a regular basis. These all use the core update manager module, which must be enabled.
Checking for updates
1. Drush
To check for security updates, you just need two commands:
drush pm-refresh
This refreshes the update status of your enabled modules and Drupal core.
You can use the alias rf: drush rf
drush pm-update
This will update your enabled modules and Drupal core. It will also apply any database changes that come with the update.
You can use the alias up: drush up
2. Available updates in the admin section
The second option is to check for available updates in the admin section of your site. Go to reports > available updates (admin/reports/updates). There you will see if an update is available for each module and Drupal core.
The update status will be checked when cron is run. So it is important to ensure cron is run after the security updates have been released. You can see how long ago this was with the “Last checked” time at the top of the page. You can click the Check manually link rather than running cron again.
If any updates are available, you can download them directly from this page.
3. Email available updates for your site
In the settings tab for the update module, you can ask to be notified of any updates for your site. This is the most convenient method of all because you will only get an email if an update applies to your site.
4. Recurring reminder
An old fashioned reminder can be used to ensure that you don’t forget to check for security updates. I set a reminder for Wednesday night and another for Thursday morning. Why two? After the experience of Drupalgeddon last year, I want to ensure that I am applying security updates as soon as possible and they are always released on a Wednesday. But sometimes these updates come through late in the evening when I’m fast asleep, so the second reminder on Thursday morning is to check for any late ones.
Applying updates
I find using Drush the easiest method for applying any security updates. Because I will use Drush to apply the update, I use that to check for updates as well. The recurring reminders prompt me to run the update at the right time.
Why don’t I rely on the emails to prompt me to apply the update? I get a lot of emails! I don’t want to rely on an email for something as important as a security update. Having said that, it does act as a good secondary check just in case an update is missed.
