Last modified: May 22, 2025 at 12:15am

Drupal CMS provides an interface for reviewing and applying security updates to your site, and an option to receive email notifications about security-related announcements that affect your site.

While the default setting for Drupal CMS is attended updates that require you to review and apply the updates manually, there is an option to use unattended updates that are applied automatically.

Note: The UI for performing updates (attended or unattended) does not work on all hosting providers. Many providers with Drupal-specific hosting plans have their own system for tracking and applying security updates. It’s always a good idea to check with your hosting provider to see what options are available.


What are security updates?

Any software occasionally has bugs, and sometimes these bugs have security implications—meaning they create vulnerabilities that malicious users could exploit to gain unauthorized access or otherwise compromise your site. When security-related bugs are fixed in Drupal CMS or in extensions (modules or themes) that your site uses, the fixes are released in a security update.

You will need to regularly apply security updates in order to keep your site secure.

Because Drupal CMS is not locked to a specific vendor, the responsibility for applying these security updates will depend on your situation. Regardless of who does it, it’s a good idea to understand the process and make sure that it is being taken care of.


What are regular (non-security) updates?

Drupal CMS and extensions (modules and themes) also periodically have updates to add new features and fix non-security related bugs. These updates are less critical than security updates. As a general rule, updates should be applied as long as they do not cause problems with your site.


Alternatives to using the built-in update UI

When you apply security updates in Drupal CMS, using the built-in UI is convenient and straightforward, especially for smaller sites or less complex environments. However, it’s only one of many available solutions. Some hosting providers offer specialized tools – like a “one-click update” feature or automated patching – that handle updates behind the scenes. These hosting-specific solutions can save time and reduce the chance of manual errors, especially when it comes to recovering from a failed update, enabling you to focus on other aspects of maintaining your site.

For many projects, best practices often include a workflow that involves quality assurance testing and peer review. In these workflows, security updates (and any other code changes) are tested extensively in a development environment, moved through review for further validation, and only deployed to the live site after all checks pass. This approach reduces the risk of unexpected downtime and ensures a higher level of quality control. Ultimately, choosing the best update path depends on your project’s complexity, team structure, and hosting environment.


Did you know?

Did you know that your Drupal CMS site is a combination of Drupal core and select contributed modules and themes? When you’re notified about updates, just because they don’t come with the Drupal CMS name doesn’t mean they aren’t necessary.


Next

When critical security updates are announced, they will be shown in the administration pages of your website. See Section 13.4, “Keeping Track of Updates” (Drupal User Guide) to learn how to be notified of security updates by email.


Wrap-up

Drupal CMS and the specific extensions that make up your site are constantly evolving to fix bugs and add new features. As a site administrator, you can keep track of these updates by having Drupal CMS send you notifications, and then apply the updates using the built-in UI, features offered by your hosting provider, or a custom workflow defined by your development team. Whatever approach you choose, it’s important to keep your site up-to-date to ensure the security of your site and your users.


Additional resources
