Updating Drupal
Drupal CMS provides an interface for reviewing and applying security updates to your site, and an option to receive email notifications about security-related announcements that affect your site.
Note: The UI for performing updates does not work on all hosting providers. Many providers with Drupal-specific hosting plans have their own system for tracking and applying security updates. It's always a good idea to check with your hosting provider to see what options are available.
What are security updates?
Any software occasionally has bugs, and sometimes these bugs have security implications, meaning they create vulnerabilities that malicious users could exploit to gain unauthorized access or otherwise compromise your site. When security-related bugs are fixed in Drupal CMS or extensions (modules or themes) that your site uses, they are released in a security update.
You will need to regularly apply security updates in order to keep your site secure.
Because Drupal CMS is not locked to a specific vendor, the responsibility for applying these security updates will depend on your situation. Regardless of who does it, it's a good idea to understand the process and make sure that it is being taken care of.
What are regular (non-security) updates?
Drupal CMS and extensions (modules and themes) also periodically have updates to add new features and fix non-security-related bugs. These updates are less critical than security updates. As a general rule, updates should be applied as long as they do not cause problems with your site.
Alternatives to using the update UI
When you apply security updates in Drupal CMS, using the built-in UI is convenient and straightforward, especially for smaller sites or less complex environments. However, it's only one of many available solutions. Some hosting providers offer specialized tools – like a "one-click update" feature or automated patching – that handle updates behind the scenes. These hosting-specific solutions can save time and reduce the chance of manual errors, especially when it comes to recovering from a failed update, enabling you to focus on other aspects of maintaining your site.
For many projects, best practices often include a workflow that involves quality assurance testing and peer review. In these workflows, security updates (and any other code changes) are tested extensively in a development environment, moved through review for further validation, and only deployed to the live site after all checks pass. This approach reduces the risk of unexpected downtime and ensures a higher level of quality control. Ultimately, choosing the best update path depends on your project's complexity, team structure, and hosting environment.