See more

    Staying aware of Drupal security updates

    Follow

    Issue

    How can I stay informed about Drupal security updates?

    Resolution

    Staying on top of updates to Internet software is a big responsibility. It's critical to the security of your website and yet can take a lot of time. The traditional advice about updates is to subscribe to the updates mailing list: that works well for most projects.

    For broad software projects like Drupal, however, that advice is increasingly unmanageable. Drupal update emails cover not just Drupal core, but also many of the contributed modules, themes, and distributions available on drupal.org —over 20,000 of them. Any individual website may have 50, 100, or more. So, if you sign up to get emails about security issues across 20,000 modules and you only care about 200 of them, the chances of getting a message about a module you don't need are very high.

    Here are some ways you can receive updates; see which one is the best for you.

    Method Pros Cons
    Enable the Update core module with security focused settings (configured at Administration > Reports > Available Updates)
    • It's a focused report to your needs on your website.
    • It can be sent to multiple inboxes, including a ticketing system or support team.
    • This relies on the cron mechanism. In Drupal 7, you can either set up cron to run on your server (for example, using crontab), or it runs using the so-called poor man's Cron, which runs periodically after a page visit by a website visitor. If Cron isn't working, this won't work for you.
    • If email from your server isn't working, then this report won't be delivered to you.
    • It can negatively impact performance. We recommend using it on test environments because the production server shouldn't need to spend time and resources on polling drupal.org.
    Subscribe to the security notification newsletter
    • You get all the important information as soon as possible.
    • It can can help give you an idea of trends in issues; for example, CSRF is less common now than it once was, and seeing the advisories helps you realize that.
    • It has an overwhelming amount of information about core and all other projects, which is very likely more than you need when managing your specific websites with specific modules.
    Follow @Drupalsecurity on Twitter
    • This is fast and simple for people who love Twitter.
    • You can place it into a high-importance Twitter list that you can check before visiting other parts of Twitter.
    • Twitter content tends to be easily forgotten.
    • The Twitter feed contains updates about all content, leading to the same overload problem that you have with the mailing list.
    Subscribe to one of the RSS feeds from drupal.org/security and subtabs
    • There are separate feeds for Core Contrib , and Public service announcements (PSAs) .
    • It's formatted for easy import into systems (for example, ticketing systems) that can import from RSS.
    • It can be paired with a tool like If this then that to trigger other events. These events could include scripts to start automated testing of a new build, email alerts, and so on.
    • For personal consumption, it may get lost among other RSS items.
    • The /contrib feed still shows information about projects you may not need.
    Use Drush to apply security updates
    • Drush is highly customizable for integration with other systems.
    • It's very specific to the needs of your websites.
    • If you're monitoring with a tool like Nagios, it could create an alert if there's no data at all (for example, to prevent problems with cron not running).
    • Drush requires special access (that is, SSH) and some extra work on the server.

    Topics

    Related articles