Drupal patching — a complete Drupal self-help guide for effective patch management to keep your website up-to-date, stable and secure

Drupal self-help guide #4

Article summary: Patching your Drupal website is crucial to ensure the security, stability, compatibility, performance, and long-term maintenance of your website. It helps protect your website from security threats, resolves bugs, maintains compatibility with modules and themes, improves performance, and establishes a solid foundation for ongoing maintenance. See our top 6 Drupal patching tips.

On this page:

Date:
27 September 2023

Drupal patching to keep your site up-to-date, stable and secure

Welcome to the fourth instalment of our comprehensive self-help guide series, focused on improving your Drupal website. In this 6-part series, we delve into six vital metrics for a successful Drupal website:

  1. Security
  2. Performance
  3. Accessibility
  4. Patches
  5. SEO
  6. Carbon emissions

In this guide we focus on application patchingExternal Link , a crucial aspect of maintaining any software including Drupal. With continuous improvements and updates, it’s vital to ensure your Drupal installation is up-to-date and secure.

A well-maintained Drupal website not only offers a reliable user experience but also keeps your data secure from potential threats. Regular application patching ensures that you stay ahead of any vulnerabilities and can leverage new features that enhance your website's overall performance.

As an open-source content management system (CMS), Drupal has a thriving community that continuously works on enhancing its capabilities, and patching your application is a way to benefit from these collective efforts.

In this guide, we explore the importance of application patching, its impact on your Drupal website, and the best practices you can follow to keep your site secure, updated and running smoothly.

View top 6 tasks for effective application patching

Part 1 — Understanding application patching

What is application patching?

Application patchingExternal Link refers to the process of applying updates, fixes or improvements to a software application. In the context of DrupalExternal Link , this involves updating the core systemExternal Link , contributed Drupal modulesExternal Link and Drupal themesExternal Link to keep your website secure and functioning optimally.

Why is application patching important?

Patching your Drupal website is essential for several reasons:

  • Security: regular updates help address security vulnerabilities that may expose your website to attacks.

  • Performance: updates often include optimisations that enhance the performance and responsiveness of your website.

  • Bug fixes: patches can fix bugs and issues that affect the user experience and site functionality.

  • Compatibility: maintaining an up-to-date Drupal installation ensures compatibility with new modules, themes and other components.

  • New features: updates bring new features and enhancements that can improve your website's capabilities.

Global authorities, guidelines and policies

While there isn't a single centralised entity that governs this process, there are several resources and practices that the Drupal community follows to ensure effective patching. Here are some important ones:

  1. Drupal Security TeamExternal Link
  2. Drupal.org security advisoriesExternal Link
  3. Drupal security best practices (e.g. Drupal’s Writing Secure CodeExternal Link guidelines)
  4. Community engagementExternal Link

While there are no specific global authorities governing application patching, Drupal has an active security team that releases security advisoriesExternal Link , guidelines and best practices to help users keep their websites secure. Following Drupal's security team recommendations is crucial in maintaining a secure and well-performing site.

Positive impact of proper application patching

When done right, application patching can provide the following benefits:

  • Enhanced security, reducing the risk of data breaches and unauthorised access
  • Improved site performance and user experience
  • Fewer bugs and issues, leading to smoother site operations
  • Access to new features and enhancements that can boost your site's capabilities
  • Improved compatibility with third-party components

Consequences of ignoring application patching

Ignoring application patching can have significant consequences, such as:

  • Increased risk of security vulnerabilities and cyberattacks
  • Poor website performance, affecting user experience and search engine rankings
  • Proliferation of bugs and issues, leading to a subpar site experience
  • Missing out on new features and improvements that could benefit your site
  • Incompatibilities with other components, potentially causing site issues or crashes

Part 2 — Drupal and application patching

Drupal's approach to application patching

As an open-source CMS, Drupal has a dedicated community of developers who work tirelessly to improve security, performance and functionality. This commitment includes releasing regular updates to Drupal coreExternal Link , contributed Drupal modulesExternal Link and Drupal themesExternal Link .

Drupal security team and guidelines

The Drupal Security TeamExternal Link is responsible for monitoring, identifying and addressing potential security vulnerabilities. They release security advisoriesExternal Link and guidelines to help site owners and developers maintain a secure environment. Adhering to these guidelines and implementing timely patches is crucial for maintaining a secure Drupal site.

Application patching across Drupal versions

Different Drupal versions have specific approaches and considerations for patching:

  • Drupal 7: Drupal 7 is officially reaching its End-of-Life on 5 January 2025. It’s strongly recommended to upgrade to Drupal 9 or higher for ongoing security and feature updates.

  • Drupal 8: Drupal 8 has reached its End-of-Life, and it's strongly recommended to upgrade to Drupal 9 or higher for ongoing security and feature updates.

  • Drupal 9: Drupal 9 is built with backward compatibility in mind, making it easier to keep your site up to date with security and feature updates. Regularly check for updates and follow the recommended upgrade path.

  • Drupal 10: Drupal 10External Link continues the same commitment to security and features, with regular updates and improvements. Site owners should monitor and apply updates as recommended by the Drupal Security TeamExternal Link .

Well-known examples of proper application patching

Proper application patching has saved many organisations from potential cyberattacks and vulnerabilities. For instance, when the Drupalgeddon 2External Link and Drupalgeddon 3External Link vulnerabilities were discovered, the Drupal Security Team released timely patches. Site owners who promptly applied these updates were protected from potential attacks and breaches.

Examples of inadequate application patching

Failing to apply patches can have serious consequences. In 2018, the Panama Papers leakExternal Link was traced back to a vulnerable Drupal installation with outdated components. By not updating their site, the organisation exposed sensitive data and faced severe reputational damage. This case emphasises the importance of timely application patching for Drupal websites.

Part 3 — 6 steps for effective application patching

The top 6 tasks for effective application patching are:

  1. Stay informed on updates and security advisories
  2. Regularly update Drupal core
  3. Regularly update contributed modules and themes
  4. Test updates on a staging environment
  5. Implement a strong backup and recovery plan
  6. Training and awareness

1. Stay informed on updates and security advisories

What it is: Regularly monitoring Drupal's security advisoriesExternal Link and other relevant channels to stay informed about available updates and potential vulnerabilities.

Positive impact: Staying informed helps you act promptly, ensuring your Drupal site remains secure and up to date.

Steps to implement:

  1. Subscribe to the Drupal Security mailing list. You can do this via your user profile page in the Edit>My newsletters tab.
  2. Follow Drupal Security on TwitterExternal Link (@drupalsecurity).
  3. Regularly check your site's available updates page (/admin/reports/updates).
  4. Set up an RSS feed to receive updates directly — RSS feed for coreExternal Link and RSS feed for contribExternal Link
screenshot of Drupal security advisories

Above: Screenshot of Drupal security advisories.

screenshots taken from the updates page
screenshots taken from the updates page

Above: Two screenshots from the updates page (found at /admin/reports/updates).

2. Regularly update Drupal core

What it is: Ensure that you’re running the latest version of Drupal core and apply updates as soon as they become available.

Positive impact: Regularly updating Drupal core reduces the risk of security breaches and enhances site performance.

Steps to implement:

  1. Backup your site files and database.
  2. Put your site in maintenance mode.
  3. Use composer to update the Drupal core version.
  4. Run the update.php script to update the database OR run 'drush updb'.
  5. Test the site to ensure functionality.
  6. Disable maintenance mode.
Screenshot shows update for Drupal core using composer.

Above: Screenshot shows update for Drupal core using composer.

3. Regularly update contributed modules and themes

What it is: Just like Drupal core, contributed modules and themes must be updated regularly to maintain a secure and high-performing site.

Positive impact: Updated modules and themes ensure optimal performance, stability and security.

Steps to implement:

  1. Check the available updates report page for module and theme updates.
  2. Read the release notes for each update to understand the changes.
  3. Backup your site files and database.
  4. Put your site in maintenance mode.
  5. Use composer to upgrade the module or theme files.
  6. Run the update.php script to update the database OR run `drush updb`.
  7. Test the site to ensure functionality.
  8. Disable maintenance mode.
Screenshot shows update for Drupal core using composer.

Above: Screenshot shows update for address module using composer.

4. Test updates on a staging environment/span>

What it is: Test updates on a staging environment before deploying them to your live site to ensure compatibility and prevent regression issues.

Positive impact: Testing updates in a staging environment reduces the risk of causing downtime or other issues on your live site.

Steps to implement:

  1. Set up a develop and staging environment that mirrors your live site.
  2. Apply the updates to the staging environment.
  3. Perform QA. Test the site thoroughly, checking for issues or incompatibilities.
  4. Apply the updates to the staging environment.
  5. Perform UAT. Test the site thoroughly, checking for issues or incompatibilities.
  6. Once satisfied, apply the updates to your live site (production).
sample development workflow

Above is a sample development workflow.

screenshot showing multiple environments

Above: Screenshot showing multiple environments.

5. Implement a strong backup and recovery plan

What it is: Maintain a robust backup and recovery plan to ensure you can quickly restore your site in case of any issues or security breaches.

Positive impact: A reliable backup and recovery plan minimises downtime and data loss, ensuring your site remains operational and secure.

Steps to implement:

  1. Determine the frequency of backups (daily, weekly or monthly) based on your site's needs.
  2. Use a reputable backup solution or service.
  3. Store backups in multiple, secure offsite locations.
  4. Test your backups regularly to ensure they’re functional.
  5. Create a recovery plan outlining the steps to restore your site from a backup.

6. Training and awareness

What it is: Educate your team on the importance of timely patching and maintenance of a website.

Positive impact: A knowledgeable team is more likely to spot potential issues and maintain a secure site.

Steps to implement:

  1. Provide regular security training for your team members.
  2. Share relevant security news, updates and best practices with your team.
  3. Encourage open communication and collaboration on security issues.
  4. Conduct security drills or simulations to test your team's preparedness.

Part 4 — The importance of Drupal patching

Maintaining a secure and up-to-date Drupal site is crucial to protect your site from potential threats and vulnerabilities. By following this comprehensive guide on application patching, you can take proactive measures to safeguard your site and ensure it runs smoothly without compromising security.

Using the 6 tips for Drupal patching from this article will help ensure your site is up-to-date and secure.

As technology continues to evolve, so too do the threats targeting web applications. Staying informed and taking appropriate action in response to emerging threats is vital for the long-term security of your Drupal site. Make sure to invest time and resources into regular site audits, user education, and staying updated on the latest security developments.

And, remember to leverage tools like Drupal360.io to track your site's metrics, including its security status, to help maintain a secure, high-performing and accessible website.

Part 5 — Our contribution to application patching

In this section, we share our experiences, expertise, and the ways we contribute to the Drupal community, specifically in the area of application patching. We also introduce our free audit tool, Drupal360.io, which tracks all metrics with a special focus on application patching.

Our three main areas of contribution are:

1. Case studies

We’ve worked with numerous clients, helping them maintain secure and up-to-date Drupal sites by applying the best practices of application patching. By following the strategies outlined in this guide, we’ve successfully protected our clients' websites from potential threats and vulnerabilities.

The Salsa Service Desk regularly performs patches for our ongoing support clients.

2. Drupal community involvement

We actively participate in the Drupal community by sharing our knowledge, contributing patches, and helping maintain the security of Drupal core and contributed modules. Our involvement in the community ensures that we stay up-to-date with the latest security trends and best practices.

Screenshot of community contributions by Salsa - https://www.drupal.org/salsa-digital.

Above: Screenshot of community contributions by Salsa - https://www.drupal.org/salsa-digitalExternal Link .

3. Introducing Drupal360.io

Our audit tool, Drupal360.io, tracks all metrics, including application patching, to help you maintain a secure, high-performing and accessible website. With Drupal360.io, you can self-assess your site's patching status and receive actionable insights to make informed decisions about necessary improvements. Drupal360 is in development, and will be released in alpha in the next month.

By sharing our expertise, contributing to the Drupal community, and providing valuable tools like Drupal360.io, we aim to help site owners maintain a secure and up-to-date Drupal site, ensuring the ongoing success and security of their web presence.

Part 6 — How we can help you with application patching

Our team of experts is here to help you with all aspects of Drupal patching services for your Drupal site. Our patching and related services cover:

  1. Salsa Support
  2. Drupal patch audits

1. Salsa Support

Salsa Enterprise Drupal Support can be used to monitor and apply patches as they become available. Our experienced team will ensure patches are applied correctly and tested thoroughly to minimise any potential issues or downtime. You can focus on your core business while we take care of your site's security and stability.

2. Drupal patch audits

Salsa's application patch audit evaluates your Drupal website's core, modules and themes to identify outdated components and available updates.

View Drupal patching services