
Drupal security: don't skimp on a preventive maintenance contract!

Published on 04 June 2015

Drupal has a reputation for being one of the best-maintained CMSs when it comes to security, as long as preventive maintenance is actually carried out, and within a reasonable time. In practice we see it underestimated again and again, and we receive more and more urgent requests from sites that are already in trouble, with all the constraints that come with working in "panic" mode. Yet it is the key to keeping a Drupal site stable, reliable and secure. Here are some tips for organizing your preventive maintenance:

Monitoring – Security news

Start by reading and following the security announcements. To do so:

  • Subscribe to the security newsletter on drupal.org: log in, open your user profile, click the Edit tab and then My newsletters, and tick Security announcements.
  • Follow the @drupalsecurity Twitter account.
  • Subscribe to the security RSS feeds for core (https://www.drupal.org/security/rss.xml), contributed projects (https://www.drupal.org/security/contrib/rss.xml) and public service announcements (https://www.drupal.org/security/psa/rss.xml).

This way you are informed as soon as a security update is released. Apply it as soon as you can. The SQL injection vulnerability in Drupal core fixed on October 15, 2014 (Drupal 7.32) showed how short the window can be: automated attacks started within hours of the announcement, and the Drupal security team later advised that any Drupal 7 site not patched within seven hours of the release should be assumed to be compromised. That case was exceptional. For most advisories, applying the fix within a week of release is enough to stay ahead of opportunistic, automated attacks; treat the week as the outer limit, not the target.

Internally, the bluedrop.fr team feeds the drupal.org security RSS feeds into Slack, so the whole team sees a security update the moment it is published. We share this "security" channel with the clients who have a maintenance contract with us: the alerts are visible to all parties, and we cannot be held responsible for an update being missed.
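As an added illustration of the feed-to-chat integration described above (this script is not the bluedrop.fr team's own code), the following POSIX shell script reads a security RSS feed, remembers in a state file which advisories it has already seen, and hands only the new ones to a notifier. It runs offline on a constructed feed sample embedded in the script; SLACK_WEBHOOK_URL and DRUPAL_SA_STATE are assumed variable names, and the second feed item is made up.

```sh
#!/bin/sh
# Added example (not code from the bluedrop.fr post): turn the drupal.org
# security RSS feeds into "only what is new since the last run" alerts and
# hand each one to a notifier: a Slack incoming webhook when configured,
# stdout otherwise. Run it from cron; it is offline-safe on the sample below.
set -eu

# Constructed feed sample, simplified to one tag per line. The first item is
# the real SA-CORE-2014-005 advisory mentioned in the article; the second is a
# made-up placeholder that exists only to exercise the code.
SAMPLE_FEED='<rss><channel>
<title>Drupal core security advisories</title>
<link>https://www.drupal.org/security</link>
<item>
<title>SA-CORE-2014-005 - Drupal core - SQL injection</title>
<link>https://www.drupal.org/SA-CORE-2014-005</link>
</item>
<item>
<title>SA-CONTRIB-2015-999 - Example module - Access bypass (constructed)</title>
<link>https://www.drupal.org/node/0</link>
</item>
</channel></rss>'

# Read an RSS document on stdin and print "title<TAB>link" for each advisory.
# Only titles starting with SA- or PSA- count, so the channel's own title and
# link at the top of the real feed are skipped.
feed_items() {
  awk '
    /<title>/ { t = $0; sub(/.*<title>/, "", t); sub(/<\/title>.*/, "", t) }
    /<link>/  { l = $0; sub(/.*<link>/, "", l); sub(/<\/link>.*/, "", l)
                if (t ~ /^(SA|PSA)-/) print t "\t" l }
  '
}

# Print the advisories whose link is not yet in the state file ($1) and add
# them to it, so every advisory is announced exactly once. Feed on stdin.
new_advisories() {
  state="$1"
  tab="$(printf '\t')"
  touch "$state"
  feed_items | while IFS="$tab" read -r title link; do
    if ! grep -qxF -- "$link" "$state"; then
      printf '%s\t%s\n' "$title" "$link"
      printf '%s\n' "$link" >> "$state"
    fi
  done
}

# Deliver one alert. SLACK_WEBHOOK_URL is an assumed environment variable:
# when set, post to that Slack incoming webhook; when unset (offline run),
# print. Advisory titles contain no double quotes, so no JSON escaping is done.
notify() {
  if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
    curl -sS -X POST -H 'Content-Type: application/json' \
      --data "{\"text\": \"$1\"}" "$SLACK_WEBHOOK_URL" > /dev/null
  else
    printf 'ALERT: %s\n' "$1"
  fi
}

# Demo on the sample. In cron, point DRUPAL_SA_STATE (assumed variable) at a
# persistent file and replace the printf with the real feed, for example:
#   curl -sS https://www.drupal.org/security/rss.xml
STATE="${DRUPAL_SA_STATE:-$(mktemp)}"
printf '%s\n' "$SAMPLE_FEED" | new_advisories "$STATE" \
  | while IFS="$(printf '\t')" read -r title link; do
      notify "$title <$link>"
    done
```

Running it twice against the same state file announces the two sample advisories once and then stays silent, which is the property you want from a cron job: an alert channel that repeats old advisories every hour is one people learn to ignore.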

Update reports

The status report (at /admin/reports/status) and the available updates report (at /admin/reports/updates, provided by the Update manager module) flag problems with your Drupal site, including security-relevant ones: a core or module release you are behind on, or database updates that still need to be run. Check them regularly. We recommend doing this on the development or staging server: the Update manager checks drupal.org for new releases from cron, which costs resources for nothing on production and can degrade the site's performance, so disable the module there.

Also enter your email address at /admin/reports/updates/settings to be notified by email when an update is available for core or any of your modules; the same page lets you restrict the notifications to security updates only.

Drush, the magic tool

Installing module and core updates by hand isn't complicated, but it is tedious and error-prone. To save time when updating your modules and Drupal core, use Drush.

Here are a few useful commands:

drush pm-update

updates Drupal core, modules and themes and then runs the pending database updates, all in one go (alias: drush up).

If you don't want to run everything with one command, use these two (the first updates the code, the second runs the database updates; never skip the second, because a module whose schema updates are still pending is a broken module):

drush pm-updatecode
drush updatedb

To update a single project, give drush up its machine name; to apply only the security updates and leave the other releases for later, use --security-only:

drush up views
drush up --security-only

To list the projects with updates available without installing anything (on Drush 6 and later, drush pm-updatestatus, alias ups, gives the same information as a report), use:

drush pm-update --pipe

Don’t hack the core

In Drupal jargon, "hacking" means editing the code of Drupal core or of a contributed module directly. Avoid it: every change made to core or to a module is lost the moment that project is updated, and the fear of losing those changes is exactly what leads teams to postpone security updates. An unexplained modification in core also looks the same as one left by an attacker, so a clean tree is far easier to audit.

If you didn't develop the site yourself, you may not know whether its code has been hacked. There is a module for exactly this: Hacked!, which re-downloads the releases you have installed, compares them with the files on disk and reports the ones that differ.

If the check shows that your Drupal core (or a module) has been hacked, extract the changes into a patch file, for example with diff -ru against a pristine copy of the same release, and keep that patch under version control with the rest of the site. After each update you only need to apply the patch again (patch -p1) to restore your changes; a hunk that no longer applies tells you exactly where the new release touched the same code.
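The detection and patch workflow of the last two paragraphs, as an added example that is neither the post's code nor the Hacked! module's: a checksum comparison between a pristine release and the deployed tree, followed by extraction of the differences into a unified patch and a re-apply onto a fresh copy. It assumes GNU coreutils sha256sum, diff and patch; the "pristine" and "site" trees it builds are constructed stand-ins for a Drupal release, not real Drupal files.

```sh
#!/bin/sh
# Added example, not code from the post nor from the Hacked! module: compare a
# deployed Drupal tree with the pristine release it claims to be, report every
# modified, added or missing file, and capture the intentional changes as a
# patch to re-apply after the next core update. Assumes GNU sha256sum, diff
# and patch; the sample trees below are constructed, not real Drupal code.
set -eu

# sha256 manifest of every file under $1 ("<hash>  ./path", sorted by path).
manifest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Compare pristine tree $1 with deployed tree $2. One line per difference:
# "M path" modified, "A path" added (absent from the release, e.g. a dropped
# web shell, which a comparison limited to the release's own files would
# miss), "D path" deleted. Prints nothing when the trees match.
hacked_files() {
  p=$(mktemp); s=$(mktemp)
  manifest "$1" > "$p"
  manifest "$2" > "$s"
  awk 'NR == FNR { pristine[$2] = $1; next }
       { seen[$2] = 1
         if (!($2 in pristine))       print "A " $2
         else if (pristine[$2] != $1) print "M " $2 }
       END { for (f in pristine) if (!(f in seen)) print "D " f }' "$p" "$s" \
    | LC_ALL=C sort
  rm -f "$p" "$s"
}

# Write the differences between trees $2 and $3 (both relative to directory
# $1, so the patch applies with -p1) as a unified patch to $4; -N includes
# added and removed files. diff exits 1 when files differ, which is expected.
make_patch() {
  (cd "$1" && diff -ruN "$2" "$3") > "$4" || [ $? -eq 1 ]
}

# Constructed sample under $1: a "pristine" release, and a deployed "site" with
# one hacked core file, one extra file and one missing file.
build_sample_trees() {
  mkdir -p "$1/pristine/includes" "$1/site/includes" "$1/site/sites/default/files"
  printf '<?php\n// constructed stand-in for a core file\nfunction drupal_bootstrap() {}\n' \
    > "$1/pristine/includes/bootstrap.inc"
  printf 'constructed changelog\n' > "$1/pristine/CHANGELOG.txt"
  printf '<?php\n// constructed stand-in for a core file\nfunction drupal_bootstrap() {}\n// local change: hack that must survive updates\n' \
    > "$1/site/includes/bootstrap.inc"
  printf '<?php // constructed: unexpected extra file, investigate before patching\n' \
    > "$1/site/sites/default/files/extra.php"
}

# Demo: detect, capture, then re-apply onto a fresh copy of the release.
# Review site.patch before keeping it: the hunk adding extra.php is not a
# change you made; drop it from the patch (and investigate the file), or
# re-applying the patch will reinstall it on every update.
ROOT=$(mktemp -d)
build_sample_trees "$ROOT"
echo "Differences from the release:"
hacked_files "$ROOT/pristine" "$ROOT/site"
make_patch "$ROOT" pristine site "$ROOT/site.patch"
if command -v patch > /dev/null 2>&1; then
  cp -R "$ROOT/pristine" "$ROOT/updated"   # stands in for the freshly updated core
  (cd "$ROOT/updated" && patch -p1 -s < "$ROOT/site.patch") \
    || echo "patch reported a problem; review $ROOT/site.patch by hand"
  echo "After re-applying the patch:"
  hacked_files "$ROOT/pristine" "$ROOT/updated"
fi
```

The "A" lines are the ones to read first after an incident: a modified core file is usually a developer's shortcut, but a file that does not belong to any release, especially a PHP file under sites/default/files, is the classic footprint of a compromise, and it is precisely the case a per-project comparison never reports.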

Industrialize your hosting infrastructure

  • Never make a change on the production site without first checking, on the development environment, that it works and does not stop the site from running correctly.
  • Set up automatic backups of your database (and of the uploaded files) and check regularly that the backups are actually produced and can be restored; a backup that has never been restored is an assumption, not a backup.
  • Use a version control system; it is useful in many contexts. It shows you exactly what changed on your site during an update, and it lets you detect a compromise by comparing the code on the server with the version in the repository. Every change becomes a new "version" of the code.
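The "check that the backups are working" item deserves more than a glance at a directory listing. The following added example (not from the post) is a cron-friendly check that the newest dump is fresh, is an intact gzip archive, is not suspiciously small, and carries the trailer mysqldump writes only when it finished. It assumes gzipped mysqldump output in one directory, named like drupal-20150604-1000.sql.gz; the sample dumps it creates are constructed.

```sh
#!/bin/sh
# Added example, not code from the post: a check that the automatic database
# backup is actually producing usable dumps, meant for cron on the staging
# server. It is not a backup script; it verifies freshness, gzip integrity,
# a minimum size and the mysqldump completion trailer. Assumed layout:
# gzipped mysqldump output named drupal-YYYYmmdd-HHMM.sql.gz in one directory.
set -eu

# Newest *.sql.gz in directory $1 (full path), or nothing if there is none.
latest_dump() {
  ls -t "$1"/*.sql.gz 2> /dev/null | head -n 1
}

# Check one dump: $1 path, $2 maximum age in minutes, $3 minimum size in bytes.
# Returns 0 and prints OK, or prints the first failing reason and returns 1.
check_dump() {
  dump="$1"; max_age="$2"; min_size="$3"
  [ -n "$dump" ] && [ -f "$dump" ] || { echo "FAIL: no dump file found"; return 1; }
  # find -mmin +N selects files modified more than N minutes ago: a stale
  # newest dump means the backup job has silently stopped running.
  if [ -n "$(find "$dump" -mmin +"$max_age")" ]; then
    echo "FAIL: $dump is older than $max_age minutes"; return 1
  fi
  # A truncated or corrupt archive (disk full during the dump) fails here.
  if ! gzip -t "$dump" 2> /dev/null; then
    echo "FAIL: $dump is not a valid gzip archive"; return 1
  fi
  # A dump of an empty database or of a failed connection is tiny.
  size=$(wc -c < "$dump" | tr -d ' ')
  if [ "$size" -lt "$min_size" ]; then
    echo "FAIL: $dump is only $size bytes"; return 1
  fi
  # mysqldump writes this trailer only when it finished; its absence means the
  # dump was cut short even though the gzip stream itself is intact.
  if ! gzip -dc "$dump" | tail -n 3 | grep -q '^-- Dump completed'; then
    echo "FAIL: $dump has no '-- Dump completed' trailer"; return 1
  fi
  echo "OK: $dump"
}

# Constructed sample dumps under $1: one good, one cut short, one corrupt.
make_sample_dumps() {
  mkdir -p "$1/good" "$1/bad"
  printf '%s\n' \
    '-- MySQL dump (constructed sample, not a real database)' \
    'CREATE TABLE `users` (`uid` int NOT NULL);' \
    'INSERT INTO `users` VALUES (1);' \
    '-- Dump completed on 2015-06-04 10:00:00' \
    | gzip -c > "$1/good/drupal-20150604-1000.sql.gz"
  printf '%s\n' \
    '-- MySQL dump (constructed sample, cut short)' \
    'CREATE TABLE `users` (`uid` int NOT NULL);' \
    | gzip -c > "$1/bad/drupal-20150603-1000.sql.gz"
  printf 'this is not gzip data\n' > "$1/bad/drupal-20150602-1000.sql.gz"
}

# Demo. For a real site use a minimum size of a few megabytes and an age
# limit a little above the backup interval (1440 minutes = one day).
DUMPS=$(mktemp -d)
make_sample_dumps "$DUMPS"
check_dump "$(latest_dump "$DUMPS/good")" 1440 50
for f in "$DUMPS"/bad/*.sql.gz; do
  check_dump "$f" 1440 50 || true
done
```

Wire the check into the same cron that sends you security alerts, and alert on a non-zero exit: the day you need the dump is the wrong day to discover that the disk filled up three weeks ago.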

In conclusion

For an "average" site (in functional and technical scope), security updates take between 2 and 4 hours a month. Bluedrop.fr now offers a hosting platform built for Drupal, with multiple environments, performance optimization by default, version control (Git) and a simplified integration procedure. All our hosting contracts include preventive maintenance for the Drupal sites we host. Better safe than... sleepless!

Sofiane Abidi and Christophe Dugué @chdugue
