Application Launcher

Date Published: February 10, 2022

Issue

How can I stay informed about Drupal security updates?

Resolution

Staying on top of updates to Internet software is a big responsibility. It's critical to the security of your website and yet can take a lot of time. The traditional advice about updates is to subscribe to the updates mailing list: that works well for most projects.

For broad software projects like Drupal, however, that advice is increasingly unmanageable. Drupal update emails cover not just Drupal core, but also many of the contributed modules, themes, and distributions available on drupal.org - over 20,000 of them. Any individual website may have 50, 100, or more. So, if you sign up to get emails about security issues across 20,000 modules and you only care about 200 of them, the chances of getting a message about a module you don't need are very high.

Here are some ways you can receive updates; see which one is the best for you.

Note for Acquia subscribers

With an additional subscription, Acquia customers can enable the Remote Site Administration service, which, depending on your preferences, provides you a range of automatic update services - from informing you of necessary patches to complete module deployment.

Method	Pros	Cons
Enable the Update core module with security focused settings (configured at Administration > Reports > Available Updates)	It's a focused report to your needs on your website. It can be sent to multiple inboxes, including a ticketing system or support team.	This relies on the cron mechanism. In Drupal 7, you can either set up cron to run on your server (for example, using crontab), or it runs using the so-called poor man's Cron, which runs periodically after a page visit by a website visitor. If Cron isn't working, this won't work for you. If email from your server isn't working, then this report won't be delivered to you. It can negatively impact performance. We recommend using it on test environments because the production server shouldn't need to spend time and resources on polling drupal.org.
Subscribe to the security notification newsletter	You get all the important information as soon as possible. It can can help give you an idea of trends in issues; for example, CSRF is less common now than it once was, and seeing the advisories helps you realize that.	It has an overwhelming amount of information about core and all other projects, which is very likely more than you need when managing your specific websites with specific modules.
Follow @drupalsecurity on Twitter	This is fast and simple for people who love Twitter. You can place it into a high-importance Twitter list that you can check before visiting other parts of Twitter.	Twitter content tends to be easily forgotten. The Twitter feed contains updates about all content, leading to the same overload problem that you have with the mailing list.
Subscribe to one of the RSS feeds from drupal.org/security and sub-tabs	There are separate feeds for Core, Contrib, and Public service announcements (PSAs). It's formatted for easy import into systems (for example, ticketing systems) that can import from RSS. It can be paired with a tool like If this then that to trigger other events. These events could include scripts to start automated testing of a new build, email alerts, and so on.	For personal consumption, it may get lost among other RSS items. The `/contrib` feed still shows information about projects you may not need.
Use Drush to apply security updates	Drush is highly customizable for integration with other systems. It's very specific to the needs of your websites. If you're monitoring with a tool like Nagios, it could create an alert if there's no data at all (for example, to prevent problems with cron not running).	Drush requires special access (that is, SSH) and some extra work on the server.

Staying aware of Drupal security updates

Issue

Resolution