November 18, 2011

Quick tips: applying Drupal security updates to your site

This is a quick post to go through some of the important factors to consider when applying security updates to your Drupal site. It's not always as easy as just downloading the updates and applying them. I've assembled a list of things we consider when we are updating our client sites. For our clients who are reading this post, this is what we do for the $$ you pay us each month!

Before you update

  • Read the issue queue before doing the update. See if other users are experiencing problems with the update. Sometimes an issue has no fix yet, so you may have to wait until a fix is released or a workaround is discovered. Quite often a second update is released shortly after the original one.
  • Read the release notes. They will give you a general idea of what was changed, so you know which new features you should definitely test.
  • Find out if your site has any dependencies on a specific version of the module or core that you are trying to update. If it does, you will need to find ways to eliminate those dependencies; otherwise you are stuck running the insecure version.
  • If the module is abandoned and it's a module you use frequently, consider talking to the module maintainer to see if you can become the maintainer (that is, if you are a Drupal developer). If another module replaces its functionality, consider switching to the replacement module instead.
  • After you download the new files, read the README.txt or UPGRADE.txt for any known issues.
  • Test it on your development environment first. If for some strange reason you have no development environment, read the next line.
  • This is the most important step. BACKUP YOUR FILES AND DATABASE!!!! In case things turn sour, at least you can roll back to the pre-upgrade state.
  • Consider deploying your changes during a less busy time.
  • Put your live site offline so that users won't see any errors while files are being transferred or the database is being updated to the new configuration.

After you update

  • Test as much as possible. Even though you tested on your development environment, your production server could have a different configuration and the updates could still break the live site. Make sure you catch issues before your users do.
  • Check /admin/reports/status to see if there are any outstanding issues that need to be resolved.
  • Put your site back online.

Tools to help you

  • Drush - saves you time. No need to download and unzip the new module. Just type "drush pm-update yourmodulename" on the command line.
  • Backup and Migrate module, phpMyAdmin or "drush sql-dump" to back up your database.
  • Use a version control tool such as Git or Subversion to track code changes made to your site. It will let you easily roll back any changes if things go wrong.
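The "Before you update" and "After you update" checklists above, together with the Drush tools just listed, fit naturally into one maintenance-window script. The script below is an added example and not code from the original post or from the Drupal or Drush projects. It assumes a Drupal 7 site managed with Drush (hence the maintenance_mode variable name), a MySQL database (so the dump produced by drush sql-dump ends with mysqldump's "-- Dump completed on" trailer), and placeholder paths in DRUPAL_ROOT and BACKUP_DIR. The one thing it adds to the checklist is a sanity check on the backup: a dump that is empty or truncated is only discovered when you try to roll back, so the script refuses to take the site offline until the dump looks complete.

```shell
#!/bin/sh
# Added example (not from the original post): run a Drupal security update
# with the backup, offline, update, status-check sequence from the checklist.
# Assumed placeholders: DRUPAL_ROOT, BACKUP_DIR, and the module name argument.
set -eu

DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www/example-site}"   # placeholder path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"        # placeholder path
MODULE="${1:-}"                                        # e.g. "views"; empty = all updates

# Return 0 only if the SQL dump looks complete: non-empty and ending with
# mysqldump's closing marker. A truncated backup is worse than none.
dump_is_complete() {
  dump="$1"
  [ -s "$dump" ] || return 1
  tail -n 5 "$dump" | grep -q '^-- Dump completed' || return 1
  return 0
}

# Timestamped backup name so repeated runs never overwrite each other.
# $1 = base name, $2 = timestamp (YYYYmmdd-HHMMSS)
backup_name() {
  printf '%s-%s.sql\n' "$1" "$2"
}

main() {
  stamp=$(date -u +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  db_dump="$BACKUP_DIR/$(backup_name db "$stamp")"
  files_tar="$BACKUP_DIR/files-$stamp.tar.gz"

  cd "$DRUPAL_ROOT"

  # 1. Back up the database and the whole docroot (code + sites/*/files)
  #    before touching anything, and verify the dump before going further.
  drush sql-dump --result-file="$db_dump"
  if ! dump_is_complete "$db_dump"; then
    echo "database dump $db_dump is empty or truncated; aborting" >&2
    exit 1
  fi
  tar -czf "$files_tar" .
  echo "backups written: $db_dump $files_tar"

  # 2. Take the site offline so visitors don't see errors mid-update.
  drush vset maintenance_mode 1
  drush cache-clear all

  # 3. Apply the update. pm-update downloads the new code and then offers
  #    to run the pending database updates (update.php) for you.
  if [ -n "$MODULE" ]; then
    drush pm-update "$MODULE" --yes
  else
    drush pm-update --yes
  fi
  drush updatedb --yes

  # 4. Show the same checks as /admin/reports/status from the CLI
  #    (core-requirements is the Drush 5+ command for the status report).
  drush core-requirements

  # 5. Deliberately stay offline: test the site by hand first, then run
  #    "drush vset maintenance_mode 0". To roll back instead:
  #    drush sql-cli < "$db_dump"  and restore the tarball (or git checkout).
  echo "site still in maintenance mode; test, then: drush vset maintenance_mode 0"
}

# Only run the update when explicitly asked, so the helper functions can be
# sourced or tested without touching a site.
if [ "${RUN_UPDATE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_UPDATE=1 ./drupal-update.sh views` from a shell where drush is on the PATH. If the code tree is under Git or Subversion, commit before running it so the rollback is a single checkout rather than a tarball restore; the database dump is still needed because updatedb changes the schema and version control does not cover that.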