Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Services Security Updates
This page is used as documentation for Services Security. It is unfortunate that issues come up that affect Services, but running the latest version of Services should help mitigate any issues.
If you see an issue and think it is security related, please follow the instructions here
SA # - . Due to a bug in Services that was committed, all passwords that are registered through Services 3.7 and up would be set 1 ( users from July 30th, 2013). There is a long discussion about how it was fixed here. Services update 7401 will reset the passwords of users and this was required by the SA team for Drupal. That being said, there are examples of why you don't need to run this update. If any of the following applies to you, you may set the variable "services_skip_security_update_7401" to TRUE and then run the update.
- Users were never registered through Services Stock user resource.
- Services module was not enabled.
- Services user Resource was never enabled.
- You used a custom resource to create/register users.
- Your Drupal site with services enabled does not use core Drupal user module. IE, you have a SSO provider who handles registration.
- Site was never upgraded to Services 3.6 or beyond.
Help improve this page
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion
