Hi,

I lately read about the newest WordPress and Drupal version releases, which both included major security risk fixes. WordPress fixed a cross-site scripting issue with 4.01 and Drupal fixed an SQL injection with 7.32 and another issue with 7.34.

I'm a developer who uses both systems. Mostly Drupal but also WordPress when requested. However, I am a freelancer and I do not have the time to monitor all sites and their versions. This is a flaw, I know. These issues are however serious and must be dealt with. WordPress has created an automated update process, or a manual one with the push of a button, something Drupal has not.

The fastest way for me to update Drupal is to back up the site and database via SSH, wget the new package, delete all old folders, unpack the package, move the files and run update.php. This requires a set of technical skills which a normal client does not possess. However, in WordPress, a person who does not possess these skills can easily update their version to be secure.

Does anyone have a clue if this improvement might be introduced in the upcoming versions of Drupal or if there is some sort of easy script for completing the update for a person of low technical skill?
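As an added illustration (not part of the thread, not Drupal's own tooling), here is the manual procedure from the post mechanised as POSIX shell functions: back up the webroot, swap the core files, and keep the site-owned paths (sites/, .htaccess, robots.txt are assumed to be the ones to preserve). Running update.php or `drush updatedb` and dumping the database afterwards is left to the operator.

```shell
#!/bin/sh
# Added example: automates the Drupal 7 core file swap described in the post.
# Assumptions: a stock Drupal 7 layout, the new release already unpacked into
# NEWCORE (e.g. drupal-7.34/), and POSIX sh plus tar/mktemp available.
set -eu

# Paths that belong to the site rather than to core; they must survive the swap.
SITE_OWNED="sites .htaccess robots.txt"

# backup_webroot WEBROOT BACKUP_DIR: tar the whole webroot, print archive path.
backup_webroot() {
    webroot=$1; backup_dir=$2
    mkdir -p "$backup_dir"
    archive="$backup_dir/webroot-$(date +%Y%m%d-%H%M%S).tar"
    tar -cf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
    printf '%s\n' "$archive"
}

# swap_core WEBROOT NEWCORE: replace every core file with the new release's
# copy while keeping the site-owned paths exactly as they were.
swap_core() {
    webroot=$1; newcore=$2
    keep=$(mktemp -d "$(dirname "$webroot")/keep.XXXXXX")
    for p in $SITE_OWNED; do
        if [ -e "$webroot/$p" ]; then mv "$webroot/$p" "$keep/"; fi
    done
    # "Delete all old folders, unpack the package, move the files."
    rm -rf "$webroot"
    mkdir "$webroot"
    cp -R "$newcore/." "$webroot/"
    # Put the site's own files back over whatever the tarball shipped.
    for p in $SITE_OWNED; do
        if [ -e "$keep/$p" ]; then
            rm -rf "$webroot/$p"
            mv "$keep/$p" "$webroot/$p"
        fi
    done
    rmdir "$keep"
}

# update_core WEBROOT NEWCORE BACKUP_DIR: backup first, then swap; prints the
# archive path so a rollback is always possible if update.php fails.
# The database dump (mysqldump or "drush sql-dump") needs site credentials
# and is intentionally left to the operator.
update_core() {
    archive=$(backup_webroot "$1" "$3")
    swap_core "$1" "$2"
    printf '%s\n' "$archive"
}
```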

Comments

jdrichmond

I understand your problem. We currently host about 80 websites for clients, mostly Drupal. I have three tools that I use to update websites and protect against vulnerabilities.

1. CloudFlare - Provides SSL encryption and a Web Application Firewall. The Web Application Firewall settings can be tuned to a specific development platform. This won't stop all attacks, but it is better than having nothing. Recently Google posted a blog that encourages encryption for the entire website. I decided to redirect all traffic for sites that use CloudFlare to HTTPS. We only use CloudFlare for websites that need security, but it can be used on all websites if you are willing to spend a little more money.
2. Drush - The way that we perform updates is through a command line tool called Drush. If you have access to the command line then it is the fastest way to update core, contributed modules, and the database. Just make sure to update the file permissions when you are done. (https://github.com/drush-ops/drush)
3. Daily Backups - Sometimes the best offense is the best defense. Even though we have great tools to protect against attacks there are times when compromises still occur. In those cases, having good backups in place is important. With the recent Drupal 7 vulnerability we had a few websites compromised and the backups saved us a lot of time.

Lawrence

Modules have a pretty good update method, I'd imagine Drupal is going to implement something similar for core very soon. I'm not sure why it hasn't been implemented yet, but I'm also sure there are very good reasons.

For now, as the previous comment suggests, have good security practices, secure your environment, and secure those backups. A backup is the only 100% foolproof method of recovering from a disaster scenario if one were to happen.

Jaypan

Core hasn't been implemented because automatic updates will break many people's sites.