Operating Drupal Securely: Keeping Core, Modules, and Themes Up to Date

A Drupal website is only permanently secure if the system is regularly maintained. This includes updates for Drupal core, installed modules, themes, PHP dependencies, database changes, backups, and a thorough check after each update. Drupal is considered a powerful and highly flexible content management system, but it is frequently used for complex websites, portals, member areas, multilingual projects, or custom applications. This is precisely why a structured update process is particularly important.

Updates are not just a matter of new features. They patch security vulnerabilities, fix bugs, improve compatibility with current PHP versions, and reduce the risk of attackers exploiting known flaws in outdated modules or themes. Publicly announced security advisories are especially critical, as automated attacks often emerge very quickly after their release.

In this article, you will learn how to update Drupal securely, what to consider before an update, how to make sensible use of maintenance mode, backups, and Composer, and which typical mistakes to avoid. This guide is aimed at website owners, agencies, and administrators who operate Drupal on a web hosting package, cPanel hosting, or a managed server.

Important: Never perform Drupal updates unprepared on a live production website. First, create a complete backup of both files and the database, check the compatibility of your modules, and plan a maintenance window for major updates.

Why Drupal Updates Are So Important

Drupal consists of several layers. Drupal core provides the basic functionality, modules extend the website with additional features, themes control the design, and Composer manages many technical dependencies in the background. A vulnerability can therefore arise not only in Drupal core, but also in an additional module, a theme, or a PHP library.

A common misconception is to apply updates only when a visible problem occurs on the website. However, security vulnerabilities are often invisible. A website can appear to function normally even though outdated components already contain known vulnerabilities. Especially for publicly accessible CMS websites, staying up to date is therefore a central component of technical security.

Regular updates help with the following points, among others:

  • Closing security vulnerabilities: Critical flaws in Drupal core, modules, or libraries are resolved through security updates.
  • Maintaining compatibility: New PHP versions, database versions, and server environments require up-to-date software versions.
  • Fixing bugs: Updates frequently contain bug fixes that improve stability and reliability.
  • Improving performance: Updated components can optimize caching, database queries, or internal processes.
  • Ensuring supportability: Outdated Drupal versions or unmaintained modules will eventually stop receiving security patches.

Which Components of a Drupal Website Need to Be Updated

With a Drupal website, you should not just keep an eye on the core. For secure operation, all relevant components must be maintained:

  • Drupal Core: The central Drupal installation with system functions, administration area, user management, routing, APIs, and default modules.
  • Contributed Modules: Additional modules from drupal.org, for example Pathauto, Webform, Redirect, Metatag, or Admin Toolbar.
  • Custom Modules: Individually developed modules programmed specifically for your website.
  • Themes: Design templates and frontend components, which may also require security or compatibility updates.
  • Composer Dependencies: PHP packages that Drupal or modules use in the background.
  • Database Schema: After certain updates, database changes must be executed so that the code and data structure match.
  • PHP Version: Depending on its version, Drupal requires a supported PHP version. An outdated PHP version can pose a security risk in itself.

Where to Identify Available Updates in Drupal

Drupal can display available updates in the administration area, provided the corresponding update module is active and the website is allowed to fetch external update information. Typically, you can find the overview under:

Reports -> Available updates

There you can see if the Drupal core, installed modules, or themes are outdated. Security-related updates are usually highlighted. In addition, it is recommended to regularly monitor official Drupal security advisories, especially for business-critical websites, customer portals, or projects with user accounts.

The update overview is a good starting point, but it does not replace a full maintenance process. Especially for Composer-based installations, updates should not just be viewed in the browser, but should be technically planned and deployed cleanly via Composer.

Practical Tip: Do not just check for updates occasionally, but follow a fixed schedule. For production websites, a monthly check is recommended. For published security updates, you should react much faster.

Recommended Update Process for Drupal

A secure Drupal update process does not consist of a single click, but rather several controlled steps. The more important the website is, the more consistently this sequence should be followed.

  1. Check current status: Note the Drupal version, PHP version, installed modules, themes, and any known specificities of the website.
  2. Create a backup: Back up files and the database completely before making any changes.
  3. Read release notes: Check if there are special instructions, new requirements, or known issues.
  4. Check compatibility: Ensure that key modules and themes are compatible with the target version.
  5. Use a test environment: Apply major updates to a copy of the website first.
  6. Activate maintenance mode: Protect the live website from changes by visitors or editors during the update.
  7. Perform the update: Update the core, modules, themes, and dependencies via Composer or the appropriate maintenance path.
  8. Run database updates: Execute necessary database updates, for example via update.php or Drush.
  9. Clear cache: Clear the Drupal cache and, if necessary, external caches as well.
  10. Test the website: Check the frontend, login, forms, navigation, media, search functions, and critical workflows.
  11. Deactivate maintenance mode: Do not bring the website back online until the check is fully successful.
  12. Document: Record what was updated and whether there were any specific anomalies.

Step 1: Create a Backup Before Every Drupal Update

A full backup is the most important safety net before any update. If an error occurs during the update, you can restore the website to its previous state. A file-only backup is insufficient because Drupal stores essential content and configurations in the database.

Before an update, back up at least:

  • Files: Drupal core, modules, themes, Composer files, and uploads in the sites/default/files directory.
  • Database: Content, users, configurations, menus, blocks, views, and much more website data.
  • Configuration files: Especially settings.php, services.yml, composer.json, and composer.lock.
  • Custom code: Custom modules, custom themes, and project-specific adaptations.

At CURIAWEB, depending on your hosting setup, you can create backups via cPanel, Softaculous, or other available backup features. For example, use the Softaculous backup feature if your Drupal installation is managed via Softaculous.

Backup Rule: A backup is only truly useful if you know how to restore it. Therefore, regularly check whether restore processes work for important projects.

Step 2: Activate Maintenance Mode

Before an update, you should activate maintenance mode. This prevents visitors or editors from changing content, submitting forms, or starting processes while the code and database are being modified.

You can typically find maintenance mode in Drupal under:

Configuration -> Development -> Maintenance mode

Enable the option Put site into maintenance mode there and provide a clear message for visitors. A good maintenance message is short, transparent, and contains no technical details that could be of interest to attackers.

Example of a suitable message:

Our website is currently being updated and will be available again shortly. Thank you for your understanding.

For business-critical websites, you should schedule updates outside of peak usage hours. Inform internal editors or customers in advance so that no parallel changes are made during the maintenance window.

Step 3: Update Drupal Core with Composer

For modern Drupal installations, Composer is the recommended way to manage Drupal core, modules, themes, and PHP dependencies consistently. Composer takes dependencies into account and ensures that related packages are installed in compatible versions.

The exact Composer command can vary depending on the project structure. Frequently, Drupal core is managed via packages such as drupal/core-recommended, drupal/core-composer-scaffold, and drupal/core-project-message. A typical update might look like this, for example:

composer update "drupal/core-*" --with-all-dependencies

The --with-all-dependencies parameter is important because Drupal and its packages have dependencies that must also be adjusted during an update. After the Composer update, you should verify that the composer.json and composer.lock files have been correctly updated.

If you use SSH access, you can run Composer directly on the server. For complex Drupal projects, this is usually more reliable than manual file uploads via FTP. For more information, read our article on SSH access.

Note: If your Drupal website was not installed with Composer, you should check whether migrating to a Composer-based structure makes sense before major updates. For current Drupal projects, Composer is the standard approach in practice.

Step 4: Update Modules and Themes

In addition to Drupal core, contributed modules and themes must also be kept up to date. Popular modules such as Webform, Pathauto, Redirect, Metatag, Token, or Admin Toolbar receive regular updates. Some updates only fix minor bugs, while others are security-related.

An individual module can be updated with Composer like this, for example:

composer update drupal/modulename --with-all-dependencies

Depending on the project, all updateable packages can be checked with a general Composer update. For production websites, however, you should be careful and not update all packages uncontrollably if you do not have a test environment. The more components changed simultaneously, the more difficult troubleshooting becomes.

Pay close attention to the following points regarding modules:

  • Project status: Is the module actively maintained?
  • Drupal compatibility: Does the module support your Drupal version?
  • Security coverage: Is the module covered by the Drupal security advisory policy?
  • Release notes: Are there any breaking changes or modified configuration options?
  • Dependencies: Does the module require other modules or PHP packages?

Step 5: Run Database Updates

After a Drupal update, database updates must frequently be executed. These adjustments ensure that new code versions work together with the existing database structure. If you skip this step, error messages, broken administrative pages, or incomplete features may occur.

The traditional method is accessed via:

https://your-domain.ch/update.php

Depending on the configuration, you must be logged in as an administrator or temporarily set specific update permissions. Follow the instructions on the screen and execute all pending database updates.

If Drush is available, the database update can also be run via the command line:

drush updatedb

The cache should then be cleared:

drush cache:rebuild

Even if you use update.php in the browser, you should clear the Drupal cache afterward so that new routes, configurations, templates, and services are loaded correctly.

Step 6: Test the Website Thoroughly After the Update

An update is only complete once the website has been checked. Test not only the homepage, but all business-critical functions. Many issues only appear in forms, the login area, multilingual content, views, or custom modules.

Check at least the following after an update:

  • Frontend: Homepage, subpages, navigation, mobile view, and layout.
  • Backend: Login, administration menu, content overview, and configuration pages.
  • Forms: Contact form, webforms, registrations, and upload fields.
  • User roles: Access for administrators, editors, and regular users.
  • Media: Images, documents, responsive image styles, and file downloads.
  • SEO features: URL aliases, redirects, meta tags, sitemap, and canonical URLs.
  • Multilingualism: Language switcher, translations, and language-dependent menus.
  • Performance: Load times, caching behavior, and error messages in the log.

Additionally, open the Drupal logs under Reports -> Recent log messages. There you can often identify warnings, PHP errors, missing files, or module issues faster than in the frontend.

Security Updates Take Priority

Not every update is equally urgent. A minor bugfix update can be scheduled, whereas a critical security update should be deployed promptly. When a Drupal security advisory is published, it is important to check quickly whether your website is affected.

Consider the following:

  • Is the affected component installed on your website?
  • Is the module enabled, or does it just exist in the code?
  • Does the vulnerability affect anonymous visitors or only logged-in users?
  • Is there a recommended immediate mitigation, or only an update?
  • Is an exploit likely or already publicly known?

For critical advisories, do not wait several weeks. Plan a short test, create a backup, and apply the update as quickly as reasonably possible.

Security Tip: Subscribe to Drupal security advisories or check them regularly. This way, you will find out early if core, modules, or themes require a security-relevant update.

Composer, composer.lock, and Reproducible Updates

In Composer-based Drupal projects, the composer.lock file is particularly important. It records exactly which package versions are actually installed. This allows the exact same version to be installed reproducibly across test, staging, and production environments.

When you perform an update locally or in a test environment, you should transfer the updated composer.lock along with composer.json. On the production system, exactly the verified state can then be installed using the following command:

composer install --no-dev --optimize-autoloader

This workflow is especially useful for agencies and professional projects. It reduces the risk of different package versions being installed on the live system compared to the test environment.

Manual Updates via FTP: When Is Caution Advised?

Older Drupal guides sometimes describe manual updates via FTP. This involves downloading files, unpacking them, and transferring them to the server. For modern Drupal installations, this method is prone to errors, especially when Composer dependencies are involved.

Manual file updates can be problematic because:

  • Dependencies are not automatically updated,
  • Files can be accidentally overwritten or forgotten,
  • Composer-based projects become inconsistent as a result,
  • Custom modifications in the wrong directories can be lost,
  • Troubleshooting after an incomplete upload is time-consuming.

If your website is still maintained manually, you should document exactly which files are being replaced before major updates. In the long term, Composer-based maintenance is generally recommended for modern Drupal projects.

Typical Mistakes in Drupal Updates

Many update problems are caused not by Drupal itself, but by incomplete preparation or a lack of verification. You should avoid the following mistakes:

  • No backup: Without a backup, a faulty update can lead to prolonged downtime.
  • Updates directly on live: Major updates should first be tested in a test environment.
  • Forgetting maintenance mode: Visitors or editors can trigger changes during the update.
  • Database update skipped: Code and database may not match afterward.
  • Cache not cleared: Drupal can cache old information, making it appear faulty.
  • Ignoring release notes: Critical notices regarding breaking changes are missed.
  • Too many changes at once: Changing the core, multiple modules, the theme, and the PHP version simultaneously makes troubleshooting difficult.
  • Keeping outdated modules: Unmaintained modules can become a security risk in the long run.

Update Strategy for Small Websites

For smaller Drupal websites without complex custom features, a streamlined but consistent process is often sufficient. Check for available updates monthly, create a backup, activate maintenance mode, perform the update, and test the most important pages and forms.

For simple websites, it is particularly important not to install unnecessarily many modules. Every additional module increases maintenance effort. Cleanly remove modules that are no longer needed via the Drupal uninstallation interface, and only delete them from the codebase afterward.

Update Strategy for Larger Drupal Projects

For more complex websites, portals, intranets, or multilingual projects, the update process should be organized more professionally. Ideally, use a staging environment, version control, and clear deployment steps.

A professional workflow can look like this:

  1. Copy the live website to a staging environment.
  2. Create a backup and Git snapshot.
  3. Perform updates via Composer in the staging environment.
  4. Run database updates and clear the cache.
  5. Perform automated or manual tests.
  6. Document changes.
  7. Deploy the verified changes to the production environment.
  8. Perform live testing and log verification.

This procedure requires a bit more planning but significantly reduces the risk of downtime. Especially for client projects, it is much more reliable than spontaneous updates directly in the live system.

Replacing Modules That Are No Longer Maintained

An important part of Drupal security is clean-up. Modules that are no longer actively maintained or do not support a current Drupal version should be replaced or removed. This applies especially to modules concerning forms, user permissions, file uploads, email sending, or external interfaces.

For problematic modules, check:

  • Is there a stable version for your Drupal version?
  • Has the module been updated in recent months or years?
  • Are there open security advisories?
  • Does a recommended successor project exist?
  • Can the functionality be replaced by Drupal core or another maintained module?

Do not simply remove a module via FTP. First, uninstall it in the Drupal backend under Extend -> Uninstall so that associated configurations and database entries are processed correctly. Only then should the code be removed.

Considering PHP Version and Hosting Environment

Drupal updates also depend on the server environment. A new Drupal version may require specific PHP versions or drop support for older ones. Therefore, check which PHP version your website uses and what requirements the target version has before major updates.

In cPanel, depending on the hosting package, you can often manage the PHP version and extensions. Ensure that required PHP extensions are active and that memory limits are sufficiently dimensioned. Drupal projects with many modules, Composer, and extensive configuration often require more resources than simple websites.

Our cPanel Web Hosting is suitable for Drupal projects where an up-to-date PHP configuration, SSL, databases, backups, and SSH access need to work together seamlessly.

SEO and GEO Advantages of a Maintained Drupal Website

Updates impact not only security, but also indirectly affect SEO and GEO, meaning traditional search engine optimization and discoverability in AI-based answer engines. A technically stable, fast, and secure website is crawled more reliably, less frequently interrupted by error pages, and offers consistent content.

For SEO and AI-SEO, the following points are particularly relevant:

  • Stable URLs: URL aliases and redirects should continue to function correctly after updates.
  • Fast load times: Up-to-date modules and optimized caches aid performance.
  • Error-free pages: 500 errors, broken forms, or PHP warnings can negatively affect trust and crawling.
  • Secure website: Malware, outdated components, or compromised pages harm visibility and reputation.
  • Clear structure: Well-maintained menus, metadata, and sitemaps support search engines and AI systems in understanding the content.

For businesses in Switzerland, it is also important that the website, domain, hosting, and technical maintenance work together reliably. A well-maintained Drupal installation on stable Swiss web hosting supports trust, data privacy, loading speeds, and long-term discoverability.

Checklist: Updating Drupal Securely

  • Check current Drupal, PHP, and module versions.
  • Read official security advisories and release notes.
  • Create a complete backup of files and the database.
  • Use a test or staging environment first for important websites.
  • Activate maintenance mode.
  • Perform updates via Composer whenever possible.
  • Execute database updates via update.php or Drush.
  • Clear the Drupal cache.
  • Test the frontend, backend, forms, roles, menus, and SEO features.
  • Check logs for errors.
  • Deactivate maintenance mode.
  • Document the update.

Frequently Asked Questions About Drupal Updates

How often should I update Drupal?

Check for available updates at least monthly. Security updates should be deployed much faster as soon as it is clear that your website is affected.

Can I install Drupal updates directly in the backend?

Depending on the Drupal version and project structure, certain administrative functions are visible in the backend. For modern and professional Drupal installations, however, Composer is generally the more reliable route because dependencies are cleanly managed.

Do I need to run update.php after every update?

If Drupal flags database updates, they must be executed. After core or module updates, you should always check whether pending database updates are present.

What do I do if an update breaks the website?

Do not bring the website back online prematurely. Check error messages, logs, Composer outputs, and database updates. If the issue cannot be resolved quickly, restore the previously created backup and analyze the cause in a test environment.

Are disabled modules also a risk?

Disabled or uninstalled modules are less critical than active modules, but they should still be cleaned up. Unnecessary code increases complexity and can lead to confusion during later work.

Should I enable automatic updates?

Automatic updates can be helpful, but they do not replace backups and testing. For business-critical Drupal websites, updates should be carried out in a controlled manner, especially if custom modules, themes, or integrations are used.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

User Management in Drupal: Securely Assigning Roles and Access Rights

User Management in Drupal: Assign Roles and Access Rights Securely Quick answer: Drupal...
Extending Drupal: How to Install and Manage Modules

Extending Drupal: How to install and manage modules Tailored functionality: why modules matter...
Drupal Basic Configuration: Managing Site Information and Maintenance Mode

Drupal Basic Configuration: Managing Website Info and Maintenance Mode Correctly After...
Managing Drupal Content

Managing Drupal Content: Using Pages, Articles, and Content Types Correctly Drupal is more...
Drupal Layout Design: How to Manage and Create Content Blocks

Drupal Layout Design: Creating, Placing, and Managing Content Blocks Effectively The block...