Introduction
Keeping your Drupal website secure is crucial for protecting your data and maintaining its integrity. Neglecting security updates for your modules and themes leaves your site vulnerable to attacks, including data breaches and malicious code injections.
This guide will walk you through the essential steps to identify, prepare for, and apply security updates, ensuring your Drupal site remains safe.
Setup:
Web server running on Ubuntu 18.04, 20.04, 22.04, LAMP stack
Drupal 8, 9, 10, 11
Installed Drush, Composer
Why You Need to Check and Install Security Updates
Security updates are critical for several reasons:
- Vulnerability Patching: Developers frequently release updates to patch newly discovered security holes or vulnerabilities. Hackers actively search for these flaws, and applying updates is the most effective way to close these doors before they can be exploited.
- Data Protection: Without updates, your site is at risk of a data breach, which could expose sensitive information belonging to you and your users.
- Site Integrity: Malicious attacks can deface your website, inject spam, or even take it offline entirely. Security updates protect your site's functionality and reputation.
Status
When your Drupal site requires a security update, it will automatically notify administrators through a prominent message displayed directly in the admin dashboard and can also be configured to send email alerts.
The message:
There are security updates available for one or more of your modules or themes. To ensure the security of your server, you should update immediately! See the available updates page for more information and to update your software.
To manually check for all available security updates and other module or theme updates, navigate to the Reports > Available updates page in your admin dashboard.
/admin/reports/updates/update
Solution
Now that we have identified which module requires a security update, we can proceed with the actual update process.
Before starting the update, the most important step is to back up the entire site.
Once that's complete, we can begin the update using Composer so that all dependencies are handled correctly. After Composer finishes, we'll need to run a database update and clear the site's caches to finalize the changes and ensure everything functions properly.
In our case, we would be updating the Google Tag (google_tag) module to the latest secure version.
google_tag (2.0.7) => google_tag (2.0.9)
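We are going to update only one Drupal module, google_tag.
Drupal modules are published to Composer under the drupal/ vendor prefix, so the package name for google_tag is drupal/google_tag.
The command for the update is:
composer update drupal/<name_of_the_module_to_update> --with-all-dependencies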
Composer command to update google_tag Drupal module with all dependencies
drush cr
Finish the security update process by running these two commands:
drush updb - to implement required database changes
drush cr - to clear / rebuild caches
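The whole sequence above (backup, Composer update, drush updb, drush cr) as one script. This is an added example, not part of the original guide. The backup directory, the DRY_RUN switch and the function names are assumptions, and the backup step covers only the database and the Composer manifests, so uploaded files still need a separate copy.

```sh
#!/bin/sh
# Added example: update one Drupal module with a backup taken first.
# Run from the Composer project root (the directory holding composer.json).
set -eu
export LC_ALL=C                                  # keep [a-z] ranges ASCII-only

DRY_RUN="${DRY_RUN:-1}"                          # assumed switch: 1 = only print commands
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"  # assumed backup location

# Drupal machine names are lowercase letters, digits and underscores.
# Rejecting anything else keeps option-like or path-like input away from Composer.
valid_module() {
  case "$1" in
    ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

update_module() {
  module="$1"
  valid_module "$module" || { echo "invalid module name: $module" >&2; return 2; }
  stamp="$(date +%Y%m%d-%H%M%S)"
  run mkdir -p "$BACKUP_DIR"
  # Database dump first; if this fails, set -e stops before anything changes.
  run drush sql:dump --gzip --result-file="$BACKUP_DIR/pre-$module-$stamp.sql"
  # Keep the old lock file so the previous versions can be restored.
  run cp composer.json composer.lock "$BACKUP_DIR/"
  run composer update "drupal/$module" --with-all-dependencies
  run drush updb -y   # apply required database changes
  run drush cr        # clear / rebuild caches
}

if [ "$#" -gt 0 ]; then
  update_module "$1"
fi
```

Saved under a name of your choice (update-module.sh here is hypothetical), `sh update-module.sh google_tag` prints the plan and `DRY_RUN=0 sh update-module.sh google_tag` applies it.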
Summary
Regularly installing security updates for your Drupal modules and themes is a non-negotiable part of website maintenance. By staying on top of these updates, you can proactively defend your site against potential threats, protect your data, and ensure your website remains a secure and reliable platform for your users.