Q. Are there any resources I can subscribe to for Drupal security information?
You can easily start receiving Drupal security updates by:
- Subscribing to Drupal’s security newsletter (subscription info under the Security announcements header)
- Tracking the Drupal Core, Contributed Projects, and Public Security Announcement RSS feeds from drupal.org/security
- Following @drupalsecurity on Twitter
These methods require no setup beyond a simple subscription – but in the long term, receiving updates like this can be a daunting task. The Drupal security team provides updates for every one of Drupal’s contributed modules, themes, and distributions, and with over 20,000 supported, the chances are high that updates you care about will be buried in an avalanche of unrelated information.
To protect your website from bugs and vulnerabilities, it is crucial to update Drupal core and all installed modules as soon as the newest security patches are released. If tracking all updates becomes inconvenient, another approach may be more suited to the needs of your website.
Q. Are there any options that won’t overwhelm me with updates?
Both Drush and Drupal’s update manager can be used to provide you with security updates tailored to the needs of your individual website. The update manager will provide you with a list of available updates for Drupal core, as well as for all modules and themes you have installed. If you’d rather not apply each update manually, Drush allows you to automate the process.
There is a third option available to Acquia customers - Acquia’s Remote Site Administration service. Subscribers can receive notifications for security patches relevant to their website, or simply enjoy the freedom of having Acquia work to implement these updates as they are released. Contact Acquia Sales if you'd like to know more about Remote Site Administration and how you can use it to streamline security maintenance of your website.
Q. What are the benefits of each solution?
If you choose to use Drush or the update manager to keep on top of updates, you’ll only see the notifications you need to keep your website secure. This will save you the trouble of sorting through mountains of unrelated news, but following security updates through the traditional channels has its benefits. Keeping yourself informed about all security updates will alert you to general trends in Drupal security - knowledge you’ll find useful for all your current and future projects.
Q. Where can I go to learn more?
The Acquia Help Center provides a more detailed look at the pros and cons of each approach. After reading through Staying aware of Drupal security updates, you’ll have all the information you need to weigh your options and decide on a plan to keep your website secure.