Why you shouldn’t install Drupal updates… yourself

Why you shouldn’t install Drupal updates… yourself

  Posted on September 25, 2014 by Bob Kruse

Sometimes I wish Drupal was as easy to update and maintain as WordPress, one click and WordPress updates itself and all of its plugins and everything magically continues working. Drupal is a totally different animal, one false move and you can quickly disable your site.

The reason why Drupal is so touchy is because most modules have dependencies on other modules in addition to sharing all the same “plumbing” as Drupal core. This is actually a good thing and what makes Drupal so modular, flexible, and integrated. However it can also be a bad thing because you need an awareness of all the moving parts in order to troubleshoot updates that go awry.

Many people who manage Drupal websites from a content perspective, don’t always know or understand what’s under the hood, but when they see a message that says, "There is a security update", it seems almost friendly enough to try. “Heck, I can use Windows Update, how hard can updating Drupal be?“ – Next stop, the Drupal support forums. That being said, if you are not a developer, Drupal site builder, or someone who knows Drupal inside and out, then you should seek out the help of a Drupal pro.

What about the Update Module page?

Drupals updating interface


A common mistake I see is using Drupal’s built in Updating mechanism. On the surface it seems nice and easy, but when it fails there is no undo - Drupal crashes with error messages and usually prevents you from making any changes within the UI. Not even Backup and Migrates Restore feature can save you.

Common reasons it crashes or fails:

  • Problem downloading the module or core updates
  • A drop in your internet connection corrupts an update
  • Not compatible with another module
  • Not compatible with something on the server, like a specific version of PHP
  • FTP problems
  • File system problems, usually due to permissions

Most likely people using this function are doing it on their live site. This super-bad because when you’re down, you lose customers and if you’re down for too long enough, Google will index your site with whatever errors are now showing. Sayonara SEO.

What about using FTP to update everything?

Drupal files structure

Ok, if you’re savvy enough to use FTP, then you’re safer but not totally safe. If you don’t understand the structure of Drupal’s file system then you could potentially put things in the wrong places, overwrite the wrong files, or not even be aware of hidden files like .htaccess.

In one case I worked on, a client had uploaded the same module in three different places and wondered why his site was running so slow. Little did he know, Drupal was trying to load that module 3 times and caused a major memory leak. So it’s good to know where to put things or it will cause problems.

The other problem with FTP is that you’re still uploading updated modules to your live site. Errors can still happen, such as module or PHP incompatibility, which can hinder your live site until you either re-upload the old module or figure out how to fix the problem.

So how should it be done?

Well first of all - never, never, never do core or module updates on your live site. I mean never. Would you tight rope walk for the first time… or any time… without a net?

Drupal professionals use staging servers (development servers, testing servers, whatever you want to call them) to test any and all updates on a COPY of live your website first. This is the safest way. Now you can be sure that all of the updates are safe and you can confirm that your site is not broken. It allows you to work out any bugs, errors, or issues offline so your customers and Google will never get to see them.

For an extra “safety net”, we use GIT. Utilizing a version control system when performing updates ensures that you can always “undo” if something goes wrong with an update.  

Once you test all of the updates and confirm the site is in good working order, only then it is save to upload them to the live server. When uploading updates to a live server, using tools like Rsync or GIT is much preferred over FTP because of their speed and smarts.

This isn’t the end.

Installing Drupal updates should be addressed at least once a month and no more than a month if any of them are security related. There isn’t a month that goes by where I haven’t had at least one module that required updating.

You need to keep on top of updates, because just like your car, it needs to be maintained. You can drive your car anywhere you want, put stickers on the windows and bumpers, and you can play any music you’d like, but when it breaks or needs service, you should always take it to a professional. It will save you time and headaches and allow you to focus on your business instead of worrying about your website.


About the Author

Bob Kruse is the founder of Drupal Aid and a Drupal fanatic since 2008. He is also the creator of Cart Craze, an ecommerce website design gallery and Sick Journal, an online tool for keeping track of your family's health, sicknesses, and medications.