Drupal security updates with Drush


You get an email about a Drupal security update. Or you see a red message on your Web site, telling you that there's a security update available. What do you do?

This article walks through the process.


Install Drush, a program that will make it easier to manage your Drupal site. This article is about Drush.

(If you're a WBC person, Drush is already installed.)

Drush is a command-line program. You need to log in to your server to run it. This article talks about using the command line.

How do you know what needs to be updated?

Log in to your site as an administrator. In the admin menu, select Reports | Available updates. The direct URL is /admin/reports/updates.

You'll see a list of your modules and themes, plus an entry for Drupal itself. If you need to update Drupal core, you'll see something like this:

[Image: Core update needed]

If you have a module or theme that has a security update, you'll see something like this:

[Image: Module or theme update]

You'll see optional updates in yellow, like this:

[Image: Optional update]

Only apply these updates if you know what you are doing.

To run the updates, you need to know the name of the Drupal project to be updated. Each project has two names: a friendly one for people, and the official project name, used by Drush and other software.

Each project has a page on Drupal.org. The last part of the URL for that page is the project name. For example, here's a page for a module on Drupal.org:

[Image: Page for the image resize filter module]

The human-friendly name of the module is Image Resize Filter. But you need to tell Drush the project name. That's at the end of the URL, after "project/". The project name is "image_resize_filter".

You can get the project name of a module or theme from the page on available updates. Here's part of it again, showing that a security update is available for Views:

[Image: Module or theme update]

The word "Views" at the top left is a link to the project page for the Views module. Click it. The project name is at the end of the URL.

Log in and switch to your Drupal directory

Log in to your server, and switch to the root of your Drupal site. The command line article tells you how. Usually, your Drupal site will be in a directory with a name like "public_html" or "www".

Put your site offline

In the admin menu, go to Configuration | Development | Maintenance mode. You'll see a checkbox:

[Image: Maintenance mode]

Check the checkbox, and save. You'll be able to use the site, but other people won't.

Back up your site

Type

drush ard

to back up your site. Drush will back up both the database and the files.

Run the Drush update command

Type "drush up PROJECT NAME". For example, to update Views:

drush up views

To update image resize filter:

drush up image_resize_filter

To update Drupal core:

drush up drupal

Drush will ask you to confirm.

Check your site's available updates page

Refresh the available updates page. Check that your modules have been updated.

Put your site back online

In the admin menu, go to Configuration | Development | Maintenance mode. Uncheck the checkbox, and save.


Yay! No more red messages!

When you get used to it, you'll be able to do security updates in a few minutes.
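
The steps above as one script, added here as an example and not part of the original article. It assumes a Drupal 7 site with Drush 8 or earlier (where `ard`, `up` and `vset` exist); `project_name`, `secure_update` and the `DRUSH` override variable are names made up for this example.

```shell
#!/bin/sh
# Added example. Assumes Drupal 7 and Drush 8 or earlier (ard, up, vset).
LC_ALL=C; export LC_ALL   # make [a-z] below mean ASCII lowercase only
DRUSH=${DRUSH:-drush}     # hypothetical override, lets you test with a stub

# Turn a Drupal.org project URL, or a bare name, into the project name
# that Drush expects (the part of the URL after "project/").
project_name() {
    name=${1%%[?#]*}              # drop any query string or fragment
    name=${name%/}                # drop a trailing slash
    name=${name##*/project/}      # keep what follows "project/"
    case $name in
        ''|*[!a-z0-9_]*)
            echo "not a project name: '$1'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Offline, back up, update, online. Stops at the first failure and leaves
# the site in maintenance mode, so a half-applied update is not served.
secure_update() {
    projects=
    for arg in "$@"; do
        p=$(project_name "$arg") || return 1
        projects="$projects $p"
    done
    [ -n "$projects" ] || { echo "usage: secure_update PROJECT..." >&2; return 1; }
    $DRUSH vset maintenance_mode 1 || return 1
    $DRUSH ard || { echo "backup failed, nothing updated" >&2; return 1; }
    # $projects is left unquoted on purpose: one argument per project.
    $DRUSH up $projects || { echo "update failed, site left offline" >&2; return 1; }
    $DRUSH vset maintenance_mode 0
}

if [ "$#" -gt 0 ]; then secure_update "$@"; fi
```

Drush still asks you to confirm the update, as in the manual steps, and a human-friendly name such as "Image Resize Filter" is rejected before anything is changed.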