Drupal security updates with Drush
You get an email about a Drupal security update. Or you see a red message on your Web site, telling you that there's a security update available. What do you do?
This article walks through the process.
Install Drush, a program that will make it easier to manage your Drupal site. This article is about Drush.
(If you're a WBC person, Drush is already installed.)
Drush is a command-line program. You need to log in to your server to run it. This article talks about using the command line.
How do you know what needs to be updated?
Log in to your site as an administrator. In the admin menu, select Reports | Available updates. The direct URL is /admin/reports/updates.
You'll see a list of your modules and themes, plus an entry for Drupal itself. If you need to update Drupal core, you'll see something like this:
If you have a module or theme that has a security update, you'll see something like this:
You'll see optional updates in yellow, like this:
Only apply these updates if you know what you are doing.
To run the updates, you need to know the name of the Drupal project to be updated. Each project has two names: a friendly one for people, and the official project name, used by Drush and other software.
Each project has a page on Drupal.org. The last part of the URL for that page is the project name. For example, here's a page for a module on Drupal.org:
The human-friendly name of the module is Image Resize Filter. But you need to tell Drush the project name. That's at the end of the URL, after "project/". The project name is "image_resize_filter".
You can get the project name of a module or theme from the page on available updates. Here's part of it again, showing that a security update is available for Views:
The word "Views" at the top left is a link to the project page for the Views module. Click it. The project name of the project is on the end of the URL.
Log in and switch to your Drupal directory
Log in to your server, and switch to the root of your Drupal site. The command line article tells you how. Usually, your Drupal site will be in a directory with a name like "public_html" or "www".
Put your site offline
In the admin menu, go to Configuration | Development | Maintenance mode. You'll see a checkbox:
You'll be able to use the site, but other people won't.
Backup your site
to backup your site. Drush will backup both the database and the files.
Run the Drush update command
Type "drush up PROJECT NAME". For example, to update Views:
drush up views
To update image resize filter:
drush up image_resize_filter
To update Drupal core:
drush up drupal
Drush will ask you to confirm.
Check your site's available updates page
Refresh the available updates page. Check that your modules have been updated.
Put your site back online
In the admin menu, go to Configuration | Development | Maintenance mode. Uncheck the checkbox, and save.
Yay! No more red messages!
When you get used to it, you'll be able to do security updates in a few minutes.