1.) Update Manager Module – The module responsible for notifying you when updates are available for your Drupal installation is the Update Manager Module. This is ‘part of Core’, meaning that it is part of Drupal’s installation files. Its job is to check whether all your other core modules and contributed modules (the modules you added yourself) are using the latest versions. Note that these modules have to be activated for Update Manager to check them. If they are inactive, Update Manager will not add them to its list of update checks.
As a matter of good housekeeping, especially for production sites, keep this module activated at all times. If you are not running a production site or otherwise do not need this functionality, you can deactivate it.
2.) You’ll Update Only When You Need To – It is important to note that the updates the Update Manager tells you about often bundle many smaller updates at a time. As is the nature of open source projects, many incremental updates, i.e. bug fixes and new features, are made to other core files and are essentially joined together for one major release. You do not need to update each and every time the developers change something. For the most part, it is only vital to update if the Update Manager tells you to. If it is important for you to maintain the absolute newest and most bleeding-edge version, if you happen to be testing a new module for example, you can keep an eye on revisions for a particular release, for example for Drupal 7.12 here.
3.) Familiarize yourself with the 5 Security Risk Levels – Listed here. As a general rule, update your site anyway even if the update is marked at the lowest level.
4.) Subscribe to Drupal.org’s security RSS feeds – As an extra measure of safety, consider subscribing to the RSS feeds of the following:
- http://drupal.org/security (http://drupal.org/security/rss.xml) – Important
- http://drupal.org/security/contrib (http://drupal.org/security/contrib/rss.xml) – Optional
- http://drupal.org/security/psa (http://drupal.org/security/psa/rss.xml) – Optional
As soon as a new update is posted, your RSS reader should automatically inform you, and you can take action quickly. A note regarding the contributed modules (the 2nd feed): this feed will reflect updates for ALL contributed modules, so oftentimes it will show updates to modules you do not use. It is important to keep an eye on this anyway because it helps give you an idea of how sound Drupal is security-wise, and also shows how hackers are able to find a way to apply malicious code, which is good information for website security in general.
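Because the contributed-modules feed covers every project, it helps to flag the entries that touch modules you actually have enabled while still skimming the rest. The following is an added example, not code from the original article or from Drupal: the feed sample, the module names and the "ID - Project - Issue" title layout are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in RSS 2.0 shape; these are not real advisories.
# The "ID - Project - Issue" title layout is an assumption of this example.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <item>
      <title>SA-CONTRIB-EXAMPLE-001 - Example Gallery - Access Bypass</title>
      <link>https://example.invalid/node/1</link>
    </item>
    <item>
      <title>SA-CONTRIB-EXAMPLE-002 - Demo Slider - Cross Site Scripting</title>
      <link>https://example.invalid/node/2</link>
    </item>
    <item>
      <title>SA-CONTRIB-EXAMPLE-003 - Sample Forms (sample_forms) - SQL Injection</title>
      <link>https://example.invalid/node/3</link>
    </item>
  </channel>
</rss>"""

def normalize(name):
    """Keep only lowercase letters/digits so 'Example Gallery' == 'example_gallery'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def project_names(title):
    """Return normalized candidate project names taken from an advisory title."""
    parts = [p.strip() for p in title.split(" - ")]
    if len(parts) < 3:
        return set()  # unexpected layout: never guess a project name
    project = parts[1]
    names = {normalize(project)}
    # A trailing "(machine_name)" gives a second name to match on.
    if project.endswith(")") and "(" in project:
        human, machine = project[:-1].rsplit("(", 1)
        names |= {normalize(human), normalize(machine)}
    return names

def relevant_advisories(feed_xml, enabled_modules):
    """Return (title, link) for feed items that name an enabled module."""
    enabled = {normalize(m) for m in enabled_modules}
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        if project_names(title) & enabled:
            hits.append((title, item.findtext("link", default="")))
    return hits

if __name__ == "__main__":
    print(relevant_advisories(SAMPLE_FEED, ["example_gallery", "sample_forms"]))
```

When pointing this at a feed fetched over the network instead of the inline sample, parse it with a hardened XML parser, since the standard-library parser is not designed for untrusted input.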