
Overview
This guide walks you through the process of safely applying security updates to your Drupal website. Security updates patch vulnerabilities that could expose your site to attacks, making timely installation critical for protecting your data and users.
The guide covers essential steps including backing up your database and files before making changes, updating Drupal core and modules using Composer or Drush, running necessary database updates, and restoring from backups if something goes wrong. Whether you're running Drupal 8, 9, 10, or 11, you'll find clear command-line instructions and alternative methods for different hosting environments.
Following this process helps ensure your site remains secure while minimising the risk of downtime or data loss during updates.
Updating Drupal Core
Backup CMS DB
Make sure you've backed up your DB and have saved a copy in your cloud storage.
# Back up your database
drush sql-dump > backup-$(date +%Y%m%d).sql
Update using Composer
# Put site in maintenance mode
drush state:set system.maintenance_mode 1
# Update Drupal core
composer update drupal/core "drupal/core-*" --with-all-dependencies
# Run database updates
drush updatedb
# Clear cache
drush cache:rebuild
# Take site out of maintenance mode
drush state:set system.maintenance_mode 0
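The backup and update steps above combined into one script, added here as an example and not part of the original guide. It stops before changing anything if the database dump fails or is empty, and it leaves the site in maintenance mode if a later step fails so the backup can be restored. The function names and the `--yes` flag on `drush updatedb` (to skip the confirmation prompt) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: the update steps from this guide as one function that stops
# at the first failure. Assumes drush and composer are on PATH and that the
# current directory is the Composer project root.

# Dump the database and refuse to continue if the dump is missing or empty.
backup_db() {
  local file="$1"
  drush sql-dump > "$file" || return 1
  [ -s "$file" ]
}

# Run the core update. Returns 1 if the backup failed (nothing changed) and
# 2 if a later step failed (site stays in maintenance mode for a restore).
update_core() {
  local backup="backup-$(date +%Y%m%d).sql"
  if ! backup_db "$backup"; then
    echo "Backup failed or is empty; nothing was changed." >&2
    return 1
  fi
  drush state:set system.maintenance_mode 1 || return 1
  if composer update drupal/core "drupal/core-*" --with-all-dependencies \
     && drush updatedb --yes \
     && drush cache:rebuild; then
    # Every step succeeded: bring the site back online.
    drush state:set system.maintenance_mode 0
  else
    echo "Update failed; site left in maintenance mode. Backup: $backup" >&2
    return 2
  fi
}

# Run only when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then update_core; fi
```

Save it as a script and call it with `run` from the project root; a non-zero exit status means the site needs attention before it goes back online.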
Confirm updates installed correctly
The safest way to confirm that no updates are still pending is to first check for security updates via Drush:
docker exec -w /opt/web web ../vendor/bin/drush pm:security
Additionally, you can visit the Reports section in Drupal to verify this:
- Log in to your Drupal admin at http://localhost:8081/user/login
- Navigate to Reports → Available updates
  - Direct URL: http://localhost:8081/admin/reports/updates
- On this page you'll see:
  - Drupal core update status
  - Contributed modules update status
  - Color-coded indicators:
    - Green: Up to date
    - Yellow: Update available
    - Red: Security update available