Maintaining your Drupal website by keeping it up-to-date with Drupal core and contrib module patches, and ensuring that any libraries your Drupal site uses are on the latest version, is important for a number of reasons.
The obvious first reason is security. If you do not keep your Drupal website up-to-date with the latest security patches, you are at risk of being exploited through the very vulnerabilities that those patches aim to fix.
There are examples of high profile organisations that have neglected to maintain their Drupal websites and failed to keep them updated with Drupal core and contrib security patches, resulting in equally high profile public relations disasters when those Drupal websites were compromised.
By staying on top of your Drupal updates, you can avoid making the headlines in the way that the following organisations did, to their regret:
- Mossack Fonseca (aka Panama Papers leak)
- Lenovo, and University of California being “Cryptojacked”
However, it's not just big companies that are targeted by hackers. Every public-facing site on the internet has to contend with automated malicious crawlers and scanners that are continually trying to detect outdated software and vulnerabilities in the quest for their next victim.
It is also common not to know that your website has been hacked at all. In fact, hackers often prefer to work in the shadows and silently exploit a breach for as long as they can without being detected, rather than performing an obvious defacement or cashing in with a ransom demand. Attackers can realise value from a breach in a variety of ways, such as:
- stealing information from the database
- subtly adding links pointing to spam domains within your page content
- adding your server to a botnet
- mining cryptocurrency on your server
- sending out spam emails
Do not let your organisation become vulnerable to security exploits. Keep your Drupal website up-to-date with security patches.
Fix bugs that you didn’t realise you had
With the huge number of web browsers available for desktops, tablets and mobiles, coupled with the plethora of devices and operating systems on which they run, there is a vast array of possible combinations of browsers, operating systems and devices, making it virtually impossible to guarantee that your Drupal site works as intended across them all. Add to this that each of these is continually evolving in its own right with new version releases (to which users may not even be upgrading), which introduces another dimension of complexity.
However, because the front-end of most websites relies upon many third-party open source libraries, it is possible to some extent to keep on top of this evolution by keeping those libraries up-to-date and properly patched. Every release of these libraries and modules introduces changes which could, for instance, fix security issues, fix bugs, make performance and compatibility improvements or introduce new features. All of these may be imperceptible to you and how you use the site, but to certain users they may make a noticeable positive difference.
This example only considers the front-end, but the same applies to the back-end and any libraries and modules that are used there.
Developers hate code that runs slowly, probably just as much as users hate pages that load slowly. Throughout the evolution of the Drupal codebase, be that library dependencies, core or contrib modules, many of the issues raised on the issue queues relate to performance and how code can be made to execute faster. This leads to work being undertaken to resolve these issues, with many resulting in updates to the codebase that steadily improve the performance of the code. Improved performance of your Drupal website code, generally speaking, equals improved performance of your Drupal website.
Web server software upgrades are less of a headache
The best way to illustrate the benefits of keeping your Drupal website updated, in relation to web server software upgrades, is with an example. In December 2018 PHP 5 went end of life (EOL). Despite this, a huge number of websites still ran on PHP 5 and were in desperate need of an upgrade to PHP 7 (the next version from PHP 5) so that they were on a version of PHP that was supported with security and maintenance fixes.
Websites that had not been maintained properly found this upgrade to PHP 7 much more difficult, because their codebases made extensive use of functions that are present in PHP 5 but have since been deprecated in PHP 7. Therefore, in order to make a website compatible with PHP 7 (and able to run on it without error), every area of the codebase that used those deprecated PHP 5 functions had to be modified and refactored to use PHP 7 approaches instead. This can be a time-consuming process involving extensive testing if it is attempted as a one-off exercise after a period of neglect.
Compare this to the scenario where maintenance has been diligently carried out throughout the lifetime of the Drupal application. Each successive minor release of Drupal core and Drupal contrib modules may progressively improve compatibility with PHP 7. Therefore, when the time comes to upgrade to PHP 7, the effort involved is much reduced, and it is likely that a Drupal application would only have PHP 7 compatibility issues within its custom modules, or none at all.
A well-maintained application would also likely have moved to PHP 7 well ahead of the PHP 5 EOL deadline, and in doing so reaped not only the performance and security benefits that this brought, but likely also a number of unquantifiable upsides, such as better customer conversion rates achieved through faster loading pages and, in turn, improved search visibility.
PHP 8 is on the horizon, so starting a program of maintenance now will allow you to reap the benefits of the latest versions of PHP (including minor releases) sooner than you otherwise would.
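A first pass over custom module code for this kind of incompatibility can be automated. The sketch below is an added example, not part of the original article: it flags calls to a small subset of functions that exist in PHP 5 and were removed in PHP 7.0. The function list, the `scan_php` helper and the sample module are all constructed for illustration.

```python
import re

# Subset of functions present in PHP 5 and removed in PHP 7.0, with a replacement.
REMOVED = {
    "ereg": "preg_match",
    "ereg_replace": "preg_replace",
    "split": "explode or preg_split",
    "call_user_method": "call_user_func",
    "set_magic_quotes_runtime": "none, delete the call",
}
REMOVED_PREFIXES = {"mysql_": "mysqli or PDO"}  # the whole ext/mysql family

# A bare call: a name before "(" that is not a method ($o->split(), Foo::split()).
CALL = re.compile(r"(?<![\w$>:\\])([A-Za-z_]\w*)\s*\(")
DEFINITION = re.compile(r"\bfunction\s+&?\s*$")  # "function split(" is a definition
# Heuristic: a "#" or "//" inside a string literal is also treated as a comment.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def scan_php(source):
    """Return (line, function, replacement) for each call to a removed function."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    stripped = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    hits = []
    for lineno, line in enumerate(stripped.split("\n"), start=1):
        for m in CALL.finditer(line):
            if DEFINITION.search(line[:m.start()]):
                continue
            name = m.group(1).lower()  # PHP function names are case-insensitive
            advice = REMOVED.get(name) or next(
                (a for p, a in REMOVED_PREFIXES.items() if name.startswith(p)), None)
            if advice:
                hits.append((lineno, name, advice))
    return hits


# Constructed sample: a custom module written in PHP 5 style.
SAMPLE_MODULE = """<?php
function legacy_lookup($name) {
  $link = mysql_connect('localhost', 'u', 'p');  # old ext/mysql
  if (ereg('^[a-z]+$', $name)) {
    $parts = split(',', $name);
  }
  /* mysql_query() in a comment is ignored */
  $parts = $text->split(',');
  return preg_split('/,/', $name);
}
"""

if __name__ == "__main__":
    for hit in scan_php(SAMPLE_MODULE):
        print(hit)
```

Because it works on text rather than a parsed syntax tree, treat its output as a list of places to review, not as proof that a module is PHP 7 compatible.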
Future development work can be more straightforward
When developers are able to work with the latest stable and recommended versions of libraries and Drupal contrib modules, it allows them to be more efficient in a variety of ways. This is true throughout the phases of set up, research, implementation, debugging, testing and deployment. When older libraries and components have to be used as building blocks for newly commissioned development work, friction is more likely to be experienced at various points in the build process.
When future development work is more straightforward it brings many benefits: it can be cheaper (as it takes less time to implement), quicker to deploy, less complex to deploy (as other updates don’t have to be rolled out at the same time) and lower risk when it goes live, to name but a few.
In the event that a Drupal website that you are responsible for becomes the subject of an internal audit, perhaps motivated by organisational priorities such as security, technical strategy or an inventory audit, you will want to ensure that your Drupal website is not flagged as a security risk with all eyes on you. Websites that had previously attracted little internal scrutiny will suddenly become top of the agenda and come into sharp focus for a wide group of people. Make sure that your area of control is not part of that sharp focus, and avoid having to answer some difficult questions.
If you need help with the support and maintenance of your Drupal website then please get in touch with us here at Zoocha. We offer cost-effective plans and provide 24/7 critical cover to organisations all over the globe.