The risk of ignoring Drupal updates

What happens when you don't update regularly

There is no question about the importance of regularly updating your Drupal installation, including core, contribs, and libraries.

No matter how you manage the workflow - by using dedicated tools, custom scripts, or just updating the codebase via FTP - keeping the application's third-party code up to date is a must for every open source project.

Without getting into the details of why this is important (in fact, we believe our readers don't need to be convinced at all), we decided to imagine the consequences of intentionally ignoring all updates in your project, or of updating the codebase selectively, so that some modules get their new versions regularly while the rest remain outdated.

Side note: we're running a small survey "Why I don't update my website continuously" - make sure to check it out.

Here is what happens if you don’t update continuously:

Exposing the application to a significant security risk

The most obvious case. If you don’t monitor for new versions and ignore core and contrib updates, your application is in danger, as hackers follow security-related incidents (which have to be published as soon as they're discovered) and try to exploit the known vulnerabilities.

Missing a critical update

If you decide to apply updates selectively, i.e. choosing to react only to the important security-related updates and to ignore the rest (or applying them only when there is a business case for it), there is a good chance of missing a critical update in the end. It can be released on any day and at any time, even when you’re asleep, and unless you stay alert all the time or have an established procedure for processing the information on all updates in your projects, the chances of missing the critical update are incredibly high.

Having compatibility issues

Ignoring non-security (normal) updates may lead to compatibility issues between modules in a project. Let's imagine you have to update a single module because of a critical security flaw in it. However, you haven't updated it, or the other modules in the project, for a while, and the maintainer has introduced a few API changes since then. So now, when you apply the security update, you immediately face a compatibility problem.

Spending extra time and money

That's right. Even if you haven't invested in creating a reliable updating workflow before, you may lose much more money and time in the end. A compromised website may put the whole business at significant risk, and the costs of recovering can be incredibly high.

Being on alert all the time

This one is more about peace of mind. Constantly waiting for the @drupalsecurity announcements, being afraid of missing an important update, and being overwhelmed with information irrelevant to your application is definitely not the best way to do things. Even if you use one of the external monitoring services, which provide you with information on relevant updates only, all the other consequences listed above still apply. Being able to monitor properly doesn't mean you have a productive workflow.


Despite all of this, once the website is built, many developers and small Drupal shops prefer not to update the codebase continuously, choosing to perform updates selectively, “when there is time”, or when a certain vulnerability gets a lot of traction in the community.

Why it happens and what can be done to make the updating process a breeze - we'll discuss in our next posts. Stay in touch with us and don't forget to share your opinion in the comments.