The Importance of Maintaining your Site
Drupal is well-known for being a highly secure Content Management System (CMS). It’s an open source platform, which means contributions are being made by thousands of programmers in the world-wide Drupal community. These contributions are also reviewed by the community, ensuring developers adhere to Drupal’s coding standards. Drupal’s security team validates and responds to security issues. Once identified, a security update is released.
But these factors alone don’t make your site secure. Once a security release is made public, your site’s vulnerability increases, because now anyone—including hackers—can read the details of what the security issue was, and try to attack any sites that haven’t incorporated the solution quickly enough. It’s up to you to make sure these updates are implemented immediately. That’s where Twel comes in.
The Twel Maintenance Process
Security releases for contributed modules occur every Wednesday, and for Drupal core they occur once a month. We’ve set up automated notifications in a dedicated Slack channel so we know as soon as updates are released and can take immediate action. For each release, we check all our clients’ websites to determine whether the update is applicable given the set of modules and version of Drupal they’re using.
In addition, we perform non-security updates on a monthly (sometimes quarterly) basis. We use Butler automations in Trello to generate these recurring tickets. Keeping modules up to date can be just as important as performing security updates. For one, modules will sometimes come out with new features/functionality that could add value to your application. But more importantly, non-security updates typically have smaller changes which are less risky and easier to test. The longer you wait to update, the more interconnected changes you need to test at once, and the more likely something will break. If a security update does come out, you want the ability to roll it out immediately—not get stuck fixing a ton of bugs.
Our maintenance process includes environment cleanup, checking for upcoming module deprecations, thorough QA testing, documentation of findings, and remediation of any discrepancies. Here’s what a typical maintenance checklist looks like:
- Check if there are any old multidev environments that are no longer necessary, and remove them.
- Check if there are any modules or other elements of this website which are likely to become deprecated, or are expecting major updates/changes in the near future. Examples include: Field Collection becoming deprecated, Acquia or Pantheon forcing a PHP upgrade, Module/Core version incompatibilities, etc.
- To minimize content/database differences for the QA person, copy the production database down to the test environment.
- Re-evaluate the patches in place and verify if they are still necessary.
- Double-check our internal documentation to ensure that any custom code or unique aspects of the website’s architecture will not require special treatment during these updates.
- Run all module and core updates in a test environment.
- QA Tester: Confirm that all updates have been completed as expected by comparing the current module list from production against that of the test environment.
- QA Tester: Test all updated modules per our library of testing instructions curated by our Development team.
- QA Tester: Test a representative sampling of pages throughout the site. We have our clients give us a list of “Top 10” pages: pages that have high traffic, are important to stakeholders, have complex/custom functionality, or have broken in the past.
- Post-Launch: Confirm that any migration scripts are running properly.
- Post-Launch: Re-check "Top 10" pages on production.
- Update maintenance log with Trello ticket URL and date of launch.
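The QA step of comparing the production module list against the test environment can be scripted. The following is an added example, not Twel's own tooling: it assumes both lists were exported with `drush pm:list --format=json` and that each entry carries `status` and `version` fields, and the sample data, the `PLANNED` mapping and the function names are constructed for illustration.

```python
import json

# Constructed sample exports, shaped like `drush pm:list --format=json`
# (machine name -> fields). Module versions here are made up for illustration.
PROD = json.loads("""{
 "token": {"status": "Enabled", "version": "8.x-1.9"},
 "pathauto": {"status": "Enabled", "version": "8.x-1.8"},
 "webform": {"status": "Enabled", "version": "6.1.3"},
 "field_collection": {"status": "Enabled", "version": "8.x-1.0"}
}""")
TEST = json.loads("""{
 "token": {"status": "Enabled", "version": "8.x-1.11"},
 "pathauto": {"status": "Enabled", "version": "8.x-1.8"},
 "webform": {"status": "Enabled", "version": "6.1.4"},
 "field_collection": {"status": "Disabled", "version": "8.x-1.0"},
 "devel": {"status": "Enabled", "version": "5.1.2"}
}""")
# Hypothetical update plan for this ticket: module -> version expected on test.
PLANNED = {"token": "8.x-1.11", "pathauto": "8.x-1.11"}

def compare_module_lists(prod, test, planned):
    """Classify every module seen in either environment."""
    keys = ("updated", "not_updated", "unplanned", "status_changed",
            "only_prod", "only_test")
    report = {k: [] for k in keys}
    for name in sorted(set(prod) | set(test)):
        if name not in test:
            report["only_prod"].append(name)
            continue
        if name not in prod:
            report["only_test"].append(name)
            continue
        p, t = prod[name], test[name]
        if p["status"] != t["status"]:
            report["status_changed"].append(name)
        if name in planned:
            ok = t["version"] == planned[name]
            report["updated" if ok else "not_updated"].append(name)
        elif p["version"] != t["version"]:
            report["unplanned"].append(name)
    return report

def ready_for_qa(report):
    """Only planned, completed updates may differ between environments."""
    return not any(v for k, v in report.items() if k != "updated")

if __name__ == "__main__":
    for category, names in compare_module_lists(PROD, TEST, PLANNED).items():
        print(f"{category:15} {', '.join(names) or '-'}")
```

A planned update that did not land, an unplanned version change, a module enabled on only one side, or a changed status each block the sign-off, which is where a skipped security update would otherwise go unnoticed.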
QA testing notes and findings are thoroughly documented in each Trello ticket, so it’s clear what we looked at and whether we fixed any issues. This ensures a “paper trail”: if an issue is reported later, or if we run into code conflicts when merging our development work across environments, we can always check whether it might be related to recent module updates. If we notice any patterns with issues over time, we can add further testing steps to the “Top 10” list for that particular site.
Keep Your Site Secure & Stable
Many Drupal development agencies focus so heavily on full site builds and major feature enhancements that they leave ongoing maintenance as an afterthought, performing it in a rush without proper testing. That is not the Twel way—we don’t want to see any site we’ve built or contributed to get hacked or broken. We want our clients and partners to have the freedom and peace of mind to focus on their business goals, and not worry about these technical matters. Please let us know if you'd like us to keep your site protected and up-to-date!