The Beginner’s Guide to Drupal Security Releases


There was a Drupal security release this week.

This release managed to confuse several of our users, because it wasn’t clear if they should update their sites.

Security release information is rarely, if ever, written in plain English. And this week’s updates were additionally confusing because they only impacted some Drupal sites.

So here, upon request, is our plain English guide to Drupal security releases.

When do Drupal core releases happen?

They happen once per month, usually on the third Wednesday. Find out more here.

Do I need to update my site every time?

No, you don’t. There are two major kinds of Drupal update:

  • Security releases
  • Maintenance releases that only fix bugs, not security issues

Particularly with maintenance releases, you can pick and choose which updates to apply.

How often do security releases happen?

Let’s take a look back over the last year. If you launched your Drupal site in June 2014, here are the core updates since then:

So, there have been 6 security releases in the last 12 months.

Does every security issue update impact every site?

No, not always.

Drupal 7.32 was known as Drupalgeddon because it impacted every single Drupal site.

However, some other security issues only apply in narrow situations. For example, with Drupal 7.38, the most serious of the issues only impacted sites that were actively using the OpenID module, and then only if you were connecting to a certain group of sites, including Verisign, LiveJournal and StackExchange. will give you information on whether your site is impacted. Here’s a description of the OpenID issue:


How do I tell if an update is important?

Drupal has a rating system to show how urgent an update is. You can see the full scale here and this is a great explanation.

Drupal 7.38 was marked as 15/25, and labeled “Critical”:


Drupal 7.32 was given the maximum 25/25 and marked as “Highly Critical”.


Yes. You probably should have updated to Drupal 7.32.

In fact, you should probably err on the side of updating your site whenever you can. The further your site falls behind, the harder it will be to catch up if there’s a truly critical security issue.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

9 years ago

Very useful information which every Drupal administrator, builder or developer should take seriously. I wonder why so many feel reluctant to keep such information close to their hearts?

Steve Polito
9 years ago

The only thing that concerns me with every update I apply is that it will cause a subtle issue on my site that I will never notice. I always check the log files and homepage after an update, but it can be weeks later before I notice any strange side effects. Is there a way to test for this?

9 years ago
Reply to  Steve Polito

No easy way, I’m afraid, Steve.
If it’s a subtle issue, only comprehensive testing might be able to catch it.

Steve Polito
9 years ago
Reply to  steve

Thanks for the reply. Yeah, I figured there was no easy way to test for subtle errors. That’s why there’s version control and staging sites I guess!

Paul Booker
8 years ago

Nice article.

Saiful Bahri
8 years ago

Thanks for the article. Enough to give knowledge to me.

4 years ago

Thank you for the article! Drupal CMS is one of the most popular tools in the web development world. The great, responsible community, dedicated team of contributors and professional security team make Drupal users feel confident and safe while using their solution.
