All professional software packages are subject to periodic software updates. This is because developers are constantly interacting with users to identify and correct potential problems (known as software bugs) and, even more critically, identify and correct potential security flaws.
Bugs and Security Concerns for Websites
Websites are connected to the internet, and by nature most are designed to allow anyone in the world to use the software. This means that people from all walks of life may visit your site, from all sorts of operating systems and web browsers, as well as different reasons and intentions.
With an open-source platform like Drupal this type of diversity is amplified because Drupal websites are used by millions of people every day, and thousands of developers scrutinize all aspects of the code to make improvements and expand on features. Even though Drupal is a secure and stable platform, the code is in a constant cycle of growth and corrections.
Adjustments to the code are released in packages. Because Drupal is a modular platform, each module has its own series of packages, and each module on your site must be kept up-to-date with the latest update package.
This means that your website administrator must stay on top of the status of every module used on your site, and Drupal provides some tools to make the task easier. For instance, the administration panel has a tool that can automatically check for available updates for every module on the site, and produces a report that the website administrator can use to decide when to perform updates.
When to Perform Updates?
When an update package is released, the reasons for the update are documented so that site administrators can make smart decisions. Sometimes the reason for an update is to correct very minor bugs found under special circumstances, and in those cases installing the update may not be a priority. However, security concerns are identified and corrected all the time, and it is important to install those security updates as soon as possible.
One way to plan for updates is to plan according to the overall level of risk for the website. For instance, small websites that do not handle critical information are considered low-risk websites because, even if a security flaw goes unattended, there is nothing of value that a hacker may steal and the site can be quickly restored from backups in case of a security breach. For a low-risk website the site administrator may choose to plan a schedule of site-wide updates a few times per year, regardless of when those updates become available or how critical they may be.
In contrast, for high-risk website which are those that are mission-critical or that store sensitive information, it is important to engage in security proactively by keeping track of updates as they become available.