Update and Secure Drupal 8 on Ubuntu or Debian
Updated by Edward Angert Written by Edward Angert
Deprecated: This guide has been deprecated and is no longer being maintained. Please refer to the updated version of this guide.
Drupal 8 is the latest version of the popular Drupal content management system. While a simple incremental update feature is included in version 8.1, manual core updates are required for all preceding versions. This guide demonstrates how to manually install an incremental Drupal 8 update on your Linode. This guide assumes you have a functional Drupal 8 installation running on Apache and Debian or Ubuntu.
Before You Begin
Ensure that you have completed the following guides:
Confirm the name of your site’s Document Root folder by running the following command on your Linode:
ls /var/www/html
Update your system:
sudo apt-get update && sudo apt-get upgrade
Note
- This guide will use sudo wherever possible.
- You may need additional firewall rules for your specific application.
- Replace each instance of example.com and user with the names appropriate to your site, and 203.0.113.52 with your Linode’s IP address or domain name.
Create Backups
Back up existing files and move the archive into the backups directory. This process can also be scripted and run on a regular basis using cron:
cd /var/www/html/example.com/public_html
sudo tar -cvzf example.com-BCKP-$(date +%Y%m%d).tar.gz ./
sudo mv -v example.com-BCKP-*.tar.gz ../backups
Download Updates
Log in to your Drupal site and navigate to the Admin Toolbar. Click Reports, then Available updates.
Note
If Available updates is not listed, enable the Update Manager plugin under Extend.
Right click “Download” to the right of the desired version and copy the link address.
Connect to your Linode over SSH:
ssh user@203.0.113.52
Navigate to the Apache DocumentRoot directory. Download the new file by using wget and pasting the link address you copied from Step 2:
cd /var/www/html/example.com
wget https://ftp.drupal.org/files/projects/drupal-8.1.1.tar.gz
Upgrade Your Site
Put the Site into Maintenance Mode
Back in your browser, navigate to Configuration, Development, then Maintenance mode.
Check the box next to “Put site into maintenance mode.” Enter a message if desired, and click Save Configuration.
Replace System Files
While in the site’s public_html folder on your Linode, remove existing files and folders except sites and profiles:
sudo rm -ifr autoload.php composer.* example.gitignore index.php LICENSE.txt README.txt robots.txt update.php web.config && sudo rm -ifr core/ modules/ vendor/ themes/
Go up one directory, then expand the update into your public_html folder. Replace drupal-8.1.1.tar.gz with the current update:
cd ..
sudo tar -zxvf drupal-8.1.1.tar.gz --strip-components=1 -C public_html
From a browser on your local machine, navigate to example.com/update.php.
Note
If update.php does not load or returns a 403 Forbidden error, you can try to change the ownership and permissions of the newly expanded files:
chgrp www-data /var/www/html/example.com/public_html/sites/default/files
chmod 775 /var/www/html/example.com/public_html/sites/default/files
chmod 757 /var/www/html/example.com/public_html/sites/default/settings.php
Mode 757 leaves settings.php writable by every user on the system; once the update completes, remove that write access again.
Follow the prompts to continue the update.
If installing additional modules or configuring additional security settings, proceed to the Additional Security section below. Return to Step 6 once those configurations are complete.
Rebuild the site’s cache by clicking Configuration in the Admin Toolbar, then Performance under Development. Click Clear all caches.
Click Reports in the Admin Toolbar, then Status report.
From your Linode, open /var/www/html/example.com/public_html/sites/default/settings.php and confirm that $update_free_access = FALSE.
If everything looks good, take the site out of maintenance mode described above by unchecking the box next to “Put site into maintenance mode.”
Additional Security
Increase password security by adding the following to services.yml:
/var/www/html/example.com/public_html/sites/default/services.yml
# Increase the number of password hash iterations. Minimum = 7; Maximum = 30; Default = 16
services:
  password:
    class: Drupal\Core\Password\PhpassHashedPassword
    arguments: [19]
Note
You may need to add write permission to this file before you can edit it:
chmod u+w /var/www/html/example.com/public_html/sites/default/services.yml
Consider installing additional security modules from the Drupal Project Module:
- Secure Login enforces secure authenticated session cookies
- Password Policy: Define a user password policy
- Security Review: Automated security testing
This guide is published under a CC BY-ND 4.0 license.