One of our clients mailed me with an urgent problem: His site crashed! Quoting (bolded made by myself):
The amount of testing we need to do with each update makes it almost impossible to keep updating risk free. We would have to test for so long, that by the time we're done, the next module will be ready. It's just too complex a site with too many contrib modules. Maybe if we had a full time person just on that. Despite what the "community" says, my tendency is to only update security changes.Looking at the error message, it took me less than a minute to tell him the writing was on the wall... Well, maybe this is a too obvious case, but let's admin it - maintaining a Drupal site and keeping it up to date, is not always that easy. We all have other things to do, and keeping the site with the latest versions of module X, is not always a top priority. How should one do, to keep his site safe, and his soul sane? There's no one good answer, but for most of site owners, who are not full time Drupal developers, here's a bunch of advices:
- Don't install modules you don't need - stick with the minimum. Every additional module obviously adds some more tasks and maintenance to the overall.
- Don't update immediately - verify the update contains the fixes you need, and the features you were missing. If there are new features - test them first. Updating only when a security update is available is not necessarily wrong.
- Read the release messages - they contain valuable information about changes that might affect your website
- When in doubt - search for more information about the module, and about it's maintainer.
- When still in doubt - read the module's code, and face it with your suspicions
- Sometime in the future - let some 3rd party solution, such as Carbon, or Spokes manage the updates for you. Deal with your site's content and strategy, and not with it's platform.