Update and Secure Drupal 8 on Ubuntu or Debian
This guide has been deprecated and is no longer being maintained. Please refer to the updated version of this guide.
Drupal 8 is the latest version of the popular Drupal content management system. While a simple incremental update feature is included in version 8.1, manual core updates are required for all preceding versions. This guide demonstrates how to manually install an incremental Drupal 8 update on your Linode. This guide assumes you have a functional Drupal 8 installation running on Apache and Debian or Ubuntu.
Ensure that you have completed the following guides:
Confirm the name of your site’s Document Root folder by running the following command on your Linode:
Update your system:
sudo apt-get update && sudo apt-get upgrade
- This guide will use
- You may need additional firewall rules for your specific application.
- Replace each instance of
userwith the names appropriate to your site, and
203.0.113.52with your Linode’s IP address or domain name.
Back up existing files and move the archive into the backups directory. This process can also be scripted and run on a regular basis using cron:
sudo tar -cvzf example.com-BCKP-$(date +%Y%m%d).tar.gz ./
sudo mv -v example.com-BCKP-*.tar.gz ../backups
Log in to your Drupal site and navigate to the Admin Toolbar. Click Reports, then Available updates.If Available updates is not listed, enable the Update Manager plugin under Extend.
Right click “Download” to the right of the desired version and copy the link address:
Connect to your Linode over SSH:
Navigate to the Apache DocumentRoot directory. Download the new file by using
wgetand pasting the link address you copied from Step 2:
cd /var/www/html/example.com wget https://ftp.drupal.org/files/projects/drupal-8.1.1.tar.gz
Back in your browser navigate to Configuration, Development, then Maintenance mode.
Check the box next to “Put site into maintenance mode.” Enter a message if desired, and click Save Configuration.
While in the site’s
public_htmlfolder on your Linode, remove existing files and folders except
sudo rm -ifr autoload.php composer.* example.gitignore index.php LICENSE.txt README.txt robots.txt update.php web.config && sudo rm -ifr core/ modules/ vendor/ themes/
Go up one directory, then expand the update into your
drupal-8.1.1.tar.gzwith the current update:
cd .. sudo tar -zxvf drupal-8.1.1.tar.gz --strip-components=1 -C public_html
From a browser on your local machine, navigate to
update.phpdoes not load or returns a 403 Forbidden error, you can try to change the ownership and permissions of the newly expanded files:
chgrp www-data /var/www/html/example.com/public_html/sites/default/files chmod 775 /var/www/html/example.com/public_html/sites/default/files chmod 757 /var/www/html/example.com/public_html/sites/default/settings.php
Follow the prompts to continue the update.
If installing additional modules or configuring additional security settings, proceed to the Additional Security section below. Return to Step 6 once those configurations are complete.
Rebuild the site’s cache by clicking Configuration in the Admin Toolbar, then Performance under Development. Click Clear all caches.
Click Reports in the Admin Toolbar, then Status report.
From your Linode, open
/var/www/html/example.com/public_html/sites/default/settings.phpand confirm that
$update_free_access = FALSE.
If everything looks good, take the site out of maintenance mode described above by unchecking the box next to “Put site into maintenance mode.”
Increase password security by adding the following to
- File: /var/www/html/example.com/public_html/sites/default/services.yml
1 2 3 4 5
# Increase the number of password hash iterations. Minimum = 7; Maximum = 30; Default = 16 services: password: class: Drupal\Core\Password\PhpassHashedPassword arguments: 
You may need to add write permission to this file before you can edit it:
chmod u+w /var/www/html/example.com/public_html/sites/default/services.yml
Consider installing additional security modules from the Drupal Project Module:
This page was originally published on