As the list of Drupal websites we manage grows, so does our need for a new system to help us accurately and efficiently keep on top of updates. Security is of the utmost importance. Rolling out updates in a timely fashion is a crucial weapon in our armory which helps us defend our clients’ websites against attack.
There are a broad range of software solutions on the market which can help keep on top of Drupal module and core updates using a centralised dashboard. We decided to investigate the functionality each offered.
Dropguard is a friendly German company which offers a free dashboard service allowing you to see which websites have pending updates. Their paid service offers unparalleled (customisable) levels of automation.
For example, you could configure DropGuard so that it detects any security updates which need to be applied to any of your websites, creates a new task on JIRA, updates the code and commits it to a branch in your GIT repository, post an update to Slack, deploy your updated code to your server then make you a cup of tea. Well, perhaps not that last bit but if you used all of the automated options available you’d have time to go and make one yourself.
If you have a large portfolio, the monthly cost would seem high, but a quick back-of-an-envelope calculation could reveal that it would pay for itself each month by saving so much developer time - the time taken to run updates as well as the time taken to maintain a similar system inhouse.
The great thing about Dropguard is that you could use as much (or as little of) the extra bells and whistles as you like. For example you could tell Dropguard to only act on highly critical vulnerabilities.
The setup can be quite fiddly but Dropguard offer very responsive support - their Slack channel seems to give replies to any queries within 30 minutes.
Drupal Remote Dashboard
Drupal Remote Dashboard (DRD) offers some really exciting functionality without the need for a third party service. The dashboard can only be installed on a Drupal 8 website but it can monitor Drupal 6, 7 and 8 sites. Oh, and being a Drupal module, it is of course free and customizable by your Drupal developers.
The dashboard isn’t as intuitive as some of the other products but once we had invested the time to configure everything correctly, we were presented with an immense amount of data about each of our monitored websites including:
Checking the secure connection
Core, modules and themes update status
Status of the Drupal installation
A list of installed modules and their version and update status
Whether update.php is properly protected
JS and CSS Aggregation
Database settings and details
SEO tools and settings
Server and PHP information
With some extra work DRD could be used as part of a process which pushes updates automatically to the GIT repository and to Acquia/Pantheon and other hosts using SSH.
Warden is a self-hosted Symfony server application which displays information about your websites modules on a dashboard. Being open source it is entirely free and customisable.
It doesn’t have any of the extra bells and whistles offered by the other software but is instead a pure dashboard solution. Out of the box it displays all of your websites/modules/libraries and offers the option to send emails about updates and Slack notifications.
It is the only solution which presents information about the third party libraries used by each website, but this information would either need to be manually added to the settings.php file and kept up-to-date, or some time would need to be invested in building an extra system which would keep the settings.php file up to date automatically.
By strict design and principle, Warden doesn't have a user interface. The reason behind this philosophy is that as a pure utility module, only site administrators should be able to change anything and if they do, things should be traceable in settings.php. This does result in time-consuming configuration, but Deeson provide amazing support via GitHub.
Warden have a development roadmap which is working towards making Warden work for non-Drupal websites such as Wordpress.
Warden is a fork of the system_status module which connects to the Lumturio hosted solution (below).
For those who do not want to install, configure and maintain the Warden server application dashboard application, Lumturio offers to do it for you!
The costs are fairly low and the dashboard is quick to set up. It’s easy to use and nice to look at. All you need to do is install the Drupal system_status module and point it at your Lumturio account. At a glance you are able to see which websites and modules need updating.
Again, this is a hosted option (they store all data on Amazon's AWS data centers).
Lumturio currently works with Drupal and Wordpress.
We’ve spoken with developers who have built their own custom tools to help them keep track of updates. Many cited security reasons - not wishing to hand data to a third party solution.
Developers from The University of Northern Iowa gave a talk at Twin Cities Drupal Camp to showcase the dashboard they created to monitor their 200+ websites in dev, stage and production. It provides them with the Drupal version each site is on, as well as information on Git, the database, Google Analytics, and module update status. One area of the dashboard is tasked to noting any pending security updates.
All organisations will have very different criteria against which to evaluate Drupal update dashboard software. Some may be looking to fully automate as much of the updating process as possible to save time (and stress), some may be looking to keep tight control over their website data and the update process itself. It seems there is something for everyone.