Site Update
August 06, 2005

Following my site being hacked, I’ve finally been spurred into updating to the latest version of Drupal. Please let me know if you spot any problems.

I suspect that the reason that I was hacked was that I was still running a version of 4.5 which had a security hole in it. This in turn was because I had been putting off the upgrade as it wasn’t reversible and looked like it might require performing some SQL updates. I think that the difficulty of installing and upgrading Drupal is one of its major weaknesses. It often involves backing up, manually downloading items, running scripts, issuing SQL commands, moving files around, all of which can be quite daunting. I’m very capable of doing such things, but the more steps there are, the more it looks like something might go wrong - so you start thinking that you will have to have enough time available to recover from any catastrophic cock-ups, and hence you put it off for another day…

It should be possible to automate most if not all of this process. Installation really ought to be a case of clicking one icon or running one shell script. Creation of databases could and should be automatic, or performed in a wizard on the actual site that is being installed.

New versions of Drupal ought to be detected automatically, and there ought to be an option on the admin page of a site to allow you to perform an update. This update should be performed safely - making a complete backup of all data first - without the administrator having to perform a backup themselves.

Installing updates and custom modules ought to be possible from within Drupal itself, in the same way that Eclipse - for example - has a built-in update mechanism. The admin page ought to display a list of all of the items that are available on drupal.org, and there should be support for downloading and installing them from within Drupal. When a new module is enabled, it ought to perform any SQL creation/updating that it needs to do, without the user having to do anything themselves.

All of this wouldn’t be rocket science - the technology mostly exists already, it’s just a question of people taking the time to package things up nicely.