Keeping a Drupal site secure means staying on top of security updates, which are a kind of patch-level update. You may have heard of Automatic Updates, a tool that helps you apply patch-level updates to your site without the need to manually use Composer on the command line. Perhaps you’ve installed Drupal CMS and encountered it there or in the documentation as a feature. Before you turn it on, make sure you understand what’s required and the best-fit use cases. Depending on your hosting provider and deployment workflow, you may already have the best update solution in place.
In this post, we’ll walk through:
- What Automatic Updates can and can’t do
- The technical requirements and limitations
- A decision matrix to help you determine if it’s a good fit
- Where to learn more in the Drupal CMS Guide
TL;DR: Automatic Updates can help reduce the manual work of security and patch-level updates in Drupal, but it’s not right for every site. If your host provides update tools or you already have a Composer-based deployment workflow with automated backups, stick with that. For small or low-risk sites, or anyone curious to try Drupal CMS, Automatic Updates is worth exploring—just make sure you set up an automated backup strategy first.
What is “Automatic Updates”?
Automatic Updates refers to an actively developed Drupal feature that includes a contributed module and the core module, Package Manager. The plan is that eventually the contributed Automatic Updates module will be moved to Drupal core.
The purpose of Automatic Updates is to help site owners and developers keep Drupal core (and, eventually, modules and themes) up-to-date safely and easily. Right now, it’s limited to providing patch-level updates to Drupal core. (Patch-level refers to a bug fix or security update release—the third number in a release version, e.g. 11.2.1 to 11.2.2.) The Automatic Updates project currently includes:
- A user interface for attended updates (click a button to update)
- An optional system for unattended updates (cron runs them for you)
- Tools to validate your site’s readiness and detect common update risks
- A sandboxed Composer workflow under the hood — so updates happen in a temporary copy before being deployed
You can try it today by downloading Drupal CMS, where it’s pre-installed and ready to try if it’s compatible with your host. There are also Automatic Updates releases available for Drupal 10 and 11.
What Automatic Updates can do
- Applies patch-level updates to Drupal core
- Optionally updates contributed modules and themes (experimental)
- Validates update readiness
- Works through the UI or command line
What Automatic Updates can’t do
Upgrading is the process of moving your site from a previous major version of Drupal to a newer version, for example from Drupal 7 to Drupal 11.
Is your site ready to run Automatic Updates?
With the Automatic Updates module installed, you can check to see if your site is ready to use Automatic Updates.
Go to Reports > Status report (/admin/reports/status). Under Update readiness checks, look for the status Your site is ready for automatic updates.
Automatic Updates requires:
âś… A Composer-based site
Your site must be managed by Composer. Most modern builds are, but double-check your setup if you’re unsure.
âś… Composer 2.7 or higher
Composer 2.7 is required by Package Manager (as of writing). Package Manager is a core module that the Automatic Updates module depends on.
âś… File system write access
Your site must be able to modify its own codebase during an update. Shared hosting and many platform providers (like Acquia or Pantheon) block this, which makes Automatic Updates incompatible unless you use it in a local or development environment.
âś… An automated backup strategy
Automatic Updates does not back up your site. You’ll need to set up automatic backups before enabling unattended updates. We recommend using your hosting provider’s tools if available.
Learn more: Make a backup before applying security updates
Should you use Automatic Updates on a Drupal project?
Consider these questions before turning on Automatic Updates.
| Situation | Should You Use Automatic Updates? | Why? |
|---|---|---|
| Your hosting provider offers update tools or workflows | ❌ Prefer your host’s tools | Built-in support is often safer and better integrated |
| You already have CI/CD workflows for updates | ❌ Stick with Composer + CI | You’re already in control with better testing |
| You don’t have automated backups set up | ❌ Not safe to use | Updates could break your site with no recovery path |
| You run a simple, low-risk site (blog, brochure) | âś… Worth a try | Automatic Updates lowers maintenance effort |
| You want to test it in dev or staging | âś… Go for it | Safe place to experiment |
| You want to reduce manual steps for patch updates | âś… If you have automated backups in place, yes. | Helpful for reducing friction |
💡 Even if you don’t use it in production, trying Drupal CMS locally can help you understand Drupal’s evolving update infrastructure.
Take Automatic Updates for a test drive
- Download Drupal CMS to get Automatic Updates pre-installed.
- Install some recommended add-ons to try out features and get a demo site running locally.
- Wait for the next patch or security update release.
- Read the documentation on keeping your site up-to-date on the Drupal CMS User Guide. This section of the guide will get you up-to-speed on a general update and backup strategy, regardless if you use Automatic Updates.
Recap
Automatic Updates is a big step forward in making Drupal more accessible and secure for smaller teams and solo site maintainers. But it’s not a one-size-fits-all solution. Automatic Updates and Package Manager are still under active development, and limitations remain.
What you should take away from this is:
- Prefer your hosting provider’s tools when available
- You must have an automated backup strategy set up before you turn on Automatic Updates.
- Use Automatic Updates in development or simple sites to learn and experiment. The easiest way to do this is to install Drupal CMS.
- Read Keep your site up-to-date in the Drupal CMS Guide to learn more about creating an effective update strategy. This advice will apply to Drupal in general as well.
