Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Congratulations! You have completely upgraded your Drupal installation.
Depending on your site, you may need to log in using the following URL: http://example.com/?q=user
You should now go to your administer > site building > modules page and enable new modules from your upgrade. Be sure to then go to administer > user management > access control to enable permissions to use that module for different roles.
You might consider deleting text files from the web root. However this is not advised. You will not be able to hide the fact that your site is built with Drupal.
If you have upgraded a test site and are satisfied with the results, you will now need to copy the test site to a live site.
If you have more questions, please consult the Troubleshooting FAQ guide or ask for help in the forums.
Comments
"The last step in an upgrade..."
Can someone explain to me why deleting/moving these files is necessary/advised?
Just curious...
This is so wayward hackers
This is so wayward hackers can't figure out what version of drupal your running.
Never even considered that....
....how come they aren't tucked away by default then?
You can find links to the
You can find links to the issue / documentation which explains the reasons why CHANGELOG.txt is not hidden by default. In short: obscurity is not secuity
Perhaps it is, but still...
Even if you delete these files from your Drupal root anyone can still easily find out which version you site is running. The only thing you will have to do is to open up telnet or similar in a terminal and do something like this:
or just grab the response headers
This will return the page and you can search the response for the following meta header:
You could also look for strings like "sites/default/files" and so on.
Of course you could also simply surf to the page and look at the source code to find the same information.
So it wouldn't be that hard to build a simple scanner using sockets or perhaps curl to go through a list of hostnames, grab the headers or complete source code and scan it for things that will tell you that the site is in fact running Drupal.
You will be able to tell the
You will be able to tell the major version but not the minor version. The point is to limit your exposure to users finding out you haven't updated to the latest security release.
Drupal 8.9.20
Drupal 8.9.20
I just deleted a node, and the install.php file came up in the browser!
When I hit the browser's back button, a 404 Page came up!
This was in my PRODUCTION SITE!!!
This was as a Logged in user and could have been very dangerous if some novice thought they needed to install it as an app or the like!
Clearly, there is something that must be done to avoid this!