And in either case, always backup the site before installing any updates. That way if the site breaks then you can restore from backup. Most of my clients simply forward these "Security Update Notifications" to me so that I handle the patching, but this is not obligatory.
How often do you recommend us to do it? Should we do it every time we received an email alert about security update?
That's a tough question to answer. I should probably cover myself by first saying that we should install the "security" updates ASAP. That should help keep the site best protected from hackers and the like.
It's open source software, you own the site, and nobody can really tell you what to do with it. However, if it gets hacked, the hosting company may suspend your account, and we wind up restoring the site from backup. It's not fun cleaning up that type of mess.
Sometimes there are multiple security patches released per month, other times they go months at a time with no patches. For reference, here are the last few security releases:
- Drupal 7.67 (5/8/19)
- Drupal 7.66 (4/17/19)
- Drupal 7.65 (3/20/19)
- Drupal 7.64 (2/6/19)
- Drupal 7.63 (1/16/19)
- Drupal 7.62 (1/16/19)
You don't necessarily NEED to install them, but it's a good idea because the latest security patches will help keep your site secure from hackers. Some of my clients choose to hold off on installing them and wind up calling me in a panic if / when their site gets hacked. It's a roll of the dice…
You'll also see that the security patch details will usually tell you if it's a low / medium / high importance patch. The low importance ones are still "security" updates even though it's highly unlikely that your site actually gets hacked from a low importance vulnerability.
Example text of email notification coming from Drupal:
Subject: New release(s) available for Your Site
There is a security update available for your version of Drupal. To ensure the security of your server, you should update immediately!
There are security updates available for one or more of your modules or themes. To ensure the security of your server, you should update immediately!
See the available updates page for more information:
Your site is currently configured to send these emails only when security updates are available. To get notified for any available updates, https://www.mysite.com/admin/reports/updates/settings.