Drupal 7, originally released in 2012/2013, still powers the majority of all websites using Drupal. It has been announced that Drupal 7 will no longer be supported and will no longer receive security maintenance beyond November 2023.
Drupal project lead Dries Buytaert advises that this is a positive move that will empower the entire Drupal community.
According to Michael Hess at Drupal, “these users should still plan their upgrade to a newer version of Drupal” or to another platform, and avoiding doing so would “leave them [organizations] vulnerable”. Tim Lehnen and Greg Knaddison, both contributors to the Drupal project, remind us that “a majority of all sites in the Drupal project are still on Drupal 7.”
This means there will be no official development or security support from the Drupal community at that point, which can create potential vulnerabilities for websites running older versions of Drupal.
“At the end of the day, we have a moral imperative to keep as many of those sites secure as we can,” offers Madison Atkins, Drupal developer and project manager, and contributor to the Drupal project.
Drupal 7 End-of-Life (or EOL)
When software reaches its EOL, it no longer receives security updates or other maintenance from the vendor that created it. This also typically applies to any plugins or modules made by third-party developers, as they will also no longer be supported on an EOL version (i.e. Drupal 7) of a platform like Drupal. It’s important to keep up with announcements about when your current versions are nearing end of life so you can make plans accordingly before your site is left vulnerable to attack.
For those using Drupal 7 specifically, the official announcement, released back in February, set the EOL date for Drupal 7 as November 1, 2023, after which all support for security updates and other maintenance will cease.
“Some of our communities’ most critical websites depend on Drupal,” offers Katrina Pftizner, engineer at BIG, a Drupal migration company, and one of the global leaders supporting organizations through this challenge.
It’s important to note that if your current website is built on Drupal 7 and you decide not to upgrade in time (either to Drupal 8 or 9, or another platform altogether), your site will become vulnerable, as attackers are likely already familiar with potential exploits within this version of the software. It can and will become a target.
With no additional ongoing security measures in place, once EOL has been reached, you will be inviting significant risk into your organization.
Next Steps for your organization’s Drupal 7 Website
For your organization, what are the next steps? We recommend that leaders evaluate all solutions and options; there is more than one approach to this situation, and not all organizations need the same solution.
For many, though, we can confidently suggest that you think about:
- Upgrading to a newer version of Drupal: Depending on the version you are on, upgrading to the newer version of Drupal might be the best option. This will ensure that the website is up to date and secure, with minimal complication.
- Moving to a different platform: If the modules and plugins you use are no longer supported, it might be necessary to move the website to a different CMS. This would involve migrating content and design and developing the needed functionality, but it could be the most responsible course of action.
- Looking to 3rd-party support providers: Some Drupal vendors are offering support for Drupal software after it reaches EOL. Pantheon, BIG, and others have confirmed continued support. This would involve a financial commitment for additional support or for help migrating your website from Drupal to another platform.
- Considering some of the alternatives to Drupal: Open source software can often provide a solution for websites in need of support after the original software reaches EOL. This could involve finding a suitable alternative or even building a custom solution.