The risks of staying on Drupal 7 after end-of-life
The end of 2024 is approaching. With it comes the end-of-life for Drupal 7 and the consequences of not upgrading.
14 years to the day since it was first released, Drupal 7 will officially reach its end-of-life on January 5, 2025. With fewer than five months remaining until this deadline, website owners still running Drupal 7 must consider their migration options to Drupal 11 or another CMS.
But what exactly does end-of-life for Drupal 7 mean? And what are the risks of staying on Drupal 7?
What does end-of-life for Drupal 7 mean?
On January 5, 2025, the Drupal community will cease support for Drupal 7, leading to a halt in community-based updates, including bug fixes, new features, and security updates. While your Drupal 7 website will continue to function with no immediate disruption, the following changes will happen:
- Drupal 7 branches for all projects will be marked as unsupported. A message will appear in your Drupal 7 site’s admin user interface to let you know you are using an unsupported version of Drupal.
- Drupal 7 issues, including highly critical security issues, may be made public without a fix or prior notice.
- Key infrastructure maintained by the Drupal Association will be deactivated, meaning no more Drupal 7 packages can be released and the Drupal 7 testing infrastructure will be shut down. However, the git repositories will stay online and so you will still be able to access the code.
- Older versions of the command line tool for Drupal, Drush, may break and it may not be able to download Drupal 7 releases.
- Sites still on Drupal 7 may be flagged as unsupported in third-party scans.
So, what are the risks of staying on Drupal 7?
Your site won’t stop working when Drupal 7 reaches end-of-life, but maintaining a Drupal 7 website after its end-of-life isn’t a safe or practical option.
Here are the main risks:
Increased exposure to security risks
Both the Drupal 7 core platform and any Drupal 7 contributed modules you use will no longer be supported by the Drupal Security Team. This means that no more security updates will be provided for Drupal 7 sites.
As security vulnerabilities may be made public without any prior notice, and most importantly, without a patch, your site is put at even greater risk. These vulnerabilities may be posted on discussion forums or on the dark web, so site maintainers will have to stay vigilant and fix security issues they find themselves.
Without Drupal 7 security updates, hackers may be able to exploit any security vulnerabilities that are not patched in your website’s code, potentially leading to data breaches, defacement, reputational damage or financial losses.
Drupal 7 and its extensions may be dependent on other software or libraries which may have also reached end-of-life and are no longer secure, further increasing your risk.
Risk of server software version incompatibility
If your hosting provider wants to upgrade the operating system or version of PHP in use, then Drupal will also need to be compatible with these new/upgraded versions.
If it’s not, then you may need to make it forward compatible yourself, or be faced with the difficulty of finding a new hosting provider, accepting the additional risk of running unsupported server software, or rebuilding your site.
Compliance issues
Your site will likely be flagged as unsupported by security vulnerability scanners. Most large enterprises won’t allow end-of-life software to run internally, and security frameworks (e.g. PCI-DSS) forbid end-of-life software.
No new features will be released for Drupal 7
Drupal has a strong ecosystem of developers around it who provide new features and extensions for Drupal through contributed modules. However, the Drupal 7 contributed modules will also reach end-of-life and will no longer be supported by the community. This means no new functionality as well as no more bug fixes. Even now, as Drupal 7 approaches its end-of-life, the Drupal community is putting more effort into modules for Drupal 10 and 11 than Drupal 7. If a site owner needs bug fixes or new functionality, then they will most likely need to implement it themselves.
Integration risks
Another potential risk area is that key integrations may eventually start to fail. For example, your Drupal environment may be integrated with another platform. Should that external platform deprecate or update their API, then because the Drupal module that connects to it is no longer maintained, you will have to update the module yourself or write a new custom module in order to keep the integration working.
Performance and user experience issues
Technology is constantly changing and evolving. Without optimisation for modern web standards and technologies, Drupal 7 sites may fall behind their competitors with slower loading times and curtailed user experiences.
Where every second of load time counts, websites that fail to deliver a good user experience risk losing visitors, conversions, and revenue.
Limited support
Drupal.org will no longer support tasks related to Drupal 7 (including documentation and automated testing). In addition, it will become increasingly difficult to find Drupal developers and agencies willing to support your website.
Where to go from here?
So what are the options for Drupal 7 sites? There are a few things to consider if your website is still running on Drupal 7.
You could:
- Take the plunge and migrate, either to Drupal 11 or to another CMS. This takes time and costs money – which is the main reason website owners have been putting off the move. However, can you afford the negative fallout and costs involved if your site gets hacked? Drupal 11 and beyond offer new features, an improved editor experience, as well as upgrade paths for all major versions going forward.
- Rebuild in another content management system (CMS) — again, a big task, with potentially an equally hefty price tag.
- Convert the Drupal 7 website to a static site. These sites are normally more simple sites that display the same content to all visitors in the same format, whereas a dynamic website presents different information to different visitors. A static website is more simple and easier to maintain. If your content will not change, a static site can let you keep your content online with little hassle.
- Engage with us to avail of extended Drupal 7 support. We will continue to provide support for Drupal 7 sites beyond its end-of-life until 2026.
- Continue to use Drupal 7 unsupported. This is not recommended.
Still on Drupal 7?
We can walk you through the options available, and help you decide on your next move.
Stella Power Managing Director
As well as being the founder and managing director of Annertech, Stella is one of the best known Drupal contributors in the world.