Drupal 7 End of Life – What are your options?
UPDATE 23-02-22: Drupal have announced that the Drupal 7 end-of-life date has been extended to at least November 2023: https://www.drupal.org/psa-2022-02-23
Drupal 7 was first released in January 2011 and In November 2022, after over a decade, Drupal 7 will reach end of life (EOL).
This is an honest and straight-forward perspective on what options you have. We do offer Drupal 7 services and we will provide a link later, but this post is about what option is right for you specifically and that may mean not availing of our services, or indeed anyone’s services possibly.
What exactly happens in November 2022?
When November 2022 arrives what exactly will happen? Well on the face of it, very little. Your Drupal 7 website is not going to suddenly stop working, nor is it going to suddenly come under attack.
The Drupal community and the Drupal security team will stop supporting Drupal 7 in November 2022, but what does this mean in practical terms?
It means that updates, security fixes, and enhancements will no longer be provided by the community. The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities might become public creating 0-day exploits.
But what does it ACTUALLY MEAN??
It means your website is more likely to be hacked and it means your website will eventually start displaying errors or stop working completely after some time, simply due to becoming too old to keep up with modern web technologies.
What are the real risks?
The risks of running a Drupal 7 website past end of life without further support will largely depend on what your website does, how it works, and what data it contains.
If your website does not contain any sensitive data (like ecommerce transactions), does not hold personal data on users, is not integrated with any 3rd party systems, and does not allow users to log in, then the risks are fairly minimal.
The worst you could expect is for your website to go offline, or for it to potentially be defaced in some way by a hacker, which of course could harm your reputation. However, a hacker generally wants some kind of reward, and if there’s nothing of value to steal on your website its fairly unlikely they are going to bother defacing your website unless you are being specifically targeted. In reality the vast majority of attacks are automated.
So, if you have a basic Drupal 7 website that meets the description above, is it really an option just to leave it running past end of life without further support? The answer is yes, despite the fact that everyone in the Drupal community would advise against this.
If its an acceptable risk for your website to possibly go down at some stage in the future, or less likely, be defaced in some way, and you will just have a new website built when or if that time comes, then yes, it’s an option.
What other options are there?
For very small businesses or organisations, or for someone who isn’t interested in developing their website or doesn’t believe it’s a key asset to their business, they may decide to just run past November 2022 without doing anything and not worry about it unless something happens.
The reality is that for most businesses and organisations, their website is an important asset and even the risk of it going down for a prolonged period of time, or being defaced in some way (no matter how small the chance may be), is just not an acceptable risk.
So, what options do you really have?
1. Upgrade to Drupal 9
Drupal 9 is an excellent system with many improvements and is an extremely powerful and future-proof platform, but there are some considerations to bear in mind when moving to Drupal 9.
With version 8, Drupal introduced some radical changes and was basically a re-write of Drupal code, this means that Drupal 8 and 9 do not bear much resemblance to Drupal 7 in terms of the underlying system and therefore it is not possible to simply upgrade from Drupal 7 to a later version, instead your website must be migrated to Drupal 9.
Migrating as opposed to upgrading basically means that a new Drupal 9 website must be created and all of your content is then migrated to the new website.
All of your content types and pages must be built on your new Drupal 9 website before migrating your content.
Any contributed modules in use on your Drupal 7 website must be reviewed to determine availability of a Drupal 9 equivalent, and the functionality and configuration must be manually re-built on your new Drupal 9 website.
As you can see, an upgrade to the latest version of Drupal from a Drupal 7 website can be a lot more complex than upgrading a previous version, and is more akin to developing a new website from scratch, so the cost therefore is pretty much the same (or close to) developing a new website.
If you would like to discuss a migration to Drupal 9, get in touch.
2. Sign up with an official vendor from the D7 Vendor Extended Support (D7ES) program
After November 2022 a group of approved and vetted vendors will continue to provide security updates for Drupal 7 core and certain contributed modules under the Drupal 7 Vendor Extended Support program until November 2025.
D7ES vendors are not obligated to work every problem (for example, they probably will not work on obscure modules their customers do not use). Which problems the D7ES vendors will work on for their customers is up to the contract the vendors have with their customers.
Security patches that are worked on, will be made available to the public, for free, at the same time D7ES vendors can distribute the patches to their customers.
One thing to consider is that many of these vendors will require that your website is moved to their hosting platform, or in some cases you do have the option to remain on your existing hosting platform but the price is therefore much more expensive.
Generally, these vendors are enterprise vendors which means they charge enterprise pricing.
If your requirements are that every contributed module used on your website receives security coverage, then it is probably your best bet to engage with one of the five official vendors. However, be sure to enquire about the specific nature of the security coverage, e.g. are they performing proactive security checks and code reviews for your specific modules, because if not then you may as well just use the next option.
3. Sign up with an unofficial vendor who monitors releases from the D7 Vendor Extended Support (D7ES)
Other companies like ourselves are not precluded from providing Drupal 7 extended support despite not being official members of the D7 Vendor Extended Support (D7ES) program.
It is a condition of the program that all vendors publicly share security updates to the public code repository. It is a violation of the disclosure policy for any vendor to fix a security issue in Drupal core or a contributed module and not release the patch publicly.
The service we and others offer (post November 2022) is to utilise the work of the D7ES program by monitoring updates that are relevant to our clients and applying those updates. There is of course nothing to stop you from doing this yourself if you have the time and expertise to do so.
Note that prior to November 2022 we can provide securiy updates for your Drupal 7 website for both drupal core and contributed modules from the offical Drupal security advisories.
The key difference between this option and using an official D7ES vendor is that you do not receive security coverage for a specific list of contributed modules (but you do receive patches for Drupal core). A lot of commonly used contributed modules will receive security updates because they will inevitably be used by customers of the official five vendors, but if you have less common contributed modules installed on your site then they may not receive coverage.
In most cases this service can be provided without requiring you to move your website to a different hosting platform.
This option is certainly better than having no support, and you have peace of mind that Drupal core will be kept up to date with the latest security patches.
If you would like a quote from us for this option, get in touch.
4. Have a new website built on a different platform
You could just decide to move away from Drupal entirely to something like WordPress. We believe that would be a backwards step unless you are really scaling down what you want to do with your website.
We are big fans of Drupal! You can read more in our Drupal vs WordPress blog post.
This option will of course also incur the cost of having a completely new website developed.
5. Convert your Drupal 7 website to a static HTML site
If you don’t intend to frequently update your website with new content, there is also the option to convert the Drupal site to a static HTML website meaning that your website can stay online exactly as it is with no security concerns.
Basically, this involves converting the front-end output from your Drupal site into flat HTML files that remain static and never change. This does away with Drupal entirely, there is no longer any database or code running in the background so there are no security implications.
If your website deals with dynamic changing data, or you have users logging into your site and adding content etc then this will not be an option. However, if you don’t have these requirements then this can be an ideal low-cost solution.
Once converted, your website will look exactly the same as it did before, the only difference is that it is being served from static files instead of Drupal.
After the website is converted to static HTML, it is still possible to make changes to your site but they must be carried out by a web designer/developer, you no longer have the option to do it yourself. This can be fine if you only want to make an occasional change now and again.
Converting to static HTML can be a temporary solution to give you time to maybe plan building a new website, or if there won’t be much activity on your site it can even be a permanent solution.
We can convert your Drupal website to a static HTML site for you, if you would like a quote get in touch.
So which option is right for you?
If you are running a website with highly sensitive data or the function of your website is extremely critical, then you really should be seeking a dedicated service from one of the five D7ES official vendors, or seek the services of a company that will perform continuous security testing and penetration testing on your website.
If your website is still important but maybe not quite that critical, then using our extended support service or similar is a viable option.
It’s all about an assessment of risk, and an important thing to remember is that risk can never be fully eliminated. Even if you engage with one of the D7ES vendors or have dedicated security testing and penetration testing service there is no guarantee that your website will not be hacked. The best that anyone can promise you is that the risk will be lowered or mitigated.
If you don't intend to perfom many content updates to your website in future, then converting to static HTML could be the perfect low-cost solution for you.
If you have any questions or would like to talk to us about anything in this blog post, get in touch.