Planning for Drupal 7 End-of-Life

If you have a Drupal 7 website, you might have already heard that the end-of-life date for Drupal 7 has been officially set for November 2021. Many organizations should upgrade their Drupal 7 sites before then, but an upgrade might not be required in every case. Here’s how to figure out what you need to do.

“What if my site uses Drupal 8?”

This won’t apply to you if your site uses Drupal 8. The process for that is completely different (and much simpler). You can find out more about the Drupal 8 End-of-Life.

“What does Drupal 7 End-of-Life mean?”

First, let’s talk about what EOL means for Drupal. The main thing is security updates.

Drupal has a highly regarded security team that manages security for both Drupal core and thousands of public modules, themes, and distributions that add features. When a security problem is found, the team fixes the problem and publishes advisories that explain vulnerabilities, along with steps to mitigate them. All of this is contributed publicly and freely, just like you would expect from open-source software.

The security team supports versions of Drupal until they reach their end-of-life.

But after the EOL, the baton is passed along to an Extended Security Support team. This team is composed of pre-vetted Drupal agencies, and they are commercially funded by those clients who want to pay for extended security support. This team is mandated to publicly release fixes for most of the security vulnerabilities that they find.

“Hold on. What level of security support do I need?”

Before we talk about what you should do about D7 EOL, you first need to think about how important security is for your website.

  • Are there people who are actively trying to attack your website (maybe because of your strong stance on a particular issue)?
  • Does your website process commercial transactions? (Most non-profit websites these days use third-party websites to process donations and event registrations.)
  • Does your website collect a lot of personally identifiable information (PII)? This relates back to the first point: if there’s lots of valuable PII, an attacker will be more interested in trying to steal it. Don’t forget these parts of your website:
    • Online forms that collect email, name, and other PII
    • User accounts
    • Any private, log-in-only content

If you answered “yes” to any of these questions, then security is of extra importance for you.

“I won’t have the budget for a big website rebuild before November 2021.”

It’s going to be okay. There are a few options available. You’ll fall into one of the following categories:

  1. “Security is really important for our website, we need Extended Security Support.” November 2021 is still a long way off. Currently, the Drupal Security Team is accepting applications from vendors to join the Extended Security Team. The list of approved vendors will likely not be published until 2021. Stay tuned to the official Drupal security channels for updates.
  2. “Security is just as important to our website as it is for every other website, but not in an extra special way.” If your website does not have a reason for someone to actively try to attack it, then you only need to be guarded against publicly known security vulnerabilities. That way you’re protected against the automated attacks that hit every website. Typically those kinds of automated attacks are either trying to use your web servers to mine bitcoin, or lock up your website and demand a ransom. When Drupal 6 reached end-of-life in 2016, many Drupal agencies continued to support Drupal 6 clients using the publicly released updates from the Extended Security Support team. That will again be possible when Drupal 7 reaches end-of-life. When a Drupal 7 update is released, your Drupal agency can update your website, just like any other security update.
  3. “Help, I have no idea what I need!” No problem. There are hundreds of agencies that support non-profit Drupal websites. Just reach out.

If you can’t create a new website before Drupal 7 moves into retirement in November 2021, then you’ve still got options. You just need to consider whether or not your site requires a heightened level of security. We in the Drupal community can also help you navigate these waters.

A version of this post originally appeared on the Advomatic blog.

Dave Hansen-Lange
Director of Technical Strategy

Dave joined Advomatic in 2007 and has been developing websites since 2003. He is passionate about improving Drupal's performance, maintainability, and security. As Advomatic’s Director of Technical Strategy, he works to improve quality and process on all projects. He's been the Technical Strategist on many projects, including websites for The U.S. Department of State, Columbia University, The Clinton Foundation, the ACLU, and Stanford School of Humanities and Sciences. Dave has lived in places far and wide and has been very active with Drupal communities around the world.