At the DrupalCon Pittsburgh 2023 Security Team Panel, the Drupal Association officially announced the Drupal 7 end of life date. There won’t be any more extensions! As of January 5, 2025, Drupal 7 will no longer be supported by the Drupal security team.
Drupal 7 was released 14 years ago and three major versions have been released since then (including Drupal 8 which has already reached end of life.) So it’s time to say goodbye. This will free up resources for the Drupal security team, allowing them to better support Drupal 10 and subsequent versions.
So what does Drupal 7’s end of life mean for organizations that are still using this version? This guide sets out:
- What to expect before Drupal 7’s end of life
- What to expect after Drupal 7’s end of life
- The risks of staying on Drupal after January 5, 2025
- What your options are for moving on from Drupal 7
Remember, all websites and organizations are unique, so the following recommended actions are general suggestions only. You may want to do extra research or consult one of our experts first.
Changes to Expect Before January, 2025
There will be some upcoming changes to Drupal 7 before it reaches end of life. This will help reduce the burden on the Drupal security team, and encourage organizations and website owners to upgrade their existing Drupal 7 sites. Here’s what to expect and what you can do to prepare.
Unsupported Modules & Themes Will Stay That Way
After August 1, 2023, any Drupal 7 contributed modules or themes that are marked as unsupported cannot become supported again.
What’s more, there will be no security advisories for any unsupported libraries that Drupal 7 contributed modules or themes rely on (such as CKEditor 4.)
Recommended action: Adopt a project! If you or your clients rely on a D7 module or theme, consider applying to maintain it before it’s flagged as unsupported due to unresolved issues.
Non-Critical Drupal 7 Issues May Become Public
From August 1, 2023, the Drupal security team may decide to invite the open source community to help resolve non-critical Drupal 7 issues. These issues will be chosen based on security risk levels. Only issues that can’t be mass-exploited will be shared publicly.
If an issue affects both Drupal 7 and 10, a Drupal 10 security advisory may be issued without an accompanying Drupal 7 fix.
Recommended action: If you’re running a Drupal 7 site, monitor the public issue queue and consider helping to resolve any issues that may affect you.
PHP 5.5 and below will no longer be supported
From July 1, 2023, the Drupal security team will only release patches for PHP 5.6 and above. (They may adjust this policy before Drupal 7’s end of life with one month’s notice.)
Recommended action: PHP 5.6 and PHP 7 have already reached end of life, so we recommend updating to PHP 8 as soon as possible.
No More Security Fixes for Drupal 7 Windows-Only Issues
Windows will no longer be tested and Windows only security issues will no longer be fixed.
Recommended action: Look into migrating to another operating system if you’re running a Drupal 7 site on Windows.
Unsupported Third Party Libraries
Third party libraries that are used with Drupal 7 can be marked unsupported at any time based on their requirements or their deprecation (such as CKEditor and TinyMCE.)
Recommended action: Evaluate your use of third-party libraries in your Drupal 7 sites.
Changes to Expect After January, 2025
When Drupal 7 reaches end of life on January 5, 2023, any related infrastructure maintained by the Drupal Association will be turned off. This means that:
- Drupal.org will no longer perform packaging operations for Drupal 7 code or Drupal 7 branches/versions of contributed modules. This means that no more releases will be built from those git repositories.
- Drupal 7 branches for all projects will be marked as unsupported.
- Drupal 7 XML feeds of the module catalog for packaging will be shut off. This will break older versions of Drush and may prevent Drush from downloading packages.
- All drupal.org based testing infrastructure for Drupal 7 will be shut off.
Other changes to expect include:
- A message in the Admin UI to let Drupal 7 users know their website is insecure.
- Sites still on Drupal 7 may be flagged as insecure in third party scans.
- Drupal 7 issues—including highly critical ones—may be made public without a fix or prior notice.
- Unlike with Drupal 6, the Drupal Association will not promote any long term vendor support for Drupal 7 after end of life.
What Stays the Same After Drupal 7 End of Life?
Drupal 7’s end of life won’t affect anything related to Drupal 10+.
Also, the git repositories of Drupal 7 versions of core and contributed modules will be kept online.
The Drupal Association may choose to continue adding web application firewall rules to protect Drupal 7 sites. This will be done through Drupal Steward: a paid service delivered by the Drupal Association and the Drupal security team via its partners. Drupal Steward protects sites by blocking certain types of web requests (relating to vulnerabilities that are public and unresolved) before they hit your web server.
The Risks of Running Drupal 7 After End of Life
Maintaining Drupal 7 after its end of life isn’t a safe or practical option. It will:
- Expose you to security risks. Your site won’t receive updates from the Drupal security team. Unresolved critical vulnerabilities may be made public, putting your site at even greater risk. End-of-life software sometimes requires other components that aren’t secure, which will also increase risk.
- Limit your reach and partnerships. Your site will likely be flagged as insecure by security vulnerability scanners. Most large enterprises won’t allow end of life software to run internally, and security frameworks (PCI_DSS, FedRAMP, FISMA) forbid end of life software.
- Limited support and opportunities. Drupal.org will no longer support tasks related to Drupal 7 (including documentation, navigation, automated testing, and packaging.) Also, without access to the great new functionality being added to later versions of Drupal, your site will become less valuable to your audience.
Where to Go From Here: Moving on From Drupal 7
It’s important to take action on your Drupal 7 website, whether you want to keep it or not. Here are your main options:
- Migrate to Drupal 10. The latest major version of Drupal offers a fantastic array of features to help you build a flexible, engaging, secure site. We’re particularly excited about editing content with CKEditor 5, setting up automatic updates, and using the accessible default theme Olivero.
- Migrate to another open source CMS. While we’re passionate about Drupal, we know it’s not the right choice for every organization. Alternatives that we sometimes use include Backdrop and WordPress.
- Convert to a static website. This is an option if you’re no longer updating the content on your site.
- Move to a Software as a Service (SaaS) solution. This will eliminate the need for code maintenance and upgrades. It comes with some drawbacks though, such as higher uncertainty about the cost and the product evolution over the long run.
- Decommission your website. This is an option if you no longer need your website, or you don’t have the time or resources to keep it secure. It’s important not to keep an unused website, as it can become a target for hackers.
We Can Help You Plan and Implement Your Next Move
Every website is different and evaluating the various options to transition away from Drupal 7 can be challenging. Evolving Web has extensive experience performing site audits and migrations. As a Drupal Certified Platinum Partner, we can provide reliable recommendations tailored to your platforms and needs. Get in touch today.