Drupal 7 Security Support Extension: What You Need to Know


At DrupalCon Pittsburgh 2023, the Drupal Security Team announced the final extension date for Drupal 7 security updates. It is now official with PSA-2023-06-07. The team will provide critical security updates for Drupal 7 until January 5, 2025.

Key Takeaways

  1. This will be the final extension of the date on which Drupal 7 reaches end of life. Those who are using Drupal 7 should migrate to the latest version of Drupal before January 5, 2025; otherwise they will not receive any official support from the Security Team. Modules, themes, etc. will also no longer be updated on Drupal.org.
  2. For this extension, the Security Team is fully committed only to releasing critical security patches. For moderately critical issues affecting Drupal 7, they may post the issue in a public issue queue for resolution. The security risk levels are defined here.
  3. Contributed modules that are marked as unsupported after August 1, 2023 will not be eligible for new maintainership and will not be marked as supported again. The Security Team will also not handle any unsupported libraries, like CKEditor 4.
  4. After August 1, 2023, the team will not support PHP versions below 5.6. 
  5. Security issues that affect only Windows hosting will not be supported by the team after August 1, 2023.
  6. The Drupal.org build system will not automatically build Drupal 7 distributions after August 1, 2023. Maintainers can manually build and upload the distributions.

What Does This Mean for a Drupal 7 Site Owner?

The security team is committed to supporting critical vulnerabilities in Drupal 7, but the service levels of security support for Drupal 7 have been reduced. If you keep your website on Drupal 7, the security risk increases. Please migrate to the latest version of Drupal as soon as possible.

Options Available for Drupal 7 Site Owners

  1. Migrate to Drupal 10 - This is the best option available. Drupal 10 migration is essentially rebuilding the website in Drupal 10 and migrating the data with the Migration API. The tools to support this are mature, and the features available in Drupal 10 help you build a modern Digital Experience Platform for your needs. Tools like ECA help Drupal 7 site owners that use Rules extensively. Also, projects like Drupal Retrofit offer workarounds supporting Drupal 7 code. 
  2. Create a static HTML version of your Drupal 7 website. If you are planning to archive your Drupal 7 website, i.e. you do not want any more updates to the content but want to keep the site as it is for historical and SEO reasons, the best option is to create a static HTML version of the website and host it on a low-cost hosting plan without PHP or MySQL. Forms can be embedded in the static site to capture leads. Let us know if you want to explore this option.
  3. Migrate to Backdrop - Backdrop is a fork of Drupal 7 that supports the Drupal 7 API, so the migration will be smoother. If the site is simple and less important or business critical, and you do not have the budget to migrate to Drupal 10, this would be a good option. It is not recommended for websites that should be transformed into Digital Experience Platforms and where the marketing and communication teams have agile plans to enhance the website and grow digitally.

What Are the Risks Involved If I Continue to Use Drupal 7?

  1. Running software past end-of-life is risky.
  2. The Security Team will no longer provide any coordination for the end-of-life software. This means you will not receive any vulnerability updates, new versions, new modules, new features etc.
  3. Large enterprises won't allow end-of-life software to run internally; scans will flag it.
  4. Many security frameworks (PCI-DSS, FedRAMP, FISMA) forbid end-of-life software.
  5. End-of-life software sometimes requires other components that are not secure, e.g. JS libraries, PHP, etc.
  6. Drupal.org will no longer provide Drupal 7 module/theme downloads.
  7. All Drupal.org-based testing infrastructure for Drupal 7 will be shut off.
  8. Drupal 7 issues that are reported to the Security Team, even highly critical ones, may be made public without a fix or prior notice.

How Can Zyxware Help You?

Over 15 years of experience in the Drupal niche have given Zyxware a natural edge in the industry. To date, we have successfully delivered over 200 projects to over 100 clients across the globe.

More than 50,000 websites have used the modules we have contributed to www.drupal.org. The upgrade_audit module we have developed helps Drupal 7 website owners easily capture information about their Drupal 7 website, which helps the tech team come up with an accurate estimate for migrating your Drupal 7 website to Drupal 10.

If you have a Drupal 7 website and need help keeping it secure and transforming it into a Digital Experience Platform (DXP) that supports personalization and more, do contact us, and we will work with you to make that happen.