It's the end of days…(well, End-of-Life) for Drupal 7. As of 1 November 2023, Drupal 7 will no longer receive official Drupal 7 support or security updates from the Drupal community. If you’re on Drupal 7 after this date, then your website and its visitors are at risk from a range of security vulnerabilities and risks, from malicious code injection to data breaches. In this article, we'll discuss the security risks of running Drupal 7 after End-of-Life (EOL), and provide advice on how to manage these risks.
The security risks of using Drupal 7 after End-of-Life
Running a website on Drupal 7 after its EOL can pose serious security risks. Without Drupal 7 security updates, your website will be vulnerable to new and emerging cybersecurity threats. The Drupal community will no longer be providing Drupal 7 security support. Cybercriminals and ‘bad-actors’ will be able to exploit any security vulnerabilities that are not patched in your website’s code, potentially leading to data loss, reputational damage or financial losses.
One of the most significant risks of running Drupal 7 after EOL is the potential for a cybersecurity breach. Hackers can exploit vulnerabilities in the outdated software to gain unauthorised access to your website. Once they gain access, they can steal sensitive data, install malware, use your system to run other programs on their behalf or cause other types of damage.
Another risk of running Drupal 7 after EOL is compliance issues. If your website stores or processes sensitive data, you may be required to comply with industry or government regulations. Running an outdated version of a CMS like Drupal 7 can put your compliance status at risk, which may lead to legal and financial penalties.
In the next sections, we'll discuss some strategies to mitigate these risks and keep your Drupal 7 website secure after EOL.
Drupal 7 EOL options
Without Drupal 7 security updates you have three traditional options:
Do nothing — while it may be tempting, this poses a serious security risk (see above)
Rebuild in Drupal 10 — this definitely mitigates the issues around Drupal 7 security support, but a traditional rebuild in Drupal 10 could cost you an arm and a leg (and sometimes a kidney!)
Rebuild in another content management system (CMS) — again, a big task, potentially with a hefty price tag
You can find out more about these options in our insight, Drupal 7 End-of-Life.
There are three other innovative options Salsa is recommending for Drupal 7 End-of-Life.
1. Leave Drupal by creating a static copy of your site
Generate and host a static version of your site, with a simple content editor for basic updates, then decommission (leave) your Drupal 7 site permanently once the static site is all setup, with no CMS to manage or maintain. This will eliminate the need for Drupal 7 security updates. By eliminating Drupal all together with a static replica and no CMS, you significantly reduce attack surface and security vulnerabilities.
In addition, Salsa's static web generator ( ) provides extra security protection.
2. Keep your Drupal 7 site locked for content editing while creating a static version of your site for public visitors
Generate and host a static version of your site for your public site visitors, while keeping a locked-down version of your Drupal 7 site for your content editors. This means public visitors only access a static copy of your site while only content editors can access your Drupal 7 website. It’s a one-way street from here allowing updates to be pushed to your site while also denying any unwanted access from the outside.
And once again, Salsa's static web generator ( ) provides extra security protection.
3. Rebuild on Drupal 10 with CivicTheme
Moving from Drupal 7 to Drupal 10 is a total rebuild, so traditional approaches like building with an existing design system or new bespoke design theme and /or design system, include a design phase, development cycles, testing and deployment — which all takes serious time and serious money.
But, one of Salsa’s innovative Drupal 7 EOL options is building your new Drupal 10 site using the low-code open source design system and Drupal 10 theme, . It will help you move from Drupal 7 to Drupal 10 quickly, easily and more affordably with its out-of-the-box, ready-to-use components.
Security risks are mitigated because you’ll be on Drupal 10 and getting all the official updates and security updates from the Drupal community. Plus, you can host the site on Salsa’s Drupal-hardened platform for extra security protection.
Next steps
Running a website on Drupal 7 after its End-of-Life can pose serious cybersecurity risks and potential reputational damage. Without Drupal 7 security updates, your website will be vulnerable to new and emerging security threats, and hackers can exploit vulnerabilities in the outdated software to gain unauthorised access to your website.
If you're currently running a website on Drupal 7, there are several options available to mitigate these risks. Salsa provides a range of innovative End-of-Life services, including rebuilding your website in Drupal 10 with , creating a static copy of your website, and generating a static version of your site for public visitors while keeping a locked-down version of your Drupal 7 site for content editors. By taking action to address the security risks of running Drupal 7 after End-of-Life, you can protect your website and ensure its continued success.
Remember, doing nothing is not a good option. Upgrading to Drupal 10 or using one of Salsa's innovative End-of-Life options can help you stay secure, compliant and ahead of the competition.
Contact us today to learn more about our Drupal 7 End-of-Life services and how we can help you secure your Drupal 7 site or rebuild in Drupal 10.