Why is it not worth to stay with Drupal 7 until 2021?

According to the announcements on Dries Buytaert’s blog, as well as his speech at Drupal Europe 2018, we can expect Drupal 9 in 2020. This is an extremely important message for people using services based on Drupal 7 or 8, mostly because Dries has also determined the dates when these versions will stop being supported. But what does it really mean? What steps should I take, if I have a site built with Drupal 7/8? Will the site be more vulnerable to hacker attacks? The following article is the answer to these questions.

Good and bad news from Dries Buytaert

In September 2018 I had the pleasure to participate in the Drupal Europe 2018 event, where Dries Buytaert (the founder/creator of Drupal) presented some important dates during his presentation (the so-called Driesnote), that will be “milestones” in the further development of this CMS.

The first of them was the Symfony 3 end-of-life in November 2021. This means, that Symfony 3 will no longer be supported and there will not be any subsequent updates related to the performance improvement or security. Because of the fact, that Drupal 8 is dependent on Symfony 3 – Drupal 8 support is also stopped in November 2021.

In this situation, the need for releasing a new version is quite obvious, that is why Dries informed us about a new, improved version – Drupal 9. To provide site owners at least a year to migrate their CMS, “Drupal 9 release” is scheduled for 2020. According to Dries’s announcement, it will happen on June 3, 2020.

Because of the end of Drupal 8 support, previously supported Drupal 7 becomes end-of-life at the same time as 8, i.e. in November 2021.

Why is everyone affected?

End-of-life (EOL) means no more support for the aforementioned versions. Drupal Security Team makes every effort to improve the security of Drupal by implementing corrections related to the reported bugs, which results in “security updates”. Because of the EOL, Drupal 7 and Drupal 8 will not be included in subsequent security updates. So, will the site on Drupal 7 or 8 work after November 2021? Yes. How long? Nobody knows that :)

First of all, you should get out of your mind thoughts like:

  • “My site doesn’t seem to be interesting for any hacker”
  • “Maybe we won’t be affected”
  • “Why change when it works”
  • “It’s not really urgent”
  • “My team still has a lot of time”

Right after the publication of the security update information, those interested in breaking security can investigate these changes included in the update and will be able to find the way to break the security by using backwards engineering. At this point, only the ignorance of the existence of our site separates us from being targeted by the hacker – and it will be found without much effort by scanning the network to find servers and sites where the security has not been updated yet.

What should I do to make my site live happily ever after?

The answer is: migrate Drupal to a newer version as soon as possible. Let us consider two options (depending on the base version):

  • Migration from version 8 to 9, according to Dries’s promises, should be quite pleasant. Drupal core does not change too much, mostly it is the deprecated code that is removed. Most likely, the migration will be limited to content migration and getting rid of deprecations in the custom code.
  • Migration from version 7 to 8 may be more harmful, because of the changes to Drupal core architecture. To perform this type of manoeuvre, it is necessary to migrate not only the content but also the code.

Code migration can be especially time-consuming because it consists of custom modules, themes and templates. The workload is much larger in this situation than in the case of migration from version 8 to 9, but it is inevitable.

If you use Drupal 7, you should consider 2 options:

  • Less stressful option: take care of migrating to Drupal 8 now. This approach will give you much more time to move smoothly through migration to Drupal 9.
  • Slightly more stressful option: wait for the release of Drupal 9 and spend a year on migration from 7 to 9 (during that time you will be exposed to the actions of people interested in breaking the security).

If you are not a Drupal Developer, you should also take into consideration the fact, that in 2020 it may be harder to find a specialist who will take up such a challenge.

It is good to consider this decision now.

The clock is ticking.

Write comment