Category Technology
Publication date
04 November 2022

Is staying on Drupal 7 worth the risk in 2023?

Time to read 5 minutes read

1 November 2023. This is the latest date set for end-of-life of Drupal 7. But what are the risks of staying on a version of Drupal that has reached end of life? 

Drupal 7 is still very popular. More than half of all websites on Drupal (900,861) were still on Drupal 7 (458,726 of them) at the beginning of October 2022. 

This is the main reason why its end of life has been postponed, and although it currently has been set for 1 November 2023, it won’t be postponed indefinitely.

Sooner or later, the risks of staying on Drupal 7 will far outweigh the costs of upgrading to a newer version of Drupal. 

There are various risks involved with staying on any platform which has reached end-of-life. End-of-life means that those who created the software (the Drupal community) will shift focus to newer versions of Drupal, so it will no longer be maintained and supported.

This means that, should a website running on Drupal 7 encounter some sort of issue down the line, it may be quite difficult to fix it

Once Drupal 7 reaches end-of-life, a Drupal 7 Extended Support programme may be put in place. D7 Extended Support will not be a long-term solution. It will be limited in both the number of vendors available to work on issues, and the type of issues upon which they will be working.   

Staying on a platform which has reached end-of-life has the following risks:

Security Vulnerabilities 

One of the biggest risks with staying on a version of a CMS that isn’t being maintained any more is security.

Drupal is regularly maintained and updated, and has a reputation for being a really secure content management system. However, once Drupal 7 reaches its end-of-life, this regular maintenance and updating will come to an end, and it may be vulnerable to exploits.  

An exploit is code that takes advantage of a software vulnerability or security flaw. Staying on a platform that isn’t maintained and updated can put your website at risk.

Some of the websites running Drupal 7 are owned by entities such as education institutes or non-governmental organisations, and although there is still a need for additional support to those still using Drupal 7, time is running out.  

Should an extended support programme be put in place, it means that security will still be monitored and patched. However, this will only be offered via a limited numbers of vendors. 

Integration risks

Your Drupal environment might be integrated with another platform.

Should, for example, a main API on that platform get deprecated, because the Drupal module that connects to it is no longer maintained, this will mean that it will need to be updated and a new custom module may need to be written in order to keep the integration working. 

Functionality risks 

After the end-of-life, the Drupal community reduces the amount of activity on Drupal 7 core and modules.

As a result, the free updates won’t be available any more. There will no longer be community-driven development of new functionality. Any bugs will have to either be fixed in-house or an agency will have to be brought in to resolve them, leading to additional expenses.


So what are the options for Drupal 7 sites? There are a few things to consider if your website is still running on Drupal 7.

You could:

  • Take the plunge and migrate, either to Drupal 9 or to another CMS. This takes time and costs money – which is the main reason website owners have been putting off the move. It should be seen as a core capital investment, rather than an inconvenient expense. Drupal 9 and beyond say goodbye to outdated platforms, with semantic versioning and upgrade paths for all major versions going forward.
  • Convert the Drupal 7 website to a static site. These sites are normally more simple sites that display the same content to all visitors in the same format, whereas a dynamic website presents different information to different visitors. A static website is more simple and easier to maintain. If your content will not change, a static site can let you keep your content online with little hassle.
  • Engage a Drupal 7 Extended Support vendor. The normal process, once a platform has reached its end-of-life date, is to have a list of experts at hand who are still available to work on critical issues for a limited time. If this programme is put in place, it can buy time for site owners, but should not be considered a permanent solution.
  • Continue to use Drupal 7 unsupported. This is not recommended.

The Open Web 

Drupal is an important player in the preservation and growth of the Open Web. It was the topic of a keynote given at Drupal’s annual conference, DrupalCon, in September this year.

During his presentation, Drupal’s founder Dries Buytaert noted that some of the things he appreciates about a web that is open, i.e. not closed to licence fees, are: 

  • Being in control of his own data, including his backups 
  • Not being bound by the creative limitations of proprietary platforms, and 
  • Not being subject to the invasive tracking used by many of these platforms.  

“All of these are reasons why I want both Drupal and the Open Web to win. We don't want to live in a world where proprietary platforms reign supreme. We need more ‘Good Software’; Software that is open, flexible, secure, accessible, and pro-privacy,” he said. 

Buytaert believes that making security, privacy, accessibility, multilingual capabilities, usability and ease of maintenance top priorities is hard work, but it's worth it.  

Part of making the web open is keeping these legacy iterations of the Drupal CMS alive for as long as they’re needed, but also as long as they’re feasible.

As mentioned before, towards the end of the community support, the owners of those websites that are still running on Drupal 7 will be given the facility of signing up with vendors providing support until 2025. 

The reason for this is to buy these websites a bit more time while their migrations are under way. It is advisable to start the migration process sooner, rather than later. 

Still on Drupal 7? 

We can walk you through the options available, and help you decide on your next move. 

Profile picture for user Anthony Lindsay

Anthony Lindsay Director of Managed Services

With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top quality design, development, and, ultimately peace-of-mind services to all of Annertech's wonderful clients.