On 7 June 2023, the Drupal Association announced a delay to the removal of support for Drupal 7, effectively pushing out its end of life (EOL) date.

Originally set for November 2023, that date is now pushed out to January 2025; a stay of execution of some 14 months. Whilst this comes as no great surprise to those of us who monitor these things, there are some tangible differences to previous extensions. Significantly, they say this will be the final extension (their emphasis).

You can read the full release here.

A time to rejoice? 

But, before all those stuck on Drupal 7 rejoice too gleefully, there are some important caveats to that extended support which could have a substantive impact on your legacy Drupal website. 

All the following reductions in the scope of ongoing support for Drupal 7 come into effect from 1st August 2023. 

D7 vulnerabilities may be announced before they are fixed

The Drupal Security Team may post Drupal 7 exploits in public issue queues before a resolution is in place, if they are not mass exploitable. This might be for edge case situations or risks that may be otherwise mitigated.  

Currently, the Drupal Security Team work with core and module maintainers to find a fix and then announce the issue alongside with the published fix.  

That means your website could be become vulnerable to attacks before anybody has even started looking to fix that vulnerability. In some instances, nobody may even care about your specific vulnerability, so this risk will never get fixed and will remain indefinitely. 

Gradual withdrawal of support for some modules 

If a Drupal 7 contributed module becomes unsupported, that module will no longer be eligible for a new maintainer to take over. Well-used modules regularly become unsupported as the maintainers lose interest in maintaining them. Maintainers are usually giving up their own time to support these modules and no longer want to support code they wrote some time since Drupal 7 was released in 2011 when Drupal 8 was launched in 2015. 

In practice, that means you might need to move away from modules that are currently unsupported or at risk of becoming unsupported or find somebody who will take over its maintenance before that date. If you don’t then any issues, whether security or more mundane, may never get fixed. 

Removal of support for older versions of PHP

PHP before version PHP5.6 will no longer be supported by Drupal. If you’re hosted on PHP5.5 or earlier, you might start experiencing PHP errors which could cause your website to stop functioning. Additionally, the Drupal Association might further reduce the support for increasingly recent versions of PHP as Drupal 7’s EOL approaches, and they may do that at any time. 

PHP is the programming language in which Drupal is written. You are already at risk if you are using a version of PHP that is no longer supported by PHP themselves, regardless of this change to Drupal’s stance. Support for PHP5.5 was withdrawn by PHP in 2016. Support for the final version of PHP7 was removed at the end of 2022. You should really be on PHP8.0 as a minimum whether you’re using Drupal 7, 9 or 10 and preferably on PHP8.1 as you prepare for the upgrade to Drupal 10. 

Withdrawal of Windows-hosted support

Whilst most Drupal websites are hosted on Linux based hosting solutions, a proportion are hosted on Windows. This support is being removed. 

This doesn’t mean your Drupal 7 site won’t work on Windows-based browsers, of course. That is still very much supported. 

It is worth noting that Drupal’s Internet Explorer support was withdrawn with the release of Drupal 10. Microsoft stopped supporting that browser in the middle of 2022. 

 

Summary  

This gradual withdrawal of full support for Drupal 7 before it eventually reaches EOL is a none-too-subtle hint for you to migrate away from Drupal 7, or risk the various functional and reputational risks of a broken or insecure website. This feels to us at Cyber-Duck like a “you have been warned” notification from Drupal. 

 

What to do if you’re stuck on a website using legacy Drupal 

Migrate to Drupal 9 or 10. There is no upgrade path, which is why so many sites remain on Drupal 7. You need to create a new Drupal website and migrate the content over. 

You can read more about the migration process in our white paper, Still Stuck on Drupal 7?

Check out our thoughts on the shift over to Drupal 10 in our previous article, Drupal 10: Don't Panic!