Issues Arising with Drupal 6 & 7: What You Need to Know to Stay Secure


There is so much involved in growing and sustaining a business. From marketing to sales to accounting to inventory to meetings to projections to… you know – it’s constant hustle and upkeep, right? If you are like many business owners, you have your actual business to focus on, and maybe you have been putting off your site upgrades until it becomes inevitable.

Well, we’re sorry (but not sorry) to tell you: if you are running Drupal 6, it’s absolutely time to bite the bullet, upgrade with urgency, and consider how vulnerable your site has become without support.

If you happen to be running Drupal 7, you got lucky in that the end-of-life for support got pushed out a bit, but D7 (and D8) support is getting very little focus now that developers are nurturing Drupal 9. 

The Drupal 6 Crossroads of Obsoletion

If you happen to be running D6, we’d like to take a moment to worry with you. Why? Drupal 6 has not been supported by its own developers since 2016! This leaves your site open to vulnerabilities beyond the bad guys’ wildest dreams.

To Summarize:

  • Drupal 6 is no longer supported by the Drupal community at all. The community at large will no longer be creating new projects, fixing bugs in existing projects, writing documentation, etc… around Drupal 6.
  • There are no more core commits on Drupal 6.x to the official tree.
  • The security team no longer provides support or Security Advisories for Drupal 6.
  • All Drupal 6 releases on project pages are now flagged as “not supported.”
  • Update status is non-existent to ‘spotty at best’ for Drupal 6 sites.

Now, don’t get us wrong. There ARE rogue development teams who will charge you a pretty penny for long-term D6 Support, but they are few and far between.


Drupal 7’s End of Life is Nigh.

In November 2022, after a D7 decade and then some, Drupal 7 will reach its end of life (EOL). Official community support will end, along with support provided by the Drupal Association on This means that automated testing services for Drupal 7 will be closed down, and there will be no more updates provided by the Drupal Security Team. Drupal 7 will be marked end-of-life in the update manager, and updates, security fixes, and enhancements will no longer be provided by the community. (Like D6, though, extended support may be available on a limited basis from external third-party vendors who are happy to bill you a premium.)

What This Means For Your Drupal 7 Site Vulnerability:

  • The Drupal Security Team will end support and Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities will likely become public, creating 0-day exploits¹ from untrusted sources.
  • Drupal 7 will cease to be supported by the Drupal community. Gasp! The community at large will no longer write documentation, develop new projects, fix bugs in existing projects, etc… regarding Drupal 7, which also makes this a perfect opportunity for you to upgrade.
  • There will be no more core commits to Drupal 7 at all.
  • All Drupal 7 releases on all project pages will be flagged as “not supported”. Third-party maintainers can change that flag if they desire, but they are not obligated to provide support.
  • After November 2022, using Drupal 7 may be flagged as insecure in third-party scans since it no longer will receive support.
  • On Drupal 7 sites with the update status module, Drupal Core will show up as “unsupported.”

Let’s Talk About Outdated Themes, Outdated Security, Obsolete Algorithms, and Maybe Even Gremlins.


Outdated D6 & D7 Themes:

Instability is the first word that comes to mind here. Lack of continued testing and support makes for an unstable environment if there is a need for any (even minor) changes, and this instability can potentially ‘break’ your theme! This ‘breakage’ can result in non-compliance with regulations, demotion in search results due to poor user experience, and other less-than-desirable consequences.

Outdated Security:

Major content management systems like Drupal, which power millions of sites, release critical security updates in response to new types of malware or newly discovered flaws in their code. Plain and simple: running old, unsupported, or out-of-date versions will leave your site exposed to hackers. “Ohh, I want to be hacked!” said no legitimate site owner ever.

Sometimes the greatest risks to your site’s performance are not immediately related to the theft of your data, but go hand-in-hand with functionality issues. By using software that is unsupported or outdated, you’re essentially gambling – because your unstable software can fail at any time.

Obsolete Algorithms:

Just like everything else in technology, algorithms have a limited lifetime. That includes the algorithms behind cryptographic hashes, encryption, and cryptographic protocols. After their End of Life, they are considered either too risky to use or just plain insecure.


Gremlins:

Weird to call them that, right? But it’s accurate if you think about it. Data loss ‘gremlins’ can come about with outdated site vulnerabilities. Little bits of data can be stolen here and there without your knowledge, errors in code may ‘break’ your site with each minor visual or content update, and vulnerabilities may let in malware (very gremlin-y) and lead to unauthorized phishing that looks like it’s coming from you to your contacts. Eek.

Now is a great time to start planning your migration to Drupal 8 or 9.

If you are unable to migrate to Drupal 8 or 9 by the time version 7 reaches the end of life, there will be a select number of organizations that will provide Drupal 7 Vendor Extended Support for their paying clients (yes, you will be charged a premium for this third-party service). If your migration does not NEED to wait, we certainly advise you don’t wait.

Need more time to think before you upgrade? When you have a moment, check out our reasons Why You Should Update to Drupal 9, and give us a call to find out how we can provide you the support or assistance you may need to get started. 


1. A zero-day exploit is a cyber-attack targeting a software vulnerability that occurs on the same day a weakness is discovered. The weak point is exploited before a fix becomes available.


