The venerable website Content Management System (CMS) that’s been around since 2008 and is still running over 110,000 sites won’t stop working but, like Windows XP after April 2014, it’s now a 0-day waiting to happen.
If you have a Drupal 6 website then you won’t be receiving any more official security advisories or patches; from today your site is vulnerable to any new security issues discovered in Drupal 6 core or its modules, forever.
Drupal is the world’s second favourite CMS behind WordPress and about one in ten of the Drupal sites on the web are still running version 6.
It’s popularity makes it a massive and easily probed target for criminals.
Keeping enormous technology monocultures like the WordPress and Drupal installed bases secure relies on good quality code and quality assurance, vigilant security teams and the ability to produce and disseminate patches quickly.
Automated attacks can begin within hours of vulnerabilities being announced and if your site is on the public internet it will be put to the test routinely by criminals.
If you’re still running version 6 then there is one branch line you can continue to travel, for now at least.
In January, the Drupal community announced three vendors had qualified to provide paid Long Term Support for Drupal 6. Those vendors will themselves receive assistance from the Drupal Security team and are in turn obliged to abide by the same disclosure policy and release patches on drupal.org’s Long Term Support page.
You do have to pay for that support though and it remains to be seen if these organisations can match the Drupal Security team or how long it will be commercially viable for them to provide support.
Site owners would still be well advised to make upgrading an urgent priority.
Those who want to stick with Drupal have two newer versions to choose from:
"Drupal 8 core also provides a Migration path directly from Drupal 6 as an experimental feature, so sites can update directly to Drupal 8 using either a user interface or with Drush. See Executing a Drupal 6/7 to Drupal 8 upgrade for more details. The Migrate feature will be fully supported in a later minor release of Drupal 8."
"Drupal 7 remains fully supported, so Drupal 6 sites can also update to Drupal 7 using the core update feature when that is a better fit. Drupal 7 is estimated to be supported until Drupal 9 is released, or later. For more information follow: [policy, no patch] Drupal 7 (and 8) EOL timing."
Switching lines entirely is also an option – the popular open source CMSes tend to make importing and exporting data easy and there’s a wealth of tools to help you migrate to alternative platforms like WordPress and Joomla.
The more complex and customised your site is the more difficult the migration is likely to be though, no matter how you travel.
New major versions of Drupal tend to appear every few years and because the community only supports the two most recent versions of the software, the third oldest version normally goes out of support as soon as the new version is released.
New Drupal versions are released when they’re ready (rather than to a schedule) and are incompatible with each other and existing 3rd party plugins. This forces site owners in to running migration projects and makes planning the resources for those projects more difficult.
Mindful of this, and the number of users who’d immediately fall foul of the lack of support, the Drupal Community gave version 6 users a three month stay of execution after the release of Drupal 8 on 9 November 2015.
Drupal site owners have now had five years to upgrade to version 7 and yet one in ten still hasn’t.
There are very good reasons why the Drupal Community releases software in the way it does but it stands in contrast to the general trend towards smaller, more compatible, more frequent and automatically deployed software releases.
The number of sites left behind in this release cycle should be a concern to both the Drupal Community and everyone else because compromised sites don’t just affect the owner, they affect all of us.