What are my options?

Migrating to Drupal 11

There are significant security benefits to staying with the Drupal community, and you could consider migrating your site to Drupal 11. You would continue to be supported by the Drupal community's expertise, and your site would also have access to any new features released.

This may initially seem daunting and a larger undertaking than you had planned for, yet it would ensure a much smoother upgrade path going forward and would future-proof your website.

Migrating your website is not always the answer. However, there is a strong argument for this approach, as remaining on Drupal 7 would essentially mean your website would have unsupported technology and security vulnerabilities.

Ok, so you have taken the plunge and decided that migrating to Drupal 11 is the best long-term solution for your business, and now the next big question is – how do I migrate to Drupal 11?

Luckily, there are many strategies available to you depending on your priorities. Perhaps you want to retain as much existing content as possible or ensure an easy editorial experience transition. Wherever the focus needs to lie, there are strategies available.

Decoupling your website can separate your frontend and backend and allow for flexibility to first of all establishing the solid foundations and then step-by-step making improvements. To understand more about alternative migration options, check out our recent ways to migrate blog.

Purchasing Drupal 7 extended support

If migrating away from Drupal 7 is not feasible for you at this current time, then another option would be to purchase extended support. This comes at a cost, but would also buy time for you to assess the options available or plan your migration for a later date.

Drupal.org offers a vetted list of certified vendors in the Extended Security Support Provider Program.

Practical steps for securing the backend of your website

While you are weighing up your options, it is also a good time to be proactive and protect your site by being more security conscious. Extra measures can be taken within the backend of your website to reduce vulnerabilities. These actions can’t fully prevent access but they add a layer of protection while you are thinking about your next move. Here are some options available to you and the associated benefits:

Add basic authentication (Basic Auth) requirements to backend or admin pages

• Hides Access Points: By requiring authentication, backend/admin pages are less accessible to unauthorised users and bots. This reduces exposure to automated attacks like web scraping or vulnerability scanning.
• Prevents Unauthorized Access: Basic Auth acts as an initial barrier, ensuring that only users with valid credentials can proceed further.

Restrict backend access to a certain IP - Such as office or VPN (IP Whitelisting)

• Restricts Unnecessary Exposure: By allowing access only from known IP addresses, the backend is effectively hidden from unauthorised users or networks.
• Blocks Untrusted Sources: Attackers cannot access the backend from outside the approved IP range, even if they discover the URL.

Enable 2FA to login pages - Two-factor Authentication (TFA)

• Mitigates Password Compromises: Even if an attacker obtains a user’s password through phishing, keylogging, or data breaches, they cannot access the account without the second authentication factor.
• Reduces Replay Attack Risk: Many 2FA systems use time-sensitive codes (e.g. OTPs) that expire quickly, making it difficult for attackers to reuse stolen credentials.

If you are interested in discussing the above approach or learning about other preventions available for your specific website, get in touch as we are always open and happy to talk.

Converting to static website

If you don’t regularly change your website and have very little dynamic content or forms, a potentially viable solution would be to make the site static.

By utilising available applications, you can run through all publicly accessible pages and save the HTML, making it quite an easy option.

Drupal has its own instructions on how to do this under Creating a static archive of a Drupal site.

In summary, this involves:

• Prepping Drupal by turning off any dynamic content
• Using one of a few tools to download the static data. You could also use one of the Drupal modules - HTML Export or Static Generator
• Confirm that everything looks and works well locally
• Publish the new static website and replace Drupal 7

As mentioned previously, this option is best suited to websites which don’t have regular content updates and you essentially want to bridge the security gap by freezing your website as it stands.

Putting your head in the sand and leaving it alone??

Finally, some businesses will want to risk the ‘leave-well-alone’ approach. In good faith, we cannot recommend this. Yes, your site could be ok for months, or even years, but at some point, your site’s security will be compromised or features will no longer work as there will be no support in place.

You may not be ready for a big change, but there are a wide range of options available to negate the risk of Drupal 7 coming to the end-of-life. If you are eager to find out more and want to discuss the best option for your organisation, please get in touch and we can talk through your specific needs and priorities.