Drupal 7 is scheduled to reach end-of-life on November 1, 2023. Until then, the Drupal Security Team will continue to provide patches for the Drupal 7 core and contributed projects in case security threats arise. However, after that point, the Drupal Security Team will no longer support Drupal 7.
Is it safe to stay on Drupal 7?
If your organization is currently running Drupal 7, you are faced with the decision of whether to upgrade to Drupal 9.
Creating a business plan can help with your decision because it contains projections of initial costs and ongoing costs to make the upgrade investment, as well as projections of income and savings. The business case exercise can further forecast the break-even point for your upgrade investment. However, in the case of future security threats, we cannot be sure what future ongoing costs will be, because we cannot predict when such security threats will arise, nor will we know their severity.
What can be done, however, is to make organizations using Drupal aware of the risks of not upgrading. There are three general areas of risk: security, integrations, and functionality.
Security risks
Once Drupal 7 reaches end of life, whenever security issues are identified in core or contributed modules, there will not be much support to fix them. Site maintainers may find themselves in the position of having to spend a lot of time finding and fixing security holes. This risk is exacerbated if there are many contributed modules in your Drupal setup.
Some agencies will offer maintenance services for your Drupal 7 platform after the end of life. If you are willing to invest in hiring such an agency, this will go a long way toward securing your site. One of their primary tasks is to backport fixes for issues in core and contributed modules. These fixes will of course not be included in the D7 upgrade path because there will be no upgrade path at all. As a point of reference, after Drupal 6 reached end of life, there was not a disproportionate number of security fixes needed for its core or contributed modules. Still, the risk is not zero. All aspects of a Drupal application must be considered to ensure there are no security breaches.
Another aspect of going this route is that a lot of the time in maintaining a site like this is spent managing and mitigating security risks rather than making improvements or implementing new features. For many developers, this is not a rewarding job.
In the history of previous Drupal security fixes, some have been fairly small (one-line changes that take an hour to review and fix) while others have taken days or even weeks of development time to analyze and produce a fix.
One advantage of choosing to upgrade a site from Drupal 7 to Drupal 9 is that you get all the benefits of the security improvements that were included in Drupal 8 and every subsequent feature update. In a blog post, Acquia's Peter Wolanin details some significant security improvements included in the initial release of Drupal 8. Drupal 9 has additional benefits such as support for PHP 8.0.
Integration risks
Certainly, security risks will arise, but another area of risk in maintaining the status quo is that key integrations will eventually start to break down. For example, your Drupal environment may be integrated with another platform, and a key API on that platform is being deprecated. Because the Drupal module that connects to it is no longer actively maintained, you (or an agency you hire) will have to update the module or write a new custom module to keep the integration working.
Functionality risks
As the Drupal community continues to decrease the amount of activity on Drupal 7 core and contributed modules, especially after the end of its life, you basically lose those "free" updates. This is especially true with bug fixes. This forces you to live with them or fix them, or again, hire an agency to do it. If you hire someone, that person won't be as familiar with the project as one of the maintainers would be, so you would have to take that additional investment into account. In fact, some of these risks can be so critical that you'll end up rewriting large chunks of code to deal with them.
Not only are you missing out on the Drupal 8/9 security improvements mentioned above, but not upgrading means you’re missing out on a ton of other improvements. Drupal 8 and 9 are both built around a modern PHP stack that includes features like Composer support, Symfony components, modern OOP coding techniques, and more. While Drupal 7 has served our community well, it is not built on the latest PHP libraries and development workflows that developers have come to expect. This gives Drupal 8/9+ site owners the advantage of further improving their security posture by adding the Guardr security module or distribution. While Drupal 8 and 9 have good security features, Guardr adds additional community-approved modules and configurations that meet industry security requirements.
Contact us
However, we can develop a plan for your existing Drupal 7 solution. We will take into account the number of modules you are using, their complexity, the nature of your integrations with external systems, and more. Please contact us for more information.
Taken and translated from: https://www.mediacurrent.com/blog/risks-staying-drupal-7-after-its-end-life/