Drupal 6 Security - Everything Business Owners Need to Know

As of August 24th 2019, Drupal 6 has been in Long-Term Support (LTS) for 3.5 years. That’s right, three and a half YEARS since Drupal 6 End-of-Life (EOL), and we’re still talking about it.

If you’re here you might be asking yourself:

  • Are there really that many people still on Drupal 6?
  • Why are people still driving around in their Drupal 6 Pintos, when they could be getting into a Supercharged Drupal 8?
  • What Drupal 6 LTS support options are still available?

To understand why web sites are still on Drupal 6, we should look at the data. Who is on Drupal 6, and how quickly are they moving away?

How Many People are Still on Drupal 6?

We are in the days of the final exodus. 6 months ago, our tools pointed to 54,799 websites still using Drupal 6 as of June 2019.

Now, just 4 months later, we’re seeing a total of 38,807 sites as of October 16th, 2019. A reduction by 30%.

Some might ask: “Did that 30% all upgrade to Drupal 8?” Well, perhaps... that is the topic for another article. 

Drupalers in the web development industry might look to the Drupal usage statistics reported on Drupal.org, but for the sake of discussion we’ll do a little comparison against our own dataset.

In June 2019 Drupal.org reported 44,722 Drupal 6 sites, about 80% of our previous total. 

Now, Drupal.org reports 41,250 Drupal 6 sites in October 2019.

Why Are They Different?

  • The Drupal Usage Statistics only report on Drupal websites using the Update Status module.
  • Our dataset is sourced from Wappalyzer, and a few other lists that we purchased, but we revalidated the sites by checking common static files. 

In short: our dataset is not based on the Update Status module, but on forensic detection of the site’s metadata. We sniffed the CMS. Naughty, I know.

Drupal 6 Version Breakdown

However, since we detected and validated sites forensically, we can offer some insightful Drupal 6 statistics.

Here is the breakdown by range of versions, omitting specific versions and instead focusing on “how many people are up-to-date on minor releases vs. old releases?”

  • 11,877 Severely out-of-date
  • 26,930 Up-to-date, or near up-to-date

We can’t give exact numbers because external detection only provides us a range. Fuzzy but effective.

Why is Drupal 6, like, Still a Thing?

Technology adoption rides the same, continuous tide for many organizations. 

Those with a fast adoption cycle will continue at the same speed. 

Those with a slow adoption cycle will take their time in upgrading.

As a Drupal services provider we often try to fight the tide of these adoption cycles. By and large, these cycles are outside of our control. Sometimes for good reason, and sometimes without reason. 

Regardless of reason, understanding why Drupal 6 still persists, and what business factors contribute, helps everyone at the table make better decisions.

Reasons to stay on Drupal 6 for Up-to-date Sites

Here are some common reasons we hear when an organization chooses to remain on their Drupal 6 platform:

1. “Our investment into Drupal 6 is too big to upgrade.”

The business’ investment into the platform outstripped the value it can gain from upgrading. Managing Total Cost of Ownership (TCO) can be a pain for any organization. Many organizations quite simply are not software companies, and it’s all too easy to follow your nose into overinvestment. 

If you’re a site owner and you’re facing down a bill and asking yourself, “How am I going to get this money back?”, then you’re asking the right question.

2. “We’ve customized Drupal 6 too much.”

I think this is probably the best qualification for keeping a Drupal 6 site. In the Drupal industry, this translates to: “I’ve hacked Drupal core too much”. Once you’ve run so far down the tunnel of customizations you can’t see the light, you’re on your own. 

The path forward here isn’t an upgrade—it is a full rebuild. 

Once an organization is deciding on a full rebuild, a whole array of additional questions slides to the top of mind: is Drupal the right platform? How can we incrementally roll something out? How do I avoid this situation in the future?

There are many answers to these questions that typically relate to the architecture. You might want to talk to a Solutions Architect if you need help figuring it out.

3. “I’m not going to make money from upgrading.”

Creative innovation during the upgrade process drives revenue opportunities.

Those who don’t think in terms of driving value for their company at every turn often get trapped in a maintenance mode mindset. Maintenance focuses on the costs. A value-driven mindset helps you focus on outcomes.

What growth targets have you set for your company? I guarantee there is an integrated technology opportunity you haven’t heard of that could be instrumental to the next decade of your company’s business.

Get creative when considering upgrade options, and always put revenue first. Everyone else will understand. 

Now, all of the above reasons make sense for an organization overburdened by the costs of upgrading their Drupal platform, but what’s going on with these sites that are super out-of-date?

Why do Site Owners stay on Drupal 6 when significantly out-of-date?

4. “The guy who built this for us doesn’t do Drupal anymore.”

This is probably the most frequent excuse we hear. Someone built this for an organization with a limited budget, and—kind of like a forgotten project you still have sitting in your garage—it just sits there. It’s only a sore spot if you poke at it, and unfortunately site owners don’t pay attention until the site has been compromised—if ever.

5. “When we update the site, it breaks.”

This excuse, we find, is a sign of an ill-equipped Drupal developer, perhaps an IT support staffer who strayed too far into the web world before they found their wings clipped. To be fair, we also find this excuse in Drupal 7. This happens when the original site build was supposed to be a short-term project, and the developer didn’t have enough forethought or experience to plan for ease of maintenance.

Unfortunately, while there used to be some best practices in place for programmatic updates with drush make, it is no longer maintained. If you’re still on Drupal 6, building from a makefile is a quality, albeit complicated, option fraught with peril. Beware. 

The clear path forward is likely a site refresh and build.

If you’re on Drupal 7, drush make and composer allow for programmatic upgrade and build processes that allow Drupal developers to document pre-existing code, configuration, and patches—and through programmatic upgrades your site can be rebuilt anew on top of the most recent minor version release. 

What Drupal 6 Support Options are Still Available?

While Drupal 6 support might be claimed by a number of Drupal agencies, Drupal 6 Long Term Support (LTS) is only offered by two agencies who are approved Drupal 6 LTS vendors.

Both companies continue to support and backport patches for Drupal 6 sites based on known issues in upstream Drupal 7 & Drupal 8 core and modules for their clients. 

Backported patches for Drupal 6 Long-Term Support are available for free here on GitHub.

So unless you’re signed up with one of these two vendors—or you’re lucky enough to have your patches covered for free from the open source repository—you’re flying blind into any potential security issues.

PS - We do note that others may offer Drupal 6 LTS, but they are not approved vendors from the Drupal Association.

Don’t Drupal 6 Site Owners Know the Upgrade Options?

One would assume so, yes. If time is any indicator, along with our conversations with other agency owners about prospecting site owners, likely every Drupal 6 site in the world has been contacted many times over.

Understanding upgrade options doesn’t mean having the right solution in front of you. Business decisions are often about timing, as a website update and relaunch is typically a large undertaking for any business—and many take their time asking themselves: what can we do better?

At the end of the day, while Drupal 6 site owners know their options, they’re often plagued by the same things:

  • Competing priorities.
  • Lack of clear goals.
  • Lack of clear site ownership.
  • Unknown path between site as a cost center and site as a revenue center.

Where Do Drupal 6 Site Owners Go From Here?

Maintenance costs for staying on Drupal 6 are only going to go up. As Drupal continues to move forward, the path for upgrades may be less supported once Drupal 9 is released. Then upgrades will require an intermediary upgrade to Drupal 7 or Drupal 8.

But in the long-run, for many site owners the answer is simple: just rebuild when you have to!