Drupal 6 has been around since 2008 and has been used by thousands of websites as a content management system (CMS). However, Naked Security reported that the version reached its end-of-life (EOL) mark and is now officially unsupported. No further security updates or patches will be supplied for the version 6 core or its modules as of Feb. 24, 2016.

The Implications

While WordPress is still the most popular CMS for websites, Drupal is the second. Figures show that about 1 in 10 of the sites on the Web that use it run version 6, according to Naked Security. Now that this version has reached the end of its supported life, those sites become targets for criminals. Like Windows XP, it will be unpatched and unsupported by the developers, becoming vulnerable to any exploits found in the future.

When Drupal version 8.0 was announced in 2013, the EOL date for version 6 was set. Even then, some wondered about this legacy situation and whether the version 6 sites that are out there — and are rather difficult to upgrade anyway due to significant amounts of custom code — would ever be maintained.

OSTraining noted that there are major differences in how version 6 and higher versions of the CMS operate. Even changing from version 6 to 7 is not as simple as an update; it’s more like a full migration.

Long-Term Outlook for Drupal Users

The program and its community found three vendors who have agreed to provide a form of long-term support, according to a Drupal announcement. The companies have agreed to post security patch notifications on a community page.

MyDropWizard is one of these vendors. It announced one-year support for older CMS versions for a sliding fee that depends on the complexity of the customer’s instance. Tag1 Consulting will also provide long-term support, but the pricing is at a fairly high level of about $2,000 a month.

Additionally, Acquia is asking interested parties to contact it for more information about security supports for the earlier CMS versions. These three companies will provide a form of support as long as they can be paid for their efforts, but they and others will help users migrate to the latest version of the CMS, Drupal 8.

The only true way out of the situation seems to be migrating away from version 6 to one of the newer, supported versions. That’s the best way for users to ensure they are staying ahead of threats and receiving the latest updates.