February 25, 2016 By Larry Loeb 2 min read

Drupal 6 has been around since 2008 and has been used by thousands of websites as a content management system (CMS). However, Naked Security reported that the version reached its end-of-life (EOL) mark and is now officially unsupported. No further security updates or patches will be supplied for the version 6 core or its modules as of Feb. 24, 2016.

The Implications

While WordPress is still the most popular CMS for websites, Drupal is the second. Figures show that about 1 in 10 of the sites on the Web that use it run version 6, according to Naked Security. Now that this version has reached the end of its supported life, those sites become targets for criminals. Like Windows XP, it will be unpatched and unsupported by the developers, becoming vulnerable to any exploits found in the future.

When Drupal version 8.0 was announced in 2013, the EOL date for version 6 was set. Even then, some wondered about this legacy situation and whether the version 6 sites that are out there — and are rather difficult to upgrade anyway due to significant amounts of custom code — would ever be maintained.

OSTraining noted that there are major differences in how version 6 and higher versions of the CMS operate. Even changing from version 6 to 7 is not as simple as an update; it’s more like a full migration.

Long-Term Outlook for Drupal Users

The program and its community found three vendors who have agreed to provide a form of long-term support, according to a Drupal announcement. The companies have agreed to post security patch notifications on a community page.

MyDropWizard is one of these vendors. It announced one-year support for older CMS versions for a sliding fee that depends on the complexity of the customer’s instance. Tag1 Consulting will also provide long-term support, but the pricing is at a fairly high level of about $2,000 a month.

Additionally, Acquia is asking interested parties to contact it for more information about security supports for the earlier CMS versions. These three companies will provide a form of support as long as they can be paid for their efforts, but they and others will help users migrate to the latest version of the CMS, Drupal 8.

The only true way out of the situation seems to be migrating away from version 6 to one of the newer, supported versions. That’s the best way for users to ensure they are staying ahead of threats and receiving the latest updates.

More from

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today