- Upgrade to Drupal 7
- Upgrade to Drupal 8
- Choose one of several options to limit your vulnerability (e.g. convert the site into a static HTML website, or close logins to all but a handful of trusted people and harden the security of the login form)
But that’s a big decision. What do you do until you’ve decided which path to choose? Now that Drupal 6 is past its sunset date, is your site suddenly vulnerable to having its data stolen and being turned into a spam factory?
The short answer
As long as you have someone keeping an eye on the security of your site, you’re just fine. Take some time to make your decision — just don’t wait too long.
Interested in our Drupal security services? Contact us to find out more.
The long answer
The long answer is a bit more nuanced. When the Drupal 6 end-of-life was approaching, the Drupal Security Team asked for vendors to apply to become recognized as official Drupal 6 Long Term Service Vendors. These LTS vendors have clients running Drupal 6 websites. As security vulnerabilities are found and fixed in Drupal 7 (and Drupal 7 modules) the vendors are committing to make those same fixes to the Drupal 6 versions, but only for the modules that their clients are using.
That exception has significance for other Drupal 6 sites and it all boils down to the question of:
How much security is enough?
Low risk websites
Many (most?) websites only need to be worried about automated security attacks: Villains and mischief makers will try to attack every website on the Internet using every known vulnerability. A tiny fraction of the time they’ll be successful and turn a website into a spam factory, or virus spreader. If they do their work well the site owner won’t even notice. There’s a very low success rate, but there’s a billion websites out there. You do the math.
High risk websites
Other websites have to worry about someone trying to actively hack their website. There’s usually three possible reasons for this:
- Your website has information worth stealing — Maybe your site has an e-commerce component, or a database of hundreds of thousands of membership records (with full names and e-mail addresses).
- Your website has a lot of visitors — This is really just a subset of the first point. If someone could infect all those visitors with a virus they could make a lot of money.
- Someone wants to shut your website down — Maybe your organization has a political bent that some people strongly disagree with.
So what does this mean for my Drupal 6 site?
If your site is in the low risk category, then nefarious individuals will be using the vulnerabilities fixed by the LTS vendors in their automated attacks. As long as your site continues to be updated with these fixes you are probably fine.
There is still some risk if:
- your site runs a module that the LTS vendors do not support,
- and a vulnerability is found in the Drupal 7 version of that module,
- and that vulnerability exists identically on the Drupal 6 version.
That’s possibly enough “ifs” to keep the risk at an acceptable level.
Also be aware that this support won’t last forever. As more sites get off of Drupal 6, the LTS Vendors will have fewer clients paying for those services, and the number of supported modules will diminish. Eventually your Drupal 6 site could be the last one standing with no one looking out for it. How long this support is “good enough” is impossible to say.
If your site is in the high risk category, then you need to take a more active role in preventing successful attacks. You could:
- Move the information worth stealing somewhere else.
- Move your site off of Drupal 6 faster.
- Become a client of a Drupal 6 LTS Vendor to ensure that all of your modules are supported (not just the ones that other LTS Vendor clients happen to be using).
If you need help figuring out what you need, just contact us.
Photo by Billie Grace Ward