Organizations leveraging Drupal need to consider the ongoing maintenance and upgrades required to keep Drupal secure and enable your authors with new features and modules.
Patching Drupal to prevent vulnerabilities
Regardless of the major version of Drupal, it’s important to continue to quickly apply patches associated with security bulletins. These security advisories are put out by the Drupal community security team and identify potential risks in the core Drupal project. The release schedule outlined by the Drupal community addresses both bug fixes and security vulnerabilities in your current major version.
Managed hosting platforms for Drupal, like Acquia, offer this level of patching as an automated part of the maintenance. If you are managing your own Drupal hosting architecture, monitoring of Drupal security bulletins and a cadence for application must be set up as a part of your site maintenance schedule. If your site is utilizing a minimum of Drupal 8, the use of Composer as a package and dependency manager can help your team make this process more efficient.
Updating Drupal major versions
The current major version of Drupal is Drupal 9, released in June 2020. Implementations that launched before that date are likely on Drupal 7 or Drupal 8, which are both scheduled for end of life by the Drupal community. Given the need for Drupal implementations to stay current to address security vulnerabilities, working within a supported version of Drupal is critical.
Drupal 7, first released back in 2011, will continue under support until November 2022, a decision that the community made to recognize the impact of COVID-19 on organization plans. While Drupal 7 sites will be supported longer than Drupal 8 sites, modules and themes for Drupal 7 are significantly different than Drupal 8 implementations. This increases the complexity of upgrades and can limit organizations with only modules and integrations built before the community began moving to Drupal 8.
Drupal 8, first released in 2015, will reach end of life in November 2021, due to a dependence on Symphony 3, which the Drupal community cannot control. Drupal 8 was a major shift in architecture for Drupal with the intention of making it easier to build, author and maintain these sites. As a part of this new upgrade plan, Drupal 8 sites are built in a way that can be easily updated over time to stay compliant with an eventual move to Drupal 9. Sites that utilize modules and custom code that in Drupal 8 that has been approved for Drupal 9 have a very easy migration path to Drupal 9.
Why upgrade to Drupal 9?
The primary benefit of Drupal 9 is ongoing support. Drupal 9 will be supported through November 2023, ensuring that your implementation will continue to be supported into the future. Drupal 10 is currently estimated to be released in 2022, giving your organization plenty of time to prepare. Drupal 9 continues to make upgrade and maintenance easier and more automated, reducing the work to stay current on your Drupal version in the future.
Depending on the version and implementation you had on Drupal previously, a migration to Drupal 9 may be a chance to implement a true component system for your Drupal site, rather than the more traditional field and page based architecture. Through Layout Builder, Paragraphs or Acquia Site Studio, your authors can utilize a toolbox of available components to build pages, rather than working within existing themed page structures. This ensure that your site can continue to evolve and change in ways the original design may not have expected.