What happens when a Drupal site is not updated

Nothing happens to an unmaintained Drupal site — until something does. Accumulating known vulnerabilities, ageing dependencies and rising remediation costs are real consequences, not theoretical risks.

An unmaintained site often runs for years with no visible problems. This creates a false sense of security: if everything works, why update? In reality, every unpatched month adds risk that is invisible until it materialises.

Security vulnerabilities accumulate

Drupal publishes security patches regularly — roughly once a month. Each patch resolves specific known vulnerabilities. When a patch is not applied, the vulnerability stays open.

What makes this especially critical is that security flaws are disclosed after the patch is released. This means attackers know exactly which versions and modules have the vulnerability — and they scan en masse for sites that have not been patched. Malicious bots continuously probe Drupal sites for known unpatched issues.

Drupal 7 and Drupal 9 are end-of-life — no more security patches will be issued for them. A site running on these platforms is permanently exposed to known vulnerabilities that will never be fixed.

PHP version ages out

Drupal requires specific PHP versions. PHP 7.4 support ended at the end of 2022, and PHP 8.0 support ended in 2023. Unsupported PHP versions no longer receive security fixes.

Running a server on an outdated PHP version is itself a security problem, independently of Drupal. Newer Drupal versions and modules also start requiring newer PHP, meaning that upgrades become progressively more complex over time.

Modules become incompatible

Drupal modules receive updates that require newer core versions. Modules running on outdated core cannot receive updates, which means their security issues also go unresolved.

At some point, module maintainers drop support for old versions entirely. If that module handles a critical function — payment, self-service, integration with an external system — there is sudden pressure to replace it quickly. Work done under pressure is more expensive and riskier than planned maintenance.

Remediation becomes more expensive

A site that has not been updated for two years is not simply "two years of updates" in scope. It is often significantly more, because the gap between updates creates dependency conflicts, module compatibility issues and PHP version changes, all of which need separate resolution.

In practice, the longer an update is postponed, the more expensive it becomes. Regular maintenance with monthly updates is cheaper in total than a single large catch-up effort.

What actually happens

Over the years, unmaintained Drupal sites have experienced:

  • site compromise with malware served to visitors;
  • data leaks, including customer contact information;
  • sites used to send spam, resulting in IP blacklisting;
  • Google warnings about the site being hacked, effectively removing the site from search results;
  • emergency remediation costing several times more than planned maintenance would have.

These are not rare edge cases. They are common outcomes for sites with known vulnerabilities and no active management.

What to do

The first step is to know where the site stands today. The Drupal platform assessment shows Drupal and PHP version traces and other publicly visible risk signals. From there, regular maintenance keeps security updates current and reduces next year's remediation cost.
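A first inventory can also be taken from inside the project. The script below is an added example, not part of the original article or of any assessment tool: it reads a Composer-managed site's composer.lock and the PHP version in use, and flags the end-of-life Drupal majors and unsupported PHP branches named above. The function name, the sample lock file and the version sets are assumptions for illustration.

```python
import json
import re

# Taken from the article; extend both sets from drupal.org and php.net.
EOL_DRUPAL_MAJORS = {7, 9}
UNSUPPORTED_PHP = {"7.4", "8.0"}

# Constructed sample composer.lock content (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.5.11", "type": "drupal-core"},
        {"name": "drupal/webform", "version": "6.1.5", "type": "drupal-module"},
        {"name": "symfony/yaml", "version": "v4.4.45", "type": "library"},
    ],
    "platform": {"php": ">=7.4"},
})

def audit_lock(lock_text, running_php):
    """Return (findings, modules) for a composer.lock and the PHP version in use."""
    lock = json.loads(lock_text)
    findings, modules, core = [], [], None
    for pkg in lock.get("packages", []):
        name = pkg.get("name", "")
        version = pkg.get("version", "").lstrip("v")
        if name == "drupal/core":
            core = version
        elif pkg.get("type") == "drupal-module":
            modules.append((name, version))
    if core is None:
        findings.append("drupal/core not found in lock file")
    else:
        major = re.match(r"(\d+)\.", core)
        if major is None:
            findings.append(f"Drupal core version {core!r} is not a tagged release")
        elif int(major.group(1)) in EOL_DRUPAL_MAJORS:
            findings.append(f"Drupal core {core} is end-of-life")
    php = re.match(r"(\d+\.\d+)", running_php)
    if php and php.group(1) in UNSUPPORTED_PHP:
        findings.append(f"PHP {running_php} no longer receives security fixes")
    # Composer writes an empty "platform" as [], so fall back to a dict.
    platform = lock.get("platform") or {}
    floor = re.search(r"(\d+\.\d+)", platform.get("php", ""))
    if floor and floor.group(1) in UNSUPPORTED_PHP:
        findings.append(f"lock file still permits PHP {floor.group(1)}")
    return findings, sorted(modules)

if __name__ == "__main__":
    findings, modules = audit_lock(SAMPLE_LOCK, "8.0.30")
    print("\n".join(f"RISK: {f}" for f in findings))
    print("\n".join(f"module: {n} {v}" for n, v in modules))
```

The module list it returns is the starting point for checking each contributed module against its own release and support status.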

Kaido Toomingas, WebPro Company OÜ