
How to Prepare Your Site for Drupal 10 End of Life


Drupal 10 end of life is confirmed for December 9, 2026, a fixed deadline all site owners need to plan for. This is the point at which the Drupal Security Team stops issuing patches, the community stops providing support, and your site starts accumulating unaddressed vulnerabilities with no official remedy. 

Right now, approximately 245,000 sites still run Drupal 10, compared to roughly 98,000 on Drupal 11. That is a ratio of 2.5 to 1. If your organisation is in that majority, the clock is already running. 

Here is what end of life means in practice, why it matters more than you might think, and how to prepare.

How OPTASY Can Help You Migrate Before Drupal 10 End of Life

OPTASY is a certified Drupal migration partner with a proven methodology for Drupal 10 to Drupal 11 upgrades. 

Rather than relying on in-place Composer upgrades that accumulate technical debt, OPTASY builds migrations on a clean Drupal 11 codebase, which reduces risk, improves maintainability, and future-proofs your digital infrastructure. 

The process begins with a deep discovery phase: module compatibility analysis, custom code review, third-party integrations audit, and stakeholder alignment before a single line is moved. 

From higher education institutions with 57 content types and 100+ view displays to enterprise platforms with complex API integrations, OPTASY has managed migrations of every scale and complexity. 

If you are on Drupal 10 and need a clear path forward, our Drupal 11 migration guide is a good place to start, or you can get in touch with our team directly for a discovery conversation.

What Drupal 10 End of Life Actually Means

End of life is a hard stop rather than a gradual wind-down.

On December 9, 2026, support for Drupal 10 ceases entirely. The Drupal Security Team will no longer publish security advisories for Drupal 10 core or contributed modules. No patches will be issued and vulnerabilities discovered after that date will have no official fix path.

It is worth noting that this deadline applies regardless of whether Drupal 12 ships on time. The Drupal core team has confirmed the December 9, 2026 date as fixed, with Drupal 12's earliest stable release window currently set for mid-June 2026.

Not all Drupal 10 installations reach the same deadline at the same time. Drupal 10.5.x loses security support on June 17, 2026, nearly six months before the full EOL date. 

Drupal 10.6.x, the final minor release in the Drupal 10 series, is supported until December 9, 2026. Sites still running Drupal 10.4.x or older are already receiving no security updates, as that support ended with the December 2025 release of Drupal 10.6.0.

If your site is on 10.4.x or earlier, you are already unsupported.
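The support windows above can be checked against what a site actually has locked. The following is an added example, not code from this article or the Drupal project: it reads the `drupal/core` version from a `composer.lock` file and classifies it using only the dates stated above. The function names and the sample lock file are constructed for illustration.

```python
import json
import re
from datetime import date

# Security-support end dates for Drupal 10 minors, as stated in the article.
# 10.4.x and older are not listed because they are already unsupported.
SUPPORT_ENDS = {5: date(2026, 6, 17), 6: date(2026, 12, 9)}

# Constructed sample: the part of a composer.lock that matters here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.5.1"},
        {"name": "drupal/token", "version": "1.15.0"},
    ]
})


def core_version(lock_text):
    """Return the locked drupal/core version from composer.lock text."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None  # drupal/core is not locked in this project


def support_status(version, today):
    """Return (state, days_left) for a drupal/core version string."""
    m = re.match(r"v?(\d+)\.(\d+)", version or "")
    if not m:
        return ("unknown", None)
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 10:
        return ("not-drupal-10", None)  # outside the dates this article gives
    end = SUPPORT_ENDS.get(minor)
    # Support stops on the end date itself, so that day counts as unsupported.
    if end is None or today >= end:
        return ("unsupported", 0)
    return ("supported", (end - today).days)


if __name__ == "__main__":
    version = core_version(SAMPLE_LOCK)
    print(version, support_status(version, date.today()))
```

To check a real site, pass the contents of its own `composer.lock` to `core_version` instead of `SAMPLE_LOCK`.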

The Security Risks of Running Unsupported Software

The data on what happens to unpatched, unsupported software in production environments is unambiguous, and the trend is moving in the wrong direction.

According to the Verizon 2025 Data Breach Investigations Report, vulnerability exploitation now accounts for 20% of all confirmed data breaches, a 34% year-over-year increase, following a 180% jump the year before. Exploitation has overtaken phishing as the second most common initial access vector. Sophos's State of Ransomware 2025 confirms that exploited vulnerabilities remain the number one root cause of ransomware attacks at 32% of all incidents for the third consecutive year.

What Happens to Software After Its Support Window Closes

End-of-life software becomes a documented target. Research from Qualys found that vulnerabilities in EOL systems are four times more likely to be weaponised by attackers, and that 48% of entries in CISA's Known Exploited Vulnerabilities catalog are found on end-of-support software. On average, an EOL software image accumulates 218 new vulnerabilities every six months after support ends with no patch path in sight.

IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million, the highest ever recorded. Running outdated technology makes that figure worse: a Kaspersky study found that enterprises using outdated software experience 47% greater losses per breach than those running current, supported versions.

In October 2014, a critical SQL injection vulnerability known as Drupalgeddon was disclosed. The Drupal Security Team issued an extraordinary public service announcement: automated attacks began compromising Drupal 7 websites within just seven hours of the advisory being published. Every site that had not been patched within that window should be assumed compromised. Roughly 900,000 websites were affected.

In 2018, Drupalgeddon 2 exposed over one million Drupal sites to remote code execution. Two months after patches were available, over 115,000 sites remained unpatched, including the University of Southern California, Arkansas Courts, and the Make-A-Wish International website, which was injected with a cryptomining script.

After Drupal 10 reaches EOL, the scenario becomes permanently worse: vulnerabilities will be disclosed publicly with no patch forthcoming, ever.

The Compliance Dimension Most Organisations Overlook

For many organisations, running an unsupported CMS creates direct compliance exposure. 

A Drupal 10 site running past its EOL date may be considered non-compliant with PCI DSS (which requires supported software for any cardholder data environment), HIPAA (which mandates regular software updates as part of technical safeguard requirements), FedRAMP, SOC 2, and GDPR. PCI DSS non-compliance carries fines of $5,000 to $100,000 per month. GDPR penalties can reach 4% of annual global turnover or €20 million, whichever is higher.

There is an insurance angle too. Teisoft's analysis of cyber insurance claim denials found that 22% of denied claims are tied to outdated systems that had known, unpatched vulnerabilities at the time of the breach. Running past EOL may void the coverage you are counting on to absorb the cost.

The Cost Case for Acting Now

The single most common reason organisations delay migrations is cost. It is understandable, but the financial logic runs in the opposite direction from what most assume.

Ponemon Institute research shows that reactive IT maintenance costs 2 to 5 times more than proactive approaches, with businesses spending 60% more on emergency fixes than they would on planned maintenance. HeroDevs estimates that running unsupported software consumes 10 to 20% of engineering capacity, which amounts to value leakage of $200,000 to $400,000 per year on a $2 million engineering team.

A Drupal 10 to Drupal 11 migration, by contrast, is one of the more manageable version upgrades in Drupal's history. Because Drupal 11 was built on the same architectural foundation as Drupal 10, it is an incremental upgrade rather than a full rebuild. 

For a simple site with standard modules and no heavy custom code, the process can take days to a few weeks. Enterprise deployments with complex integrations typically run four to twelve weeks. The investment is finite and predictable, while the cost of a post-EOL breach is not.

The H1 2026 window, the period before Drupal 12 introduces additional migration complexity, is widely regarded by Drupal agencies as the optimal time to act. Waiting until Q3 or Q4 will mean competing for a shrinking pool of qualified Drupal developers as the December deadline approaches and demand spikes.

A Practical Checklist to Start Your Drupal 10 Migration

Getting from Drupal 10 to Drupal 11 is a structured process, but only if you start before the deadline. These are the five steps every organisation should take now.

[Infographic: 5-step checklist for preparing a Drupal 10 to Drupal 11 migration before the December 9, 2026 end-of-life deadline]

Step 1: Audit Your Current Installation

Run the Upgrade Status module to identify which contributed modules and custom code are compatible with Drupal 11 and which require updates. This report is the foundation of your migration plan and the first thing any migration partner will ask for.

Step 2: Identify Incompatible Modules

Not every contributed module has a Drupal 11-compatible version yet. Where a maintained alternative exists, plan the switch. Where one does not, assess whether the module is business-critical or can be replaced with core functionality. This step often surfaces the biggest surprises and the biggest reason to start early.

Step 3: Freeze New Feature Development on Drupal 10

New functionality built into your Drupal 10 codebase will not port cleanly and creates additional migration work. Lock the current state, build a backlog, and plan to address new development on Drupal 11 post-migration.

Step 4: Build and Test in a Staging Environment

A successful migration requires a staging environment that mirrors production, including database, configuration, and all integrations. Plan for automated testing, manual QA, and user acceptance testing before any go-live. Skipping this step is how migrations create downtime.

Step 5: Set a Timeline and Lock a Budget

Migrations stretch when they lack a committed deadline. Anchor your project to a go-live date no later than Q3 2026, giving yourself a buffer before the December cutoff and avoiding the end-of-year rush. If you want a structured overview of what the full process involves at each stage, OPTASY's guide to Drupal maintenance and ongoing support covers what responsible platform stewardship looks like beyond the migration itself.

Conclusion

Drupal 10 end of life is a fixed event on a known date, and the window to act responsibly is narrowing. Vulnerability exploitation is the fastest-growing breach vector, EOL software is four times more likely to be weaponised, and a single breach will cost far more than any planned migration. December 9, 2026 will arrive whether your organisation is ready or not. The difference between a smooth transition and a crisis response comes down to the decisions made in the months before it. 

Contact the OPTASY team to start your migration planning today.
