Drupal is widely known as a free and open source CMS platform — but the word “free” really ought to have an asterisk.
For a small company, you could indeed download Drupal and host it on a relatively cheap server, accruing minimal costs to maintain a simple website. In that sense, Drupal is very much a free CMS.
But when you’re leveraging Drupal to build a large-scale omnichannel web presence spanning websites, native mobile apps, progressive web apps, and IoT devices, the additional work, development, and risk that comes with Drupal are far from free. In fact, at the enterprise level, Drupal can get very, very expensive.
Implementation Costs of Drupal
Drupal may be free to download, but if you’re a non-technical user coming from a non-technical company, you’re going to struggle with the implementation process. That’s because Drupal is geared more towards being a developer’s tool.
Sure, Drupal 8 now boasts a more user-friendly interface with drag-and-drop composition, but you’ll still require a team of full-stack developers (or the services of a full-stack agency) to help you develop, customize and implement your Drupal site.
The cost to implement and customize alone can cost anywhere between $15,000 to $100,000 depending on the scale of the project. For instance, if your Drupal site is going to utilize many content types and follows a complex workflow for content creation, this is going to cost more than having a simple site that has a limited number of content types and a fairly straightforward workflow.
For a standard Drupal project, with minimal custom development, it will take between 6 to 8 weeks to build at the cost of approximately $30,000 to $40,000. For Drupal sites with a large amount of custom development, various content types, and complicated workflows, the implementation cost can reach upwards of $100,000.
This is all assuming that you have a set of clearly defined requirements in terms of design criteria, features, and capabilities. Otherwise, you will lose more time and money making changes throughout the project and shopping through thousands of themes and extensions just to get your Drupal site’s desired look and functionality.
Ongoing Maintenance Costs for Drupal
Besides the substantial implementation costs, you also need to consider the costs of looking after your Drupal site once it’s up and running. Drupal is a maintenance-heavy CMS platform that requires a great deal of time and attention in the back end.
Drupal regularly releases core updates and security patches which you have to install manually. If you don’t have the technical expertise to do this, you can either set aside some time to learn how to do so or hire an experienced Drupal developer to take care of the maintenance. Either way, it will cost you. The former will cost you time (keeping Drupal updated is a never-ending task), while the latter will not come cheap.
But perhaps the most significant costly pain when it comes to looking after your Drupal site is migration. Drupal is a versioned software, and in order to get the latest features and support, you will have to migrate to the newest version when the time comes.
For example, when Drupal 8 was released back in 2015, developers found migrating from Drupal 6 or Drupal 7 to Drupal 8 to be extremely onerous and time-consuming. Some noted that their Drupal 8 migration required them to develop a new website from scratch because their old custom themes and custom modules in Drupal 6 and 7 were incompatible with Drupal 8’s Symfony framework.
According to MTech, migrating an average-sized Drupal site from Drupal 6 or Drupal 7 to Drupal 8 takes between 50 to 70 hours. For larger and more complex Drupal sites, it can take anywhere between 185 to 250 hours.
Drupal's Scaling Costs
As your company scales, your Drupal site will have to scale, too. You’ll need larger server space to accommodate traffic spikes, you’ll need to launch new websites and apps to serve different geographic locations, you’ll need to quickly build microsites and landing pages for events and conferences, and you may even decide you want to add new functionality, like eCommerce.
This all falls under the umbrella of scaling, and if you’re self-hosting your Drupal sites, the scaling process will be relatively slow and costly. The alternative is to use cloud-hosting for your Drupal sites, which makes a lot of sense, but will still burn a hole in your pocket. Plus, you’d be drafting another third party into the mix — which could get difficult to manage if you’re already working with different vendors for every dimension of your business.
The High Cost of Low Security
Drupal community is on constant alert when it comes to identifying and patching vulnerabilities — but as time goes on, you can’t help but feel they’re fighting against a raging tide.
A Drupal site is protected by manually installing the latest security updates on release, which sounds reasonable at first. But the time between hackers finding vulnerabilities and you applying a patch made by Drupal is a window of opportunities for any cyber attacker to steal data or maliciously manipulate your website. For many enterprises, that’s just too big of a risk — particularly with GDPR now in motion.
In recent years, two major Drupal security incidents have stood out. The first of these incidents was “Drupalgeddon”, which occurred in October 2014 when a single line of flawed coding in one of the modules on Drupal 7 enabled hackers to hijack a site and corrupt the files in the root directory. Drupal released an emergency security patch to resolve the flaw and published a public services announcement on their forum, that was marked as highly critical.
The second major security incident occurred in March 2018, affecting millions of Drupal sites. Despite releasing an emergency patch, Drupal users are still reeling from what the community called “Drupalgeddon2”. In fact, over a month later the patch, 115,000 Drupal sites were still vulnerable, including over 400 big-name Drupal sites such as Lenovo, San Diego Zoo, and the University of California, which were all cryptojacked.
A comparison of security threats to Drupal 7, Drupal 8, and Zesty.io since 2015.
You don’t need us to tell you how costly — both monetarily and in terms of brand reputation — a cyber attack can be. Drupal isn’t alone in dealing with the spike in cyber attacks around the world, but as mentioned previously, these recurring Drupal security issues are seen to be giant red flags by most enterprises.
The Drupal Time Suck
Last but certainly not least, is the time you and your developers will have to invest in maintaining, updating, migrating, and securing Drupal. And time — as the old saying goes — is money.
Firstly, your developers will need to keep their fingers on the pulse to get the latest Drupal news. Not for leisure, but for the security of your digital presence. For example, when Drupalgeddon2 hit, Drupal released a patch sometime after to fix the vulnerability. Developers who reacted quickly were able to minimize their risk by applying the update quickly (which is a time-consuming task in and of itself). Developers and brands who weren’t paying close attention were still vulnerable over a month later, as mentioned.
And let’s not forget about the number of hours you need to migrate to the latest version when the time comes. You could do this yourself, but you would be spending quite some time away from your core business objectives and potentially lose out on revenue. Or, you could hire an experienced, and therefore expensive, Drupal developer to look after your site. A less experienced Drupal developer might be cheaper, but their lack of experience may pose a risk to your digital presence.
Digital Transformation Doesn’t Have to be So Costly
Drupal has its uses, but after considering the true costs of maintaining a Drupal-powered web presence, I’m sure you agree that a growing enterprise company needs something more streamlined and more secure.
A Software-as-a-Service (Saas) solution is well worth considering, as it can help lower and consolidate your costs in a number of ways. For instance, implementation and deployment are a whole lot faster, getting you to market quicker. Meanwhile, closed-source SaaS solutions generally experience fewer security breaches, all while handling your hosting and scaling processes behind the scenes.
If that sounds interesting, we’d love to show you what Zesty.io can do. Try your first instance with Zesty for free.
By Gerry Widmer
Over the last 30 years Gerry has used his experience in marketing, strategy, and running web software industry companies to help brands achieve their goals.