Drupal Maintenance: Your Open-Source CMS in Expert Hands
Drupal is the platform of choice for demanding websites, government portals and multilingual enterprise web presences. This strength brings complex maintenance requirements: core updates with database migrations, module compatibility across major versions, PHP version management and tailored security hardening all demand deep Drupal expertise.
from €199
SLA packages per month
50+
projects maintained
24 h
critical core patches
99.9 %
average uptime
Drupal stands apart from other content management systems through its extraordinary flexibility: thousands of configuration options, a powerful entity system, granular permission management and a vast module library make it the preferred platform for government websites, university portals, media platforms and complex B2B web presences. At the same time, this depth demands specialized care: Drupal core updates do not run at the push of a button, module dependencies must be carefully managed, and security configuration requires continuous attention. Our Drupal maintenance takes full technical responsibility, so you can focus on your content and core business.
Your Drupal control center
Why Drupal Requires Specialized Maintenance
Drupal follows a clear versioning scheme: each major version (Drupal 9, 10, 11) is actively maintained until the community sets an end-of-life date. Once end-of-life is reached, security patches stop and community support ends. For running websites this means: migration to the next major version is mandatory before security support expires. Drupal major migrations are technically more demanding than minor updates, because they bring API changes in the core, new system requirements and potentially incompatible contributed modules.
Then there is the module landscape: a typical Drupal installation uses 20 to 50 contributed modules from the drupal.org repository, plus often custom modules implementing specific business logic. Every module must be compatible with the installed Drupal core version. During a major version jump, all contributed modules must be checked for compatibility, custom modules may need to be adapted, and configuration must be transferred. Our maintenance teams know these dependencies and plan version transitions so your operations remain continuously secured. Additional requirements come from the Drupal Security Team, which publishes coordinated security advisories on a regular schedule and expects timely patch application.
Our Drupal Maintenance Services
Core and Minor Updates
Timely application of all Drupal core security patches and minor releases. Full compatibility checking on a staging environment before going live. Rollback-capable deployments with Composer.
Module Management
Inventory of all installed contributed and custom modules with compatibility status. Updates to secure versions. Identification of orphaned modules without active maintainers and migration to maintained alternatives.
PHP and Server Configuration
PHP version upgrades with Drupal compatibility verification. Composer-based dependency management for reproducible deployments. Web server configuration (Apache, nginx) for optimal Drupal performance.
Security Hardening
Securing the admin backend and update manager page. Configuration of security-relevant Drupal settings. HTTPS enforcement, Content Security Policy headers and regular vulnerability scans of the Drupal installation.
Performance and Caching
Configuration of the Drupal cache system: Internal Page Cache, Dynamic Page Cache and Render Cache. BigPipe for progressive page delivery. Varnish or Redis integration as external cache. Database optimization and index maintenance.
Backup and Recovery
Daily automated backups of database and filesystem. Separate backup of Drupal configuration (config/sync). Off-site storage in a separate data center. Monthly restore tests with documented recovery time.
Uptime Monitoring
Around-the-clock monitoring of availability and response times. Immediate alerting on outages. Monitoring dashboard with real-time status and monthly uptime reports.
Custom Module Maintenance
Maintenance and adaptation of custom Drupal modules to new core APIs. Fixing deprecation warnings. Code reviews and optimization of individually developed modules and themes.
Multilingualism and Configuration
Maintenance of multilingual Drupal installations with language modules, translation workflows and URL alias configuration. Consistent configuration management across all environments using the configuration management system.
Drupal Major Migration: Safety Before Time Pressure
Migrate in a structured way before support ends
Drupal major migrations are the most technically demanding maintenance event. We plan them well in advance as structured projects, not as emergency measures under time pressure. This protects your content, your configuration and your custom modules.
- Module inventory with compatibility check for the target version
- Migrate custom modules and themes to new core APIs
- Multi-stage staging tests before the live switchover
- Rollback plan in case of unexpected issues
Drupal Security: The Security Advisory System
Drupal has a particularly structured security ecosystem: the Drupal Security Team publishes coordinated security advisories for core and contributed modules. These advisories follow a scheduled Wednesday release cadence and evaluate vulnerability severity using a standardized scoring system. Critical core vulnerabilities are patched immediately, contributed modules receive security releases when patched versions are available. For Drupal website operators this means: structured update management that systematically monitors these advisories and applies patches promptly is essential.
Our Drupal maintenance process is aligned with this security advisory system. We monitor the official Drupal security channels daily and apply critical core security patches within 24 hours. Contributed modules with security advisories receive updates within 48 hours, after compatibility verification on the staging environment. This keeps your Drupal installation on a secure footing at all times, without requiring you to monitor the security ticker yourself. For especially security-critical installations we offer extended security update services with reduced response times.
Do not miss Drupal end-of-life
Maintenance Process for Drupal Websites
Inventory and Drupal Health Check
Analysis of the existing installation: core version and end-of-life status, module inventory with compatibility and security evaluation, PHP version, database configuration, cache setup, custom code condition and security posture. The result is a clear assessment with prioritized action recommendations.
Drupal Performance: Making the Caching System Work for You
Drupal has a multi-layered caching system that enables excellent load times when correctly configured. The Internal Page Cache stores complete pages for anonymous users, the Dynamic Page Cache enables personalized caching for logged-in users through placeholders, and the Render Cache speeds up reuse of individual page elements. Additionally, BigPipe provides progressive page delivery, where the Drupal core first sends the base layout and loads personalized content afterwards. This combination can significantly improve perceived load times, but requires careful configuration to avoid cache poisoning through personalized content.
For high-traffic Drupal websites we recommend supplementing with an external full-page cache such as Varnish or Redis. This caching layer intercepts requests before the PHP process and can serve static pages without starting Drupal at all. Integration requires Drupal-side configuration of cache tags and cache invalidation URLs so that the external cache is correctly purged when content is updated. Our performance optimization, as part of our broader maintenance offering, configures these layers in a coordinated way and measures the impact on TTFB and LCP.
Internal and Dynamic Page Cache
Correctly configure Drupal's built-in caching layers: fully cache content for anonymous visitors, optimize for logged-in users via Dynamic Page Cache.
Varnish and Redis Integration
External full-page cache drastically reduces PHP processes. Align cache tag invalidation, purge configuration and hot spots for maximum cache hit rate.
Database Optimization
Drupal databases grow over time through revisions, logs and cache tables. Regular cleanup, index optimization and query analysis keep backend performance high.
Module Management: Identifying Orphaned and Insecure Modules
The contributed module library on drupal.org contains over 50,000 modules. Not all of them are equally actively maintained: some modules have an active maintainer circle, receive regular updates and are developed forward with each new Drupal version. Others are effectively orphaned, even if no official "unsupported" label has been applied. The risks of orphaned modules are considerable: security vulnerabilities go unpatched, compatibility with future Drupal versions is uncertain, and the module surfaces as a blocker during the next major migration.
Our module management therefore goes beyond simply applying updates. We regularly evaluate the maintenance quality of installed modules: when was the last release? How many maintainers are active? Are there open security issues without a patch? Is a Drupal 10 or Drupal 11 compatible version available? This evaluation enables proactive planning: orphaned modules are replaced with maintained alternatives before they become a problem. For custom modules we check coding standards compliance and adapt code to deprecation warnings, so the next major migration does not fail on your own code.
- Complete module inventory with compatibility status for current and upcoming Drupal version
- Evaluation of maintainer activity and security history for each module
- Proactive replacement of orphaned modules with maintained alternatives
- Custom modules checked for coding standards and deprecation warnings
- Configuration management with config/sync for consistent environments
- Module deactivation and removal of unused extensions to reduce attack surface
Backup Strategy for Drupal Installations
The backup strategy for Drupal installations takes into account the specific architecture of the platform: alongside the database and filesystem, the Drupal configuration system plays a special role. Drupal 8 and later store the entire site configuration in YAML files in the config/sync directory. This configuration must be backed up consistently with the database so that a restore produces exactly the same system state. We create daily full backups with a documented recovery process and conduct monthly restore tests on an isolated environment.
Backups are stored in a geographically separate data center and automatically checked for integrity. For critical Drupal portals we offer hourly incremental backups that limit maximum data loss to one hour. In an emergency we know the exact recovery time for your installation and can execute the process in a structured way. The close connection between our backup strategy and our emergency support ensures that all information is immediately available in a crisis.
Configuration Management: What Others Overlook
config/sync: The third backup dimension
Drupal stores its complete site configuration in YAML files. Anyone who only backs up the database and filesystem is forgetting this configuration layer. Our backup strategy covers all three components and tests their combined recovery.
- Database dump: content, users, entities
- Filesystem: public/private files, custom code
- config/sync: site configuration as YAML snapshots
Drupal Maintenance as a Managed Service
Our Drupal maintenance is a managed service that takes full technical responsibility for your installation. From security advisories to module management and backup operations, we cover all technical aspects. You focus on your content and core business, we ensure the technical foundation stays stable, secure and performant. In an initial consultation we analyze your Drupal installation and put together a maintenance package that fits your system landscape and budget. Flexible SLA maintenance contracts without hidden costs enable a straightforward start.
For Drupal projects that need continuous development in addition to maintenance, we offer combined packages. Maintenance and development from a single provider avoids coordination problems between different service providers and ensures that new features do not jeopardize the stability and security of the existing installation. Particularly for Drupal portals with a complex custom module landscape, this holistic approach pays off: we know the architecture and can both maintain and develop it, without losing important context.
In a no-obligation initial consultation we analyze your Drupal installation, evaluate its technical condition and recommend a maintenance package that fits your requirements and budget. Reach us at +49 5123 9579000 or by email at mail@shop-wartung.de.
SLA maintenance contract for Drupal
- Basis €199 per month — first response within 8 hours
- Business €349 per month — first response within 4 hours
- Enterprise €699 per month — first response in 45 minutes
- Critical core advisories applied within 24 hours
Updates, security advisory handling, module care, backups and monitoring are part of every package. The SLA tier determines the response time, not the platform. Minimum term 6 months.
Key Takeaways
- Drupal maintenance as a managed service: core and module updates, security advisories, backups and monitoring from a single provider
- Critical core security patches within 24 hours, module advisories within 48 hours after the staging test
- Every update follows the documented path: backup, staging test, controlled deploy, rollback point
- config/sync is backed up as the third backup layer — not just the database and filesystem
- SLA packages from €199 per month; we plan the major migration to Drupal 11 before end-of-life