It’s been standard Drupal policy for some time that only the current and the previous major versions are officially supported, at least as far as core security updates are concerned.
Drupal 8 was released in late 2015, and the official end-of-life date for Drupal 6 sites was set at 24 Feb 2016.
So as an owner of a Drupal 6 site, what to do?
Option 1: Do Nothing
Your Drupal 6 site is not going to collapse in a heap on 25 Feb 2016. As at 31 Jan 2016 you’re still in very good company, with over 100,000 sites worldwide still using Drupal 6, see: https://www.drupal.org/project/usage/drupal.
Although support might no longer be “official”, there will still be a great deal of unofficial support going on for Drupal 6 sites for some time to come. That said, especially where security updates are concerned, such support will likely take longer to deliver, and therefore be more expensive in terms of labour. This is because Drupal 6 developers are no longer going to be given free security updates through official channels, and therefore will have to work on patches for themselves, which may or may not get shared with the wider Drupal community.
Is your Drupal 6 website hosted by a reputable, good quality hosting provider? In the event that your Drupal 6 site gets hacked, a common sign is that it starts sending out spam. A good quality hosting provider will have the appropriate security controls and monitoring in place to ensure that malicious activity is detected and minimised quickly. Also, a good quality hosting provider will have multiple backups of your site in the event that your site needs to be restored.
How security sensitive is your website? Does it contain financial, personal, or otherwise confidential (e.g. client) information? If it does, then you should be more concerned about the reducing security profile of your Drupal 6 site.
How concerned are you that your Drupal 6 website should be upgradeable to play nicely with the latest industry standards and technologies, such as HTML5, mobile-friendly (“responsive”), web services, etc? The chances are the Drupal 6 will be either difficult (= expensive) or effectively impossible to upgrade. That’s nothing to do with the ending of official support. It’s all to do with the fact many of today’s standards and technologies weren’t even dreamt of when the core of Drupal 6 was being architectured. And compatible modules to extend the features and functionality of Drupal 6 will only take you so far.
Option 2: Rebuild your site in Drupal 8 (or Drupal 7, or another CMS)
If you have the budget, there’s absolutely no doubt that a rebuild of your site is highly recommended. You can go for an “as is” rebuild, i.e. the same as your current Drupal 6 site, which will keep costs down. Or you can take the opportunity to review every aspect of your current site (design, mobile-friendliness, functionality, content, etc.) with a view to making your next site a significant improvement over your current site.
Notice we deliberately used the work “rebuild” instead of “upgrade” or “migration”. The brutal reality is that Drupal, in common with many other CMS, doesn’t offer a smooth, quick, comprehensive upgrade path between major versions (5, 6, 7, etc.). There are valid reasons for this that are beyond the scope of this article, but the main reason is that the major versions are so significantly re-architectured that, unless your site is a really simple brochure site, all the features and functions will not naturally map from version 6 to version 7/8. Yes, there are Drupal modules and documentation that can assist with moving (primarily) content from Drupal 6 to Drupal 7 or 8… but moving content is typically only a small % of the overall effort.
As stable, popular and supported as Drupal 7 is, Drupal 8 truly is a major leap forward in all areas, so you really want to target Drupal 8 first for your new site. The only, and rapidly diminishing, reason why you might still consider rebuilding your Drupal 6 site in Drupal 7 is if Drupal 8 doesn’t (yet) include some critical functionality that your new site must have.
Of course Drupal isn’t the answer to all the world’s CMS needs. Although generally not considered to be as enterprise-grade as Drupal, WordPress is the world’s most popular CMS. So if your site doesn’t have sophisticated enterprise-grade requirements, you shouldn’t completely rule out other CMS. Do your own research (Google is your friend!), and/or chat with your favourite website development person or agency about this.
What Happens if You Keep Using Unsupported Software? (OSTraining)
Drupal 6 end-of-life announcement (Drupal.org)