53% of Government Sites Run Drupal. Drupal 7 EOL'd in January.

The Drupal Government Problem

WebPulse confirmed at scale what security researchers have warned about for years: 53% of government web properties run Drupal. Drupal was the 'enterprise' CMS choice for the public sector — recommended by GSA, adopted by agencies worldwide. But Drupal 7 reached end-of-life in January 2025. Sites still running it receive no security patches from the core team.

53%

Government sites on Drupal

Source: WebPulse scan of government web properties across Tranco 100K + Common Crawl WARC. Confirmed at 10M-site scale.

1,200+

Drupal total CVEs

Source: NVD/NIST. Including 89 critical severity and 5 in CISA's Known Exploited Vulnerabilities catalog.

The Migration Options

The UK solved this. GOV.UK runs a custom Ruby on Rails application — purpose-built, API-first, and the global benchmark for government digital. Singapore followed a similar path. But most governments don't have GDS-level digital capability.

For the majority: Next.js with a headless CMS is the pragmatic path. It preserves the editorial workflow that non-technical staff depend on while eliminating the legacy CMS attack surface. Astro is the option for purely informational government sites — zero JavaScript, zero client-side attack surface, pennies to host.

$100B+

US federal IT spend

Source: White House FY2025 IT budget. A meaningful portion maintains legacy CMS infrastructure.

India Is Ahead of the US

WebPulse data revealed a counterintuitive finding: Indian government digital properties show higher modern framework adoption than their US counterparts. India's unified digital infrastructure push (Aadhaar, UPI, DigiLocker) drove adoption of modern API-first architectures. The US federal government, with 10x the budget, runs older stacks. Budget doesn't determine modernity — mandate does.

82/100

Next.js score

Security: 82. AI-Readiness: 88. The pragmatic government migration target. Source: WebPulse scoring engine.