HowTo: Change the Query string variable ("?q=") to help hide that you are using Drupal.
Often, designers want to obscure which CMS they are using. Even though we are proud of Drupal, we don't necessarily want to advertise to a hacker how to attack our site, should a security vulnerability be found.
You can hide Drupal by removing drupal-specific files (css and javascript), using path aliases (PathAuto, too), theming your html, and "translating" identifiable text, but there is one thing that runs common on all Drupal sites: the query string.
If you're not sure whether or not a site uses drupal (even if they have clean urls enabled), all you have to do is add the "?q=" in front of your request, and you will know whether or not they are using Drupal (i.e., if the site is www.example.com/cool_stuff, just type in www.example.com?q=cool_stuff).
There is an easy way to change the expected query string, it requires three steps. (Remember, back up your files before you start hacking them!!!!)
1. Add this to the end of your settings.php file:
<?php
global $custom_query_string;
$custom_query_string = "hack_this";
$_GET['q'] = $_GET[$custom_query_string];
?>$custom_query_string is what will replace "q". I chose "hack_this", but you can change it to whatever you want. If you have clean urls enabled, then it won't be seen by your guests anyway. You're just trying to choose anything other than "q".
Now, if someone types in www.example.com?q=node, the "q" will be overwritten, and end up just returning your front page.
It should be noted that you can't use just anything for your new query string variable name. For example, the pager module often uses "page" as a value in the url, so don't try to use "page", or you'll have a naming conflict.
2. Second, you have to change your .htaccess file.
Near the end of the file, change:
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]To:
RewriteRule ^(.*)$ index.php?hack_this=$1 [L,QSA]Again, I used "hack_this", but you should change it to match the variable name you assigned to $custom_query_string in the first step.
At this point, your site will function quite well *IF* you have clean url's enabled. If not, then you need to make one more change for your site for it to be fully functional.
3. This last step involves hacking a core file, so the standard precautions apply: don't do it unless you know what you are doing.
Around lines 1186-1191 of common.inc (Drupal 5.x), you will see these lines:
<?php
if (isset($query)) {
return $base . $script .'?q='. $path .'&'. $query . $fragment;
}
else {
return $base . $script .'?q='. $path . $fragment;
}
?>Replace them with this:
<?php
global $custom_query_string;
if (isset($query)) {
return $base . $script .'?'.$custom_query_string.'='. $path .'&'. $query . $fragment;
}
else {
return $base . $script .'?'.$custom_query_string.'='. $path . $fragment;
}
?>This change makes Drupal use your query string variable (i.e., "hack_this") instead of the standard "q". Again, this change is only necessary when clean url's is disabled.
Google CSE
This also has the side benefit of making Google CSE work in Drupal, without having to make any ToS-violating changes to the code snippet that Google provides.