By JeremyL on
I want to secure Drupal. With other sites I have restricted access to admin directories and URLs to an IP whitelist using .htaccess and/or ISAPI Rewrite.
For my Drupal site, since there is no dedicated admin directory, I'm having to restrict by individual URLs. So far I have restricted:
/admin
/admin/*
/?q=admin
/?q=admin/*
/sites/default/settings.php
/cron.php
/install.php
/update.php
What other scripts, files, directories would you think should be restricted to only an IP and localhost?
Comments
I'm not sure why you need
I'm not sure why you need this? Your /admin paths are access controlled already; your settings.php file should be read-only; install.php can't be used once you're done installing -- and can even be removed; cron.php is harmless; and update.php can only be accessed by user 1.
In addition, you can restrict access by IP with several different third-party modules.
That's fine and dandy until
That's fine and dandy until a hacker finds an unknown exploit and uses it to become user #1. How many security updates do Drupal and every other open source CMS have to make a year? Not to mention that all the modules, while necessary to have Drupal do what you want, don't get the scrutiny as far as security goes. It is VERY necessary on any mission critical website. If you are relying on an open source CMS as your only means of security you are just asking to get hacked.
is there a more modern way to
Is there a more modern way to do this with Drupal 7 and/or Apache 2.2's .htaccess?
I don't have access to the httpd.conf options as my site is hosted on a shared server.
I need to restrict access to all those files (especially /admin and /user) to specific networks (IP range).
Any solutions?
Another curveball: can this work based on the hostname/domain name, as I'm running sub-sites as well?
Thanks
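Neither the original question nor the last comment shows the .htaccess itself, so the following is an added example; it is not from the poster, from any commenter, or from the Drupal project. It covers the paths listed in the question (/admin, the ?q=admin form, settings.php, cron.php, install.php, update.php) and the three things the last comment asks for: the /user path, a whole IP range rather than a single address, and limiting the rule to one sub-site's hostname. Apache 2.2 syntax is used because that comment asks for it. The trusted range 203.0.113.0/24 and the hostname example.com are placeholder assumptions, as is the choice to also list authorize.php (a Drupal 7 core maintenance script) next to update.php.

```apacheconf
# Added example, not from the original post or from Drupal. Put this in the
# site's root .htaccess ABOVE Drupal's own "RewriteRule ^ index.php [L]" line,
# so the deny rules run before Drupal's clean-URL rewrite.
#
# Assumptions (edit to taste):
#   - trusted admin network is 203.0.113.0/24 (a documentation range)
#   - the restricted sub-site answers on example.com / www.example.com
#   - Drupal lives at the document root (no RewriteBase /subdir)
#   - Apache 2.2 syntax (Order/Deny/Allow); on 2.4 use "Require ip ..." instead
#   - no reverse proxy in front: if there is one, REMOTE_ADDR is the proxy's
#     address and none of this works without mod_rpaf / mod_remoteip

# --- 1. Physical scripts: plain Apache access control, no mod_rewrite needed ---
# <FilesMatch> in .htaccess also matches files in subdirectories, which is why
# a <Files settings.php> block here reaches sites/default/settings.php.
<FilesMatch "^(cron|install|update|authorize)\.php$">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 203.0.113.0/24
</FilesMatch>

<Files "settings.php">
    # Only ever include()d by index.php, never fetched by a browser: deny everyone.
    Order Deny,Allow
    Deny from all
</Files>

# --- 2. Virtual paths (/admin, /user and their ?q= forms): mod_rewrite ---------
RewriteEngine On

# Only enforce on this sub-site's hostname; other sub-sites sharing the docroot
# are untouched. HTTP_HOST is client-supplied, so use it to NARROW a rule,
# never to grant access.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]

# mod_rewrite in 2.2 cannot test a CIDR range, so the /24 is written as a
# regex prefix. Conditions are ANDed: the request is blocked only if it comes
# from neither localhost nor the trusted range.
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]{1,3}$

# Clean-URL form (/admin, /admin/config, /user, /user/1/edit) ...
RewriteCond %{REQUEST_URI} ^/(admin|user)(/|$) [NC,OR]
# ... or the non-clean form (/?q=admin/config, /index.php?q=user/login).
# [OR] joins these two conditions; that pair is then ANDed with the lines above.
# QUERY_STRING is matched raw, so the encoded slash %2f is listed explicitly.
RewriteCond %{QUERY_STRING} (^|&)q=(admin|user)(/|%2f|&|$) [NC]

RewriteRule .* - [F,L]
```

A few things to check before relying on this. Test from outside the allowed range with a plain HTTP client (for example `curl -I http://example.com/admin` and `curl -I 'http://example.com/?q=admin'`) and confirm a 403, then repeat from an allowed address and confirm the normal response. If an external cron service pings cron.php, its source address must be added to the `Allow from` list or it will be locked out too. Apache decodes the URL path before mod_rewrite sees `%{REQUEST_URI}`, but `%{QUERY_STRING}` is matched as sent, so percent-encoded spellings of `q=admin` other than `%2f` would slip past the second condition; treat the `?q=` rule as an extra layer on top of Drupal's own access control rather than as the boundary. Blocking `/user` also blocks `/user/login` and `/user/password` for everyone outside the range, which is the intent here but worth knowing.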
A Day In The Life