
How to prevent access to Drupal admin URL with Apache and mod_rewrite

By Benoit Bryon, published 15/04/2011, edited 20/04/2017

In some Drupal sites, you want to disallow access to the administration interface at /admin. You can use Apache's mod_rewrite module to achieve this.

Let's say your Drupal website is available via two domain names, www.example.com and admin.example.com, where:

  • www.example.com is the public side of the website. Anonymous and authenticated users have access to it. They are untrusted users.
  • admin.example.com is a private area of the website. It uses SSL and may only be reachable by users within an intranet. Trusted users connect to the administration interface via the admin.example.com domain name.

Since there are no trusted users on www.example.com, you want to disallow access to some URLs for that domain. For example, you do not want /admin to be reachable on www.example.com. Site administrators have to connect through admin.example.com/user/login and then be granted access to admin.example.com/admin.

First, make sure you have a separate virtual host for each domain: one for www.example.com, one for admin.example.com. Both hosts can reference the same Drupal document root.

Then add the following code in the www.example.com VirtualHost configuration:

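<IfModule mod_rewrite.c>
    RewriteEngine on
    # Only consider requests handled by Drupal's index.php
    RewriteCond %{SCRIPT_FILENAME} index.php [NC]
    # Match a q parameter equal to admin or starting with admin/
    RewriteCond %{QUERY_STRING} (^|&)q=admin(/|&|$) [NC]
    # Answer 403 Forbidden and stop processing further rules
    RewriteRule .* - [F,L]
</IfModule>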

Do not forget to restart your Apache server.

Now your server should return a 403 Forbidden HTTP response for URLs like these:

  • admin
  • admin/something
  • index.php?q=admin
  • index.php?something&q=admin

Note that you may want to disallow access to update.php too.
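To confirm the rule after each Apache or Drupal configuration change, the following smoke test requests the four URLs listed above on the public host and reports any that do not answer 403. It is an added example, not code from the original article; the function names, the `fetch` parameter and the default base URL are assumptions made for illustration.

```python
"""Smoke test for the 403 rule on the public virtual host (added example)."""
import sys
import urllib.error
import urllib.request

# The four URLs the article lists as forbidden on www.example.com.
# Append "/update.php" here once a rule for it has been added.
BLOCKED_PATHS = [
    "/admin",
    "/admin/something",
    "/index.php?q=admin",
    "/index.php?something&q=admin",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page is not a 403."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=5):
    """Return the HTTP status code of a GET on url, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx, 4xx and 5xx responses end up here


def audit(base_url, paths=BLOCKED_PATHS, fetch=http_status):
    """Return {path: status} for every path that did NOT answer 403."""
    failures = {}
    for path in paths:
        status = fetch(base_url.rstrip("/") + path)
        if status != 403:
            failures[path] = status
    return failures


if __name__ == "__main__":
    # Base URL is an assumption; pass the real public host as first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"
    not_blocked = audit(base)
    for path, status in not_blocked.items():
        print(f"NOT BLOCKED: {path} -> HTTP {status}")
    sys.exit(1 if not_blocked else 0)
```

The script exits with a non-zero status when any path is reachable, so it can be run from a deployment check or a monitoring job.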
