Accueil / Blog / Métier / Archives / How to prevent access to Drupal admin URL with Apache and mod_rewrite

How to prevent access to Drupal admin URL with Apache and mod_rewrite

Par Benoit Bryon — publié 15/04/2011, édité le 20/04/2017

In some Drupal sites, you want to disallow access to the administration interface at /admin. You can use Apache's mod_rewrite module to achieve this.

Let's say your Drupal website is available via two domain names, and, where:

  • is the public side of the website. Anonymous and authenticated users have access to it. They are untrusted users.
  • is a private area of the website. It uses SSL and may only be reachable by users within an intranet. Trusted users connect to the administration interface via the domain name.

Since there are no trusted users using, you want to disallow access to some URL for that domain. As an example, you do not want /admin to be reachable on Site administrators have to connect through then be granted access to

First make sure you have separate virtual hosts for each domain. One for, one for Both hosts can reference the same Drupal document root.

Then add the following code in the VirtualHost configuration:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{SCRIPT_FILENAME} index.php [NC]
    RewriteCond %{QUERY_STRING} (^|&)q=admin(/|&|$) [NC]
    RewriteRule .* - [F,L]

Do not forget to restart your Apache server.

Now your server should return a 403 forbidden HTTP response for URL like those:

  • admin
  • admin/something
  • index.php?q=admin
  • index.php?something&q=admin

Notice that you may want to disallow access to update.php too.