Drupal coder

Drupal custom URL rewriting - Change the admin url to enhance security

The following tip can be used in multiple scenarios (anywhere you need custom URL rewriting and want to do it without .htaccess), but I'll illustrate it for two specific purposes.

  1. At our company all URLs beginning with /admin are blocked from outside by a firewall for content security reasons. This sucks, because Drupal administration is done on pages with a /admin URL. So we need to find a way to rewrite all of the URLs to something like /config (or something else).
  2. If someone knows your site is on Drupal, this gives him some knowledge of how the site is structured. For example, he knows that all administration is done on /admin. To make it harder to guess this URL, we want to rename it.

Both of these cases can be tackled by one hook (custom_url_rewrite) in Drupal that has to be specified in the settings.php file. You can find a decent explanation of how this hook works in the Drupal API.

In the following example I rewrite all admin urls to config (and vice versa).

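function custom_url_rewrite($op, $result, $path) {

  // Outgoing links: present the internal admin path under the config alias.
  // The pattern matches 'admin' and 'admin/...' only, not paths that merely
  // start with those letters (such as 'admin_menu').
  if ($op == 'alias') {
    if (preg_match('|^admin((?:/.*)?)$|', $path, $matches)) {
      return 'config'. $matches[1];
    }
  }

  // Incoming requests: map the config alias back to the internal admin path.
  if ($op == 'source') {
    if (preg_match('|^config((?:/.*)?)$|', $path, $matches)) {
      return 'admin'. $matches[1];
    }
  }

  return $result;

}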

March 10, 2008 | Drupal, security, url rewriting

Comments

For Drupal 7, you can use this module : http://drupal.org/project/rename_admin_paths

I've truly went through write-up and uncovered interesting data educated me being to obtain the most beneficial result that we're trying to
find.

I was searching this!!!
Thank you very much!

Thank you!

Hi, I'm having a hard time understanding the difference between the inbound and outbound functions. Can someone clarify this to me? My goal is to have a custom alias for node editing forms and user editing pages.

Thanks!

@Davy Van Den Bremt
Hey, could you be a little more clear on how to edit the php to get it to work properly?

Any idea on how to do it with drupal 7 ?

Fantastic post. Bookmarked this site and emailed it to a few friends, your post was that great, keep it up. Pehari

This suggestion doesn't block or send the user a 404 page if they "guess" domain.com/admin. Any way to do that?

For a Drupal site that is behind a proxy server, we would like to hide /user and /admin from the outside world but allow it from inside our network. Can a check for known IP ranges against the x-forwarded-for header be included in the custom_url_rewrite function?
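
One way to do what the comment above asks, which also covers the point that the rewrite alone leaves /admin reachable (an added example, not code from the post, its commenters or Drupal itself): a Drupal 6 style inbound hook that sends admin and user paths to "page not found" unless the client address is internal. The example_* function names, the EXAMPLE_* ranges and the '404' target path are assumptions, and the check is IPv4 only.

```php
<?php
// Constructed example values (assumptions): your proxy and internal networks.
define('EXAMPLE_PROXIES', '10.0.0.5/32');
define('EXAMPLE_INTERNAL', '10.0.0.0/8,192.168.0.0/16');
// TRUE if IPv4 address $ip lies in any CIDR of the comma-separated list
// (compares the first $bits bits of both addresses as binary strings).
function example_ip_in_ranges($ip, $ranges) {
  if (($addr = ip2long($ip)) === FALSE) {
    return FALSE; // empty, malformed or non-IPv4 input never matches
  }
  foreach (explode(',', $ranges) as $cidr) {
    list($net, $bits) = explode('/', $cidr);
    if (!strncmp(sprintf('%032b', $addr), sprintf('%032b', ip2long($net)), (int) $bits)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Only a trusted proxy may vouch for a client. Read X-Forwarded-For right to
// left: anything left of the first non-proxy hop was supplied by the client.
function example_client_ip($remote_addr, $xff) {
  if (!example_ip_in_ranges($remote_addr, EXAMPLE_PROXIES)) {
    return $remote_addr; // did not arrive through the proxy: ignore the header
  }
  foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
    if (!example_ip_in_ranges($hop, EXAMPLE_PROXIES)) {
      return $hop;
    }
  }
  return $remote_addr;
}

function custom_url_rewrite_inbound(&$result, $path, $path_language) {
  $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  $xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
  // Test $result, the path Drupal will route, so an alias cannot sidestep this.
  if (preg_match('#^(admin|user)(/.*)?$#', $result)
      && !example_ip_in_ranges(example_client_ip($remote, $xff), EXAMPLE_INTERNAL)) {
    $result = '404'; // assumed unrouted, so Drupal answers "page not found"
  }
}
// Stand-alone demo on constructed requests; leave this out of settings.php.
foreach (array(array('10.0.0.5', '192.168.1.20', 'admin/build'),   // internal
    array('10.0.0.5', '192.168.1.20, 203.0.113.9', 'admin'),         // forged entry
    array('203.0.113.9', '192.168.1.20', 'user/login')) as $c) {     // bypassed proxy
  list($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'], $result) = $c;
  custom_url_rewrite_inbound($result, $result, '');
  echo "{$c[2]} => $result\n";
}
```

Run with the PHP command line, the demo keeps admin/build for the internal client and maps the other two requests to 404. With no REMOTE_ADDR at all the check fails closed.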

The problem with 'Anonymous — May 01, 2009 at 18:27' suggestion is that the top Admin menu disappears. You can see in the recent logs these type of errors:

Type: page not found
Date: Monday, May 17, 2010 - 12:57
User: zzz
Location: http://www.zzz.org/config_menu
Referrer: http://www.zzz.org/config
Message: admin_menu
Severity: warning
Hostname: xx.xx.xx.xx
Operations

And the original suggestion does not block/404 the /admin URL.

I'm lost here. Can you explain how to change "/user" and "/admin" to different urls and disable/forbid their usage, i.e. if someone tries to load mysite.com/user it will get an error, and certainly not a login form ?
Is it possible to do that for "/?q=user" as well and how? For example change it to "/?q=usrlogin" ?

What to change and where (in D6) ?

Thank you.

Worked like a charm in Drupal 6 for me. Thanx

Yup.

Doing this to redirect to subdomains myself.

Echoing the previous comments, this is by far the best quickstart I’ve been able to find for changing the admin url to enhance security in Drupal. Thank you very much.

My Drupal version is 6, I want to know how to make this in Drupal 6?
thank you!

Thanxxxxx a lot :)

Examples for Drupal 6 using custom_url_rewrite_outbound and custom_url_rewrite_inbound


function custom_url_rewrite_outbound(&$path, &$options, $original_path) {
  global $user;

  if (preg_match('|^admin(/.*)|', $path, $matches)) {
    $path = 'administration'. $matches[1];
  }
  if ($path == 'admin') {
    $path = 'administration';
  }
  if (preg_match('|^user(/.*)|', $path, $matches)) {
    $path = 'usr'. $matches[1];
  }
  if ($path == 'user') {
    $path = 'usr';
  }
}

function custom_url_rewrite_inbound(&$result, $path, $path_language) {
  global $user;

  if (preg_match('|^administration(/.*)|', $path, $matches)) {
    $result = 'admin'. $matches[1];
  }
  if ($path == 'administration') {
    $result = 'admin';
  }
  if (preg_match('|^usr(/.*)|', $path, $matches)) {
    $result = 'user'. $matches[1];
  }
  if ($path == 'usr') {
    $result = 'user';
  }
}

For Drupal 6, use these as examples for your sites/****/settings.php.
Note that it also redirects admin to 404 if you don't want anyone to access admin anymore.

function custom_url_rewrite_outbound(&$path, &$options, $original_path) {
  if (preg_match('|^admin(/{0,1}.*)|', $path, $matches)) {
    $path = 'config'. $matches[1];
  }
}

function custom_url_rewrite_inbound(&$result, $path, $path_language) {
  if (preg_match('|^config(/{0,1}.*)|', $path, $matches)) {
    $result = 'admin'. $matches[1];
  }

  if (preg_match('|^admin(/{0,1}.*)|', $path, $matches)) {
    $result = '404'. $matches[1];
  }
}

Your max-allowed_packet=32M on your other page saved me from some hairpulling and this article rocks too. Thanks x20.

Fantastic post. Bookmarked this site and emailed it to a few friends, your post was that great, keep it up.

How would you go about doing the same URL rewrite using the new functions in D6?

ie. custom_url_rewrite_inbound and custom_url_rewrite_outbound

There's no setting. You need to get your hands dirty and write a bit of code.

Any particular setting we have to put inside the Drupal for changing the admin URL? I want to change the admin URL to some custom URL.

This code should work. It's for Drupal 5 though.

Sorry. I am new to Drupal. What I want is changing of the admin URL to something else, but your code only creates an alias and it will not change the actual path, i.e. http://example.com/?q=admin

How can I change the URL of admin in Drupal?

Sorry Joe, this has to be settings.php. Changed it in my text. Thx!

Where is this file located in drupal 5?

I used to do those kinds of renames to my websites. It is not a big issue if someone knows your admin location, but everything you hide will increase security.

I'll try and change it into my websites
