Drupal custom URL rewriting - Change the admin url to enhance security

The following tip can be used in multiple scenarios (being anywhere you need custom URL rewriting and want to do this without .htaccess), but I'll illustrate it for two specific purposes.

  1. At our company all urls beginning with /admin are blocked from outside by a firewall for content security reasons. This sucks, because Drupal administration is done on pages with a /admin url. So we need to find a way to rewrite all of the urls to something like /config (or something else).
  2. If someone knows your site is on Drupal, this gives him some knowledge on how the site is structured. For example does he know that all administration is done on /admin. To make it harder to guess this url, we want to rename it.

Both of these cases can be tackled by one hook (custom_url_rewrite) in Drupal that has to be specified in the settings.php file. You can find a descent explanation of how this hook works in the Drupal API.

In the following example I rewrite all admin urls to config (and vice versa).

function custom_url_rewrite($op, $result, $path) {

  if ($op == 'alias') {
    if (preg_match('|^admin(/{0,1}.*)|', $path, $matches)) {
      return 'config'. $matches[1];
    }
  }
  
  if ($op == 'source') {
    if (preg_match('|^config(/{0,1}.*)|', $path, $matches)) {
      return 'admin'. $matches[1];
    }
  }
  
  return $result;
  
}
Written on March 10, 2008 at 15:02, tagged as administration, Drupal, security, settings, tips, url rewriting
  • ""

Comments

Marc Cepeda (not verified) said on January 25, 2010 at 18:57.

Yup.

Doing this to redirect to subdomains myself.

mobdev (not verified) said on January 11, 2010 at 20:36.

Echoing the previous comments, this is by far the best quickstart I’ve been able to find for changing the admin url to enhance security in Drupal. Thank you very much.

Anonymous (not verified) said on November 26, 2009 at 07:48.

my drupal version is 6,i want to koow how to make this in drupal 6?
thank you!

Johnson (not verified) said on October 24, 2009 at 17:44.

Great tip! With the amount of hackers out there, adding this new level of security will really keep them out.

Anonymous (not verified) said on October 10, 2009 at 17:06.

Thanxxxxx a lot :)

Anonymous (not verified) said on June 15, 2009 at 12:41.

Examples for Drupal 6 using custom_url_rewrite_outbound and custom_url_rewrite_inbound


function custom_url_rewrite_outbound(&$path, &$options, $original_path) {
global $user;

if (preg_match('|^admin(/.*)|', $path, $matches)) {
$path = 'administration'. $matches[1];
}
if ($path == 'admin') {
$path = 'administration';
}
if (preg_match('|^user(/.*)|', $path, $matches)) {
$path = 'usr'. $matches[1];
}
if ($path == 'user') {
$path = 'usr';
}
}

function custom_url_rewrite_inbound(&$result, $path, $path_language) {
global $user;

if (preg_match('|^administration(/.*)|', $path, $matches)) {
$result = 'admin'. $matches[1];
}
if ($path == 'administration') {
$result = 'admin';
}
if (preg_match('|^usr(/.*)|', $path, $matches)) {
$result = 'user'. $matches[1];
}
if ($path == 'usr') {
$result = 'user';
}
}

Anonymous (not verified) said on May 01, 2009 at 18:27.

for drupal 6 use these as examplse for your sites/****/settings.php
note that it also redirects admin to 404 if you don't want anyone to access admin anymore

function custom_url_rewrite_outbound(&$path, &$options, $original_path) {
if (preg_match('|^admin(/{0,1}.*)|', $path, $matches)) {
$path = 'config'. $matches[1];
}
}

function custom_url_rewrite_inbound(&$result, $path, $path_language) {
if (preg_match('|^config(/{0,1}.*)|', $path, $matches)) {
$result = 'admin'. $matches[1];
}

if (preg_match('|^admin(/{0,1}.*)|', $path, $matches)) {
$result = '404'. $matches[1];
}
}

Anonymous (not verified) said on May 01, 2009 at 12:16.

Your max-allowed_packet=32M on your other page saved my from some hairpulling and this article rocks too. Thanks x20.

Zoran (not verified) said on March 18, 2009 at 02:15.

Fantastic post. Bookmarked this site and emailed it to a few friends, your post was that great, keep it up.

Anonymous (not verified) said on February 17, 2009 at 17:53.

How would you go about doing the same URL rewrite using the new fucntions in D6?

ie. custom_url_rewrite_inbound and custom_url_rewrite_outbound

Davy Van Den Bremt said on December 12, 2008 at 23:05.

There's no setting. You need to get your hands dirty and write a bit of code.

Anonymous (not verified) said on December 12, 2008 at 05:15.

Any particular setting we have to put inside the drupal for changing the admin url.I want to change the admin url to some custom url.

Davy Van Den Bremt said on November 30, 2008 at 21:11.

This code should work. It's for Drupal 5 though.

Anonymous (not verified) said on November 28, 2008 at 06:46.

Sorry.I am new in drupal.What I want is changing of admin url to some thing else but your code only create alias and It will not change the actual path i.e. http://example.com/?q=admin

How I can change the url of admin in drupal.

Davy Van Den Bremt said on September 21, 2008 at 12:07.

Sorry Joe, this has to be settings.php. Changed it in my text. Thx!

Joe Love (not verified) said on September 17, 2008 at 16:34.

Where is this file located in drupal 5?

Mark Adams (not verified) said on July 15, 2008 at 10:14.

I used to do those kind of renames to my websites.Is not a big issue someone knows your admin location..but every every thing you hide will increase security/

Anonymous (not verified) said on July 15, 2008 at 10:10.

I'll try and change it in into my websites

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

About

drupalcoder.com is a blog on all things Drupal in specific and LAMP on OS X in general. It is maintained by Davy Van Den Bremt, a Belgian (Drupal) web developer and designer living in Ghent. The goal of this blog is to log all interesting things that have crossed the writer's path while developing Drupal sites. You can read all about Davy's professional activities on his LinkedIn profile. If you want to get in touch, use the contact form.