views:

91

answers:

3

I'm trying to add extra security to my drupal site. I removed the login block, but it can also be accessed through http://mydrupalsite.com/user

It's still needed to allow the admin account in, but is there a way to protect this single page with htaccess or something more robust than what drupal allows out of the box?

+5  A: 

How it can it possibly be more robust. If you have a strong password that should be enough. The only extra security you could add that would make sense is brute force protection. But if you have a strong password brute force should be impossible.

googletorp
Agreed--there's no reason to "protect" the login form if you have a strong password. You might also want to disable public registrations (in admin/user/settings), but if your permissions are set up correctly, that shouldn't even be a problem, since there would be nothing for a newly registered user to do once he or she was logged in.
peterjmag
+4  A: 

I agree with Googletorp that a strong password is the best protection, but you can do more. The restrict_by_ip module says to restrict access to the login page by IP address. The login_security module offers similar functionality and even more. I haven't used either of them, so I can't tell you if they work as advertised.

marcvangend
A: 

Is there a way to protect this single page with htaccess?

Yes. You can add an Apache Username and password to any path. It is a little tricky to set up and probably not worth it in this instance as a strong password will do the trick (as noted by others).

Have a look here, for what looks like a good how to.

Jeremy French