Rename Admin Paths
Security module that allows renaming of Drupal's default /admin and /user paths to custom paths, helping protect against automated attacks targeting standard Drupal URLs.
rename_admin_paths
Install
composer require 'drupal/rename_admin_paths:^3.1'
composer require 'drupal/rename_admin_paths:8.x-2.3'
Overview
Rename Admin Paths is a security-focused module that helps protect Drupal sites by allowing administrators to customize the default administrative and user paths. Instead of using the standard /admin and /user paths that are well-known and targeted by automated bots and attackers, this module enables renaming these paths to any custom value.
The module works by intercepting Drupal's route building process through an event subscriber. When routes are being built, it dynamically rewrites any path starting with /admin or /user to use the configured replacement values. This happens at the routing level, ensuring that all admin and user paths throughout the entire site are consistently renamed.
This approach provides security through obscurity by making it harder for automated scripts to locate admin login pages, user registration forms, and other sensitive administrative interfaces. While not a complete security solution on its own, it serves as an effective additional layer of defense when combined with other security measures.
Features
- Rename the /admin path prefix to a custom value (e.g., /admin becomes /backend)
- Rename the /user path prefix to a custom value (e.g., /user becomes /member)
- Enable/disable admin and user path renaming independently
- Validates replacement values to ensure they contain only safe characters (letters, numbers, hyphens, underscores)
- Prevents renaming paths to reserved names ('admin' or 'user') to avoid route conflicts
- Automatically rebuilds routes when configuration is saved
- Preserves the 'path-admin' CSS class on admin pages for theme compatibility
- Integrates with Drupal's configuration management system for easy export/import
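The prefix rewrite and the validation rules described above can be modelled in a few lines. This is an added sketch in Python, not the module's own PHP code; the route table is constructed, the `user_path` / `user_path_value` key names are assumed by analogy with the `admin_path` keys shown on this page, and matching on a whole path segment is an assumption of the sketch.

```python
import re

# Rules stated on this page: letters, digits, hyphen, underscore; never the defaults.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")
RESERVED = {"admin", "user"}


def validate_replacement(value: str) -> str:
    # fullmatch (not match/search) so "backend\n" or "a/b" cannot slip through.
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"unsafe characters in replacement: {value!r}")
    if value.lower() in RESERVED:  # case-insensitive compare is this sketch's choice
        raise ValueError(f"{value!r} is a reserved default path name")
    return value


def rewrite_path(path: str, default: str, replacement: str) -> str:
    """Rewrite /<default> and /<default>/... but leave /<default>istrators alone."""
    prefix = "/" + default
    if path == prefix or path.startswith(prefix + "/"):
        return "/" + replacement + path[len(prefix):]
    return path


def rebuild_routes(routes: dict, settings: dict) -> dict:
    """Apply every enabled rename to a route table (route name -> path)."""
    rebuilt = {}
    for name, path in routes.items():
        for default in ("admin", "user"):
            if settings.get(f"{default}_path"):
                value = validate_replacement(settings[f"{default}_path_value"])
                path = rewrite_path(path, default, value)
        rebuilt[name] = path
    return rebuilt


# Constructed sample data; user_path / user_path_value are assumed key names.
ROUTES = {
    "system.admin_content": "/admin/content",
    "user.register": "/user/register",
    "example.administrators": "/administrators/list",
    "entity.node.canonical": "/node/{node}",
}
SETTINGS = {"admin_path": 1, "admin_path_value": "backend",
            "user_path": 0, "user_path_value": "member"}

if __name__ == "__main__":
    for name, path in rebuild_routes(ROUTES, SETTINGS).items():
        print(f"{name:26} {path}")
```

With only the admin rename enabled, `/admin/content` becomes `/backend/content` while `/user/register` and `/administrators/list` are left unchanged.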
Use Cases
Protect admin pages from automated attacks
Enable admin path renaming to change /admin to a custom value like /backend or /manage. This prevents automated bots that scan for standard Drupal admin paths from finding your administrative interface. For example, after renaming, /admin/content becomes /backend/content.
Hide user registration from spam bots
Many spam bots target /user/register to create spam accounts. By renaming the user path to something like /member or /account, the standard registration path becomes a 404, blocking automated registration attempts while legitimate users can still register at /member/register.
Compliance with security policies
Some organizations require that default administrative paths be obscured as part of security hardening policies. This module provides a simple way to meet such requirements without modifying core Drupal files.
Multi-site configurations with different admin paths
When managing multiple Drupal sites, you can configure different admin paths for each site. This makes it easier to distinguish between sites when working and adds an extra layer of protection since attackers can't use the same path across all your sites.
Tips
- Always save or document your renamed paths somewhere secure before enabling the module, in case you need to access them later
- Test path renaming on a development environment before applying to production
- Consider using memorable but non-obvious path names - something meaningful to your organization but not easily guessable
- The module preserves the 'path-admin' CSS class on admin pages, so theme styling based on this class will continue to work
- Configuration can be exported and imported using Drupal's configuration management, making it easy to deploy path settings across environments
- Combine this module with other security measures like fail2ban, rate limiting, and strong passwords for comprehensive protection
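Once the default paths return 404, requests for them become a useful detection signal that tools such as fail2ban or a rate limiter can act on. The following added example (not part of the module) scans access-log lines for clients that repeatedly hit the old /admin and /user prefixes, and also lists any default path that did not answer 404; the log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Combined-log-style line: ip - - [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# The default prefixes, matched on a whole path segment.
LEGACY = re.compile(r"^/(?:admin|user)(?:[/?]|$)")


def scan(lines, threshold=3):
    """Return (clients with >= threshold 404s on default paths,
    default paths that answered with something other than 404)."""
    misses, still_live = Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable line, skip rather than guess
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if not LEGACY.match(path):
            continue
        if status == 404:
            misses[ip] += 1
        else:
            still_live.add((path.split("?")[0], status))
    flagged = {ip: n for ip, n in misses.items() if n >= threshold}
    return flagged, still_live


# Constructed sample log (documentation address ranges), admin renamed to /backend.
SAMPLE = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /user/register HTTP/1.1" 404 512 "-" "bot"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /user/login HTTP/1.1" 404 512 "-" "bot"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 512 "-" "bot"
198.51.100.20 - - [10/May/2024:10:05:00 +0000] "GET /backend/content HTTP/1.1" 200 9000 "-" "Mozilla"
198.51.100.20 - - [10/May/2024:10:05:09 +0000] "GET /admin/reports/dblog HTTP/1.1" 404 512 "-" "Mozilla"
192.0.2.55 - - [10/May/2024:10:07:00 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "bot"
192.0.2.55 - - [10/May/2024:10:07:05 +0000] "GET /user/login?destination=/node/1 HTTP/1.1" 200 4100 "-" "bot"
""".splitlines()

if __name__ == "__main__":
    flagged, still_live = scan(SAMPLE)
    print("flagged clients:", flagged)
    print("default paths not returning 404:", sorted(still_live))
```

A single 404 on a default path from a known administrator address is more likely one of the hard-coded links described under Troubleshooting than a scan, which is why the sketch uses a threshold instead of flagging every miss.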
Technical Details
Admin Pages
/admin/config/system/rename-admin-paths
Configuration page for setting custom replacements for the default /admin and /user paths. This page allows administrators to enable path renaming and specify the replacement values for each path type.
Permissions
Drush Commands
drush cget rename_admin_paths.settings
View the current path renaming configuration, useful if you've forgotten what you renamed paths to
drush cset rename_admin_paths.settings admin_path 1
Enable admin path renaming via Drush
Troubleshooting
The broken module likely uses hard-coded paths instead of paths generated by Drupal's router with route names. This cannot be fixed by Rename Admin Paths. Open an issue in the affected module's issue queue requesting they use router-generated paths instead of hard-coded ones.
Use Drush to view the configuration: drush cget rename_admin_paths.settings. Alternatively, check the database directly: in the 'config' table, look for the row with name 'rename_admin_paths.settings'.
This is a known limitation. Admin report links are generated by Views with hard-coded paths, which this module cannot modify. There is an open core issue (https://www.drupal.org/project/drupal/issues/2939986) tracking this problem.
If you've locked yourself out, you can reset the configuration by directly modifying the database. In the 'config' table, find 'rename_admin_paths.settings' and set admin_path to 0, or update admin_path_value to a value you know. Clear caches afterward.
Path replacement values must contain only letters (a-z, A-Z), numbers (0-9), hyphens (-), and underscores (_). Additionally, you cannot use 'admin' or 'user' as replacement values as this would conflict with default paths.
Security Notes
- This module provides security through obscurity, which should be used as an additional layer of protection rather than the sole security measure
- The permission 'administer path admin' is marked as restricted access because changing admin paths has significant security implications
- Users with this permission could potentially lock out other administrators by changing paths without communication
- Always ensure at least one administrator knows the configured paths
- Path validation prevents using reserved names and special characters to avoid route conflicts and potential security issues
- The module does not hide the existence of admin functionality from authenticated users who have appropriate permissions