Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

disable_login

1,507 sites Security covered
View on drupal.org

Disable Login Page is a simple module that prevents access to the default Drupal Login Page to anonymous users without the use of a secret key. This is useful for sites that do not have any public user login requirements like in a corporate website or a personal blog.

The login page is protected with a secret key name value pair which can be set by the admin. When the default login page is accessed without the secret key-value pair, you get an access denied error.

The module also allows the secret key to be programmatically modified by any custom code by exposing an alter hook on the key. If you want to use a custom logic for generating the key you can implement the alter hook in your module.

Users who want to login to the site can bookmark the login page including the secret key.

Configuration

All settings for this module are on the Disable Login configuration page, under the Configuration section, in the Security sub menu. You can visit the configuration page directly at admin/config/security/disable-login.

In addition, you can also completely prevent access to /user/login when accessed without any querystrings, by configuring this at the webserver level.

For apache you can add the following before the section on the rediret
to index.php.

# Block access to /user/login when there are no querystrings
RewriteCond %{QUERY_STRING} ^$
RewriteCond %{REQUEST_URI} ^/user/login
RewriteRule ^.* - [F,L]

Other webservers can be configured similarly.

Examples

Admin user can set both the name of the QueryString and the value which will allow access to the login page.

Eg:

http://example.com/user/login

will give access denied.

http://example.com/user/login?key=secret

will allow the user to access the login page.

If you get locked out

If you are locked out of the system because you forgot the key-value pair

- If you have access to shell, run the following

drush -y config-set disable_login.settings disable_login 0

- If you don't have access to shell but have access to the file system via ftp

Edit disable_login/src/Access/DisableLoginAccessCheck.php file and find hasValidSecretToken function. Add return TRUE; as the first line in the function.

Activity

Total releases
1
First release
Dec 2025
Latest release
4 months ago
Release cadence
Stability
100% stable

Releases

Version Type Release date
1.1.3 Stable Dec 3, 2025