Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Varbase FAQs 9.2.1 Minor update available for module varbase_faqs (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module enhances Drupal's security by controlling who can log in, from where, and under what conditions. It also manages user sessions post-login with features like IP restriction, adaptive security, automatic logout, and real-time monitoring to prevent unauthorized access and session abuse. It's ideal for enterprise or security-sensitive applications needing robust access control.

The Login & Access Security module is designed to add safeguards to Drupal Login in a split phase manner-

  • Security checks to govern pre-login security - Defines who can log in, from where, from which device, and under what conditions.
  • Security checks to govern users activity, post login - Control user sessions, Limit their activity, define auto-logout and zero-trust policies.

The module combines user access control, session management, IP restriction, adaptive login security, and real-time monitoring into a single solution.

Benefits - It helps prevent unauthorized access, session abuse, brute-force attacks, and suspicious login behavior, making it ideal for enterprise and security-sensitive Drupal applications.

Know more Setup Guides

This module is well suited for enterprise portals, CRMs, HR systems, finance platforms, and regulated Drupal applications where access control and session oversight are critical.

When combined with Identity and Access Security elements like SSO and MFA; it will transform into a full fledged enterprise Access Gateway solution within Drupal, something similar to what we have already done for one of our customers.

What can it do?

  • Login Audit and Brute Force Protection: Protect against unauthorized login attempts by tracking failed logins at both user and IP levels. Administrators can define limits for the number of failed login attempts and automatically block users and/or IP addresses when thresholds are exceeded - this protects against Brute Force and DDOS attacks.
  • IP Based Restriction / Blocking & Network-Level Protection: Manually or Automatically block malicious IP addresses. The module supports blocking individual IPs as well as IP ranges. Active user sessions can be automatically terminated if an unusual change in IP address or geographic location is detected.
  • Geofencing (Location Based Access Control): Admins can restrict or allow access to their drupal site originating from specific countries / locations. It can also automatically trigger a force logout if a change in location is detected.
  • Session Management, Monitoring & Auditing: Control user sessions by configuring custom session lifetimes, limiting concurrent sessions, and managing active sessions. Users can view and terminate their active sessions, while admins enforce global or role-based session policies. Detailed session and login activity - including timestamps, IP address, device, browser, and status - can be monitored and exported in CSV format for auditing and compliance.
  • Honeypotting for Bot Detection: Detect and block automated bots using honeypot techniques that identify non-human behavior during login and access attempts. This adds an additional layer of protection without affecting legitimate users.
  • Automatic Logout:
    • Logout after inactivity - Automatically log out users after a configured period of inactivity.
    • Logout after fixed time interval - End user sessions after a specified time limit, regardless of activity, to enforce maximum session duration.
  • IP Whitelisting / Blacklisting: Allow trusted IP addresses through allowlisting to ensure uninterrupted access for internal networks and partners, while blocking malicious or unwanted IPs using denylisting to prevent unauthorized access.
  • Time-Based Access Control: Assign access to users or roles for a specific time period. Once the configured duration expires, access is automatically revoked. This is especially useful for scenarios which involve sensitive environments like banking, healthcare or PII data processing.


Need any help?

If you face any issues or need any help in configuration, please feel free to reach out to us at [email protected]. You can also connect with us on the Drupal Slack channel.

 Contact Us Join Our Slack Channel

Activity

Total releases
7
First release
Jun 2025
Latest release
1 week ago
Releases (12 mo)
6 ▲ from 1
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.2.0 Stable Jul 8, 2026
1.1.0 Stable Apr 2, 2026
1.0.7 Stable Jan 14, 2026
1.0.6 Stable Dec 15, 2025
1.0.5 Stable Oct 14, 2025
1.0.4 Stable Sep 2, 2025
1.0.3 Stable Jun 13, 2025