Blocking unwanted users on your Drupal website

Unfortunately, when you build a Drupal website, there are actors who want to take advantage and try to find vulnerabilities in the website. When you install a Drupal website, the default settings (as of September 25th, 2024) allow all visitors to create accounts on your Drupal website. These accounts require administrators to approve the account, but I've noticed that once your Drupal site is discovered, people (or more likely bots) will continuously create more useless accounts on your site.

The ultimate goal is unclear. Are they just looking for vulnerabilities? Are they trying to create so many accounts that your Drupal installation crashes so they can find other vulnerabilities? The answer is not very clear. However, most Drupal sites don't really require a lot of user interaction (imagine a Drupal website for a business that is just providing information about the business). So, many Drupal website owners can probably just disable visitors from creating accounts on their Drupal websites.

The process is extremely simple. This process worked on Drupal 11.04 on September 25th, 2024. I'll give the instructions in shorthand format. If you are logged into Drupal as an Administrator, these shorthand instructions will be very easy for you to follow. Thank you for reading this short article!!!

Configuration => Account settings => Who can register accounts? => Administrators only => Save Configuration