Securing Drupal: Disabling Account Creation
Executive Summary
This article highlights a security concern for Drupal site owners: by default, any visitor can submit the registration form, and once a site is discovered, bots fill the administrator's approval queue with junk accounts. Many Drupal sites (a brochure site for a business, for example) need no visitor accounts at all, so account creation can be disabled altogether: go to Configuration > Account settings > Who can register accounts?, select "Administrators only", and save. This closes the public registration form; accounts that were already created still have to be reviewed and cancelled separately.
Keywords: Drupal, security concern, account creation, malicious actors, website vulnerabilities, administrators only, configuration, account settings, who can register accounts, Drupal 11.0.4, security best practices, website protection, unwanted users, useless accounts, bot activity
_____________________________________________________________________
Unfortunately, as soon as you put a Drupal website online, there are actors who will try to take advantage of it and look for vulnerabilities. When you install Drupal, the default setting (as of September 25th, 2024) is "Visitors, but administrator approval is required": anyone can submit the registration form at /user/register, and the new account is stored in a blocked state until an administrator approves it. I've noticed that once your Drupal site is discovered, people (or more likely bots) will continuously create more of these useless pending accounts.
The ultimate goal is unclear. Are they just probing for vulnerabilities? Are they hoping an administrator approves one of the accounts by mistake, which would give it whatever the Authenticated user role is allowed to do? Are they trying to create so many accounts that the site degrades? The answer is not obvious, but the immediate cost is real: a growing queue of blocked accounts to review and, with Drupal's default mail settings, a notification email to the site address for every pending registration. Most Drupal sites don't require much user interaction (imagine a Drupal website for a business that just provides information about the business), so many Drupal site owners can simply stop visitors from creating accounts.
The process is extremely simple. It worked on Drupal 11.0.4 on September 25th, 2024. I'll give the instructions in shorthand format; if you are logged into Drupal as an administrator, they will be very easy to follow. Thank you for reading this short article!!!
Configuration => Account settings => Who can register accounts? => Administrators only => Save configuration
The Account settings page lives at /admin/config/people/accounts. After saving, /user/register returns a 403 for anonymous visitors, and new accounts are created by administrators at /admin/people/create. Accounts that bots already registered are not removed by this change: review them under People (filter Status = Blocked) and cancel them in bulk.
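The same change, done from the command line so it can be scripted and verified, as an added example that is not part of the original article and not Drupal's own code. It uses only Drupal core APIs (the `user.settings` config object, the `register` key and the constants on `Drupal\user\UserInterface`); the file name `harden_registration.php` and the `$max_listed` limit are this example's own choices. Run it with Drupal bootstrapped, for instance via `drush php:script harden_registration.php`.

```php
<?php

/**
 * @file
 * Added example (not from the original article): set "Who can register
 * accounts?" to "Administrators only" from a script, confirm the value the
 * registration access check will see, and list the pending accounts that
 * bots may already have created so an administrator can cancel them.
 *
 * Assumptions: file name and $max_listed are this example's choices; the
 * config key user.settings:register and the UserInterface constants are
 * Drupal core.
 */

use Drupal\user\UserInterface;

// The legal values for user.settings:register are the three constants
// REGISTER_ADMINISTRATORS_ONLY ('admin_only'), REGISTER_VISITORS
// ('visitors') and REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL
// ('visitors_admin_approval'). The install default is the last one: anyone
// can submit /user/register and the account is stored blocked (status 0).
$config = \Drupal::configFactory()->getEditable('user.settings');
$before = $config->get('register');
print "Current 'Who can register accounts?' value: {$before}\n";

if ($before !== UserInterface::REGISTER_ADMINISTRATORS_ONLY) {
  // Equivalent to choosing "Administrators only" in the UI and saving.
  $config->set('register', UserInterface::REGISTER_ADMINISTRATORS_ONLY)->save();
}

// Re-read through the normal read-only config path, which is what the
// /user/register access check consults (and where a settings.php override
// would apply). Fail loudly if the change did not stick.
$after = \Drupal::config('user.settings')->get('register');
if ($after !== UserInterface::REGISTER_ADMINISTRATORS_ONLY) {
  throw new \RuntimeException("user.settings:register is still '{$after}'");
}
print "user.settings:register is now '{$after}'; /user/register is closed.\n";

// Closing the form does not remove accounts that were already registered.
// Pending registrations are simply blocked users; uid 0 is the anonymous
// user and uid 1 is the site owner, so both are excluded here.
$max_listed = 50;
$storage = \Drupal::entityTypeManager()->getStorage('user');
$uids = $storage->getQuery()
  ->accessCheck(FALSE)
  ->condition('status', 0)
  ->condition('uid', 1, '>')
  ->sort('created', 'DESC')
  ->execute();

print count($uids) . " blocked account(s) awaiting review.\n";
foreach ($storage->loadMultiple(array_slice($uids, 0, $max_listed)) as $user) {
  /** @var \Drupal\user\UserInterface $user */
  printf("  uid %d  %-30s %s  created %s\n",
    $user->id(),
    $user->getAccountName(),
    $user->getEmail(),
    date('Y-m-d', (int) $user->getCreatedTime()));
}
// Review the list, then cancel the junk accounts in bulk at /admin/people
// (filter Status = Blocked) rather than deleting them from a script.
```

If the site is deployed from exported configuration, export after running this (`drush config:export`) so the next `config:import` does not revert the setting. To pin the value regardless of what an administrator later picks in the UI or what a config import contains, add `$config['user.settings']['register'] = 'admin_only';` to settings.php; runtime overrides set there take precedence over the stored configuration that the account settings form edits.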
ASCII Tree:
```
Securing Drupal: Disabling Account Creation
|
+-- Problem: Malicious actors/bots create useless accounts
|   +-- Motivation: Probing for website vulnerabilities
|
+-- Cause: Default setting allows any visitor to register
|
+-- Solution: Restrict account creation to administrators
|
+-- Path: Configuration -> Account settings -> "Who can register accounts?" -> Select "Administrators only" -> Save
```