Last updated 20 March 2017. Created on 20 October 2010.
Edited by NonProfit, wturrell, jp.stacey, DLBaker. Log in to edit this page.

The Drupal account created during installation (i.e. with user ID or UID=1) behaves differently from others. Primarily, it can bypass all access callbacks: it has permission to do everything by default. Failing to secure this account could result in potential security risks. Treat the UID=1 account as you would with root on Linux systems.

There are several options for recourse to secure this account:

Ensure repeated login attempts are rejected

Protection against brute-force attacks has been added to Drupal 7 core. For a configurable interface on Drupal 7, use the Flood Control module.

Do not name first account 'admin'

Do not use an obvious name like 'admin' or 'administrator' which are too easy to guess.

Disable it entirely

With the advent of Drush and the creation of the administer software updates permission, logging in as UID=1 is no longer required from day to day.

Disabling UID=1

With Drush, you can disable this account by running the following at a command prompt:

drush user-block 1

If you do not have access to Drush, you can run a SQL query instead. The table you must target is different, between Drupal 7 or older:

UPDATE users SET status = 0 WHERE uid = 1

and Drupal 8:

UPDATE users_field_data SET status = 0 WHERE uid = 1

Re-enabling UID=1

The following Drush command or SQL statement re-enables the account:

drush user-unblock 1

By default, unblocking a user will send them an Account activation email (configurable in /admin/config/people/accounts - Drupal 8)

UPDATE users SET status = 1 WHERE uid = 1 (Drupal 7)
UPDATE users_field_data SET status = 1 WHERE uid = 1 (Drupal 8)

Generate a randomly generated password for this account

Drupal's user_password() function can be used to generate a random alphanumeric password. Run the following Drush command:

drush php-eval 'print user_password();'

Note that there are other generators out there that will likely create more secure passwords, including symbols and other characters. Consider using those if you have access to them.

Use the Paranoia module to disable editing this account

The Paranoia module for Drupal 7 will disable editing of the UID=1 account, preventing someone with access to your site from re-enabling it and then using it to log in and escalate privileges.

Take care to evaluate all of the features of Paranoia: it performs several other security and good-practice functions, such as disabling the PHP input filter.

Use the Alert to Administrator modules to remind admins they have logged in as the super user

Alert to Administrator displays a configurable alert message above most forms on the site, reminding users they are logged in as an administrator.

Limit access by IP address to only trusted users

The Restrict Login or Role Access by IP Address module can prevent access from untrusted locations.

Legacy considerations for Drupal 6

Drupal 6 is no longer supported, but here is some legacy advice for such sites.

Brute-force attacks

Drupal 6 does not protect against brute-force login attempts by default. Instead, the Login Security module can be installed on Drupal 6 to add this functionality.

Disabling UID=1 entirely

Note that, in Drupal 6, this account was required for running update.php and some other vital user functions. You might therefore need to re-enable it temporarily for specific administrative tasks. Ensure you disable it again afterwards.

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.