Prevent users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page. ( default: http://example.com/?q=user/login&admin )

If your site has clean urls enabled you may use http://example.com/user/login?admin instead.

If a user does find out about the secret key they will still have their user account role checked during authentication. If they do not have the 'bypass disabled login' granted they will be refused access and displayed a customisable "denied" message.

This module is ideally suited for website content freezes during a migration or functionality upgrade.

Supporting organizations: 
Ixis - UK Drupal Support, Maintenance, Hosting and Development
Development & maintenance
Access (now GAIN)
Issue queue, maintenance and Drupal 9 development

Project information

  • caution Minimally maintained
    Maintainers monitor issues, but fast responses are not guaranteed.
  • caution Maintenance fixes only
    Considered feature-complete by its maintainers.
  • Project categories: Access control
  • chart icon497 sites report using this module
  • Created by budda on , updated
  • shieldStable releases for this project are covered by the security advisory policy.
    Look for the shield icon below.

Releases

2.1.3 Stable release covered by the Drupal Security Team released 3 February 2026
Works with Drupal: ^8.8 || ^9 || ^10 || ^11

Improve login logic. Expand automatic test coverage for login functionality

Install:

Development version: 2.1.x-dev updated 14 Mar 2026 at 19:08 UTC

Using Composer to manage Drupal site dependencies