In this article, I’m going to show you a few methods to separate your public site from the vulnerable parts of your administration area. What you need is an effective way to keep your site locked and secure, and protected from attacks, while still leaving your site editable for trusted users.
Methods for securing the admin section of your site
One of the things that is often overlooked when setting up and securing a Drupal site is the administrative section. Sure, Drupal protects these paths with access controls, but you can do a lot more to protect your site, especially if your site doesn’t require public login.
If the public has no business accessing /user, they shouldn’t be able to. This path is an attack vector for denial of service (DoS/DDoS) and brute-force password guessing, and it drastically increases the attack surface of the site.