Changing Some Drupal Defaults


Module Ref: https://www.drupal.org/project/rename_admin_paths

If you watch the top hits in your site's access logs, you will notice continuous requests to the standard Drupal pages (the login form, the admin area and so on).
Much of that traffic comes from scripts that scan for the default paths and attempt to exploit whatever they find there.
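An added example (not from the original post): a small POSIX shell script that reads a combined-format access log and reports which default Drupal paths are being hit, which IPs are hitting them, and, once the paths have been renamed, which default paths still answer 200. The probe list and the log lines are constructed for the example; extend the list for your own site.

```shell
#!/bin/sh
# Added example, not from the original post: triage a combined-format access
# log for hits on the default Drupal paths that scanners probe, and flag any
# default path that still answers 200 after the paths have been renamed.

# Default Drupal paths worth watching (assumption: extend for your own site).
# The optional "drupal/" prefix covers sites installed under the default folder.
PROBE_RE='^/(drupal/)?(user(/login|/register|/password)?|admin(/.*)?|install\.php|update\.php|CHANGELOG\.txt|xmlrpc\.php|cron\.php)$'
export PROBE_RE

# Emit "ip status path" for every request whose path is a default Drupal path.
# Handles both clean URLs (/user/login) and the ?q= form (/?q=user/login).
# Combined log format: $1 = client IP, $7 = request path, $9 = status code.
probe_requests() {
    awk '
    {
        req = $7
        sub(/^\/\?q=/, "/", req)   # /?q=user/login  ->  /user/login
        sub(/[?&].*$/, "", req)    # drop any remaining query string
        sub(/\/+$/, "", req)       # drop trailing slash
        if (req ~ ENVIRON["PROBE_RE"]) print $1, $9, req
    }' "$1"
}

# Default paths ranked by hit count: the "standard pages" the post refers to.
drupal_probe_hits() {
    probe_requests "$1" | awk '{print $3}' | sort | uniq -c | sort -rn
}

# Source IPs ranked by how many default paths they hit (scanner candidates).
probe_ips() {
    probe_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Default paths that still returned 200: after renaming login/admin paths and
# pointing 403/404 at a plain page, this list should be empty.
live_probe_paths() {
    probe_requests "$1" | awk '$2 == 200 {print $3}' | sort -u
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /user/login HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /user/login HTTP/1.1" 403 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?q=admin HTTP/1.1" 403 1200 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 1100 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /node/12 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /sites/default/files/logo.png HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:58:00 +0000] "GET /drupal/user/login HTTP/1.1" 404 1100 "-" "Mozilla/5.0"
EOF

# Usage: run the three reports over the sample (or pass your own log file).
echo "== default paths by hits ==";   drupal_probe_hits "$SAMPLE_LOG"
echo "== source IPs by probe count =="; probe_ips "$SAMPLE_LOG"
echo "== default paths still live ==";  live_probe_paths "$SAMPLE_LOG"
```

Run it against your real log (`drupal_probe_hits /var/log/apache2/access.log`) before and after the changes below; the first two reports tell you how much of your traffic is scanner noise, and the third is the check that the renamed paths really stopped answering.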

Here are a few things that you can do to help reduce this attack surface.

1. Install your site under a folder other than the default name of drupal. This is a small reduction in exposure: it removes one cheap probe from scanners that look for that specific path, though it does nothing against a scanner that fingerprints the software itself.
(Notice that I did not follow my own recommendation, but that was after the fact.) :)

2. Remove the reference to Drupal in the footer by setting that block to none (disabled). This keeps the word Drupal from showing on every page of your site. Note that Drupal also announces itself in the Generator meta tag and the X-Generator response header, so this hides the name from casual visitors rather than from a fingerprinting scanner.

3. Point your default error pages at something other than the login form. If an authentication failure or a denied request lands the visitor on the login form, you are also escorting any nefarious activity straight to the login form. This is set under Configuration > System > Site information. Create a single page under Content and use it as the target.
Example: create a new Basic page and give it a URL alias such as "sorry" or whatever polite name you prefer. Then enter that path for both error pages:

Default 403 (access denied) page: ?q=sorry
Default 404 (not found) page: ?q=sorry
Redirecting both to the same page is fine. The field takes a Drupal path, so with clean URLs enabled just enter sorry.

4. Use a module to change your default login and admin paths. I have been playing with this module: https://www.drupal.org/project/rename_admin_paths.
What this allows you to do is rename the default landing pages (the user and admin paths), which are the usual target of these ne'er-do-wells.

If your site is set up to allow installation of modules from the admin UI, you can simply paste in the URL of the correct tar.gz and it will install. If not, you will have to go through
the manual process of adding a module (extract it into sites/all/modules for 7.x or modules/ for 8.x).
For version 7x use:
https://ftp.drupal.org/files/projects/rename_admin_paths-7.x-2.3.tar.gz
For version 8x use:
https://ftp.drupal.org/files/projects/rename_admin_paths-8.x-1.1.tar.gz

Once you have installed the module you have to enable it. This is usually one of the check boxes offered right after installing the module. If not, simply go to Modules in the admin section and it will be at the very bottom.

Renaming via the module is not turned on by default; you now have to turn it on and set the new names.
Configure the module by clicking "Configure" next to it on the Modules page. Enter the new names for the two default paths (admin and user).
Click Save to update the module and everything should start working.

Note:
a. If you have any links pointing to the old locations, be sure to update them to your new paths (i.e. admin becomes blah).
If you set up the default error paths in step 3, then anything hitting the old pages will now be redirected to your "sorry" page as well.
b. You will now need to point to a new location for login. Remember what you set it to or you yourself will not be able to log in. If you have a login/registration link, be sure to update that as well. Keep a way back in, such as shell access with Drush, so the module can be disabled from the command line if you do lock yourself out.
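For those who would rather drive steps 3 and 4 from the command line than click through the admin UI, here is an added example (not from the original post and not the module's own code) using Drush 8. It assumes Drush is installed, that it is run from the site's docroot, and that the "sorry" page from step 3 has the URL alias sorry; it takes the Drupal major version (7 or 8) as its only argument. The module's own rename settings are not shown on the page, so the new path names are still entered on its Configure form.

```shell
#!/bin/sh
# Added example, not from the original post: apply step 3 (error pages) and
# step 4 (install and enable rename_admin_paths) with Drush 8.
# Assumptions: Drush is on PATH, the script runs in the site docroot, and the
# plain page from step 3 has the alias "sorry". Usage: ./harden.sh 7|8
set -eu

SORRY_PATH="sorry"   # alias of the plain page created in step 3 (assumed)

# Without Drush there is nothing to do; exit cleanly rather than fail.
if ! command -v drush >/dev/null 2>&1; then
    echo "drush not found; nothing done" >&2
    exit 0
fi

MAJOR="${1:?usage: $0 7|8}"

case "$MAJOR" in
7)
    # Step 3: Drupal 7 stores the error pages in the site_403/site_404 variables.
    drush vset site_403 "$SORRY_PATH"
    drush vset site_404 "$SORRY_PATH"
    # Step 4: fetch the 7.x release the post links to and enable it.
    drush dl rename_admin_paths-7.x-2.3
    drush en -y rename_admin_paths
    drush cc all
    ;;
8)
    # Step 3: Drupal 8 keeps the error pages in the system.site config object,
    # and the values are paths with a leading slash.
    drush config-set -y system.site page.403 "/$SORRY_PATH"
    drush config-set -y system.site page.404 "/$SORRY_PATH"
    # Step 4: fetch the 8.x release the post links to and enable it.
    drush dl rename_admin_paths-8.x-1.1
    drush en -y rename_admin_paths
    drush cr
    ;;
*)
    echo "unsupported Drupal major version: $MAJOR" >&2
    exit 1
    ;;
esac

echo "Now open the module's Configure form, enable the rename and set the new admin/user paths."
```

After the script runs, set the new path names on the module's Configure form, then re-check your access log: requests to /user/login and /admin should now be landing on the "sorry" page rather than on a login form.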

This is not all-inclusive, but it is certainly a start toward reducing the attack surface.
