Decision: Block the Drupal user 1 account in production environments
The Drupal admin account will be blocked on production environments. Individually named user accounts will be created and granted appropriate roles as needed. Even though users may have equivalent permissions by being granted the "Administrator" role, admin actions will be logged with the actioning user's identity.
The administrator user account will be unblocked as needed for staging, development, and local environments.
For example, using Drush:
drush user:unblock <username>
In Drush 11 and newer, the --uid flag can be used:
drush user:unblock --uid=1
Otherwise, for older versions of Drush and Drupal 8 or 9, and when the admin username is unknown, the username can be looked up and the account unblocked in one step using command substitution:
drush user:unblock "$(drush user:information --uid=1 --fields=name --format=string)"
For Drupal 7 and older versions, drush sqlq can be used to get the user name:
drush sqlq 'SELECT name FROM users WHERE uid=1';
The administrator user account will have a long, random password set that is discarded. This will prevent exposing Administrator logins if the account is accidentally unblocked.
Teams may need to add a Drush command to unblock the administrator account when pulling production databases into environments like Tugboat. Local development tools also offer ways to automatically unblock accounts with Drush after a database import.
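One way to script this decision for a deploy or post-import hook, as an added example that is not part of the original decision record. It assumes the hook passes the environment name as an argument; the function names are hypothetical, and drush user:block and drush user:password are standard Drush commands not shown above.

```shell
#!/bin/sh
# Added example, not project code. Assumption: the deploy or database-import
# hook calls apply_uid1_policy with the environment name, for example:
#   apply_uid1_policy "$APP_ENV"    # APP_ENV is a hypothetical variable

# Resolve the uid 1 username with the lookup shown above.
uid1_name() {
  drush user:information --uid=1 --fields=name --format=string
}

# Decide the action. Only the non-production environments named in this
# decision unblock; anything else, including a missing value, blocks.
uid1_action() {
  case "${1:-}" in
    staging|development|local) echo unblock ;;
    *) echo block ;;
  esac
}

# Long random password: 48 bytes from the kernel CSPRNG, base64-encoded.
random_password() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Apply the decision. The body runs in a subshell so variables do not leak.
apply_uid1_policy() (
  name="$(uid1_name)" || exit 1
  [ -n "$name" ] || { echo "could not resolve uid 1" >&2; exit 1; }
  if [ "$(uid1_action "${1:-}")" = unblock ]; then
    drush user:unblock "$name"
  else
    # The password is never stored or printed, so it is discarded on exit.
    drush user:password "$name" "$(random_password)" || exit 1
    drush user:block "$name"
  fi
)
```

Because unrecognized or empty environment names fall through to the block branch, a misconfigured hook leaves the account blocked rather than open.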