Need some help with your project? Contact me

Cool Module: Shield

Shield is a cool module that lets you set up HTTP authentication for your Drupal site if you are running it on an Apache server.

Say you have a development site running on a remote server that can be accessed over the internet and you want it completely hidden from the public. The Shield module provides a closed platform kind of thing by which you can restrict access even to the site’s homepage with a simple GUI configuration.

Without this module you have another GUI option, albeit less useful. You can put your site in maintenance mode for the time you are not developing. But then people can still see the maintenance page and the entire site (anonymous user accessible) while you are developing.

Shield provides a nice PHP authentication mechanism that is easily configurable in the GUI. After you install and enable the module, navigate to admin/config/system/shield and you’ll be presented with some options. The most important are the credentials you have to set up in order to be able to access your site. You can even restrict command line access to the site by unticking the checkbox.

Additionally, you can specify a custom message you want to present the user in the login box that pops up on the screen. You can pass the credentials as tokens (which for some reason include also the password) but it would kinda defeat the purpose of having the authentication set up.

Please note that the authentication system this module puts in place has nothing to do with Drupal user accounts. If you set up the credentials, you will have to login regardless of what kind of user you are on the site.

Shield module

There was an another module out there offering similar functionality (HTPasswd protection) but due to the Drupal collaboration over competition mindset that we love so much, the 2 modules are merged into what is now the only proposed solution - Shield. Many thanks to the 2 maintainers of this handy module!


...otherwise I wouldn't recommend it, since the module will consume resources (memory and CPU) on every non-cached page access, for what is essentially a one-time setting. The HTTP Authentication setup can be done manually about as easily as installing the module, but without the extra overhead.

If you're not comfortable on the command line, or wary of messing with .htaccess, by all means go ahead, but be aware that there is a price to pay.

I don't think that Shiled consumes too much resources, this is a very small and quick module. Otherwise Shield is used for dev and staging environments and these sites don't have much visitors so it also shouldn't case problems.

If you use one codebase for dev, staging and production sites you always have to be careful to modify and set the htaccess file correctly, because if you miss something the dev site won't be protected or the live site will hidden from the visitors and these are big faults. With shield you can set the environments settings in custom.settings.php which is a protected solution and can't happen to show/hide your site.

We use Shield in big sites, such as Gardens sites and it never case problem with performance, this is a small and quick module which checks the availability in hook_boot() which is a very quick hook.

You do have to modify your .htaccess if your drupal site runs in a CGI or FastCGI environment. Those environments are common with shared hosting. See the Shield module's project page for details on modifying your .htaccess.

On the project page:

Since Drupal 7.23 you don't need any .htaccess modification for CGI (#670454: Support HTTP Authorization in CGI environment) but if you use plain old CGI you still need a modification...

That's great news Kalman! I'll have to take another look at using Shield.

I have a disclaimer popup which get displayed and allow to set cookie when user arrives for first time to the site. With shield it do display the basic authentication box first. With proper credentials it it get close and load disclaimer popup. But the ajax call added to the popup doesn't work.

Without shield the functionality work properly.

Add new comment

You can post comments in Markdown and basic HTML tags.
For code blocks, wrap your code within '~~~'. For example:
$var = 'my variable';