
The Ambiguously Administrative Duo

Here at Isovera, we manage quite a few Drupal sites: many we’ve built ourselves, soup to nuts so to speak, and plenty of others we’ve inherited from other agencies or in-house teams. It is always interesting to see how other shops approach the basics of site building.

One of the first tasks you’ll encounter when building a Drupal site is setting up the first user account (UID 1). We commonly see it given a username that is some variation of "admin". This account should be handled with care, since it is supremely powerful: it holds every permission on the site. It is equivalent to the root user, or the sudo (superuser do) command, in the Unix/Linux world. If a malicious user is able to obtain access to this account, it’s ALL YOUR DATABASE ARE BELONG TO US time.

So access to UID 1 should be guarded with care. Its use is really reserved for performing database updates and worst-case troubleshooting. Routine site administration tasks, such as adding users and moderating content, should be performed with other user accounts. For this reason, we recommend using a clear username to distinguish UID 1 from other administrative roles. My preferred username for UID 1 is superuser. Another option mentioned earlier is root, but this connotes access to a directory structure, not permissions, which isn’t as relevant. In any case, I’m not alone in preferring superuser, as a casual Google search confirms.

So now that UID 1 is done, we move along and create some additional user accounts to work on the site. To simplify the development process, out-of-the-box Drupal creates an Administrator role that conveniently has access to every permission on the site. While that’s quite handy when configuring URL alias patterns and accessing devel output, it’s often not appropriate for routine administrative tasks. Sound familiar? Once again, it makes sense to override Drupal’s default naming conventions and change the administrator role to developer. On some occasions, I’ve found myself disabling the built-in “Administrator role” feature entirely, since I specifically don’t want certain permissions assigned to the developer role.

For better or worse, out-of-the-box Drupal tends to assume that the site administrator is also the site builder. While this developer-centricity endears Drupal to us developers, it can be confusing and even dangerous on larger projects. Fortunately, Drupal is flexible and easily changed to suit these needs.

Update: we now recommend appending a random string to the UID 1 username to obscure access to this critical account, for example, "superuser-?4LRHWZ8+D". This username might not be short, but the superuser prefix is descriptive to other users and it's sufficiently random to thwart a concerted attack on your site.
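As an added illustration (not code from the original post or from Isovera), here is a Drush PHP script against the Drupal 8+ entity API that audits the conventions above: it flags a UID 1 named after "admin", lists the roles carrying Drupal's is_admin flag together with the accounts that hold them, and proposes a superuser-<random> name built only from characters Drupal's username validator accepts. The file name admin_audit.php and the two function names are assumptions.

```php
<?php
// admin_audit.php (hypothetical name): run with `drush php:script admin_audit.php`.
// Added example, not Isovera's tooling; assumes the Drupal 8+ entity API and Drush.
use Drupal\Component\Utility\Crypt;
use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;

// Audit UID 1 and the is_admin role; returns findings as strings.
// An empty array means the site already follows the conventions above.
function admin_audit(): array {
  $findings = [];
  // 1. UID 1 bypasses every permission check, so its name should not
  //    look like a routine "admin" account.
  $name = User::load(1)->getAccountName();
  if (preg_match('/^admin/i', $name)) {
    $findings[] = "UID 1 is named '$name': rename it in the superuser-<random> form.";
  }
  // 2. A role flagged is_admin receives every permission automatically,
  //    including permissions added by modules installed later.
  $admin_rids = [];
  foreach (Role::loadMultiple() as $role) {
    if ($role->isAdmin()) {
      $admin_rids[] = $role->id();
      $findings[] = sprintf("Role '%s' (%s) is the is_admin role: relabel it 'Developer' or clear the flag via setIsAdmin(FALSE).", $role->label(), $role->id());
    }
  }
  // 3. List accounts other than UID 1 that hold an is_admin role.
  if ($admin_rids) {
    $uids = \Drupal::entityTypeManager()->getStorage('user')->getQuery()
      ->accessCheck(FALSE)
      ->condition('roles', $admin_rids, 'IN')
      ->condition('uid', 1, '<>')
      ->execute();
    foreach (User::loadMultiple($uids) as $account) {
      $findings[] = sprintf("User '%s' (uid %d) holds an is_admin role; routine editors need a narrower role.", $account->getAccountName(), $account->id());
    }
  }
  return $findings;
}

// Suggested UID 1 name: "superuser-" plus 12 URL-safe base64 characters (letters,
// digits, '-' and '_'), all of which Drupal's username validator accepts.
function superuser_name(): string {
  return 'superuser-' . Crypt::randomBytesBase64(9);
}

foreach (admin_audit() as $finding) {
  echo "- $finding\n";
}
echo 'Suggested UID 1 name: ' . superuser_name() . "\n";
```

Run it before and after renaming UID 1 and relabelling the administrator role; an empty findings list confirms the change took effect.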
