PHP Authentication Shield configuration

PHP Authentication Shield (https://www.drupal.org/project/shield) is great for blocking access to dev and stage sites, so I thought I'd document how I have it set up.

I usually have it installed and enabled on the Dev and Stage environments by default. It can be disabled or uninstalled if needed, but I set up my config split to ensure it is installed and enabled on Dev and Stage and completely uninstalled on Prod after a deployment, thanks to drush config:import running automatically as part of the deployment process.

My testing notes look like:
Log in to the site with an account that can administer the site
Visit the Extend section of the site via the admin menu toolbar or by going to: /admin/modules
Use the module filter to filter the list using the keyword shield or scroll down the list to the Administration section
Note that shield is ticked (on Dev and Stage) but unticked on Prod
Also visit the configuration page by following the Admin toolbar links to Configuration > System > Shield or visiting: /admin/config/system/shield
Note that under General the Enable Shield checkbox should be ticked.

Additional checks.
The username and password to bypass the shield should be unique to the client.
It is usual to set them to something generic and easily memorable for the client: the shield means the site cannot be easily accessed, but it is not meant to be a security barrier.
We can also set the Shield message to ask visitors to get in touch with the relevant account manager if access is required.
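
The testing notes above can also be checked from outside the site after each deployment. This is an added example, not part of the original post or the Shield project: it requests each environment without credentials and reports any whose HTTP Basic auth challenge does not match the expected state. The hostnames are placeholders, and it assumes the front page is not excluded from Shield.

```python
"""Post-deployment check: Shield challenges on Dev and Stage, not on Prod."""
import urllib.error
import urllib.request

# Expected Shield state per environment, taken from the testing notes.
# The hostnames are placeholders (assumptions), not values from the post.
EXPECTED = {
    "https://dev.example.com/": True,
    "https://stage.example.com/": True,
    "https://www.example.com/": False,
}


def shield_active(status, headers):
    """True when a response looks like an HTTP Basic auth challenge."""
    challenge = ""
    for name, value in headers.items():
        if name.lower() == "www-authenticate":
            challenge = value
    return status == 401 and challenge.strip().lower().startswith("basic")


def fetch(url, timeout=10):
    """Request url without credentials; return (status, headers)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # a 401 arrives as an exception
        return err.code, dict(err.headers.items())


def check(expected, fetcher=fetch):
    """Return (url, problem) pairs for environments in the wrong state."""
    problems = []
    for url, want_shield in expected.items():
        status, headers = fetcher(url)
        got = shield_active(status, headers)
        if got and not want_shield:
            problems.append((url, "Shield is still enabled"))
        elif want_shield and not got:
            problems.append((url, f"no Basic auth challenge (HTTP {status})"))
    return problems


if __name__ == "__main__":
    failures = check(EXPECTED)
    for url, problem in failures:
        print(f"FAIL {url}: {problem}")
    raise SystemExit(1 if failures else 0)
```

Run it as the last step of the deployment so that a Dev or Stage site left open, or a Prod site still behind the shield, fails the pipeline.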
