When setting up a Drupal 7 website for the very first time, one of the features that is bound to make website owners nervous is the visibility of the default login block. By leaving an obvious and very public path to log in to your website, you are inviting unwanted logins.
There is a simple solution for Drupal newcomers to remove this block…
In the admin menu go to Structure > Blocks and look for the User Login block.
By default this block will be configured to display in the First Sidebar or Second Sidebar region of your Drupal theme but, to ensure it does not show at all, select "- None -" from the dropdown and click Save Blocks at the foot of the admin page.
That’s the first step to stopping unwanted accounts.
However, this is not quite enough. When you need to log in yourself, you will probably go to the page http://yourdomain.com/user/login and be presented with a login screen with a tab labelled Create new account. Even if you’ve removed your user login block, determined people (and bots) will still look for the URL http://yourdomain.com/user/login and attempt to get in that way. The result, as we found out for ourselves, is that you will receive regular emails with a subject line like this:
Account details for random9899873634 at Your Website Name (pending admin approval)
So, despite removing the default login block, your login page provides a clear and obvious invitation.
To get rid of this tab, in the admin navigate to Configuration > People > Account Settings and look for the box titled Registration and Cancellation. By default, the option for Who can register accounts? is set to “Visitors, but administrator approval is required”. You want to select the radio button that says “Administrators only”, scroll to the foot of the page and click the “Save configuration” button.
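And that’s it. You have now stopped displaying the default Drupal login block and have removed the option for casual visitors to your site to create an account. The login page at http://yourdomain.com/user/login is still there for when you need to log in yourself.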
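
To confirm both changes from the outside, the check below (an added example, not part of the original post) looks at what an anonymous visitor receives. It assumes Drupal 7 core behaviour with clean URLs: the login block's form carries `id="user-login-form"`, and `/user/register` answers 403 once registration is set to "Administrators only". The function names and sample HTML are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks, as an anonymous visitor would see the site, that the
# User Login block is hidden and that visitor registration is closed.
# Assumes Drupal 7 core markup and status codes; function names are illustrative.

# True if the HTML contains the User Login block (its form id is user-login-form;
# the full-page form at /user/login uses id="user-login" and is not matched).
has_login_block() {
  printf '%s' "$1" | grep -q 'id="user-login-form"'
}

# True if the HTML links to user/register (the "Create new account" tab).
has_register_link() {
  printf '%s' "$1" | grep -Eq 'href="[^"]*user/register"'
}

# audit FRONT_HTML LOGIN_HTML REGISTER_STATUS
# Prints one line per finding and returns the number of failed checks.
audit() {
  fails=0
  if has_login_block "$1"; then
    echo "FAIL: User Login block is rendered on the front page"; fails=$((fails + 1))
  fi
  if has_register_link "$2"; then
    echo "FAIL: login page still offers Create new account"; fails=$((fails + 1))
  fi
  if [ "$3" != "403" ]; then
    echo "FAIL: /user/register returned $3, expected 403"; fails=$((fails + 1))
  fi
  [ "$fails" -eq 0 ] && echo "OK: login block hidden, registration closed"
  return "$fails"
}

# Live check. Usage after sourcing this file: audit_site http://yourdomain.com
audit_site() {
  base="${1%/}"
  front=$(curl -sS "$base/") || return 9
  login=$(curl -sS "$base/user/login") || return 9
  code=$(curl -s -o /dev/null -w '%{http_code}' "$base/user/register") || return 9
  audit "$front" "$login" "$code"
}

# Constructed sample of a default install, so the script shows output offline.
SAMPLE_FRONT='<form action="/node?destination=node" id="user-login-form"></form>'
SAMPLE_LOGIN='<a href="/user/register">Create new account</a><form id="user-login"></form>'
audit "$SAMPLE_FRONT" "$SAMPLE_LOGIN" 200 || true
```

Running `audit_site` again after a theme change or module update catches the block being re-enabled in a different region.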