diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 94bc9bb2ff835b4cdd36f589eafe7aeab3d1983b..53273023e6ec5e9573f0e2f3d35bf975cd517a9b 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.contrib.auth import views as auth_views
 from django.urls import include, path, reverse_lazy
 
@@ -37,7 +38,6 @@ public_urlpatterns = [
 urlpatterns = [
     path('account/', include([
         path('', AccountView.as_view(), name='account'),
-        path('become/', become, name='become'),
         path('password/', include([
             path('', EmailChangePasswordView.as_view(), name='email_change_confirm_password'),
             path(
@@ -94,3 +94,8 @@ urlpatterns = [
         path('oauth', oauth, name='oauth'),
     ])),
 ]
+
+if settings.HIJACK_ENABLE:
+    urlpatterns += [
+        path('account/become/', become, name='become'),
+    ]
diff --git a/hypha/apply/users/views.py b/hypha/apply/users/views.py
index 6bf3241b353e8be114120cc3ad00fb8d7cccfa76..7a520c64336ae74c2672dd8da1577b15964a9d97 100644
--- a/hypha/apply/users/views.py
+++ b/hypha/apply/users/views.py
@@ -89,7 +89,7 @@ class AccountView(UpdateView):
         return reverse_lazy('users:account')
 
     def get_context_data(self, **kwargs):
-        if self.request.user.is_superuser:
+        if self.request.user.is_superuser and settings.HIJACK_ENABLE:
             swappable_form = BecomeUserForm()
         else:
             swappable_form = None
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 8eb1f01fade095472701ffc1c85bd721e15fb794..845ef28b72e2c0ee0a2f5b115ce16612e3a3ea7b 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -143,10 +143,10 @@ MIDDLEWARE = [
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
     'django_otp.middleware.OTPMiddleware',
+    'hypha.apply.users.middleware.TwoFactorAuthenticationMiddleware',
 
     'hijack.middleware.HijackUserMiddleware',
 
-    'hypha.apply.users.middleware.TwoFactorAuthenticationMiddleware',
     'hypha.apply.users.middleware.SocialAuthExceptionMiddleware',
 
     'wagtail.contrib.redirects.middleware.RedirectMiddleware',
@@ -497,6 +497,7 @@ FILE_ALLOWED_EXTENSIONS = ['doc', 'docx', 'odp', 'ods', 'odt', 'pdf', 'ppt', 'pp
 FILE_ACCEPT_ATTR_VALUE = ', '.join(['.' + ext for ext in FILE_ALLOWED_EXTENSIONS])
 
 # Hijack Settings
+HIJACK_ENABLE = env.bool('HIJACK_ENABLE', False)
 HIJACK_LOGIN_REDIRECT_URL = '/dashboard/'
 HIJACK_LOGOUT_REDIRECT_URL = '/account/'
 HIJACK_DECORATOR = 'hypha.apply.users.decorators.superuser_decorator'