Grav Updates Add 2-factor Authentication, Flood Protection

Two new ways to secure Grav...

4 mins

Grav 1.3.3 and Grav Admin Panel 1.6.0 are here, and so are two-factor authentication, a new gaussianBlur media method, flood protection, and more.

Grav has come a long way over the past two years. It has grown from a simple flat-file CMS to a modular powerhouse with over 200 freely-available plugins and nearly 80 free themes in the repository.

It's our goal to continue to make Grav more useful and secure. In addition to not being a database-driven CMS, we have now introduced core support for two-factor authentication and rate limiting (flood protection) for the Grav Admin Panel.

These are two great new ways to secure Grav.

2-Factor Authentication

Available with Grav 1.3.3 and Admin Panel 1.6.0, you can now activate 2-factor authentication on your Grav site.

2-factor authentication is an excellent security measure that uses a rolling-clock style authentication method that generates six-digit codes you can use in addition to your username and password to access the Grav Admin.

To take advantage of this feature, you'll want to download a 2FA-supporting app such as Authy or Google Authenticator. This app will act as a virtual key ring for authentication codes.

How to Set it Up

Setting 2-factor authentication up in Grav is easy. All you need to do is navigate to Plugins > Admin Panel > Basics in the Grav Admin.

Here, you will find 2-Factor Authentication. You can choose to turn this feature on by selecting Yes. This will enable users to set up 2-factor authentication on their accounts.

Now, you can select your avatar image to access your user profile settings. Next, you will want to set the 2FA Enabled option to Yes.

A QR code will appear along with a 2FA secret key. Write the key down and put it somewhere safe.

Using your authenticator app of choice, scan the QR code or enter the secret key to register your 2FA key. Save your profile page to lock in your 2FA settings.

A purple 2FA badge will now appear next to your name in the sidebar. This badge lets you know that 2FA is active on the account.

You can now log out and log back in. You will be greeted with the same username and password fields, but once you enter this information, you will be asked to provide an additional six-digit code. This code is in your authenticator app. It resets every 30 seconds, so the code is only good during that short period. A new code will generate to replace it.

That's it! You now have a more secure Grav site!

Oh, and if you want to change your 2FA key, all you need to do is hit the big red Regenerate button.

Flood Protection

Brute force attacks are a popular choice for website intruders. It could come in the form of someone you know trying to guess your password over and over until they are finally successful or a bot spamming your site with login attempts until eventually the password has been discovered.

Grav's new flood protection feature makes these kinds of attacks exceptionally difficult. It allows you to set a number of failed login attempts within a specific amount of time before the account gets temporarily locked out. Additionally, you can restrict the amount of password reset requests applied to accounts before locking this feature out.

How to Set it Up

The settings for Grav's flood protection are found in the Login plugin. Simply navigate to Admin > Plugins > Login and select the Security tab.

Here, you can set the following:

  • Maximum number of password resets before lockout
  • Password reset maximum interval
  • Maximum failed logins before lockout
  • Maximum failed logins interval

This will enable you to determine how many failed password resets or logins are allowed in a set amount of time before lockout occurs. This log out is temporary and lasts as long as your set interval.

Other Updates

The latest round of Grav updates has also introduced a number of visual improvements to the Admin Panel, additional support for Microsoft Edge browser, and a new gaussianBlur media tool that beautifully blurs images.

Do you have any ideas for future Grav updates? Feel free to pass them along on GitHub or join the ongoing conversation on Slack.