
Disable Online Users / Admin

Solved by pamtbaau

Started by Grav Zeutibert von Zahl 6 years ago · 6 replies · 1207 views
6 years ago

Hello,
I am quite pleased to have found this quick and lean CMS.
Currently I am finishing a small web-application and I would like to make it as secure as possible.
Is there any way to completely remove the possibility of the web user login?
Preferably I would like to only allow access through ssh.

Thanks a lot!

6 years ago

@GravZahl, Do you mean the login screen for Admin? If so, know that you can run Grav without the Admin plugin.

If you install Grav core only on your production machine, there will be no Admin plugin and no Admin login screen.
You might need to install some plugins like Form and Email manually if you make use of them.

Or, if Admin is already installed, you could remove folder '/user/plugins/admin'.

6 years ago

Possibly the most convenient and simple way is not to remove the /user/plugins/admin folder but rename it. Only when you want to use the Admin panel interface again simply temporarily rename it back to /user/plugins/admin.

I know this is security by obscurity and whether or not that's secure enough depends on you of course.

6 years ago Solution

@GravZahl, Grav is a flat-file CMS, which means all configs and content are stored in flat-files. These flat-files can be accessed by any text-editor or shell tool.

There is nothing Admin can do which cannot be done through the shell (locally or through ssh).

All Admin does is give you (or the end-user) a more convenient way of managing the site, nothing more...

For completeness' sake, you can harden the security of Admin by:

  • Renaming the URL of Admin. This can be done by changing '/user/config/plugins/admin.yaml' and setting:

    ```yaml
    route: /my-hidden-admin-url
    ```

    Of course, this can also be set using the Admin plugin in the config section of the plugin.

  • Enabling two-factor authentication for the user.

@bleutzinn, I'm not sure if your approach is a form of 'security by obscurity', because Admin cannot be accessed when renaming its folder.
Renaming the url for Admin sure is a form of 'security by obscurity'

last edited 08/08/20 by pamtbaau
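A small audit script for the points raised in this answer (Admin plugin absent, or present on a non-default route, and two-factor authentication enabled), added here as an example and not taken from the thread or from the Grav project. It assumes admin.yaml carries a top-level `route:` key and that account files under user/accounts mark 2FA with `twofa_enabled: true`; the sample site it is run against in the test is constructed.

```shell
#!/bin/sh
# Audit a Grav root for the Admin hardening discussed above:
#  1. Is the Admin plugin present at user/plugins/admin?
#  2. If present, is its route still the default /admin?
#  3. How many accounts have two-factor authentication enabled?
# Assumptions (not from the thread): admin.yaml uses a top-level "route:"
# key, and account YAML files carry "twofa_enabled: true" when 2FA is on.

grav_admin_route() {
    # Print the configured Admin route, or /admin when none is set.
    cfg="$1/user/config/plugins/admin.yaml"
    route=""
    if [ -f "$cfg" ]; then
        route=$(sed -n 's/^route:[[:space:]]*//p' "$cfg" | head -n 1 | tr -d "\"'")
    fi
    printf '%s\n' "${route:-/admin}"
}

grav_twofa_accounts() {
    # Print the number of account files that enable two-factor auth.
    n=0
    for f in "$1"/user/accounts/*.yaml; do
        [ -f "$f" ] || continue
        if grep -qE '^twofa_enabled:[[:space:]]*true' "$f"; then
            n=$((n + 1))
        fi
    done
    printf '%d\n' "$n"
}

grav_admin_audit() {
    # Report the state of the install; exit status 0 means no web Admin
    # (shell/ssh-only management), 1 means the Admin plugin is installed.
    root="$1"
    if [ ! -d "$root/user/plugins/admin" ]; then
        echo "Admin plugin not installed: site is managed via shell/ssh only."
        return 0
    fi
    route=$(grav_admin_route "$root")
    if [ "$route" = "/admin" ]; then
        echo "Admin present on the default route /admin (consider changing it)."
    else
        echo "Admin present on custom route $route."
    fi
    echo "Accounts with 2FA enabled: $(grav_twofa_accounts "$root")"
    return 1
}
```

Run it as `grav_admin_audit /path/to/grav` from a shell on the server; renaming or removing user/plugins/admin flips the exit status to 0.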
6 years ago

@pamtbaau, I agree with your comments on the use of the term ‘security by obscurity’.
