CMS Security for ProcessWire

Security is our number one priority with ProcessWire. Make it your number one priority too. In this section we attempt to cover some of the more important aspects in maintaining a secure installation.

Beyond just using ProcessWire to power your site or application, a big part of maintaining good security involves securing your web server and file system, writing secure code in your template files, installing only the modules/plugins that you need, securing your admin panel, and adhering to security best practices. In this section we attempt to cover some of the more important aspects in maintaining a secure installation.

  • Securing file permissions

    Getting your file permissions right is one of the most important factors in maintaining the security of your ProcessWire installation, particularly in non-dedicated/shared environments.
  • Securing your admin

    Information on hiding your admin, preventing dictionary attacks, installing SSL certificates, keeping track of logins and more.
  • Web hosting security

    When possible, your production sites running ProcessWire (or any CMS) should ideally be in a dedicated environment. This doesn't necessarily mean a dedicated server…
  • Migrating to production

    Unless the production server is a completely dedicated environment, don't assume that what was safe on your development server will also be safe on the production server.
  • Remove unnecessary files

    ProcessWire comes with several files that you will no longer need after installation.
  • Database-driven sessions

    Database-driven sessions offer potentially better security since the session information is not stored on the file system.
  • Running ProcessWire alongside other software

    ProcessWire will happily run alongside almost any other PHP application, including other CMSs. However, security on your site will only be as good as the weakest link.
  • Third party modules

    We can vouch for the security of the code that we write in the ProcessWire core, but we can't vouch for the security of third party modules. Follow these guidelines to maximize your security with third party modules.
  • Template files

    While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.
  • 2-factor authentication

    Two factor authentication gives you an extra layer of account security relative to just using a password. ProcessWire comes built-in with support for 2-factor authentication, and this page provides more information on how to enable and use it.

Twitter updates

  • New post: Version 3.0.135 of ProcessWire on the dev branch focuses on some .htaccess updates, adds clarity to debug mode, and improves upon the installer— More
    5 July 2019
  • ProcessWire 3.0.133 adds a useful new Page::meta() method for a new type of page-specific persistent data storage, adds the ability for users to create their own bookmarks in Lister, and has a handy and time saving update for the asmSelect input type— More
    14 June 2019
  • New post: This week we’ll take a look at 3 different WEBP image strategies that you can use in ProcessWire 3.0.132+. Then we’ll dive into a major update for the Google Client API module, and finish up by outlining some useful new updates in FormBuilder— More
    31 May 2019

Latest news

  • ProcessWire Weekly #270
    This week in the 270th issue of ProcessWire Weekly we're going to cover the SearchEngine module, feature some recent support forum highlights, and introduce a brand new site of the week. Read on!
    Weekly.pw / 13 July 2019
  • ProcessWire 3.0.135 core updates
    Version 3.0.135 of ProcessWire on the dev branch focuses on .htaccess updates, adds additional layers of security, adds clarity to debug mode, and improves upon the installer.
    Blog / 3 July 2019
  • Subscribe to weekly ProcessWire news

“Indeed, if ProcessWire can be considered as a CMS in its own right, it also offers all the advantages of a CMF (Content Management Framework). Unlike other solutions, the programmer is not forced to follow the proposed model and can integrate his/her ways of doing things.” —Guy Verville, Spiria Digital Inc.