Securing your admin

Information on hiding your admin, preventing dictionary attacks, installing SSL certificates, keeping track of logins and more.

Hiding your admin URL

The default ProcessWire admin URL is If you want to hide the location of your admin URL, you can rename it. You have the option of doing this during the installation process. You can also do it from the ProcessWire admin. Here's how:

  1. Log in to your ProcessWire admin. In the page tree, click and edit the Admin page.
  2. Click the Settings tab and change the Name field to something different. After changing it, save.
  3. You will get a 404 error. This is normal, because your admin no longer lives at the previous URL.
  4. In your browser address bar, enter your new admin URL and you are good to go.

Preventing dictionary attacks

You'll be glad to know that your ProcessWire admin login is secured automatically from dictionary attacks by the Session Login Throttle module, which is installed by default. This module throttles repeated login attempts, preventing the same username from being attempted for login more than once in 5 seconds. Every failed login attempt increases that waiting period exponentially, making rapid-fire dictionary attacks nearly impossible.

You can further lock down the settings of this module by configuring it (in Modules > Core > Session > Login Throttle). If your admin doesn't have simultaneous users coming from the same shared IP address, we recommend checking the box to enable throttling by IP address. When checked, not only will attempts for the same username be throttled, but any attempts (regardless of username) will be throttled by IP address as well.

The only reason that we don't have this "throttle by IP" box checked by default is because some clients have multiple users coming from the same IP address. In that instance, one person forgetting their password could temporarily prevent other people from logging in.
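The trade-off between the two throttling modes can be seen in a small model. This is an added example, not ProcessWire's own code: the class, its names, the doubling factor and the sample address are assumptions, and only the 5-second starting wait comes from the text above.

```python
class LoginThrottle:
    """Model of the throttling described above; not ProcessWire's own code."""

    def __init__(self, by_ip=False, base_wait=5, factor=2):
        self.by_ip = by_ip          # the "throttle by IP" checkbox
        self.base_wait = base_wait  # 5 seconds, as stated in the text
        self.factor = factor        # assumed growth factor per failure
        self.failed = {}            # key -> (failure count, time of last failure)

    def _keys(self, username, ip):
        return [("user", username)] + ([("ip", ip)] if self.by_ip else [])

    def wait_remaining(self, username, ip, now):
        remaining = 0
        for key in self._keys(username, ip):
            if key in self.failed:
                count, last = self.failed[key]
                wait = self.base_wait * self.factor ** (count - 1)
                remaining = max(remaining, last + wait - now)
        return remaining

    def attempt(self, username, ip, now, password_ok):
        if self.wait_remaining(username, ip, now) > 0:
            return "throttled"      # rejected before the password is checked
        if password_ok:
            self.failed.pop(("user", username), None)
            return "ok"
        for key in self._keys(username, ip):
            count, _ = self.failed.get(key, (0, now))
            self.failed[key] = (count + 1, now)
        return "failed"


def wait_schedule(failures, **kw):
    """Waiting period in seconds after each consecutive failed attempt."""
    t = LoginThrottle(**kw)
    return [t.base_wait * t.factor ** n for n in range(failures)]


def shared_ip_demo(by_ip):
    """One user mistypes a password three times; a colleague behind the
    same address (constructed, 203.0.113.10) then logs in correctly."""
    t = LoginThrottle(by_ip=by_ip)
    for now in (0, 5, 15):          # each retry waits out the current delay
        assert t.attempt("alice", "203.0.113.10", now, False) == "failed"
    return t.attempt("bob", "203.0.113.10", 16, True)
```

With username-only throttling the colleague logs in normally; with IP throttling enabled the same attempt is rejected until the shared address's waiting period expires.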

Install an SSL certificate and require https for your admin

Plain HTTP traffic is inherently insecure: everything sent to and from the server is unencrypted. This includes any login information you use to get into your admin, as well as cookies used to maintain your session. By installing an SSL certificate and serving the admin over https, you drastically reduce the potential for this information to be intercepted over the network by third parties. As a result, installing an SSL certificate is one of the best security upgrades you can make for your site.

Once you've got an SSL certificate installed on your server, you need to make sure that it is put to use. At minimum, we recommend locking down your "admin" template to only allow https traffic. However, make sure that your site is accessible via https before you do this, otherwise you could lock yourself out of the admin.

Once you have confirmed that your site is accessible via https, log in to your admin (using the https URL), and do the following:

  1. Click "Setup" then "Templates" (click the Templates label rather than a specific template).
  2. Click the "Filters" box, then "Show system templates", and choose "Yes".
  3. When the page reloads, you'll have a "System" section where you will see an "admin" template. Click "admin".
  4. Click the "URLs" tab and scroll to the "Scheme/Protocol" section. Click "HTTPS only" and Save.

Keep track of logins

A good security practice is to keep track of who is using the ProcessWire admin. It can be helpful to keep track of both successful and failed logins, and may serve as an early warning when someone is snooping around. You can access the built-in session log via Setup > Logs > session.

If you'd like more information or options than what the default session log includes, take a look at the Login Notifier module by Ryan Cramer or the Login History module by Teppo Koivula.
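A review of the session log can also be scripted. The following is an added example, not part of ProcessWire: it assumes tab-separated log lines that begin with a timestamp and contain "Failed login for 'name'" or "Successful login for 'name'", and the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed format: time, user, URL, message.
SAMPLE_LOG = (
    "2020-03-20 09:00:01\tguest\thttps://example.com/admin/\tFailed login for 'admin' - bad password\n"
    "2020-03-20 09:00:07\tguest\thttps://example.com/admin/\tFailed login for 'admin' - bad password\n"
    "2020-03-20 09:00:19\tguest\thttps://example.com/admin/\tFailed login for 'admin' - bad password\n"
    "2020-03-20 09:00:45\tadmin\thttps://example.com/admin/\tSuccessful login for 'admin'\n"
    "2020-03-20 11:00:00\tguest\thttps://example.com/admin/\tFailed login for 'editor' - bad password\n"
    "2020-03-20 11:00:40\teditor\thttps://example.com/admin/\tSuccessful login for 'editor'\n"
)

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t.*?"
    r"(?P<result>Failed|Successful) login for '(?P<name>[^']*)'"
)


def parse(log_text):
    """Return (timestamp, username, succeeded) for every login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # lines that are not login events are ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["name"], m["result"] == "Successful"))
    return events


def review(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag usernames with `threshold` failures inside `window`, and any
    successful login that directly follows such a run of failures."""
    recent = defaultdict(list)  # username -> timestamps of recent failures
    alerts = []
    for ts, name, ok in sorted(parse(log_text)):
        recent[name] = [t for t in recent[name] if ts - t <= window]
        if ok:
            if len(recent[name]) >= threshold:
                alerts.append((name, "login succeeded after repeated failures"))
            recent[name] = []
        else:
            recent[name].append(ts)
            if len(recent[name]) == threshold:
                alerts.append((name, "repeated failed logins"))
    return alerts
```

On the sample, the run of failures against "admin" and the success that follows it are both flagged, while the single mistyped password for "editor" is not.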

Don't install the "forgot password" module unless you need it

ProcessWire comes with a module called Process Forgot Password, which can be installed in your admin under Modules > Core > Process > Forgot Password. This can be very handy for many installations. But if it's something that your installation doesn't need, then don't install it.

While we've gone to great efforts to ensure our forgot password module is secure (and in fact, more secure than any other we've seen), it still involves emailing the user a time-limited link to reset their password. As you may already know, email is not the safest way to transport confidential information, so limiting what can happen with email, when you can, is worthwhile.

It's worth noting that ProcessWire's forgot password function only works if the session that requested the reset is the same session that clicks the email link and performs the reset. That provides an additional layer of security over other password reset functions that we've seen. But if your email account is compromised, then all bets are off: your ProcessWire password then has the potential to be compromised as well. So if your site doesn't absolutely need a forgot password function, then don't install it.

Choose strong passwords

This goes without saying, but regardless of how well your admin URL is hidden, you should make sure you (and any other ProcessWire user accounts) have good passwords that aren't used elsewhere.

Install 2-factor (or multi-factor) authentication

See this page for more details on two-factor authentication in ProcessWire
