Securing your admin

Information on hiding your admin, preventing dictionary attacks, installing SSL certificates, keeping track of logins and more.

Hiding your admin URL

The default ProcessWire admin URL is domain.com/processwire/. If you want to hide the location of your admin URL, you can rename it. You have the option of doing this during the installation process. You can also do it from the ProcessWire admin. Here's how:

  1. Log in to your ProcessWire admin. In the page tree, click and edit the Admin page.
  2. Click the Settings tab and change the Name field to something different. After changing it, save.
  3. You will get a 404 error; this is normal, because your admin no longer lives at the previous URL.
  4. In your browser address bar, enter your new admin URL and you are good to go.

Preventing dictionary attacks

You'll be glad to know that your ProcessWire admin login is protected automatically against dictionary attacks by the Session Login Throttle module, which is installed by default. This module throttles repeated login attempts, preventing the same username from being attempted for login more than once in 5 seconds. Every failed login attempt increases that waiting period exponentially, making rapid-fire dictionary attacks nearly impossible.

You can further lock down the settings of this module by configuring it (in Modules > Core > Session > Login Throttle). If your admin doesn't have simultaneous users coming from the same shared IP address, we recommend checking the box to enable throttling by IP address. When checked, not only will attempts for the same username be throttled, but any attempts (regardless of username) will be throttled by IP address as well.

The only reason that we don't have this "throttle by IP" box checked by default is because some clients have multiple users coming from the same IP address. In that instance, one person forgetting their password could temporarily prevent other people from logging in.
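To make the throttling behaviour and the shared-IP trade-off concrete, here is a small Python model of such a throttle. It is an added illustration written for this page, not the code of ProcessWire's Session Login Throttle module. It assumes a 5-second base delay that doubles with every consecutive failed attempt for the same username (and, when the option is on, the same IP address); the module's actual growth curve is not stated above, and the usernames and IP address are made up.

```python
"""Model of a login throttle with exponential backoff.

Added illustration only: this is not ProcessWire's Session Login Throttle
module. Assumed behaviour (taken from the description above): a username may
be tried at most once per 5 seconds, and every consecutive failed attempt
doubles that waiting period; the module's real growth curve is not stated.
"""
from dataclasses import dataclass, field

BASE_DELAY = 5  # seconds; minimum gap between attempts for one username


@dataclass
class LoginThrottle:
    # When True, the same rule is also applied per client IP address
    # (the optional "throttle by IP" setting described above).
    throttle_by_ip: bool = False
    # key -> (consecutive failures, time of the last recorded attempt)
    _state: dict = field(default_factory=dict)

    def _keys(self, username, ip):
        keys = [("user", username)]
        if self.throttle_by_ip:
            keys.append(("ip", ip))
        return keys

    def seconds_until_allowed(self, key, now):
        """Remaining wait for one key; 0 means an attempt may be made now."""
        failures, last = self._state.get(key, (0, None))
        if last is None:
            return 0
        required = BASE_DELAY * 2 ** failures  # 5, 10, 20, 40, ... seconds
        return max(0, required - (now - last))

    def attempt(self, username, ip, password_ok, now):
        """Process one login attempt at time `now` (seconds).

        Returns (allowed, reason). A throttled attempt is rejected without
        being checked or recorded; a success resets the failure counter.
        """
        for key in self._keys(username, ip):
            wait = self.seconds_until_allowed(key, now)
            if wait > 0:
                return False, f"throttled on {key[0]} {key[1]}: wait {wait}s"
        for key in self._keys(username, ip):
            failures, _ = self._state.get(key, (0, None))
            self._state[key] = (0 if password_ok else failures + 1, now)
        return (True, "ok") if password_ok else (False, "bad password")


def shared_ip_scenario(throttle_by_ip):
    """Two users behind one NAT address (constructed): does alice's typo
    block bob? Returns True if bob's correct login 3 seconds later is accepted.
    """
    t = LoginThrottle(throttle_by_ip=throttle_by_ip)
    t.attempt("alice", "203.0.113.10", password_ok=False, now=0)
    allowed, _ = t.attempt("bob", "203.0.113.10", password_ok=True, now=3)
    return allowed


if __name__ == "__main__":
    print("bob logs in (throttle by IP off):", shared_ip_scenario(False))
    print("bob logs in (throttle by IP on): ", shared_ip_scenario(True))
```

Running the script shows the trade-off from the paragraph above: with throttling by IP off, bob's login behind the shared address succeeds; with it on, alice's single failed attempt makes bob wait out the doubled delay as well. That is exactly why the option is worth enabling only when your admin users do not share an IP address.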

Install an SSL certificate and require https for your admin

Plain HTTP traffic is unencrypted: everything sent to and from the server can be read in transit. This includes any login information you use to get into your admin, as well as the cookies used to maintain your session. By installing an SSL certificate, you drastically reduce the potential for this information to be intercepted over the network by third parties. As a result, installing an SSL certificate is one of the best security upgrades you can make for your site.

Once you've got an SSL certificate installed on your server, you need to make sure that it is put to use. At minimum, we recommend locking down your "admin" template to only allow https traffic. However, make sure that your site is accessible via https://yourdomain.com before you do this, otherwise you could lock yourself out of the admin.

Once you have confirmed that your site is accessible via https, log in to your admin (using the https URL), and do the following:

  1. Click "Setup" then "Templates" (click the Templates label rather than a specific template).
  2. Click the "Filters" box, then "Show system templates", and choose "Yes".
  3. When the page reloads, you'll have a "System" section where you will see an "admin" template. Click "admin".
  4. Click the "URLs" tab and scroll to the "Scheme/Protocol" section. Click "HTTPS only" and Save.

Keep track of logins

A good security practice is to keep track of who is using the ProcessWire admin. It can be helpful to keep track of both successful and failed logins, and may serve as an early warning when someone is snooping around. You can access the built-in session log via Setup > Logs > session.

If you'd like more information or options than what the default session log includes, take a look at the Login Notifier module by Ryan Cramer or the Login History module by Teppo Koivula.
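As an added example of the "early warning" the session log can provide, the following Python script scans log lines for bursts of failed logins per username and per source address. It is not part of ProcessWire or of this page. The sample lines are constructed: the tab-separated date, user, URL and message layout follows the shape of ProcessWire's file logs, but the message wording and the "from IP" suffix are assumed, so the regular expression will need adjusting to whatever your own Setup > Logs > session output looks like.

```python
"""Flag bursts of failed logins in a session log.

Added example; not part of ProcessWire or of the page. The log lines below
are constructed: the tab-separated "date<TAB>user<TAB>url<TAB>message" shape
follows ProcessWire's file logs, but the message wording and the "from IP"
suffix are assumed and may differ from what your install writes, so adjust
FAIL_RE to match your own Setup > Logs > session output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five bad tries for 'admin' and one for 'editor'
# from one address within a few minutes, then normal activity later.
SAMPLE_LOG = (
    "2019-04-12 10:00:01\tguest\t/processwire/\tFailed login for 'admin' from 198.51.100.7\n"
    "2019-04-12 10:00:09\tguest\t/processwire/\tFailed login for 'admin' from 198.51.100.7\n"
    "2019-04-12 10:00:25\tguest\t/processwire/\tFailed login for 'admin' from 198.51.100.7\n"
    "2019-04-12 10:01:05\tguest\t/processwire/\tFailed login for 'admin' from 198.51.100.7\n"
    "2019-04-12 10:02:30\tguest\t/processwire/\tFailed login for 'admin' from 198.51.100.7\n"
    "2019-04-12 10:03:10\tguest\t/processwire/\tFailed login for 'editor' from 198.51.100.7\n"
    "2019-04-12 10:15:00\teditor\t/processwire/\tSuccessful login for 'editor' from 203.0.113.5\n"
    "2019-04-12 11:40:12\tguest\t/processwire/\tFailed login for 'editor' from 203.0.113.5\n"
)

# Assumed message format; change to match your own session log.
FAIL_RE = re.compile(r"Failed login for '(?P<user>[^']+)' from (?P<ip>\S+)")


def parse_failures(log_text):
    """Return a list of (timestamp, username, ip) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        match = FAIL_RE.search(fields[3])
        if not match:
            continue  # successful logins and other messages are ignored here
        stamp = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        events.append((stamp, match["user"], match["ip"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failures per username and per source IP.

    Returns {("user" | "ip", value): peak count} for every key that reaches
    `threshold` failures inside any span of length `window`.
    """
    alerts = {}
    for label, index in (("user", 1), ("ip", 2)):
        groups = defaultdict(list)
        for event in events:
            groups[event[index]].append(event[0])
        for value, stamps in groups.items():
            stamps.sort()
            start = 0
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] > window:
                    start += 1
                count = end - start + 1
                if count >= threshold:
                    alerts[(label, value)] = max(alerts.get((label, value), 0), count)
    return alerts


if __name__ == "__main__":
    for (label, value), count in sorted(find_bursts(parse_failures(SAMPLE_LOG)).items()):
        print(f"{label} {value}: {count} failed logins within 10 minutes")
```

Counting per source address as well as per username catches the case where one client cycles through several account names, which a per-username view alone would miss; the single later failure for 'editor' from a different address falls outside the window and is correctly left alone.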

Don't install the "forgot password" module unless you need it

ProcessWire comes with a module called Process Forgot Password, which can be installed in your admin under Modules > Core > Process > Forgot Password. This can be very handy for many installations. But if it's something that your installation doesn't need, then don't install it.

While we've gone to great efforts to ensure our forgot password module is secure (and in fact, more secure than any other we've seen), it still involves emailing the user a time-limited link to reset their password. As you may already know, email is not the safest way to transport confidential information, so limiting what can happen over email, when you can, is worthwhile.

It's worth noting that ProcessWire's forgot password function only works if the session that requested the reset is the same session that clicks the email link and performs the reset. That provides an additional layer of security over other password reset functions that we've seen. But if your email account is compromised, then all bets are off: your ProcessWire password then has the potential to be compromised as well. So if your site doesn't absolutely need a forgot password function, then don't install it.

Choose strong passwords

This goes without saying, but regardless of how well your admin URL is hidden, you should make sure you (and any other ProcessWire user accounts) have good passwords that aren't used elsewhere.

Install 2-factor (or multi-factor) authentication

See this page for more details on two-factor authentication in ProcessWire.
