Securing your admin

Information on hiding your admin, preventing dictionary attacks, installing SSL certificates, keeping track of logins and more.

Hiding your admin URL

The default ProcessWire admin URL is domain.com/processwire/. If you want to hide the location of your admin URL, you can rename it. You have the option of doing this during the installation process. You can also do it from the ProcessWire admin. Here's how:

  1. Login to your ProcessWire admin. In the page tree, click and edit the Admin page.
  2. Click the Settings tab and change the Name field to something different. After changing it, save.
  3. You will get a 404 error–this is normal, because your admin no longer lives at the previous URL.
  4. In your browser address bar, enter your new admin URL and you are good to go.

Preventing dictionary attacks

You'll be glad to know that your ProcessWire admin login is secured automatically from dictionary attacks by the Session Login Throttle module, which is installed by default. This module throttles repeated login attempts, preventing the same username from being attempted for login more than once in 5 seconds. Every failed login attempt increases that waiting period exponentially, making rapid-fire dictionary attacks nearly impossible.

You can further lock down the settings of this module by configuring it (in Modules > Core > Session > Login Throttle). If your admin doesn't have simultaneous users coming from the same shared IP address, we recommend checking the box to enable throttling by IP address. When checked, not only will attempts for the same username be throttled, but any attempts (regardless of username) will be throttled by IP address as well.

The only reason that we don't have this "throttle by IP" box checked by default is because some clients have multiple users coming from the same IP address. In that instance, one person forgetting their password could temporarily prevent other people from logging in.

Install an SSL certificate and require https for your admin

Web traffic is inherently insecure and everything sent to and from the server is unencrypted. This includes any login information you use to get into your admin, as well as cookies used to maintain your session. By installing an SSL certificate, you drastically reduce the potential for this information to be intercepted over the network by 3rd parties. As a result, installing an SSL certificate is one of the best security upgrades you can make for your site.

Once you've got an SSL certificate installed on your server, you need to make sure that it is put to use. At minimum, we recommend locking down your "admin" template to only allow https traffic. However, make sure that your site is accessible via https://yourdomain.com before you do this, otherwise you could lock yourself out of the admin.

Once confirmed that your site is accessible via https, login to your admin (using the https URL), and do the following:

  1. Click "Setup" then "Templates" (click the Templates label rather than a specific template).
  2. Click the "Filters" box, then "Show system templates", and choose "Yes".
  3. When the page reloads, you'll have a "System" section where you will see an "admin" template. Click "admin".
  4. Click the "URLs" tab and scroll to the "Scheme/Protocol" section. Click "HTTPS only" and Save.

Keep track of logins

A good security practice is to keep track of who is using the ProcessWire admin. It can be helpful to keep track of both successful and failed logins, and may serve as an early warning when someone is snooping around. You can access the built-in session log via Setup > Logs > session.

If you'd like more information or options than what the default session log includes, take a look at the Login Notifier module by Ryan Cramer or the Login History module by Teppo Koivula.

Don't install the "forgot password" module unless you need it

ProcessWire comes with a module called Process Forgot Password, which can be installed in your admin under Modules > Core > Process > Forgot Password. This can be very handy for many installations. But if it's something that your installation doesn't need, then don't install it.

While we've gone to great efforts to ensure our forgot password module is secure (and in fact, more secure than any other we've seen), it still involves emailing the user a time-limited link to reset their password. As you may already know, email is not the safest way to transport confidential information, so limiting what can happen with email [when you can] is worthwhile.

It's worth noting that ProcessWire's forgot password function only works if the session that requested the reset is the same session that clicks the email link and performs the reset. That provides an additional layer of security over other password reset functions that we've seen. But if your email account is compromised, then all bets are off: your ProcessWire password then has the potential to be compromised as well. So if your site doesn't absolutely need a forgot password function, then don't install it.

Choose strong passwords

This goes without saying, but regardless of how well your admin URL is hidden, you should make sure you (and any other ProcessWire user accounts) have good passwords that aren't used elsewhere.

Install 2-factor (or multi-factor) authentication

See this page for more details on two-factor authentication in ProcessWire

Twitter updates

  • New post: A look at two new WireMail modules for sending email, plus details on how you can configure ProcessWire to use Gmail for sending email— More
    19 July 2019
  • New post: Version 3.0.135 of ProcessWire on the dev branch focuses on some .htaccess updates, adds clarity to debug mode, and improves upon the installer— More
    5 July 2019
  • ProcessWire 3.0.133 adds a useful new Page::meta() method for a new type of page-specific persistent data storage, adds the ability for users to create their own bookmarks in Lister, and has a handy and time saving update for the asmSelect input type— More
    14 June 2019

Latest news

  • ProcessWire Weekly #271
    In the 271st issue of ProcessWire Weekly we're going to introduce two brand new WireMail modules, a new Textformatter module from BitPoet, and a brand new markup module from Chris Thomson. Read on!
    Weekly.pw / 20 July 2019
  • Two new WireMail modules and using Gmail with PW
    A look at two new WireMail modules for sending email, plus details on how you can configure ProcessWire to use Gmail for sending email.
    Blog / 19 July 2019
  • Subscribe to weekly ProcessWire news

“…building with ProcessWire was a breeze, I really love all the flexibility the system provides. I can’t imagine using any other CMS in the future.” —Thomas Aull