Securing Grav Admin

Grav CMS can be used with an additional admin plugin to be able to administer the website without access to the actual file system.

This comes with potential danger, because whoever gains access to the admin plugin has unrestricted access to your Grav installation.

.htaccess Rule

With the following .htaccess rule you can protect the admin area of Grav with a password.

Simply add the following content to your .htaccess file in the root directory of your Grav installation e.g. /home/username/public_html/.htaccess.

AuthType Basic
AuthName "login"
AuthUserFile "/home/ae4/passwd"
SetEnvIf REQUEST_URI "^/(admin)" PROTECTED

Deny from all
Satisfy any
Allow from env=!PROTECTED

Require valid-user

Create htpasswd file for authentication

In order to be asked for a password when accessing the admin page, you must first create an htpasswd file.

htpasswd -c /home/ae3/htpasswd username

username can be replaced by a user of your choice. This command will prompt to enter a random password.

The next time you visit the admin page at domain.tld/admin you will now be prompted to enter a user and password before the regular Grav login appears. Now we have an additional protection, which protects the complete admin area from unauthorized access.

.htaccess Rule#

Create htpasswd file for authentication#

.htaccess Rule

Create htpasswd file for authentication