Configurable Admin URL

Hello,

I’ve started using Ghost after testing and evaluating a lot of other CMSs. I am very happy with my choice. For that reason I would have put a “Powered by Ghost” link pointing to ghost.org in the footer, if this did not tell the world where you can log in to the admin pages.

I know there are several options to harden a Ghost instance. However, I appreciate every bit of extra security. So I would like to have the possibility to configure the relative URL of the admin pages.

Thanks,
Johan

Whilst there’s not currently an option to configure the path the admin lives on, you can configure the domain via the adminUrl config property. It’s not what you asked for, but it might help with your requirements in the meantime.

e.g. site hosted at site.com & admin hosted at some-non-advertised-domain.com/ghost

Although it is possible to change the domain that the admin lives on as @egg pointed out, it won’t immediately buy you what you asked for because there are still redirects in place to the real admin location.

https://example.com/ghost/
https://example.com/admin/
https://example.com/{post}/edit

There are also many ways to “fingerprint” a website to tell if it is running Ghost or some other software, whether or not you have a “Powered by Ghost” link in the footer.

If you want some real security (which obfuscation will never truly get you) the better approach would be to configure your webserver/proxy to limit access to the /ghost/* endpoints so that it’s only accessible by your IP address or with a particular certificate. Just be aware that the API also lives at /ghost/api/* so you would need to take that into consideration if you want to use any 3rd party integrations that utilise the API.

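As an added illustration of the proxy-level restriction suggested above (example configuration written for this thread, not configuration shipped by the Ghost project), here is an nginx server block that fronts a Ghost instance and only lets a trusted source address, or a client presenting a certificate from a private CA, reach /ghost/, while leaving /ghost/api/ open so third-party integrations keep working. The backend address 127.0.0.1:2368, the trusted IP 203.0.113.10, the certificate paths and the hostname example.com are all assumptions to be replaced with your own values.

```nginx
# Example nginx configuration (added for this thread; not from the Ghost project).
# Assumptions: Ghost listens on 127.0.0.1:2368, the trusted admin address is
# 203.0.113.10, admin client certificates are issued by the CA in
# /etc/nginx/admin-client-ca.pem, and the site is served as https://example.com.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Ask every client for a certificate, but do not fail the handshake when
    # none is presented: the public site must stay reachable by everyone.
    # The requirement is enforced per location below via $ssl_client_verify.
    ssl_client_certificate /etc/nginx/admin-client-ca.pem;
    ssl_verify_client      optional;

    # The API lives under /ghost/api/ and is needed by integrations such as
    # webhooks or publishing tools. nginx picks the longest matching prefix,
    # so this location wins over /ghost/ for API requests and stays open.
    location ^~ /ghost/api/ {
        proxy_pass         http://127.0.0.1:2368;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }

    # Admin UI: allow either the trusted address OR a verified client
    # certificate; everything else gets 403 before reaching Ghost.
    location ^~ /ghost/ {
        set $admin_ok 0;
        if ($remote_addr = 203.0.113.10)     { set $admin_ok 1; }
        if ($ssl_client_verify = SUCCESS)    { set $admin_ok 1; }
        if ($admin_ok = 0)                   { return 403; }

        proxy_pass         http://127.0.0.1:2368;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }

    # Public site.
    location / {
        proxy_pass         http://127.0.0.1:2368;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Two things to keep in mind when using a rule like this. First, it restricts access but does not hide anything: requests to /admin/ or /{post}/edit still pass through to Ghost, which answers with its usual redirect to /ghost/, and only that follow-up request is refused. Second, the browser session of an authorised editor talks to /ghost/api/ as well, which is why that prefix is left open; if you do not use any integrations you could tighten it with the same IP or certificate condition, at the cost of locking out tooling that does not present a client certificate.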

I should note that restricting the admin in such a way is an additional security measure that may well be overkill for the majority of sites. There have been no known exploits of the API authentication and we take security very seriously; you should feel safe when running a Ghost site as long as you follow good password practices and have a good server security setup around your site.


Exactly this idea came up to my mind today. So I’ll give it a try.

Thanks for the hint about /ghost/api/*, I did not have that one on the radar.

Not sure if other people have this concern, but I may have a few clients that are potentially “superstitious”. If they don’t see any reference to the word “ghost”, it’s fine. Can’t we make it configurable, or just plain old ‘/admin’ or ‘/gadmin’ or something?
