I’m hoping to use Ghost to run a business website. However, I want to keep the admin part inaccessible to the public. I know that admin lives at /ghost, so my concern is that anyone can type in /ghost on the end of my post and just find the admin site. Are there ways around this currently?
@kxu the admin area is still protected by a username + password so none of the actual administration capabilities are “public” in that sense and there are no known vulnerabilities as long as you’re using a secure password. If you don’t plan on using the Content or Admin APIs via any external tools (they would still require credentials if you did, so again not “public”) then you can restrict the /ghost route in your web server/proxy setup so that it’s only accessible via your IP address or using a custom certificate.
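
The restriction described in the reply above, sketched as an nginx reverse-proxy configuration. This is an added example, not part of the original thread or Ghost's own documentation; it assumes nginx terminates TLS in front of Ghost on 127.0.0.1:2368 (Ghost's default port), and the hostname, file paths and allowed address are placeholders.

```nginx
# Constructed example values: blog.example.com, the certificate paths and
# 203.0.113.10 (a documentation-range address) are placeholders.
server {
    listen 443 ssl;
    server_name blog.example.com;

    ssl_certificate     /etc/nginx/tls/blog.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/blog.example.com.key;

    # Client-certificate check: the CA that issued the admin's certificate.
    # "optional" asks for a certificate without requiring one server-wide;
    # it is enforced only inside the /ghost/ location below.
    ssl_client_certificate /etc/nginx/tls/admin-ca.crt;
    ssl_verify_client      optional;

    # Public site, unrestricted.
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Exact match so that post slugs beginning with "ghost" stay public.
    location = /ghost { return 301 /ghost/; }

    # Admin UI plus everything under /ghost/api/ (Content and Admin APIs),
    # which is why this only suits sites that do not call those APIs from
    # external tools. "^~" stops any regex location from taking precedence.
    location ^~ /ghost/ {
        # Check 1: source-IP allowlist. This matches the TCP peer address,
        # so behind a CDN or load balancer it sees the proxy, not the user.
        allow 203.0.113.10;
        deny  all;

        # Check 2: require a client certificate verified against admin-ca.crt.
        if ($ssl_client_verify != SUCCESS) { return 403; }

        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

As written, both checks must pass; delete one of them to use the other alone. Validate the syntax with `nginx -t` before reloading.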