Ghost Admin Security: Is there any way to redirect Admin-URL (Redirection Alternative)

Hello Ghosters and Dev. Team,

I am currently using the latest update version of Ghost v4 (self-hosted).

I want to ask if there is any way or alternative solution to secure and hide or redirect our admin URL. Since most of the people who know about Ghost, for sure, know exactly what the admin URL path is (domain.com/ghost), anyone can enter that path easily. My concern is security.

Thank you.

1 Like

This was asked in the past, and the answer is kind of, and there are even some suggestions in the thread :)

Additionally, you can also require another layer of authentication using something like Cloudflare Access or subrequest authentication.

Hello @vikaspotluri123, thank you for answering my question.

Yeah, I just remember that we can set rule access on Cloudflare as well for this.

For the moment, instead of configuring the URL, the best option is only to layer this. Hoping that the Dev. team can do something about this in future updates, since I really love this Ghost CMS.

Thank you so much for your kind attention and help, @vikaspotluri123. Have a great day!

You can’t change the /ghost/ part but it’s possible to “hide” the admin using config.

{
    "url": "https://mysite.com/",
    "adminUrl": "https://secret.mysite.com/",
    "admin": {
        "redirects": false
    }
}

Your admin then lives at https://secret.mysite.com/ghost/ and https://mysite.com/ghost/ will 404 rather than redirect. However, if you are using the Content API via JS then your admin URL will still be exposed because it’s where Ghost’s API lives.

None of this really changes the security of your site; Ghost is already secure, and all it would be doing is obscuring things slightly. As @vikaspotluri123 said, if you want extra security you can place additional authentication mechanisms on top of your admin endpoints, but it’s worth remembering that this will also limit access for integrations, which will typically not be built to handle any additional auth.

3 Likes
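One way to check the behaviour described in the post above, as an added example that is not part of the thread or Ghost's own code: it classifies what the public hostname answers for `/ghost/` (404 versus a redirect that reveals the admin host) and whether public page source mentions the admin hostname. The function names and the sample responses and HTML are constructed; the hostnames are the ones from the post.

```python
"""Check whether a Ghost site's public hostname still exposes or reveals the admin."""
import http.client
from urllib.parse import urlsplit

def probe(base_url, path="/ghost/", timeout=5):
    """GET path without following redirects; return (status, Location header)."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(status, location, admin_host):
    """Interpret the public site's answer to GET /ghost/."""
    if status == 404:
        return "hidden"  # the outcome the post describes for redirects=false
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(location or "").hostname
        # A redirect to the admin host tells any visitor where the admin lives.
        return "redirect-leaks-admin-host" if target == admin_host else "redirect-other"
    if status == 200:
        return "admin-served-on-public-host"
    return f"unexpected-{status}"

def leaks_admin_host(html, admin_host):
    """True if public page source mentions the admin hostname (the Content API caveat)."""
    return admin_host.lower() in html.lower()

# Constructed sample answers for https://mysite.com/ghost/ (not captured from a real site).
ADMIN_HOST = "secret.mysite.com"
SAMPLES = {
    "config applied": (404, None),
    "still redirecting": (301, "https://secret.mysite.com/ghost/"),
    "config ignored": (200, None),
}
SAMPLE_HTML = '<script>const api = {url: "https://secret.mysite.com"};</script>'

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(f"{name}: {classify(status, location, ADMIN_HOST)}")
    print("page source reveals admin host:", leaks_admin_host(SAMPLE_HTML, ADMIN_HOST))
    # Against your own site: print(classify(*probe("https://mysite.com"), ADMIN_HOST))
```
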

Hi Kevin,

If you don’t mind me asking, what config file are we talking about? I tried the above on a local install and on my production, and http://localhost:2369/ghost and https://example.com/ghost/ still worked, even after a restart, after adding the below to config.development.json:

{
  "url": "http://localhost:2369/",
  "adminUrl": "http://secret.localhost:2369/",
  "admin": {
      "redirects": false
  },
  "server": {
    "port": 2369,
    "host": "127.0.0.1"
  
  },