Ghost Admin Security: Is there any way to redirect Admin-URL (Redirection Alternative)

georgie · April 16, 2021, 2:41am

Hello Ghosters and Dev. Team,

I am currently using the latest update version of Ghost v4 (self-hosted)

I want to ask if is there any way or alternative solution to secure and hide or redirect our admin URL? Since most of the people who know about Ghost, for sure, know exactly what the admin URL Path is, domain.com/ghost, anyone can enter that path easily. My concern is security reasons.

Thank you.

vikaspotluri123 · April 16, 2021, 2:53am

This was asked in the past, and the answer is kind-of, and there’s even some suggestions in the thread

Additionally, you can also require another layer of authentication using something like Cloudflare Access or subrequest authentication)

georgie · April 16, 2021, 3:00am

Hello @vikaspotluri123 , thank you for answering my question,

Yeah, I just remember that we can set rule access on Cloudflare as well for this.

For this moment, instead of configure the URL, the best option only to layer this. Hoping that Dev. team can do something for any future updates for this. Since I really love this Ghost CMS.

Thank you so much for your kind attention to help @vikaspotluri123 . Have a great day!

Kevin · April 16, 2021, 6:40am

You can’t change the /ghost/ part but it’s possible to “hide” the admin using config.

{
    "url": "https://mysite.com/",
    "adminUrl": "https://secret.mysite.com/",
    "admin": {
        "redirects": false
    }
}

Your admin then lives at https://secret.mysite.com/ghost/ and https://mysite.com/ghost/ will 404 rather than redirect. However, if you are using the Content API via JS then your admin url will still be exposed because it’s where Ghost’s API lives.

None of this really changes the security of your site, Ghost is already secure, all it would be doing is obscuring things slightly. As @vikaspotluri123 said, if you want extra security you can place additional authentication mechanisms on top of your admin endpoints but it’s worth remembering that will also limit access for integrations which will typically not be built to handle any additional auth.

thebear.dev · April 20, 2021, 8:52am

Hi Kevin,

If you don’t mind me asking, what config file are we talking about? I tried the above on a local install and on my production and http://localhost:2369/ghost and https://example.com/ghost/ still worked even after a restart adding the below to config.development.json

{
  "url": "http://localhost:2369/",
  "adminUrl": "http://secret.localhost:2369/",
  "admin": {
      "redirects": false
  },
  "server": {
    "port": 2369,
    "host": "127.0.0.1"
  
  },

Topic		Replies	Views
Changing Admin URL in Ghost CMS Self-hosting	4	1914	September 25, 2024
Configurable Admin URL Ideas 🚧-rejected	6	22421	June 10, 2020
How to default to /ghost (redirect)? Developer help	4	1257	February 19, 2019
Is there an option to change Admin Path URL in 2.0? Developer help	2	1334	October 22, 2018
Redirecting to /ghost with admin subdomain Developer help	2	1165	February 15, 2019

Ghost Admin Security: Is there any way to redirect Admin-URL (Redirection Alternative)

Related topics