Continuing the discussion from Security of Ghost:
What is the strong protection against SQL injection? Does this refer to Bookshelf (the ORM used by the Ghost blog)?
What is meant by "no visitor-facing forms"? What if they come to the admin login page?
How can that admin page be hidden (or made harder to guess where it is located), i.e. by creating a unique URL for the admin login? For example, ghost.org/chamberofsecret.
I ask because for WordPress, simply adding wp-admin or wp-login redirects us to the login page.
I can't tell you exactly where or what yet, because I'm still experimenting with Ghost in my free time. But everything you are asking is either in the documentation or, if not implemented, you can do it in the backend.
See if this helps.
I think that is not related to what I am asking.
What I am asking is something like this:
for example, if we want to log in on WordPress we go to Mywpsite.com is for sale | HugeDomains.
So I want to know if Ghost has something like that, maybe Ghost: The Creator Economy Platform.
Can I change the URL to something else, like Ghost: The Creator Economy Platform? That would make the admin login page hard to guess if I don't put a link to the admin login page.
I believe SQL injection usually happens at the admin login page.
That's why I ask about the "no visitor-facing forms", because technically, if Ghost has a standard URL for the admin login page, that counts as a visitor-facing form, right?
I guess if Mr. @Kevin could answer, that would help me, so that I am more confident about this.
@eddie what @vikaspotluri123 has written is spot on.
/myrandomurl/ will not add any security. If you want to completely lock it down you could restrict access to a specific IP address or add HTTP Basic Auth at the web server level for /ghost/. You could even lock things down with something like Cloudflare Access.
However bear in mind everything Ghost's admin does is via Ghost's authenticated API which lives at /ghost/api/v0.1/* so you'll need to make sure any additional auth you add doesn't interfere with that.
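As an added example (not code from the thread above, nor Ghost's own configuration), here is one way to apply the "restrict /ghost/ to a specific IP address" advice at the web server level with an nginx reverse proxy in front of Ghost. It assumes Ghost listens on 127.0.0.1:2368 (its default port), that the site is example.com, and that 203.0.113.10 is the single address allowed to reach the admin; those are placeholders to replace. The key point it demonstrates is the caveat from the reply: the restriction is applied to one `location ^~ /ghost/` block so that the admin app and the admin API under /ghost/api/v0.1/ are handled by the same rule, rather than two differently protected locations that would break the admin's own API calls.

```nginx
# Added example, not from the original thread or from Ghost.
# Assumptions: Ghost on 127.0.0.1:2368, site example.com,
# 203.0.113.10 = the one address allowed into the admin.

server {
    listen 443 ssl http2;
    server_name example.com;

    # ssl_certificate / ssl_certificate_key omitted here

    # Public site: no extra restriction.
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    # Admin client AND its API in one rule. "^~" makes this prefix match
    # win over any regex locations, so /ghost/api/v0.1/* is covered by the
    # same allow/deny and the admin keeps working from the allowed address.
    # Putting a different auth on a deeper /ghost/api/ location is what
    # "interferes" with the admin's own API calls.
    location ^~ /ghost/ {
        allow 203.0.113.10;
        deny  all;

        # Alternative to the IP allowlist: HTTP Basic Auth on this same
        # location. The browser reuses the credentials for requests under
        # the protected path, so the admin's XHR calls to /ghost/api/ carry
        # them too. Requires an htpasswd file (path is an assumption).
        # auth_basic           "Ghost admin";
        # auth_basic_user_file /etc/nginx/ghost-admin.htpasswd;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
}
```

Two checks before relying on this: from an address that is not allowlisted, `curl -I https://example.com/ghost/` should return 403, and from the allowed address the admin should load and save a post (which exercises the API path). Two caveats: if nginx sits behind another proxy or CDN, `allow`/`deny` see that proxy's address unless the real IP module is configured, so the allowlist may silently block everyone or no one; and if the theme or any front-end integration calls Ghost's public API under /ghost/api/ from visitors' browsers, this rule blocks those visitors as well, so confirm which routes the theme uses before deploying.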
Thanks Mr. @vikaspotluri123 for the explanation. Quite convincing.
I don't mean to add any additional auth...
Anyway, thanks for the suggestion about restricting access to a certain IP address.