Gaining access to the Craft CMS control panel is critical for managing your site, but security is paramount. This article will cover securely logging into the admin area, best practices for locking it down, managing user accounts and permissions, and monitoring activity. With the right approach, you’ll learn how to safely access the full power of the Craft CMS dashboard to author content and tweak settings while keeping hackers at bay.
Gaining access to the Craft CMS control panel requires visiting yoursite.com/admin and logging in with admin credentials. Secure your access by enabling HTTPS, restricting IP addresses, requiring strong passwords, limiting login attempts, closely monitoring audit logs, and disabling the control panel when not in use. Proper configuration protects your content while allowing authorized users to manage the site.
One of the first things you'll want to do after installing Craft CMS is access the control panel. This is the administration area where you can manage your site's content, users, settings and more.
To reach the control panel, simply append /admin to your site's URL. For example, if your site is at www.example.com, you would visit www.example.com/admin to reach the login page.
On the login page, enter the username and password you created during the Craft installation process. If you don't remember your credentials, you may need to reset your password before logging in.
Once logged in, you'll be taken to the control panel dashboard. This overview page displays useful information like pending system updates, pending user accounts and draft entries. The main navigation runs down the left side, allowing you to access the different sections of the control panel.
If you're having trouble accessing the control panel, here are some things to check:
Verify the /admin URL: Double check that you're visiting the correct admin URL for your site. It should be yourdomain.com/admin.
Check your credentials: Make sure you're using the correct username and password. If needed, use the "Forgot your password" link to reset it.
Confirm cookie settings: Craft CMS requires cookies to be enabled to login. Ensure your browser is not blocking cookies.
Try another browser: Sometimes login issues are browser-specific. Try accessing the /admin URL in a different browser to see if that helps.
Check for maintenance mode: If maintenance mode is enabled, it will prevent admin login. You'll need to disable it in craft/config/general.php.
Look for login errors: Check your craft/storage/logs folder for any login-related errors that could point to the cause.
Resetting the admin account: As a last resort, you can reset the primary admin account details in the craft_users table of the database.
To protect login security, Craft CMS will lock out an account after a certain number of failed login attempts.
By default, accounts are locked out after 5 failed attempts within 10 minutes. The duration of the lockout is 1 hour initially but increases exponentially with each additional lockout.
As an admin, you can configure these settings under Settings > Users in the control panel. You can adjust:
Maximum login attempts
Lockout duration
Increase in lockout duration
Reducing the maximum attempts allowed is a good way to further secure your site against brute force login attacks.
You can also manage locked out accounts by going to Users > View locked out users. Here you can unlock users or adjust the remaining lockout duration.
Since the Craft CMS control panel grants access to your site's content and configuration, it's important to take steps to properly secure it:
Use strong passwords: Always set a strong, unique password for your admin account. Enable password policies to enforce complexity.
Limit admin users: Only create admin accounts for those who truly need back-end access. Review permissions.
Enable Two-Factor Authentication: Add an extra layer of login security by requiring 2FA for admin accounts.
Manage sessions: Set a session duration and use the "Sign out of all sessions" button to terminate other open sessions.
HTTPS: Use HTTPS on both the front and back end of your site for secure data transfer.
Limit login attempts: Adjust the max attempts and lockout duration to protect against brute force attacks.
Update Craft CMS: Keep your CMS and plugins updated to patch any vulnerabilities.
By taking a few key steps to properly configure access settings, permissions and passwords, you can help secure your Craft CMS control panel from unauthorized logins.
If you create additional user accounts in Craft CMS that aren't admins, they will also need control panel access to author content.
To allow this, go to Settings > Users > User Groups and choose a group. Click "Save group" to create it if needed.
Under settings, check the box for "Give this group permission to access the control panel". Choose which sections they can access.
Now assign any non-admin users to that group. They'll be able to log into the control panel with limited access.
You can create multiple groups with granular control panel permissions based on roles. For example, a "Content Editor" group with permissions for only managing entries.
User accounts are the building blocks for managing access and permissions within Craft CMS. They allow you to control who can access the system and what they are allowed to do. At a basic level, an account represents an individual person with a unique username and password used for logging into the control panel or front-end site. But accounts can serve different purposes depending on the type.
The main admin account has full access for managing everything in the CMS. You may create front-end accounts that allow users to log into parts of a public site, like a membership portal. Custom user groups allow you to assign limited roles and permissions for authors, editors, and other team members needing partial access.
All user accounts are created and managed within the Users section of the Craft control panel. This is where you can add new users, organize them into groups and teams, edit account details, and define access permissions. The global user settings are configured on the Users settings page, including password policies, session length, and overall permission defaults.
In summary, user accounts provide the framework for controlling CMS access and permissions by allowing you to securely grant only the needed access to content creators, admins, and external users according to their roles.
Out of the box, Craft CMS comes with predefined user roles that provide starter access levels and permissions: Administrator for full control, Developer for managing technical aspects, Author for creating and editing content, Editor for the same plus deletion powers, and Translator for localizing content.
Each role serves as a permission preset, granting access for common needs - for instance, the Author role gets default capabilities for managing entries but not site-wide options like users or settings.
For more advanced needs, you can also assign custom granular permissions beyond the standard roles: Site-wide permissions for managing users, fields, sections and so on; Section permissions for focused access like only managing blog entries or products; Entry permissions for capabilities like editing or publishing specific posts; and Plugin permissions for custom addons.
With both broad roles and discrete fine-grained permissions, Craft provides full control to tailor what each user and group can access and do throughout the CMS. For example, you can create an "Article Editor" group with permissions limited only to managing blog posts, excluding pages and data. Or only allow a proofreader permission to edit but not publish entries. Craft's flexibility supports virtually any permission scheme your team needs.
Day-to-day user management primarily occurs within the Users section of the Craft CMS control panel. The Users screen lists all accounts, allowing you to add new users, view and edit account details, disable/suspend users, and assign groups.
User groups streamline management by allowing collective permissions to be applied to multiple users. You can create new groups, add users to groups, and set permissions by group. The User Settings page controls global user policies including password requirements, default settings, login attempt lockouts, and control panel session duration. And the Permissions page is where you grant both general and section-specific access to users and groups.
When editing individual user accounts, key settings include username, email, name, preferred language, status, profile photo, user groups, user role (like Author or Editor), password reset, and more. Additional security policies can be applied as well such as requiring password changes after periods of inactivity.
With its robust user management options, the Craft control panel provides everything needed to fully control users, permissions, and access - critical capabilities for a secure CMS implementation.
The Craft CMS control panel is the gateway to managing your entire site and content. As such, properly securing access is crucial for any Craft site. Here are some tips for locking down your control panel:
SSL provides secure encrypted connections between the server and client. Enabling it for both the front-end and back-end of your site should be a top priority.
At minimum, install an SSL certificate and redirect all traffic to HTTPS. Even better, enable HSTS headers to tell clients to strictly use HTTPS for all connections.
For the /admin area specifically, enable the "Require a secure connection" setting under General Settings. This will force SSL for control panel access.
You can restrict control panel access to only certain IP addresses in the CMS settings. This bans all others.
While not foolproof, it can help reduce brute force attacks and unauthorized login attempts.
Enter allowed IPs under Settings → General → Allowed IP Addresses. Use separate lines for each address.
Consider allowing only office and your own IP(s) to limit exposure. Update as your IP changes or new internal ones need access.
Enforce strong, complex passwords for all admin accounts via the password policy settings.
Require a minimum length of 12+ characters. Disable common passwords. Set expiration periods for password changes every 90 days. Craft CMS can also save passwords.
Enable "Prevent password reuse" and input history retention to prohibit reusing old passwords. Send expiration and change notifications to admins to facilitate updates.
Brute force login attacks try to guess passwords through repeated attempts.
Craft CMS can lock out accounts after a set number of failed logins, with increasing durations.
Under Settings → Users, enable "Limit number of password attempts" and start conservatively at 5 maximum attempts.
You can also set the initial lockout time and increase interval for each subsequent lockout.
Review any locked out accounts under Users → View locked out users.
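The lockout, session and HTTPS-related settings described above (in the lockout section and the SSL and password tips), expressed in Craft's config/general.php. This is an added example, not code from the original article: the setting names are Craft CMS general config options, the lockout values mirror the numbers the article quotes, and the per-environment split and the remaining values are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);
// config/general.php -- added example, not from the original article.
// Setting names are Craft CMS general config options; the lockout values
// mirror the article's numbers, the rest are illustrative choices.
return [
    // Settings that apply to every environment
    '*' => [
        // Lock an account after 5 failed logins within a 10-minute window
        'maxInvalidLogins' => 5,
        'invalidLoginWindowDuration' => 600,
        // Initial lockout length of one hour
        'cooldownDuration' => 3600,
        // Expire idle control panel sessions after 30 minutes
        'userSessionDuration' => 1800,
        // Bind the session to the user agent and IP it was issued to
        'requireUserAgentAndIpForSession' => true,
        // Mark cookies Secure so they are never sent over plain HTTP
        'useSecureCookies' => true,
        // CSRF protection is on by default; stated here for clarity
        'enableCsrfProtection' => true,
    ],
    // Production-only hardening
    'production' => [
        // Never expose stack traces or debug output to visitors
        'devMode' => false,
        // Block admin-level settings changes from the live control panel
        'allowAdminChanges' => false,
        // Drop the X-Powered-By header so the CMS is not advertised
        'sendPoweredByHeader' => false,
    ],
    // Local development keeps debug output and admin changes enabled
    'dev' => [
        'devMode' => true,
        'allowAdminChanges' => true,
    ],
];
```

The environment keys ('production', 'dev') are matched against the CRAFT_ENVIRONMENT value, so the production block only applies where that variable is set accordingly.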
The system stores detailed audit logs of all control panel activity under Utilities → Logs.
Review these regularly to look for any suspicious, unauthorized, or concerning activity.
Consider blocking problematic IP addresses that show repeated failed logins or odd activity.
For servers with frequent actions, use filters to zero in on specific events or date ranges.
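One way to do the log review described above: a small script that tallies failed control-panel logins per source IP, optionally within a date range, and flags the repeat offenders worth reviewing. This is an added example, not part of Craft CMS or the original article; the log lines are constructed and the line format is an assumed approximation, so the regular expression must be adjusted to the exact format your installation writes.

```php
<?php
declare(strict_types=1);
// Added example, not part of Craft CMS or the original article.
// The log format below is a constructed approximation of a web.log
// entry; adapt $pattern to the real format before using this.

// Constructed sample entries (not a real log)
$sampleLog = <<<'LOG'
2024-03-01 09:00:12 [203.0.113.7][-][-][warning][application] Invalid login attempt for user "admin"
2024-03-01 09:00:15 [203.0.113.7][-][-][warning][application] Invalid login attempt for user "admin"
2024-03-01 09:00:19 [203.0.113.7][-][-][warning][application] Invalid login attempt for user "root"
2024-03-01 09:01:02 [198.51.100.4][-][-][warning][application] Invalid login attempt for user "editor"
2024-03-01 09:05:40 [203.0.113.7][-][-][warning][application] Invalid login attempt for user "admin"
2024-03-01 09:06:00 [203.0.113.7][-][-][warning][application] Invalid login attempt for user "admin"
2024-03-01 09:06:30 [198.51.100.4][12][-][info][application] User "editor" logged in
LOG;

/**
 * Count failed login attempts per IP, optionally limited to a time window.
 * Timestamps use a fixed "Y-m-d H:i:s" layout, so string comparison orders them.
 *
 * @return array<string,int> IP => failure count, highest first
 */
function tallyFailedLogins(string $log, ?string $from = null, ?string $to = null): array
{
    $pattern = '/^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([^\]]+)\]\[[^\]]*\]\[[^\]]*\]\[warning\]\[[^\]]*\] Invalid login attempt/';
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a failed-login line
        }
        [, $timestamp, $ip] = $m;
        if (($from !== null && $timestamp < $from) || ($to !== null && $timestamp > $to)) {
            continue; // outside the requested date range
        }
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

/** Keep only the IPs at or above the failure threshold. */
function flagRepeatOffenders(array $counts, int $threshold = 5): array
{
    return array_filter($counts, fn(int $n) => $n >= $threshold);
}

$counts = tallyFailedLogins($sampleLog, '2024-03-01 00:00:00', '2024-03-01 23:59:59');
foreach (flagRepeatOffenders($counts) as $ip => $n) {
    echo "$ip: $n failed logins in window, review and consider blocking\n";
}
```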
When you're heads-down in development, disable control panel access to prevent accidental exposure.
Under Settings → General, check the “Disable the Craft CMS Control Panel” box.
Uncheck to re-enable later.
Consider a plugin like Control Panel Disabler to automate this on a schedule.
Securing your Craft CMS control panel should always be a priority to prevent unauthorized access. Enabling complete SSL, restricting IPs, imposing password policies, and monitoring logs are key steps. Audit user activity, limit attempts, and disable the CP when not actively using it. With good habits, you can confidently access the control panel knowing your Craft site and content are protected.
Andy has scaled multiple businesses and is a big believer in Craft CMS as a tool that benefits Designer, Developer and Client alike.