Grav is a flat-file PHP CMS. Its security depends on hardening the admin plugin, restricting file uploads, and keeping the plugin and theme lifecycle under control.
¶ 1) Protect secrets and administrative access
- Enable and harden Grav Admin authentication with strong passwords
- Enable the two-factor authentication (2FA) plugin for admin accounts
- Disable the admin plugin on public sites that do not need browser-based editing
- Set a unique security salt in user/config/security.yaml
- Restrict admin access by IP where possible
¶ 2) Control extensions and update cadence
- Keep Grav core, plugins, and themes updated with GPM (Grav Package Manager)
- Remove abandoned or unmaintained plugins
- Only download plugins and themes from the official Grav repository
- Review a plugin's security before enabling it
¶ 3) Harden runtime and deployment perimeter
- Block executable uploads and enforce web server deny rules for sensitive files
- Force HTTPS and secure session handling
- Set correct file permissions:
  - Directories: 755
  - Files: 644
  - Writable dirs (cache, logs, images): 775

    # Adjust /var/www/grav and www-data to match your install and web server user
    # Set directory permissions
    find /var/www/grav -type d -exec chmod 755 {} \;
    # Set file permissions
    find /var/www/grav -type f -exec chmod 644 {} \;
    # Writable directories (web server needs write access)
    chmod 775 /var/www/grav/cache
    chmod 775 /var/www/grav/logs
    chmod 775 /var/www/grav/images
    chmod 775 /var/www/grav/assets
    # Set ownership
    sudo chown -R www-data:www-data /var/www/grav
Apache (.htaccess in user/pages/ or the uploads directory):

    # Apache 2.2 syntax (on 2.4 this needs mod_access_compat)
    <Files "*.php">
        Deny from all
    </Files>

    # Equivalent Apache 2.4 syntax
    <Files "*.php">
        Require all denied
    </Files>

Nginx:

    location ~* /user/pages/.*\.php$ {
        deny all;
    }
Consider installing these security plugins:
- Two-Factor Authentication: MFA for admin accounts
- Login: enhanced login security with rate limiting
- Admin Permissions: granular admin access control
- Security Detection: scans for security issues

Ongoing practices:
- Regular updates: apply security updates promptly via GPM
- Plugin audit: regularly review enabled plugins and remove unused ones
- User permissions: follow the principle of least privilege
- Backup strategy: regular backups with off-site storage
- Error handling: disable debug mode in production
- HTTPS: always use HTTPS for admin access
Disable debug mode in production (user/config/system.yaml):

    errors:
      display: 0 # 0 = disabled, 1 = enabled
    debugger:
      enabled: false
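Several of the points above (no PHP under user/pages, no world-writable paths, a salt set in security.yaml, debugger and error display off) can be verified in one pass. The following POSIX shell audit script is an added example, not Grav's own tooling; it assumes Grav's layout (a top-level "salt:" key in user/config/security.yaml and the errors/debugger sections of user/config/system.yaml shown above) and builds two constructed miniature trees so it runs offline.

```shell
#!/bin/sh
# Added example, not Grav project code: audit a Grav tree against the checklist.
# Assumes user/config/security.yaml has a top-level "salt:" key and
# user/config/system.yaml has the errors/debugger sections shown above.
# yaml_get FILE SECTION KEY: print one scalar from Grav's flat two-level YAML
# (SECTION "" = top-level key). Quotes and trailing comments are dropped.
yaml_get() {
  awk -v s="$2" -v k="$3" -v q="'" '
    /^[^[:space:]#]/ { sect = $1; sub(/:$/, "", sect) }
    $1 == (k ":") && ((s == "" && $0 ~ /^[^[:space:]]/) ||
                      (s != "" && $0 ~ /^[[:space:]]/ && sect == s)) {
      v = $2; gsub(/"/, "", v); gsub(q, "", v); print v; exit }' "$1"
}

# Each check takes GRAV_ROOT and returns 0 (pass) or 1 (fail).
check_no_php_in_pages()   { [ -z "$(find "$1/user/pages" -type f -iname '*.php' 2>/dev/null)" ]; }
check_no_world_writable() { [ -z "$(find "$1" -perm -002 2>/dev/null)" ]; }
check_salt_set()     { s=$(yaml_get "$1/user/config/security.yaml" "" salt 2>/dev/null); [ "${#s}" -ge 16 ]; }
check_debugger_off() { [ "$(yaml_get "$1/user/config/system.yaml" debugger enabled 2>/dev/null)" = false ]; }
check_errors_hidden() { [ "$(yaml_get "$1/user/config/system.yaml" errors display 2>/dev/null)" = 0 ]; }

# grav_audit GRAV_ROOT: one PASS/FAIL line per check; exit status = number of failures.
grav_audit() {
  fails=0
  for c in check_no_php_in_pages check_no_world_writable check_salt_set \
           check_debugger_off check_errors_hidden; do
    if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# make_sample DIR good|bad: constructed miniature trees (not real installs) for an offline run.
make_sample() {
  mkdir -p "$1/user/pages/01.home" "$1/user/config" "$1/cache"
  if [ "$2" = good ]; then
    printf 'salt: "%s"\n' 0123456789abcdefghij > "$1/user/config/security.yaml"
    printf 'errors:\n  display: 0\ndebugger:\n  enabled: false\n' > "$1/user/config/system.yaml"
  else
    printf 'salt: ""\n' > "$1/user/config/security.yaml"
    printf 'errors:\n  display: 1 # verbose\ndebugger:\n  enabled: true\n' > "$1/user/config/system.yaml"
    : > "$1/user/pages/01.home/stray.php"
  fi
  chmod -R go-w "$1"                      # baseline 755/644 regardless of umask
  [ "$2" = bad ] && chmod 777 "$1/cache"  # the bad tree leaves cache world-writable
  return 0
}

# Stand-alone run: audit the given root, or the two constructed samples.
if [ -n "$1" ]; then grav_audit "$1"; else
  T=$(mktemp -d); make_sample "$T/good" good; make_sample "$T/bad" bad
  grav_audit "$T/good"; echo; grav_audit "$T/bad" || echo "$? check(s) failed"; rm -rf "$T"
fi
```

Run it as `sh grav_audit.sh /var/www/grav` against a real install; a non-zero exit status is the count of failed checks, which makes it easy to wire into a deploy pipeline.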
Further reading:
- Grav docs: https://learn.getgrav.org/
- Grav security guide: https://learn.getgrav.org/security
- Grav source: https://github.com/getgrav/grav
- Grav admin security: https://learn.getgrav.org/admin-panel