Admin plugin security?

I’m just asking because I don’t think I know enough to really evaluate things, but is there a danger of having the admin plugin (with a plain text password in a config file) on a server somewhere? Seems like it might be a hole…


The plain text password you can optionally add to the user yaml is replaced at the first login with the hashed password. You can also entirely skip this step by using bin/grav newuser.

Ah, so it is… I missed that it was hashed if you use the newuser (or after a login)!


Actually it’s not hashed in the newuser command, but just like manually creating, it is hashed after first login.

Hello, I got an additional question to this thread. I am trying to find which algorithm is used to hash the password and whether it uses a salt or not. Does anyone know or could point me toward the right PHP file?

It’s the built-in PHP 5.5+ password_hash function, which is considered to be the most secure approach:

More info:

Thx a lot for the quick reply.
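
An added example, not part of the thread and not Grav's own code: a Python audit for the two points made above, that a plaintext password stays in the user yaml until the first login, and that the hash comes from password_hash, whose output carries the salt inside the hash string. The key names password and hashed_password and the directory passed to audit_dir are assumptions; the sample account files are constructed.

```python
import re
from pathlib import Path

# Assumed key names in an account YAML file: `password` (plaintext, waiting
# for the first login) and `hashed_password` (output of PHP password_hash()).
KEY_RE = re.compile(r"^(password|hashed_password):\s*(.*?)\s*$")
# password_hash() returns one crypt-style string holding the algorithm id,
# the cost parameters, the random salt and the digest; no separate salt field.
BCRYPT_RE = re.compile(r"^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$")
ARGON2_RE = re.compile(
    r"^\$argon2(i|id)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")

# Constructed sample account files (not real credentials or real hashes).
SAMPLES = {
    "never_logged_in.yaml": "email: a@example.com\npassword: ChangeMe123\n",
    "migrated.yaml": "email: b@example.com\nhashed_password: $2y$10$" + "a" * 53 + "\n",
    "legacy_hex.yaml": "hashed_password: 0123456789abcdef0123456789abcdef\n",
}


def audit_account(text):
    """Return the findings for one account YAML document (top-level keys)."""
    fields = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip("'\"")
    findings = []
    if fields.get("password"):
        findings.append("plaintext password present, first login not done")
    hashed = fields.get("hashed_password")
    if hashed and not (BCRYPT_RE.match(hashed) or ARGON2_RE.match(hashed)):
        findings.append("hashed_password is not password_hash() output")
    return findings


def audit_dir(accounts_dir):
    """Map file name to findings for each *.yaml file that has any."""
    report = {}
    for path in sorted(Path(accounts_dir).glob("*.yaml")):
        findings = audit_account(path.read_text(encoding="utf-8"))
        if findings:
            report[path.name] = findings
    return report


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_account(text))
```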