@GravZahl, Grav is a flat-file CMS, which means all configs and content are stored in flat-files. These flat-files can be accessed by any text-editor or shell tool.
There is nothing Admin can do which cannot be done through the shell (locally or through ssh).
All Admin does is give you (or the end-user) a more convenient way of managing the site, nothing more…
For completeness' sake, you can harden the security of Admin by:
- Renaming the url of Admin. This can be done by changing ‘/user/config/plugins/admin.yaml’ and setting:

      route: /my-hidden-admin-url

  Of course, this can also be set using the Admin plugin in the config section of the plugin.
- Enabling two-factor authentication for the user.
@bleutzinn, I’m not sure if your approach is a form of ‘security by obscurity’, because Admin cannot be accessed when renaming its folder.
Renaming the url for Admin sure is a form of ‘security by obscurity’.
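An added example, not part of the post above and not Grav's own tooling: a shell check that a site has both hardening steps from the list applied, using only the flat files. It assumes the stock Admin route is `/admin` and that per-user two-factor authentication is stored as `twofa_enabled: true` in `user/accounts/*.yaml`; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a Grav install for the two Admin hardening steps described above.
# Assumptions (not stated in the post): the stock Admin route is /admin, and
# per-user 2FA is recorded as `twofa_enabled: true` in user/accounts/*.yaml.

# Print the value of a top-level "key: value" line, without quotes.
yaml_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 \
        | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# audit_grav_admin GRAV_ROOT
# Prints one line per finding, sets GRAV_FINDINGS, returns 1 if any were found.
audit_grav_admin() {
    root=$1
    GRAV_FINDINGS=0
    cfg="$root/user/config/plugins/admin.yaml"

    # A missing override file means the plugin default route is in effect.
    route=""
    if [ -f "$cfg" ]; then
        route=$(yaml_value route "$cfg")
    fi
    if [ -z "$route" ] || [ "$route" = "/admin" ]; then
        echo "FINDING: Admin still uses the default route; set route: in $cfg"
        GRAV_FINDINGS=$((GRAV_FINDINGS + 1))
    fi

    # Every account file should have two-factor authentication switched on.
    for account in "$root"/user/accounts/*.yaml; do
        [ -f "$account" ] || continue
        if [ "$(yaml_value twofa_enabled "$account")" != "true" ]; then
            echo "FINDING: 2FA not enabled for $(basename "$account" .yaml)"
            GRAV_FINDINGS=$((GRAV_FINDINGS + 1))
        fi
    done

    [ "$GRAV_FINDINGS" -eq 0 ]
}

# Usage: sh audit.sh /path/to/grav
if [ "$#" -gt 0 ]; then
    audit_grav_admin "$1"
fi
```

The parser only reads simple top-level `key: value` lines, which is enough for these two settings.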
