Limit site access to logged in users

I’m experimenting with grav on public website. I don’t want users other than myself to be able to see the test pages, only the home page, or for them to see the naviation menu. I have created an administrators group, added the admin login I use to it, and also added a section for access. But a non-logged in user still sees all pages and all nav menu items. What am I doing wrong?

this is my groups.yaml

icon: users
readableName: ‘Registered Users’
description: ‘The group of registered users’
login: true

groupname: administrators
readableName: Administrators
description: ‘The group of administrators’
icon: child
login: true
login: true

administrators: true

@bolide Did you add the following frontmatter to the page(s) you want to be private?

    site.login: true

This will popup a login screen when the user in not yet authenticated.

If you want to lock out the whole site, the simplest is to just slap an .htpasswd on the whole site and be done with it. That way, when you’re ready to go live, you only have to change that one thing.

And long term, have a dev site that’s protected that Devs work on and then use GitHub or something similar to sync the dev with the prod site.

Thanks for all of that. I hadn’t figured out how to access the frontmatter property that I’d read about until now. So at least I can do the page by page setting.

I will check out the .htpasswd approach, it it more likely to be the more suitable approach.

I guess what I’m looking for is something parallel to what many other cms have with is putting the site into maintenence mode. An admin can get it but no one else. Grav doesn’t have a simple config setting like that, as far as I can see?

Be sure to explore the plugins page.

There is indeed a Maintenance mode plugin.

Right…the plugins page…I installed a bare bones Grav via
softalicious just to try it out quickly.

Thanks again for your help.


i got a similar problem.
the site should only be accessed by registered users.

I already installed the login-plugin and activatet it for some pages to validate its functionality.
unfortunately child folders are still accessable. Even if i set the “login: true” property for all pages, the corresponding media files are still accessable if the url is known.

is there any way to disable any access for non logged in users except the login screen itself?


1 Like

Have you tried to use the plugin “Private site”? This is working for me to protect page by page.

hi kostaslgr,
no , i haven’t - to be honest, this problem appeared with a project of a kolleague and i just try to help out.
for now the login plugin has to do the job - but on further sites, i will give the maintenance an the private plugin a try.


I’ve tried the private-site plugin but it also block access to forgot password which logically should be accessible from public. Anyone know any solution?

Thank you so much for your time

By looking at the Private Plugin docs there is no solution.

Actually I think the use of the Private Plugin and it’s successor Private Site Plugin should be discouraged since the latter is still in beta and has not been updated in the last 2 years.

Hi is there an actual solution? Beside “Private Plugin / Private Site Plugin” which still in beta and not been updated in the last 2 years…
Thank you

The standard login plugin already has this functionality.
Try Grav 1.7, you can easily create a new group, add users en limit content for this group.