Hey! I would like to ask how Grav is secured, in general and regarding the admin area / users.
I can understand having no database makes it much more secure already, but with the admin plugin, what is done against, for example, brute-force attempts in the login?
It would be great to have a real, detailed breakdown of current and planned security measures and how it compares to WordPress / other CMSs.
I couldn’t find any such document, is there any?
And is Grav far enough to be used on a real production ready website, without having to worry about someone getting into the site? Or should I wait for another version?
There is no protection currently against brute force attacks to the admin area. Some suggestions: use a login name that’s not easily guessed (not admin for example), use complex passwords, change the admin area route (not /admin) in the Admin Plugin settings, password-protect the whole folder via .htaccess or equivalent method if you’re not using Apache, limit access to the Admin route via IP filtering via .htaccess.
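A concrete form of the two .htaccess suggestions above (whole-folder password protection and IP filtering of the admin route), added here as an example and not taken from the Grav project or the poster; it assumes Apache 2.4 with mod_rewrite (which Grav already requires), a root-level install, AllowOverride permitting AuthConfig and FileInfo, a placeholder htpasswd path, and a constructed allowlisted address 203.0.113.10:

```apache
# Added example, not Grav's shipped .htaccess.
# Place these lines above Grav's own RewriteRule lines so they run first.

# Option A: HTTP Basic auth for the whole site folder (every request,
# including the front-end), as an extra layer in front of the Grav login.
# /var/www/secure/.htpasswd is a placeholder; keep it outside the web root.
AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/secure/.htpasswd
Require valid-user

# Option B: deny the admin route to every client except one allowlisted IP,
# while leaving the public site reachable.
# 203.0.113.10 is a constructed placeholder; replace it with your own address.
# If you changed the admin route in the Admin Plugin settings, change
# "admin" in the first condition to match the new route.
# Behind a reverse proxy REMOTE_ADDR is the proxy's address, so this check
# must then be enforced at the proxy instead.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin(/|$) [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F,L]
```

Create the credentials file for Option A with `htpasswd -B -c /var/www/secure/.htpasswd <username>` (bcrypt), and verify both rules by requesting `/admin` from a non-allowlisted address and expecting a 403.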