Turning off Admin in production

Hello! I’m working on a microsite for a client who is very concerned about security. Their standard procedure is to run a copy of their CMS on a local server for editing, and then have a copy of the site on the production server with the admin area disabled in some way, depending on the CMS (for example, for Drupal and WordPress, they strip the users table on the prod db).

My idea for Grav is for the prod server to NOT have the admin plugin installed at all; if my understanding is correct, that will prevent anyone from editing the site (other than meddling with the files directly).

Is my understanding correct? Also, how would I (or they) set up a pipeline? Could we maybe only push the pages folder from dev to prod when changes happen?

I feel like there’s not a lot of info about this topic out there, so any help would be greatly appreciated!

@gcasalett, You might want to have a look at the Git Sync plugin.

Git Sync is a Plugin for Grav CMS that allows to seamlessly synchronize a Git repository with your Grav site, and vice-versa.

You could also roll your own git sync procedure.

Or you can zip the /user folder on the local machine, scp to remote server, and unzip.

Or you could just disable the Admin panel by setting enabled: false in /user/config/plugins/admin.yaml


Awesome, thanks for the response! I’ll try these options and see which one best fits their current setup.

Are you running continuous deployment through an automation pipeline? If so, you can simply ignore the user/accounts folder in your .gitignore file and set a different admin user in production which nobody knows the credentials for.
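
A pre-deploy check that ties the options in this thread together, as an added example that is not part of any post above: it fails a release tree if the Admin plugin is present without enabled: false, or if account files would ship with it. It assumes the standard Grav layout (user/plugins/admin, user/config/plugins/admin.yaml, user/accounts/*.yaml); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-deploy check for a Grav release tree.
# Assumption: standard Grav layout under DIR/user. Function names are illustrative.

# admin_state DIR -> prints "absent", "disabled" or "enabled"
admin_state() {
    root=$1
    if [ ! -d "$root/user/plugins/admin" ]; then
        echo absent
        return 0
    fi
    cfg="$root/user/config/plugins/admin.yaml"
    # Only a top-level "enabled: false" counts. A missing or unparsable
    # override is treated as enabled, so the check fails closed.
    if [ -f "$cfg" ] && grep -Eq '^enabled:[[:space:]]*false[[:space:]]*(#.*)?$' "$cfg"; then
        echo disabled
    else
        echo enabled
    fi
}

# account_count DIR -> number of account files that would be shipped
account_count() {
    root=$1
    if [ -d "$root/user/accounts" ]; then
        find "$root/user/accounts" -type f -name '*.yaml' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# check_release DIR -> exit status 0 if the tree is fit for production, 1 otherwise
check_release() {
    root=$1
    rc=0
    if [ "$(admin_state "$root")" = enabled ]; then
        echo "FAIL: admin plugin present and not disabled" >&2
        rc=1
    fi
    n=$(account_count "$root")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n account file(s) under user/accounts" >&2
        rc=1
    fi
    return $rc
}

# Run as: sh check.sh /path/to/release (skipped when no argument is given)
if [ "$#" -gt 0 ]; then check_release "$1"; fi
```

Run it in the pipeline before the push or scp step so a tree that carries a live Admin plugin or account files never reaches the production server.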