Security
Pebble includes built-in security features to protect your content and installation.
Authentication
Pebble supports two authentication methods:
Username/Password (Recommended)
- BCrypt password hashing for secure credential storage
- Rate limiting: 5 failed attempts trigger a 15-minute lockout
- IP address and user agent recorded for security logging
- Minimum 4-character password requirement (see Strong Passwords below; 12 or more characters is the recommendation)
Auth Key
- Simple single-key authentication
- Stored in config.php
- Good for quick setups or API access
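The two login paths described above, as an added example written for this page rather than Pebble's own code: BCrypt at cost factor 10 through password_hash(), a per-IP failure counter that enforces the 5-attempt / 15-minute lockout before the password is even checked, and generation plus constant-time comparison of an auth key. The attempt-record file LOCKOUT_FILE, its JSON layout and the function names are assumptions; how Pebble actually stores attempt counts is not stated on this page.

```php
<?php
// Added example (not Pebble's own code): BCrypt hashing, a 5-attempt /
// 15-minute per-IP lockout, and auth-key handling with PHP's standard APIs.
// LOCKOUT_FILE and the record layout below are assumptions for illustration.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 15 * 60;
const LOCKOUT_FILE    = __DIR__ . '/data/login_attempts.json'; // assumed location

// Hash a password with BCrypt at cost factor 10 (PHP's default, stated explicitly).
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Load the per-IP failure records; a missing or corrupt file counts as empty.
function load_attempts(): array
{
    if (!is_file(LOCKOUT_FILE)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(LOCKOUT_FILE), true);
    return is_array($data) ? $data : [];
}

function save_attempts(array $attempts): void
{
    file_put_contents(LOCKOUT_FILE, json_encode($attempts), LOCK_EX);
}

// True while the IP is inside its 15-minute lockout window.
function is_locked_out(string $ip, int $now): bool
{
    $rec = load_attempts()[$ip] ?? null;
    return $rec !== null
        && $rec['count'] >= MAX_ATTEMPTS
        && ($now - $rec['last']) < LOCKOUT_SECONDS;
}

function record_failure(string $ip, int $now): void
{
    $attempts = load_attempts();
    $rec = $attempts[$ip] ?? ['count' => 0, 'last' => 0];
    // A window that has already expired starts a fresh count.
    if (($now - $rec['last']) >= LOCKOUT_SECONDS) {
        $rec['count'] = 0;
    }
    $attempts[$ip] = ['count' => $rec['count'] + 1, 'last' => $now];
    save_attempts($attempts);
}

function clear_failures(string $ip): void
{
    $attempts = load_attempts();
    unset($attempts[$ip]);
    save_attempts($attempts);
}

// Username/password login: lockout check first, then password_verify().
function login(string $username, string $password, string $storedHash, string $ip): bool
{
    $now = time();
    if (is_locked_out($ip, $now)) {
        error_log("login locked out ip=$ip user=$username ua=" . ($_SERVER['HTTP_USER_AGENT'] ?? '-'));
        return false;
    }
    if (password_verify($password, $storedHash)) {
        clear_failures($ip);
        return true;
    }
    record_failure($ip, $now);
    error_log("login failed ip=$ip user=$username");
    return false;
}

// Auth-key mode: a 64-hex-character key (32 random bytes) from the CSPRNG,
// compared in constant time so a wrong key cannot be guessed byte by byte.
function generate_auth_key(): string
{
    return bin2hex(random_bytes(32));
}

function check_auth_key(string $presented, string $configured): bool
{
    return hash_equals($configured, $presented); // not == or ===
}
```

The lockout check runs before password_verify() so a locked-out client cannot keep probing hashes, and the counter resets only on a successful login or an expired window. If Pebble sits behind a reverse proxy, the address you pass as $ip must be the real client address, not the proxy's, or every user shares one lockout counter.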
Session Security
- Session-based authentication with configurable timeout
- Auto-logout after inactivity (default: 30 minutes)
- IP address validation per session
- CSRF token protection on all mutations
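Session handling with the four properties listed above, as an added example and not Pebble's code: hardened cookie attributes, a 30-minute sliding inactivity timeout, per-session IP binding, session ID regeneration at login, and a per-session CSRF token that every state-changing request must present. The $_SESSION key names, SESSION_TIMEOUT and handle_mutation() are assumptions made for the illustration.

```php
<?php
// Added example (not Pebble's own code): session hardening and CSRF tokens.
// SESSION_TIMEOUT and the $_SESSION key names are assumptions.
declare(strict_types=1);

const SESSION_TIMEOUT = 30 * 60; // inactivity limit in seconds

// Start the session with hardened cookie attributes. 'secure' requires HTTPS.
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // browsers drop it on most cross-site POSTs
        'path'     => '/',
    ]);
    session_start();
}

// Returns false (and destroys the session) if it has expired or the client IP changed.
function session_is_valid(string $clientIp, int $now): bool
{
    if (!isset($_SESSION['user'])) {
        return false;
    }
    $expired = ($now - ($_SESSION['last_seen'] ?? 0)) > SESSION_TIMEOUT;
    $ipMoved = ($_SESSION['ip'] ?? '') !== $clientIp;
    if ($expired || $ipMoved) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now; // sliding inactivity window
    return true;
}

// Call after a successful login: fresh ID, bind to the IP, mint a CSRF token.
function establish_session(string $user, string $clientIp, int $now): void
{
    session_regenerate_id(true); // defeats session fixation
    $_SESSION['user']       = $user;
    $_SESSION['ip']         = $clientIp;
    $_SESSION['last_seen']  = $now;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Embed this in every form that changes state.
function csrf_field(): string
{
    $token = htmlspecialchars($_SESSION['csrf_token'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify on every non-GET request before touching any data.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Request flow for a mutating endpoint: session check, then CSRF check, then work.
function handle_mutation(): void
{
    start_secure_session();
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!session_is_valid($ip, time())) {
        http_response_code(401);
        exit('Not logged in');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the change ...
}
```

IP binding is a worthwhile check but it logs out users whose address changes mid-session (mobile networks, some corporate proxies), and behind a reverse proxy REMOTE_ADDR is the proxy's address unless the web server is configured to trust a forwarding header. The CSRF token is compared with hash_equals() for the same timing reason as an auth key.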
Data Protection
- Flat-file storage (no database, so no SQL injection surface)
- Content is sanitized on save to prevent stored XSS
- Path traversal protection on all file operations
- .htaccess protection on data directories
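A realpath()-based containment check of the kind the summary table describes, written as an added example for this page and not taken from Pebble. The content directory layout, the safe_path() name and the demonstration inputs are constructed for illustration; the function also handles the case the naive version misses, a file that does not exist yet because it is about to be created.

```php
<?php
// Added example (not Pebble's own code): confining every file operation to a
// base directory with realpath(). Layout and inputs below are constructed.
declare(strict_types=1);

// Resolve $relative under $baseDir and return the absolute path, or null if it
// escapes the base. Works for paths that do not exist yet by resolving the parent.
function safe_path(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // Reject NUL bytes outright: path functions refuse or truncate on them.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');

    $resolved = realpath($candidate);
    if ($resolved === false) {
        // Target does not exist (e.g. a page being created): validate its parent
        // directory instead, then append the final name component.
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $name = basename($candidate);
        if ($name === '' || $name === '.' || $name === '..') {
            return null;
        }
        $resolved = $parent . DIRECTORY_SEPARATOR . $name;
    }

    // The resolved path must be the base itself or live strictly beneath it;
    // the trailing separator stops /srv/content_old matching /srv/content.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demonstration: a throwaway content directory with one page and a
// file outside it, then a mix of legitimate and hostile inputs.
$tmp = sys_get_temp_dir() . '/pebble_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/content/posts", 0755, true);
file_put_contents("$tmp/content/posts/hello.md", "# hello\n");
file_put_contents("$tmp/secret.txt", "outside\n");

$inputs = [
    'posts/hello.md',          // exists: allowed
    'posts/new-page.md',       // does not exist yet: allowed
    '../secret.txt',           // classic traversal: rejected
    'posts/../../secret.txt',  // traversal through a real directory: rejected
    "posts/hello.md\0.txt",    // NUL byte: rejected
];
foreach ($inputs as $input) {
    $result = safe_path("$tmp/content", $input);
    printf("%-26s => %s\n", addcslashes($input, "\0"), $result ?? 'REJECTED');
}
```

The trailing separator in the prefix check matters: without it a sibling directory such as content_old would pass. realpath() follows symlinks, so a link inside the content tree that points outside is rejected as well, and it returns false for files that do not exist, which is why the function falls back to resolving the parent directory before appending the new file's name.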
Managing Credentials
Use the Security tab in the Control Panel to:
- Change your username or password
- Update your auth key
- View authentication activity logs
All credential changes require verification of your current credentials.
Best Practices
Use HTTPS
Always serve your site over HTTPS. This protects login credentials, auth keys and session cookies from interception. Most hosts offer free TLS certificates via Let's Encrypt.
Strong Passwords
Use a password of at least 12 characters with a mix of letters, numbers, and symbols. Avoid dictionary words and common patterns. Consider using a password manager.
Unique Auth Keys
If using auth key authentication, generate a unique random key. Never reuse keys across sites. A good auth key is 64 hexadecimal characters (32 random bytes) produced by a cryptographically secure random number generator, not by hand or by a general-purpose rand() call.
Regular Backups
Use the Control Panel's backup feature regularly, especially before making major content changes. Store backup copies off-server for disaster recovery.
Keep Pebble Updated
Check for updates in the Control Panel and apply them promptly. Security patches are released as needed.
Secure File Permissions
- Directories: 755 (rwxr-xr-x)
- PHP files: 644 (rw-r--r--)
- Config files: 600 (rw-------) if your server allows (the file must be owned by the user PHP runs as, or it will not be readable)
- Never use 777 permissions
Protect config.php
The config.php file contains your authentication credentials. Ensure it's:
- Not publicly accessible (the .htaccess file blocks this by default)
- Not committed to version control (add to .gitignore)
- Backed up separately and securely
Monitor Activity Logs
Regularly check the Activity Log in the Control Panel for unexpected access patterns or failed login attempts from unknown IPs.
Limit Access
Only give editing access to people who need it. With Pro's multi-user feature, use role-based permissions to limit what each user can do.
Security Features Summary
| Feature | Description |
|---|---|
| BCrypt Hashing | Passwords are hashed with BCrypt (cost factor 10) |
| Rate Limiting | 5 failed attempts = 15-minute lockout |
| CSRF Tokens | All state-changing requests require a valid per-session token |
| XSS Prevention | Content sanitized on save |
| Path Traversal | All file paths validated with realpath() |
| Session Security | httpOnly cookies, IP validation, auto-timeout |
| No localStorage | Authentication state is kept in the server-side session; credentials are never written to browser storage |
Next Steps
- Troubleshooting - Common issues and solutions
- API Reference - Authentication endpoints
- Contact - Report security issues