Adding & Removing Users on Bludit | OpsBlu Docs

Bludit is a flat-file CMS that stores user accounts as JSON files in the bl-content/databases/ directory. There is no database -- all user data lives in users.php as a serialized JSON structure. User management is handled through the admin panel at /admin/ or by directly editing the JSON files.

Adding Users via the Admin Panel

Creating a New User

  1. Log in to the Bludit admin at https://your-site.com/admin/
  2. Click Manage > Users in the sidebar
  3. Click the Add new user button
  4. Fill in the required fields:
    • Username (lowercase, alphanumeric only -- this cannot be changed later)
    • Password (minimum 6 characters)
    • Role: Admin, Editor, or Author
  5. Optionally fill in First name, Last name, Email, and Social media fields
  6. Click Save

The user can immediately log in at /admin/.

Understanding Bludit Roles

Role     Capabilities
Admin    Full access: manage users, change settings, install plugins/themes, create/edit/delete all content
Editor   Create, edit, and delete all pages (including other users' content), manage categories and tags
Author   Create new pages and edit/delete only their own pages

Adding Users via JSON Files

Since Bludit is flat-file, you can create users directly by editing the database file, bl-content/databases/users.php. This is useful for automated deployments or recovering from a locked-out admin. The file starts with a <?php line to prevent direct browser access, and the JSON follows it:

<?php
{
    "admin": {
        "firstName": "Site",
        "lastName": "Admin",
        "nickname": "",
        "description": "",
        "role": "admin",
        "password": "$2y$10$hashed_password_here",
        "salt": "random_salt_string",
        "email": "admin@example.com",
        "registered": "2025-01-15 10:00:00",
        "tokenEmail": "",
        "tokenEmailTTL": "",
        "tokenAuth": "",
        "tokenAuthTTL": "",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "jsmith": {
        "firstName": "John",
        "lastName": "Smith",
        "nickname": "",
        "description": "",
        "role": "editor",
        "password": "$2y$10$...",
        "salt": "...",
        "email": "jsmith@example.com",
        "registered": "2025-06-20 14:30:00",
        "tokenEmail": "",
        "tokenEmailTTL": "",
        "tokenAuth": "",
        "tokenAuthTTL": "",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}

Generating a Password Hash via CLI

Bludit uses password_hash() with PASSWORD_BCRYPT. Generate a hash from the command line:

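# Generate a bcrypt hash for a new user password
# (the literal password is saved in shell history and is visible in the process list while this runs)
php -r "echo password_hash('NewUserPassword123', PASSWORD_BCRYPT) . PHP_EOL;"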

# Output: $2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Generate a random salt
php -r "echo bin2hex(random_bytes(16)) . PHP_EOL;"

Then insert the username block into bl-content/databases/users.php with the generated hash and salt.

Removing Users

Removing via the Admin Panel

  1. Go to Manage > Users
  2. Click on the username you want to remove
  3. Scroll to the bottom and click Delete
  4. Confirm the deletion

What Happens to Their Content

When you delete a user in Bludit:

  • All pages authored by that user are reassigned to the admin who deleted them
  • The original author attribution is lost -- there is no "previous author" record
  • Published pages remain live and unchanged in content
  • Draft pages are preserved and transferred
  • Scheduled pages are transferred but keep their scheduled date
  • There is no "deactivate" option -- deletion is permanent

Removing via File System

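# To remove a user by editing the JSON file directly:
# 1. Back up the file first
# Keep the .php extension on the copy: a .bak file under the web root may be
# served as plain text, which would expose the password hashes
cp -p bl-content/databases/users.php bl-content/databases/users.bak.php

# 2. Remove the user's JSON block with jq
# Copy the first line (the PHP prefix) unchanged and run jq on the rest.
# jq is the last command in the group, so if it fails the mv is skipped
# and users.php is left untouched.
{ head -n 1 bl-content/databases/users.php && \
  tail -n +2 bl-content/databases/users.php | jq 'del(.jsmith)'; } \
  > bl-content/databases/users.php.tmp && \
  mv bl-content/databases/users.php.tmp bl-content/databases/users.php
# The new file gets default ownership and mode: re-apply the chown/chmod from File Permissions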

# 3. Reassign their pages manually
# Pages are stored in bl-content/pages/{slug}/index.txt
# Edit the "username" field in each page's index.txt
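
The same removal with guard rails, as an added example in Python (not part of the original page or of Bludit itself): it keeps the file's first line, refuses to delete the only admin, and replaces the file atomically with owner-only permissions. The function name remove_user and the sample data are assumptions made for illustration.

```python
import json
import os
import tempfile


def remove_user(db_path, username):
    """Delete one user from a Bludit-style users.php; return the remaining usernames."""
    with open(db_path, encoding="utf-8") as fh:
        header, _, body = fh.read().partition("\n")  # line 1 is the PHP prefix
    users = json.loads(body)  # raises on corrupt JSON, so nothing gets overwritten
    if username not in users:
        raise KeyError(f"no such user: {username}")
    admins = [name for name, rec in users.items() if rec.get("role") == "admin"]
    if admins == [username]:
        raise ValueError("refusing to remove the only admin account")
    del users[username]

    # Write a sibling temp file, then rename it over the original in one step.
    # mkstemp creates the file with mode 0600, matching the chmod 600 advice.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(db_path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(header + "\n" + json.dumps(users, indent=4))
        os.replace(tmp_path, db_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return sorted(users)


if __name__ == "__main__":
    # Constructed sample database, not real data.
    sample = {"admin": {"role": "admin"}, "jsmith": {"role": "editor"}}
    demo = os.path.join(tempfile.mkdtemp(), "users.php")
    with open(demo, "w", encoding="utf-8") as fh:
        fh.write("<?php\n" + json.dumps(sample))
    print(remove_user(demo, "jsmith"))
```

The rewritten file is owned by whoever runs the script, so run it as the web server user or re-apply the chown from the File Permissions section.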

Bulk User Management

Bludit has no built-in bulk user management UI. For bulk operations, write a script that manipulates the JSON database:

<?php
// bulk-add-users.php -- Run from the Bludit root directory
// Usage: php bulk-add-users.php < users.csv

define('USERS_DB', 'bl-content/databases/users.php');

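// Read existing users (skip the PHP prefix on the first line)
$content = file_get_contents(USERS_DB);
$json = substr($content, strpos($content, "\n") + 1);
$users = json_decode($json, true);
if (!is_array($users)) {
    // Abort rather than overwrite the database with only the new users
    fwrite(STDERR, "ERROR: could not parse " . USERS_DB . "\n");
    exit(1);
}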

// Read CSV: username,password,email,role,firstname,lastname
$handle = fopen('php://stdin', 'r');
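while (($row = fgetcsv($handle)) !== false) {
    // Skip blank or short rows rather than importing a partial record
    if (count($row) < 6) {
        echo "SKIP: malformed row\n";
        continue;
    }
    list($username, $password, $email, $role, $first, $last) = $row;

    // Accept only lowercase alphanumeric usernames and the three Bludit roles
    if (!preg_match('/^[a-z0-9]+$/D', $username) || !in_array($role, ['admin', 'editor', 'author'], true)) {
        echo "SKIP: invalid username or role for '$username'\n";
        continue;
    }

    if (isset($users[$username])) {
        echo "SKIP: $username already exists\n";
        continue;
    }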

    $users[$username] = [
        'firstName'     => $first,
        'lastName'      => $last,
        'nickname'      => '',
        'description'   => '',
        'role'          => $role,
        'password'      => password_hash($password, PASSWORD_BCRYPT),
        'salt'          => bin2hex(random_bytes(16)),
        'email'         => $email,
        'registered'    => date('Y-m-d H:i:s'),
        'tokenEmail'    => '',
        'tokenEmailTTL' => '',
        'tokenAuth'     => '',
        'tokenAuthTTL'  => '',
        'twitter'       => '',
        'facebook'      => '',
        'instagram'     => '',
        'codepen'       => '',
        'linkedin'      => '',
        'github'        => '',
        'gitlab'        => '',
    ];
    echo "ADDED: $username ($role)\n";
}
fclose($handle);

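// Write back, keeping the file's original first line as the PHP prefix
$header = substr($content, 0, strpos($content, "\n"));
file_put_contents(USERS_DB, $header . "\n" . json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
echo "Done. Total users: " . count($users) . "\n";

# Run the bulk import (the quoted heredoc keeps the shell from expanding ! or $ in passwords)
php bulk-add-users.php <<'CSV'
jsmith,Pass123!,j@example.com,editor,John,Smith
jdoe,Pass456!,jd@example.com,author,Jane,Doe
CSV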

Security Considerations

Bludit does not support SSO, LDAP, or OAuth out of the box. Authentication is entirely local.

Hardening User Access

bl-content/databases/site.php -- relevant security settings (minutesOfBan and numberAttemptsOfBan control the login brute-force protection):

{
    "autosaveInterval": 2,
    "extremeFriendly": true,
    "timezone": "America/Chicago",
    "minutesOfBan": 5,
    "numberAttemptsOfBan": 10
}

For additional security, use a plugin or reverse proxy to enforce:

  • IP-based access control on /admin/ paths
  • HTTP Basic Auth as a secondary layer via .htaccess:

# .htaccess -- Protect admin directory
<Files "admin">
  AuthType Basic
  AuthName "Restricted"
  AuthUserFile /path/to/.htpasswd
  Require valid-user
</Files>

File Permissions

Since user data is stored in flat files, file permissions are critical:

# Set proper ownership and permissions on user database
chown www-data:www-data bl-content/databases/users.php
chmod 600 bl-content/databases/users.php

# Remove the world-readable bit from any file under the content directory
find bl-content/ -type f -perm /o+r -exec chmod o-r {} \;

Offboarding Checklist

  1. Back up the users database before making changes
  2. Reassign content if you need to preserve author attribution
  3. Delete the user through the admin panel (simpler) or JSON file (scriptable)
  4. Check for uploaded media -- files uploaded by the user remain in bl-content/uploads/
  5. Rotate admin credentials if the departing user had admin access
  6. Review plugin access -- some plugins store per-user configuration
  7. Audit the users.php file to confirm the user block was fully removed
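
One way to script step 7 together with the File Permissions check, as an added example in Python (not part of the original page or of Bludit itself): a read-only audit that reports leftover accounts, loose file permissions, and usernames or roles outside the rules described above. The function name audit_users_db, the finding messages, and the sample data are assumptions made for illustration.

```python
import json
import os
import re
import stat

ROLES = {"admin", "editor", "author"}     # the three roles this page describes
USERNAME_RE = re.compile(r"[a-z0-9]+")    # lowercase, alphanumeric only


def audit_users_db(db_path, removed=()):
    """Read-only audit of a Bludit-style users.php; returns admins and findings."""
    findings = []
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {mode:o}: accessible beyond the owner")
    with open(db_path, encoding="utf-8") as fh:
        header, _, body = fh.read().partition("\n")  # line 1 is the PHP prefix
    if not header.startswith("<?php"):
        findings.append("first line is not a PHP prefix")
        return {"admins": [], "findings": findings}
    users = json.loads(body)
    for name in removed:
        if name in users:
            findings.append(f"{name}: offboarded account still present")
    for name, rec in users.items():
        if not USERNAME_RE.fullmatch(name):
            findings.append(f"{name}: username is not lowercase alphanumeric")
        if rec.get("role") not in ROLES:
            findings.append(f"{name}: unknown role {rec.get('role')!r}")
    admins = sorted(n for n, rec in users.items() if rec.get("role") == "admin")
    return {"admins": admins, "findings": findings}


if __name__ == "__main__":
    import tempfile
    # Constructed sample data, not a real database.
    sample = {"admin": {"role": "admin"}, "jsmith": {"role": "editor"}}
    path = os.path.join(tempfile.mkdtemp(), "users.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("<?php\n" + json.dumps(sample))
    print(audit_users_db(path, removed=["jsmith"]))
```

Reviewing the returned admins list after each offboarding also covers step 5, since it shows which accounts still hold admin access.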