GetSimple CMS is a flat-file CMS that stores all data as XML files. User accounts live in the data/users/ directory, with each user represented by a single XML file named after their username (e.g., jsmith.xml). GetSimple is designed as a single-user CMS by default -- multi-user support requires the Multi User plugin.
Single-User Mode (Default)
Out of the box, GetSimple has exactly one admin user. This account is created during installation and stored in data/other/user.xml:
<!-- data/other/user.xml -->
<item>
<USR>admin</USR>
<PWD>$2y$10$hashed_password_here</PWD>
<EMAIL>admin@example.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE>America/Chicago</TIMEZONE>
<LANG>en_US</LANG>
</item>
To change the admin credentials:
- Log in to the GetSimple admin at https://your-site.com/admin/
- Click Settings in the top navigation
- Update the Username, Email, or Password fields
- Click Save Settings
Enabling Multi-User Support
To add multiple users, install the Multi User plugin:
- Download the Multi User plugin from the GetSimple Extend repository
- Extract and upload to the plugins/ directory
- Log in to admin and go to Plugins
- Click Activate next to Multi User
Once activated, a new Users section appears in the admin navigation.
Adding a User with Multi User Plugin
- Go to Users in the admin navigation
- Click Add New User
- Fill in:
  - Username (alphanumeric, no spaces)
  - Email address
  - Password (and confirmation)
  - Permission Level:
    - Admin -- Full access to all settings, pages, files, and users
    - Editor -- Can create and edit pages, manage files; no access to settings or user management
    - View Only -- Can view pages in the admin but cannot edit anything
- Click Create User
Each user gets their own XML file in data/users/:
<!-- data/users/jsmith.xml -->
<item>
<USR>jsmith</USR>
<PWD>$2y$10$hashed_password_here</PWD>
<EMAIL>jsmith@example.com</EMAIL>
<PERMISSIONS>editor</PERMISSIONS>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE>America/Chicago</TIMEZONE>
<LANG>en_US</LANG>
</item>
Adding Users via the File System
Since GetSimple is flat-file, you can create users by adding XML files directly:
# Generate a bcrypt password hash
HASH=$(php -r "echo password_hash('NewUserPass123', PASSWORD_BCRYPT);")
# Create the user XML file
cat > data/users/jsmith.xml << XMLEOF
<?xml version="1.0" encoding="UTF-8"?>
<item>
<USR>jsmith</USR>
<PWD>$HASH</PWD>
<EMAIL>jsmith@example.com</EMAIL>
<PERMISSIONS>editor</PERMISSIONS>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE>America/Chicago</TIMEZONE>
<LANG>en_US</LANG>
</item>
XMLEOF
# Set proper file permissions
chown www-data:www-data data/users/jsmith.xml
chmod 644 data/users/jsmith.xml
Bulk User Creation Script
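#!/bin/bash
# bulk-create-gs-users.sh -- Create multiple GetSimple users from CSV
# CSV format: username,email,password,role
USERS_DIR="data/users"
while IFS=',' read -r username email password role; do
  # The username becomes a file name: allow alphanumerics only (no "/", "..", or spaces)
  case "$username" in
    ''|*[!A-Za-z0-9]*) echo "SKIP: invalid username '$username'"; continue ;;
  esac
  # Email and role are written into the XML unescaped, so reject markup characters
  case "$email$role" in
    *[\<\>\&]*) echo "SKIP: $username has an invalid email or role"; continue ;;
  esac
  if [ -f "$USERS_DIR/$username.xml" ]; then
    echo "SKIP: $username already exists"
    continue
  fi
  # Pass the password through the environment instead of pasting it into the
  # PHP source, so a quote in a password cannot break out of the string literal
  HASH=$(GS_PASSWORD="$password" php -r 'echo password_hash(getenv("GS_PASSWORD"), PASSWORD_BCRYPT);')
  cat > "$USERS_DIR/$username.xml" << XMLEOF
<?xml version="1.0" encoding="UTF-8"?>
<item>
<USR>$username</USR>
<PWD>$HASH</PWD>
<EMAIL>$email</EMAIL>
<PERMISSIONS>$role</PERMISSIONS>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE>America/Chicago</TIMEZONE>
<LANG>en_US</LANG>
</item>
XMLEOF
  chown www-data:www-data "$USERS_DIR/$username.xml"
  chmod 644 "$USERS_DIR/$username.xml"
  echo "ADDED: $username ($role)"
done < users.csv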
Removing Users
Removing via the Admin Panel
- Go to Users (requires Multi User plugin)
- Click the Delete icon next to the user
- Confirm the deletion
Removing via the File System
# Back up the user file first
cp data/users/jsmith.xml data/backups/jsmith.xml.bak
# Delete the user
rm data/users/jsmith.xml
echo "User jsmith removed"
What Happens to Their Content
When you remove a GetSimple user:
- Pages remain intact -- all page XML files in data/pages/ are independent of user accounts
- Page metadata may contain the original author's username, but GetSimple does not display per-page author info by default
- Uploaded files in data/uploads/ remain untouched
- Plugin settings that reference the user are not automatically cleaned up
- There is no "deactivate" option unless the Multi User plugin supports it -- deletion is the only built-in removal method
Deactivation Workaround
Since GetSimple has no built-in deactivation, you can simulate it by mangling the password:
# "Deactivate" a user by invalidating their password
# Prefix the hash with "DISABLED_" so it never matches
sed -i 's|<PWD>|<PWD>DISABLED_|' data/users/jsmith.xml
# "Reactivate" by removing the prefix
sed -i 's|<PWD>DISABLED_|<PWD>|' data/users/jsmith.xml
Security Considerations
GetSimple has minimal built-in security features. Since all data is flat-file, file-system security is critical.
Protecting User Data Files
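# Prevent direct HTTP access to data directory
# .htaccess in data/ directory
# Apache 2.4 uses "Require all denied"; "Deny from all" is the 2.2 syntax
cat > data/.htaccess << 'EOF'
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
EOF
# Or via nginx
# location /data/ {
#     deny all;
#     return 404;
# }
# Set restrictive permissions on the users directory
chmod 750 data/users/
chown -R www-data:www-data data/users/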
Brute-Force Protection
GetSimple does not include login rate limiting. Add it at the server level:
# Apache server or virtual-host configuration (requires mod_evasive;
# its directives are not accepted in .htaccess files)
<IfModule mod_evasive24.c>
    DOSPageCount 5
    DOSPageInterval 10
    DOSBlockingPeriod 60
</IfModule>
Login Logging
GetSimple logs login attempts in data/other/logs/:
# View recent login attempts
cat data/other/logs/failedlogins.log
# Monitor in real-time
tail -f data/other/logs/failedlogins.log
No LDAP/SSO Support
GetSimple CMS does not support LDAP, SAML, OAuth, or any external authentication provider. All authentication is local via the XML user files. For environments requiring SSO, consider:
- Placing the admin behind a reverse proxy with SSO (Cloudflare Access, Authelia, Keycloak proxy)
- Using HTTP Basic Auth as an additional layer on the /admin/ path
- Restricting admin access by IP address
# Restrict admin to specific IPs + basic auth
location /admin/ {
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
auth_basic "GetSimple Admin";
auth_basic_user_file /etc/nginx/.htpasswd;
}
Offboarding Checklist
- Delete the user XML file from data/users/ (or invalidate the password for soft deactivation)
- Review page content -- Check if any pages reference the departing user in content or metadata
- Check plugin data -- Some plugins store per-user preferences in data/other/
- Rotate the admin password if the departing user had admin access
- Audit file uploads -- Review data/uploads/ for any files the user added
- Back up before changes -- Copy the entire data/ directory before making user modifications
- Check server access -- Remove SSH keys and any IP-based allowlist entries for the departing user
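To verify the result of an offboarding pass or of the DISABLED_ deactivation workaround, the following added example (not part of GetSimple or of the original page) audits the user files in the XML layout shown above. The function names and the report format are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: audit GetSimple user XML files (layout as shown on this page).
# Function names and report format are illustrative, not part of GetSimple.

# Print the text of the first <TAG>...</TAG> element found in a file.
gs_field() {  # usage: gs_field TAG FILE
  sed -n "s|.*<$1>\(.*\)</$1>.*|\1|p" "$2" | head -n 1
}

# Classify the stored hash: disabled (the DISABLED_ prefix), bcrypt, or other.
gs_hash_state() {  # usage: gs_hash_state FILE
  case "$(gs_field PWD "$1")" in
    DISABLED_*) echo disabled ;;
    '$2y$'*)    echo active ;;
    '')         echo empty ;;
    *)          echo unknown-hash ;;
  esac
}

# One line per account: username role state [flags]
gs_audit() {  # usage: gs_audit USERS_DIR
  local f user role state flags
  for f in "$1"/*.xml; do
    [ -f "$f" ] || continue
    user=$(gs_field USR "$f")
    role=$(gs_field PERMISSIONS "$f")
    state=$(gs_hash_state "$f")
    flags=""
    # The file name identifies the account; a mismatch with <USR> deserves a look.
    [ "$user" = "$(basename "$f" .xml)" ] || flags="$flags name-mismatch"
    # Password-hash file readable by every local user.
    [ -n "$(find "$f" -perm -004)" ] && flags="$flags world-readable"
    # Accounts that still hold full access and can still log in.
    [ "$role" = "admin" ] && [ "$state" = "active" ] && flags="$flags active-admin"
    echo "$user ${role:-none} $state${flags:+ [${flags# }]}"
  done
}

# Run as: ./gs-audit.sh data/users
if [ $# -gt 0 ]; then
  gs_audit "$1"
fi
```

An account that was offboarded by the soft-deactivation method should report `disabled`; any remaining `active-admin` line is an account to review when rotating admin credentials.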