Adding & Removing Users on GetSimple CMS | OpsBlu Docs

Adding & Removing Users on GetSimple CMS

Adding & Removing Users on GetSimple CMS — setup, configuration, and best practices for GetSimple CMS.

GetSimple CMS is a flat-file CMS that stores all data as XML files. User accounts live in the data/users/ directory, with each user represented by a single XML file named after their username (e.g., jsmith.xml). GetSimple is designed as a single-user CMS by default -- multi-user support requires the Multi User plugin.

Single-User Mode (Default)

Out of the box, GetSimple has exactly one admin user. This account is created during installation and stored in data/other/user.xml:

<!-- data/other/user.xml -->
<item>
  <USR>admin</USR>
  <PWD>$2y$10$hashed_password_here</PWD>
  <EMAIL>admin@example.com</EMAIL>
  <HTMLEDITOR>1</HTMLEDITOR>
  <TIMEZONE>America/Chicago</TIMEZONE>
  <LANG>en_US</LANG>
</item>

To change the admin credentials:

  1. Log in to the GetSimple admin at https://your-site.com/admin/
  2. Click Settings in the top navigation
  3. Update the Username, Email, or Password fields
  4. Click Save Settings

Enabling Multi-User Support

To add multiple users, install the Multi User plugin:

  1. Download the Multi User plugin from the GetSimple Extend repository
  2. Extract and upload to plugins/ directory
  3. Log in to admin and go to Plugins
  4. Click Activate next to Multi User

Once activated, a new Users section appears in the admin navigation.

Adding a User with Multi User Plugin

  1. Go to Users in the admin navigation
  2. Click Add New User
  3. Fill in:
    • Username (alphanumeric, no spaces)
    • Email address
    • Password (and confirmation)
    • Permission Level:
      • Admin -- Full access to all settings, pages, files, and users
      • Editor -- Can create and edit pages, manage files; no access to settings or user management
      • View Only -- Can view pages in the admin but cannot edit anything
  4. Click Create User

Each user gets their own XML file in data/users/:

<!-- data/users/jsmith.xml -->
<item>
  <USR>jsmith</USR>
  <PWD>$2y$10$hashed_password_here</PWD>
  <EMAIL>jsmith@example.com</EMAIL>
  <PERMISSIONS>editor</PERMISSIONS>
  <HTMLEDITOR>1</HTMLEDITOR>
  <TIMEZONE>America/Chicago</TIMEZONE>
  <LANG>en_US</LANG>
</item>

Adding Users via the File System

Since GetSimple is flat-file, you can create users by adding XML files directly:

# Generate a bcrypt password hash
HASH=$(php -r "echo password_hash('NewUserPass123', PASSWORD_BCRYPT);")

# Create the user XML file
cat > data/users/jsmith.xml << XMLEOF
<?xml version="1.0" encoding="UTF-8"?>
<item>
  <USR>jsmith</USR>
  <PWD>$HASH</PWD>
  <EMAIL>jsmith@example.com</EMAIL>
  <PERMISSIONS>editor</PERMISSIONS>
  <HTMLEDITOR>1</HTMLEDITOR>
  <TIMEZONE>America/Chicago</TIMEZONE>
  <LANG>en_US</LANG>
</item>
XMLEOF

# Set proper file permissions
chown www-data:www-data data/users/jsmith.xml
chmod 644 data/users/jsmith.xml

Bulk User Creation Script

#!/bin/bash
# bulk-create-gs-users.sh -- Create multiple GetSimple users from CSV
# CSV format: username,email,password,role

USERS_DIR="data/users"

while IFS=',' read -r username email password role; do
  if [ -f "$USERS_DIR/$username.xml" ]; then
    echo "SKIP: $username already exists"
    continue
  fi

  HASH=$(php -r "echo password_hash('$password', PASSWORD_BCRYPT);")

  cat > "$USERS_DIR/$username.xml" << XMLEOF
<?xml version="1.0" encoding="UTF-8"?>
<item>
  <USR>$username</USR>
  <PWD>$HASH</PWD>
  <EMAIL>$email</EMAIL>
  <PERMISSIONS>$role</PERMISSIONS>
  <HTMLEDITOR>1</HTMLEDITOR>
  <TIMEZONE>America/Chicago</TIMEZONE>
  <LANG>en_US</LANG>
</item>
XMLEOF

  chown www-data:www-data "$USERS_DIR/$username.xml"
  chmod 644 "$USERS_DIR/$username.xml"
  echo "ADDED: $username ($role)"
done < users.csv

Removing Users

Removing via the Admin Panel

  1. Go to Users (requires Multi User plugin)
  2. Click the Delete icon next to the user
  3. Confirm the deletion

Removing via the File System

# Back up the user file first
cp data/users/jsmith.xml data/backups/jsmith.xml.bak

# Delete the user
rm data/users/jsmith.xml

echo "User jsmith removed"

What Happens to Their Content

When you remove a GetSimple user:

  • Pages remain intact -- all page XML files in data/pages/ are independent of user accounts
  • Page metadata may contain the original author's username, but GetSimple does not display per-page author info by default
  • Uploaded files in data/uploads/ remain untouched
  • Plugin settings that reference the user are not automatically cleaned up
  • There is no "deactivate" option unless the Multi User plugin supports it -- deletion is the only built-in removal method

Deactivation Workaround

Since GetSimple has no built-in deactivation, you can simulate it by mangling the password:

# "Deactivate" a user by invalidating their password
# Prefix the hash with "DISABLED_" so it never matches
sed -i 's|<PWD>|<PWD>DISABLED_|' data/users/jsmith.xml

# "Reactivate" by removing the prefix
sed -i 's|<PWD>DISABLED_|<PWD>|' data/users/jsmith.xml

Security Considerations

GetSimple has minimal built-in security features. Since all data is flat-file, file-system security is critical.

Protecting User Data Files

# Prevent direct HTTP access to data directory
# .htaccess in data/ directory
cat > data/.htaccess << 'EOF'
Deny from all
EOF

# Or via nginx
# location /data/ {
#   deny all;
#   return 404;
# }

# Set restrictive permissions on the users directory
chmod 750 data/users/
chown -R www-data:www-data data/users/

Brute-Force Protection

GetSimple does not include login rate limiting. Add it at the server level:

# .htaccess in admin/ directory
<IfModule mod_evasive24.c>
  DOSPageCount 5
  DOSPageInterval 10
  DOSBlockingPeriod 60
</IfModule>

Login Logging

GetSimple logs login attempts in data/other/logs/:

# View recent login attempts
cat data/other/logs/failedlogins.log

# Monitor in real-time
tail -f data/other/logs/failedlogins.log

No LDAP/SSO Support

GetSimple CMS does not support LDAP, SAML, OAuth, or any external authentication provider. All authentication is local via the XML user files. For environments requiring SSO, consider:

  • Placing the admin behind a reverse proxy with SSO (Cloudflare Access, Authelia, Keycloak proxy)
  • Using HTTP Basic Auth as an additional layer on the /admin/ path
  • Restricting admin access by IP address
# Restrict admin to specific IPs + basic auth
location /admin/ {
  allow 192.168.1.0/24;
  allow 10.0.0.0/8;
  deny all;

  auth_basic "GetSimple Admin";
  auth_basic_user_file /etc/nginx/.htpasswd;
}

Offboarding Checklist

  1. Delete the user XML file from data/users/ (or invalidate the password for soft deactivation)
  2. Review page content -- Check if any pages reference the departing user in content or metadata
  3. Check plugin data -- Some plugins store per-user preferences in data/other/
  4. Rotate the admin password if the departing user had admin access
  5. Audit file uploads -- Review data/uploads/ for any files the user added
  6. Back up before changes -- Copy the entire data/ directory before making user modifications
  7. Check server access -- Remove SSH keys and any IP-based allowlist entries for the departing user
返回顶部