Skip to main content

Renaming the admin folder

By default the admin SPA is deployed to /admin/ on Flexweg. You can rename that folder to anything you want — for example a random-looking string like /erf34f654GH3/ — to make it harder for crawlers and casual scanners to find the admin URL.

The admin auto-detects its folder name from the URL on every load and uses it as the prefix for every Flexweg API upload (config.js, plugin/theme bundle folders, etc.). No code change, no rebuild — just rename the folder via Flexweg's file manager.

How it works

When you open https://yoursite.flexweg.com/erf34f654GH3/, the admin's getAdminFolder() function reads window.location.pathname (/erf34f654GH3/), strips the trailing index.html if present, and returns "erf34f654GH3". From then on, every file upload is prefixed with that folder name.

The runtime loader fetches plugin / theme bundles via URLs relative to document.baseURI — so they resolve correctly regardless of the folder name. No change needed for that side either.

How to rename

  1. Open your Flexweg dashboard → File manager.
  2. Locate /admin/ and use the rename folder action.
  3. Enter the new name. Use only [a-z0-9-] characters for safety.
  4. Confirm. Flexweg renames the folder atomically — all sub-files move together.
  5. Open the admin at the new URL: https://yoursite.flexweg.com/<new-name>/. It should boot normally.

The admin doesn't need to be re-configured — Firestore data + Flexweg files moved together, and the admin auto-detects its new folder.

Two important rules

1. The admin must NOT be at the site root

If you put the admin at / (no subfolder), the setup form refuses to run. Mixing admin assets (config.js, plugin folders, theme bundles, external.default.json) with the public site's HTML pages would cause confusion and conflicts. Always keep the admin in a subfolder, even if you don't care about obscurity.

The setup form shows an amber banner explaining this when it detects a root deployment.

2. Rename atomically

Use Flexweg's "rename folder" action — it moves all the contents at once. If you copy + delete instead, you may end up with:

  • New name has all the files
  • Old name has stale files that 404 from the admin's perspective
  • Anyone with the old URL bookmarked still finds the admin (defeating the obscurity)

Atomic rename avoids all of this.

Update robots.txt

If you've configured the flexweg-sitemaps plugin to generate robots.txt, the default content includes Disallow: /admin/. If you renamed the admin folder, that line is out of date — crawlers will index the new path.

To fix:

  1. Open Settings → Sitemaps → robots.txt in the admin.
  2. Update the Disallow: line to match your new folder name.
  3. Click Save & regenerate robots.txt.

Or, since the new folder name is supposed to be obscure, you may prefer to remove the Disallow line entirely — including the path in robots.txt is itself a hint that there's something there. Without it, crawlers that don't know the URL won't try to index it. (The <meta name="robots" content="noindex"> tag in the admin's index.html still tells Googlebot not to index even if it stumbles upon the admin.)

Security through obscurity, not security

The random folder name only stops naive HTTP-level crawlers that try common paths (/admin, /wp-admin, /dashboard). It does NOT stop:

  • A targeted attacker who scrapes your site's HTML (which doesn't link to the admin, but social engineering can leak the URL)
  • Anyone who reads your browser history, bookmarks or notes
  • Insiders with admin / editor access

The real protection of the admin is:

  1. Firebase Authentication — strong password + optional MFA
  2. Firestore security rules — bootstrap admin email pinned, default-deny on all other collections
  3. Allowlist of authorised domains in the Firebase Console (Settings → Authentication → Sign-in method → Authorized domains) — Firebase only accepts auth requests from those domains

If you want stronger isolation, run the admin under a completely different domain (e.g. https://my-secret-admin.example.com/admin/) using Flexweg's custom domain feature. The CMS works the same way regardless of the URL.

Rolling back

Don't like the random name? Just rename the folder back. The admin will pick up the old name on the next load.

Continue