The admin panel you left unlocked

Ghost, Craft, Umbraco, Statamic: is your CMS admin sitting at the URL everyone guesses?

A content management system has two faces: the public site your visitors read, and the admin panel where you write it. The admin is the powerful one: it edits content, manages users, often runs code or templates, and it's protected by a single login. The catch is that every CMS puts its admin at a predictable path. Ghost is at /ghost. Craft is at /admin. Umbraco is at /umbraco. Statamic is at /cp. OctoberCMS is at /backend. An attacker doesn't have to discover where your admin lives; the CMS told them by being that CMS.

That predictability isn't itself a vulnerability; the login still stands between a stranger and your content. But a reachable admin panel is a target with a known address, and that changes the math: it's where credential-stuffing, brute-forcing, and every CMS-specific exploit get aimed. The first thing the scanner does is tell you whether yours is answering the public internet at all.

[Mockup: yoursite.com/ghost showing the Ghost admin login form (email address and password fields). Caption: Ghost admin login reachable from any IP on earth.]
The path is the CMS's default. An attacker knows it before they visit. The only thing in the way is your login.

Five CMSes, five doors an attacker already has the address of

These five are distinct products, but the exposure is one shape: a content admin reachable without authentication.

  • Ghost (/ghost) - the publishing platform's admin. Behind the login: every post, every member's data, the integrations, and the theme/template layer.
  • Craft CMS (/admin) - a powerful PHP CMS. Its admin shares the /admin path with other tools, so the scanner disambiguates it using Craft's own Powered by Craft CMS markers and the X-Powered-By: Craft CMS header, rather than confusing a Craft panel with a Strapi or Directus one.
  • Umbraco (/umbraco) - the .NET CMS backoffice. The full content tree, members, and the templating engine.
  • Statamic (/cp) - the flat-file Laravel CMS control panel. Content, users, and the addon surface.
  • OctoberCMS (/backend) - the Laravel-based CMS backend. Content, users, and its component system.

Each is gated on the product's own distinctive markup, not a path alone, so a hit means that specific CMS's admin is genuinely being served there, not that some page happens to return a 200.

Why a reachable admin is the start of the chain

A login page on the open internet is an invitation to attack the login. Three things follow naturally. Credential-stuffing: replay passwords from other breaches against your admin, and any reused password lets them in. Brute-forcing: a panel with no rate limit is an open guessing booth. CMS-specific exploits: every CMS accumulates CVEs, and many of them are only reachable once you can hit the admin surface; an outdated, exposed panel pairs a known door with a known hole. And the admin isn't a read-only view: most of these can edit templates or run plugins, which is a short path from "logged in" to "running code on your server."

$ scan yoursite.com
probing yoursite.com from outside, no credentials...
/ghost     Ghost admin login reachable
/umbraco   Umbraco backoffice reachable
/cp        Statamic control panel reachable
3 exposures visible to anyone. None required a login.
The panel being reachable is the finding. From here it's credential-stuffing, brute force, or a CMS-specific CVE.

Gate the panel, don't just trust the password

The password is your last line, not your only one. The strong move is to make the admin unreachable from the open internet in the first place.

# nginx: the admin path answers anyone
location /ghost   { proxy_pass http://app; }   # open
location /umbraco { proxy_pass http://app; }   # open
Restrict the admin path by IP or auth at the edge, then harden the login behind it.

Put an IP allowlist or VPN requirement in front of the admin path so only your team can even reach the login; an attacker who can't connect can't stuff credentials. Behind that, do the basics on the login itself: enforce two-factor, rate-limit attempts, ban weak passwords. And keep the CMS current, because an exposed and outdated panel is the combination that turns a guessable URL into a breach.
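As an added example (not the page's own snippet and not Ghost's or nginx's documentation), here is the open /ghost location from above rewritten the way this paragraph recommends: source-IP allowlist at the edge, with the login throttled behind it. The upstream address and the 203.0.113.0/24 team range are assumptions; the same pattern applies to /umbraco, /cp, /backend and /admin, with the caveat in the comments about sub-paths the public site itself calls.

```nginx
# Assumed: Ghost listens on 127.0.0.1:2368 behind nginx, and the team
# reaches the site from 203.0.113.0/24 (a documentation range standing in
# for your office or VPN egress). Adjust both before use.
limit_req_zone $binary_remote_addr zone=cms_admin:10m rate=10r/m;

upstream app { server 127.0.0.1:2368; }

server {
    listen 443 ssl;
    server_name yoursite.com;
    # ssl_certificate, ssl_certificate_key and the usual proxy headers
    # stay as in your existing config.

    # Public site: unchanged, answers everyone.
    location / {
        proxy_pass http://app;
    }

    # Caveat: some products route public-facing endpoints under the same
    # prefix as the admin. Ghost's Content API lives at /ghost/api/content/
    # and themes may call it (search, members), so it stays open here.
    # Check the equivalent for your CMS before gating the whole prefix.
    location /ghost/api/content/ {
        proxy_pass http://app;
    }

    # Admin UI and Admin API: only allowlisted sources ever see the login
    # form; everyone else gets a 403 instead of a password prompt. The
    # rate limit caps guessing even from a permitted-but-compromised host.
    location /ghost {
        allow 203.0.113.0/24;
        deny  all;
        limit_req zone=cms_admin burst=20 nodelay;
        proxy_pass http://app;
    }
}
```

If your team has no fixed egress address, replace the allow/deny pair with a VPN in front of the site or an edge authentication step (for example auth_basic on this location); integrations that call the Admin API from outside, such as theme deploys or automation, need their source addresses allowlisted as well.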

Reading it from outside

Whether your CMS admin answers the public internet is something a stranger settles by visiting the default path, which is exactly the check SurfaceCheckr runs, from outside, no credentials. Each probe requires the product's own content signatures to match (the Ghost app markers, Craft's powered-by header, Umbraco's backoffice markup), so it confirms the real panel rather than firing on any /admin that returns a page. It loads what the panel serves to an anonymous visitor and stops there; it never submits the login form or tries a password, since that would cross from passive into active. The finding is simply: this admin is reachable from anywhere, here's where. For the heavier-duty cousins, the database and infra panels and the self-hosted backends in the same boat are the next reads.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.