Boilerplate default access rules for Silverstripe websites


This module provides a standard set of rules for defining access to Silverstripe sites:

  • password validation configuration per NIST standards
  • password handling and management
  • password checking via pwnedpasswords API
  • multi-factor authentication setup (MFA)
  • security extensions
  • security reports
  • pending profiles

This module is under active development and should not be considered production-ready just yet.

We welcome testing and feedback via the GitHub issue tracker.


  • silverstripe/totp-authenticator - for MFA via a Time-based One-time Password
  • nswdpc/silverstripe-pwnage-hinter - provides pwned password/breached account assistance
  • silverstripe/security-extensions - provides features including sudo mode, password change on next sign in
  • silverstripe/securityreport - "Users, Groups and Permissions" report in the administration area for Administrators
  • spomky-labs/otphp - TOTP base library

See composer.json for details.


See _config/config.yml.

Note that this module provides the ability to configure the MFA secret key via per-project YAML rather than in .env.

More: Multi Factor Authentication


Password validator

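If you set a PasswordValidator in project configuration like so:

// Create a framework validator and register it as the validator for Member passwords
$validator = \SilverStripe\Security\PasswordValidator::create();
\SilverStripe\Security\Member::set_password_validator($validator);

it will replace the password validator provided in this module.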






We welcome bug reports, pull requests and feature requests on the GitHub issue tracker for this project.

Please review the code of conduct prior to opening a new issue.

Development and contribution

If you would like to contribute to the module, please raise a pull request and discuss it with the module maintainers.

Please review the code of conduct prior to completing a pull request.