First boot and admin login

What this covers

You finished Install Scriptor. The site renders; the editor is reachable. This page walks the very first login and the one-step you should not skip: change the seed password if you used the documented demo one.

Plan for five minutes.

Walkthrough

Step 1: Visit the editor

The editor lives at /editor/ under whatever URL your site is served from. Concretely:

  • Docker quickstart: http://localhost:8080/editor/
  • Local PHP server: http://127.0.0.1:8080/editor/
  • Production: https://your-domain/editor/

A login form appears with two fields (username and password) and a submit button labeled Login. If you see a 404 instead, re-check the install step. The editor only mounts after the database is seeded.

Step 2: Log in

Use the credentials you set during install:

  • Username: admin (always, on first boot)
  • Password: what you typed when bin/scriptor install asked for it, or gT5nLazzyBob for the bundled Docker demo.

After a successful login the editor redirects to its home: a short "Dashboard" page with the message "Pick a module from the sidebar to start editing." The sidebar on the left lists the three default modules (Pages, Settings, Plugins); the top-right has your Profile and a Logout action.

If you see "Authentication failed" instead, see the troubleshooting section below before retrying.

Step 3: Change the seed password (Docker quickstart only)

If you used the Docker quickstart and logged in with gT5nLazzyBob, change that password now. The credential is public (documented in this guide, the Scriptor README, and the demo container's entrypoint). Anyone who can reach your editor URL knows it.

From the top-right menu, click Profile. The form shows your email, password, and (optionally) other profile fields. Type a new password in the Password field (8 characters minimum, same floor as the install command), confirm it in Confirm password, and click Save.

The password change takes effect immediately. The next login prompt will reject the old one.

If you used the native install path and set your own password during bin/scriptor install, you can skip this step; the password is already yours.

Step 4: Confirm everything works

You should now be able to:

  • Click Pages in the sidebar and see at least one row (the seed Home page).
  • Click Settings and see the site-wide configuration form.
  • Click Plugins and see at least one row (the core editor plugin); more if you installed any.
  • Click Logout in the top-right and land back on the login form.

If all four work, the editor is fully booted. The editor UI tour walks you through the rest of the chrome.

What to check after

  • The login form rejects the old seed password (if you changed it).
  • The editor home shows "Pick a module from the sidebar to start editing" (the placeholder until you click something).
  • The site frontend (/) still renders as before; logging into the editor does not change what visitors see.

Troubleshooting

"Authentication failed" with the right credentials

Three common causes:

  1. Caps Lock. The password field suppresses echo, so a stray Caps Lock is invisible until the rejection.
  2. Trailing whitespace. Pasting from a password manager sometimes includes a newline. Re-type the password by hand.
  3. You used the install command but never confirmed. If you typed a password but never confirmed it on the second prompt, the install rolled back. Re-run bin/scriptor install (it refuses if seeding actually happened, so a quiet success means the issue is elsewhere).

Login form keeps redirecting back to itself

Sessions are not being persisted. The most common cause is a read-only data/ directory. The session store lives under data/sessions/ and the web server's user needs write access.

For Docker, this is handled by the image. For native installs:

chmod -R u+w data/
chown -R www-data:www-data data/   # or your web server's user

"Account locked" after a few wrong attempts

The login flow rate-limits failed attempts via LoginAttempts. The default is 5 attempts, then a 5-minute lockout. The lockout clears automatically; wait it out, then try again with the right password. The threshold is configurable through maxFailedAccessAttempts and accessLockoutDuration in data/settings/custom.scriptor-config.php, but the defaults are the recommended brute-force defence; relax them only if you have a good reason.

See also

  • Editor UI tour: what every sidebar item and top-bar action does
  • Users and access: add a second editor account, change passwords, role basics
  • Install Scriptor: if first boot fails, the issue is usually upstream of this page
  • docs/install.md in the Scriptor repo: full security rationale for the password floor and the rate-limiter