Documentation

MonoCMS 3.0

MonoCMS has been published since 2016 as 'MonoCMS beta', MonoCMS 1.0. This was the first period of development, which finished in 2018-19 and is known as MonoCMS 1.0, even though we didn't specifically state that all these versions are part of 1.0. Many of these versions had names like "monocms 2.0", but they should not be confused with the subsequent versions from 2021 (see a full list).

The first version of 2021 was at the time the biggest update and is named MonoCMS 2.0. MonoCMS 2.0 dropped theme support and the menu builder as basic features, supported a new simple plugin and extensions system, added some more xml based configurations and is targeted at a range of users, such as programmers, designers, students and simple users who need to build their personal website.


MonoCMS 3.0 is a more mature and complete version suitable for everyone. Plugins and Extensions are not supported anymore and categories have been upgraded with additional publishing options. A new function, print_posts(), allows users to publish multiple post feeds in addition to the standard index, posts and pages content. Designers can use this function to create content sections that can be managed through the control panel.




Login and security

session_name('MON');
session_start();
if (session_name() == 'MON')
if ( !isset($_SESSION['username'])) {
 ...
The user identification starts with the session_start() function, which initiates a new or continues an existing session. A name is used so that the system can maintain a safe single user connection. PHP always stores a corresponding cookie in the browser of the user, which includes a unique ID. Similarly, the session must be distinct from any session that might exist on the same domain or website. Sessions are saved inside 'monofiles/session'.
See also the cryptography section below for more security information.


SimpleXML

Using SimpleXML is very common when working with xml files, like the example below:
$monousers = new SimpleXMLElement('filesinfo/log.xml', 0, true);

This way we gather all user data into a SimpleXML element and continue to user identification and data saving in the log file. If the combination of username and password given by the user exists in the file, the user is allowed to enter the control panel. Note that while the username is stored in the session and saved in the log file, the user's password is never stored, either in the session or in the log file. User identification is based on the password_hash family of functions: password_verify takes the stored hashed password as a parameter. Hashed passwords are saved inside the 'monofiles/filesinfo/log.xml' file.


Use of functions

It is easy to use some of the system functions, to write your own code and pages. Some examples:

Load the xml file of a page and print the title

$page = simplexml_object('filename','l','page');
echo $page->pageinfo->page->title;


Load the settings using getXMLSettings function

$settings = getXMLSettings();

This will load an array() with the results

$settings = ['ownerid' => ...
             'title' => ...
             'description' => ...
             ... => ...
            ];

Print a post title

echo getxmlpost('path_to_xmlfile_of_post')['title'];

These functions and many more can be found in monofiles/log.php file.


The print_posts() function

The print_posts function is introduced in MonoCMS 3.0. It publishes posts based on parameters and it can be called as many times as we want. The parameters are saved inside monofiles/filesinfo/print_content.xml.
Posts are included in the final results if these parameters are found in them; the parameters can also limit or modify the results.

Usage is very simple: print_posts('example'), where 'example' is the name of an entry inside the xml file.
Read the xml file for more details on how this function can be used.



Cryptography - User login

password_hash is used for password hashing. The password hash is saved and compared to the hash of the password given by the user, using password_verify:
password_verify($_POST['password'],$password);

Using password_needs_rehash, PHP checks whether or not the password needs to be re-hashed, which usually happens in two cases:
- When a different version of PHP, which has a different default hashing algorithm, has been installed.
- When set-cost.php gives us a different cost result than the previous value. The cost is a parameter of the password_hash and password_needs_rehash functions and regulates the complexity of hashing by delaying the execution of these functions.

In our case the value of cost depends on the server performance. MonoCMS follows the PHP example of automatically finding a good cost. After a hardware upgrade, a transfer of the system to another server, or even just a usual login, it is possible that the cost will change and force password_needs_rehash to re-hash the user password. This is done while the user is logging in:
password_needs_rehash($password, PASSWORD_DEFAULT, ["cost" => $cost]);
In the line above, if the new value of $cost is not the same as the value of cost contained in $password, the password is going to be re-hashed.

Re-hashing starts in set-cost.php
$phtime = 0.5; // 500 ms

for ($cost = 4; ; $cost++){

#password_hash speed test

...
Here the time is set at 500 milliseconds, which is a good option for an admin panel. We test password_hash speed, starting from cost = 4. If the test is completed in less than the given time, the cost value increases by 1 and the test is repeated. If the completion time is more than the given time, the test is terminated and we save the result.


If a password_hash test lasts more than 1 second, the cost and the hashed password remain the same.
Below is an example of manually applying a cost:
password_needs_rehash($password, PASSWORD_DEFAULT, ["cost" => 11]);
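
The login-time check and re-hash described in this section, as an added example (not MonoCMS code): find_cost() and login() are hypothetical names, the account hash is constructed sample data, and PASSWORD_DEFAULT is assumed to be bcrypt as in current PHP releases.

```php
<?php
// Added illustration, not MonoCMS source. Function names are hypothetical.

// Raise the cost from 4 until one hash takes longer than $target seconds.
// $max caps the search so a very fast host cannot loop without bound.
function find_cost(float $target = 0.5, int $max = 14): int
{
    for ($cost = 4; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_DEFAULT, ['cost' => $cost]);
        if (microtime(true) - $start > $target) {
            break;
        }
    }
    return $cost;
}

// Verify first: only a successful login has the plaintext needed to re-hash.
// password_needs_rehash() only reports a mismatch, it never changes the hash.
function login(string $submitted, string &$stored, int $cost): bool
{
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    $options = ['cost' => $cost];
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, $options)) {
        $stored = password_hash($submitted, PASSWORD_DEFAULT, $options);
        // A real system writes $stored back to its account store here.
    }
    return true;
}

// Constructed sample: an account whose hash was created at the minimum cost.
$stored = password_hash('correct horse', PASSWORD_DEFAULT, ['cost' => 4]);
$cost   = find_cost(0.05); // short target keeps the demonstration quick

// Failed attempt: the stored hash is left alone.
var_dump(login('wrong guess', $stored, $cost));
echo password_get_info($stored)['options']['cost'], "\n";

// Successful attempt: the stored hash is upgraded to the measured cost.
var_dump(login('correct horse', $stored, $cost));
echo password_get_info($stored)['options']['cost'], "\n";
```
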


User block

A user is blocked after a few failed login attempts, by blocking the user's ip address. A blocked user is prevented from reaching the login page. You can change the values of this function by modifying the next lines inside data_connect.php
# Failed login attempts before blocking a user
$block = 8;
# Minutes passed to unblock a user
$unblock = 15;
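
How the two values interact, as an added example (not the code in data_connect.php): record_failure() and is_blocked() are hypothetical names, the in-memory array stands in for whatever storage the CMS uses, and the rule that the counter is forgotten once $unblock minutes pass without a new failure is an assumption.

```php
<?php
// Added illustration, not MonoCMS source. Function names are hypothetical.
$block   = 8;   // failed login attempts before blocking (value from the page)
$unblock = 15;  // minutes passed to unblock (value from the page)

// $failures maps an IP to ['count' => int, 'last' => unix time].
// Key on $_SERVER['REMOTE_ADDR']; headers such as X-Forwarded-For are
// supplied by the client and would let it pick its own counter.
function record_failure(array &$failures, string $ip, int $now): void
{
    $failures[$ip]['count'] = ($failures[$ip]['count'] ?? 0) + 1;
    $failures[$ip]['last']  = $now;
}

function is_blocked(array &$failures, string $ip, int $now, int $block, int $unblock): bool
{
    if (!isset($failures[$ip])) {
        return false;
    }
    if ($now - $failures[$ip]['last'] >= $unblock * 60) {
        unset($failures[$ip]); // window elapsed: forget the old attempts
        return false;
    }
    return $failures[$ip]['count'] >= $block;
}

// Constructed sample: one address from the documentation range fails
// $block times, one second apart.
$failures = [];
$ip = '203.0.113.7';
$t0 = 1700000000;
for ($i = 0; $i < $block; $i++) {
    record_failure($failures, $ip, $t0 + $i);
}
$last = $t0 + $block - 1;

// One minute after the last failure, then exactly $unblock minutes after it.
var_dump(is_blocked($failures, $ip, $last + 60, $block, $unblock));
var_dump(is_blocked($failures, $ip, $last + $unblock * 60, $block, $unblock));
// An address with no recorded failures.
var_dump(is_blocked($failures, '198.51.100.9', $last, $block, $unblock));
```
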

log.php and saved data

Most of the control panel data is saved in /monofiles/filesinfo folder. Many of the actions performed to manage this data can be found in log.php

- Gather general information like the total number of posts, the total number of pages, the date of the last failed login attempt and the last modification date of any of the above. 

This is how to get the total number of pages
include 'log.php';
get_log('pages');


- Load personal account information. We do this by using either the username or the userID as a parameter. The userID is a unique code which is stored along with other account information
include 'log.php';
get_account($_SESSION['userID'])['rights'];

In the example above, we get the user's account type, using the userID that we have previously saved in the session.
Note: Despite the fact that the userID is saved alongside the username, it is not a password and it doesn't grant any access to the user.

- Update user account or log.xml info. For example, this is how we can change the total number of posts to 12

include 'log.php';
update_log('posts', 12);

Update an account
include 'log.php';
update_account($id,'set');

We can also delete an account in a similar way
include 'log.php';
update_account($id,'delete');

The $id variable contains the userID.


Saving data in MonoCMS is basically done by writing to xml files.
Saving in session is also a method of storing information, mainly used for control panel needs and all of the data is deleted as soon as the user is logged out. Xml and htm files are useful when we want to store posts and pages data, like text, titles, images etc. You save most of the posts information inside xml files, except for the main body of a post, which is saved in a separate htm file. Xml is used for the majority of data storing such as user accounts info and logging activity.

User accounts

Account management allows multiple users to have access to the control panel, using their username and password. There are two different types of accounts: Administrator and author. The main account which is used to install the CMS is also an administrator but also has owner rights, allowed only to a single account each time. Owners cannot be deleted and other administrators cannot edit their account.

As an administrator, the user has complete access to control panel. Authors can only create their own posts and also have access to some personal account settings.

In general:

- Only administrators have access to account manager.
- Every administrator can create or delete accounts of other administrators and authors.
- An administrator account's rights can be changed to author and back.
- Administrators can delete their own account as well.



Backup

Most web servers are usually configured to keep your website backup, but it is really easy with MonoCMS as well. More specifically:

/monofiles/autosaves/: Contains all posts.
/monofiles/savedpages/: Contains all pages.
/monofiles/filesinfo/: Contains all user accounts, log info and system settings.

Posts are also saved inside folders using the current year as a name, like 2025, 2026 etc, in home directory.




Last update on 31 Oct, 2025.