Secure rapid application development.
UserSpice is the PHP foundation for shipping real apps fast — without re-inventing auth, permissions, rate limiting, passkeys, or a security dashboard. Drop it in, get out of the way, build the thing.
Get running in minutes.
Four ways to get UserSpice up. Pick the one that fits your project — they all land in the same place.
01 Self-hosted
Download & install
Grab the latest release, unzip it on your web server, and point your browser at the folder. The installer takes you the rest of the way — database, admin user, done.
1. Download the latest UserSpice release zip.
2. Unzip it into your web root, or any subfolder under it.
3. Visit the domain (or folder URL) in your browser; the installer loads automatically.
4. Walk through the installer.
02 Containerized
Docker
The official UserSpice container. One command and you have an isolated, reproducible environment — clean for local dev, ready for production.
$ git clone https://github.com/mudmin/userspice-docker
$ cd userspice-docker
$ docker compose up -d
03 Managed
UserSpice managed hosting
Hosting tuned by the team that builds UserSpice. PHP, database, mail, and security settings are pre-configured, and the stack is kept current — so you can focus on the application instead of the server.
- Pre-installed & ready
- Tuned PHP / MySQL
- Free SSL
- Stack kept current
04 Done-for-you
Let us build it for you
Skip setup entirely. The team behind UserSpice will design, build, deploy, and maintain your application end-to-end — including custom features, integrations, and migrations from legacy stacks.
- Custom development
- Security analysis
- Migrations & upgrades
- Database optimization
- Ongoing support
The boring 30% — already done, and done right.
Not plugins or paid add-ons. Every feature below ships in the box, configured from a real admin panel.
Security Dashboard
A live posture score with one-click fixes for the things that are wrong. Watches PHP version and EOL date, security headers, CSP, HTTPS, cookie flags, passkey RP ID, TOTP encryption, and known-bad configurations — and tells you exactly what to flip and why.
- Live posture score
- PHP EOL tracking
- 5 security headers + CSP
- One-click recommendations
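To make the kind of check the dashboard performs concrete, here is an added example of a response-header posture audit. It is not UserSpice code: the header set, the HSTS threshold, the CSP heuristics and the two constructed responses (WEAK and HARDENED) are this example's own assumptions, chosen to show a weak configuration beside the corrected one.

```python
"""Added example (not UserSpice code): score an HTTP response's security
headers, CSP and cookie flags, and emit the one-line fix for each failure."""
from typing import Dict, List, Tuple

# Recommended values, phrased as the fix a dashboard would suggest (assumed set).
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "x-content-type-options": "X-Content-Type-Options: nosniff",
    "x-frame-options": "X-Frame-Options: DENY (or a CSP frame-ancestors directive)",
    "referrer-policy": "Referrer-Policy: strict-origin-when-cross-origin",
    "permissions-policy": "Permissions-Policy: camera=(), microphone=(), geolocation=()",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self' cdn' -> {directive: [sources]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header; 0 when absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit(headers: Dict[str, str], set_cookies: List[str], https: bool) -> Tuple[int, List[str]]:
    """Return (score 0-100, findings). Each finding is the fix for one failed check."""
    h = {k.lower(): v for k, v in headers.items()}
    results: List[Tuple[bool, str]] = []

    results.append((https, "Served over plain HTTP: enable HTTPS before anything else."))
    for name, fix in REQUIRED_HEADERS.items():
        results.append((name in h, f"Missing header; set {fix}"))
    # 180 days is a common scanner threshold; a tiny max-age gives little protection.
    results.append((hsts_max_age(h.get("strict-transport-security", "")) >= 15552000,
                    "HSTS max-age below 180 days; raise it to at least 15552000."))

    csp = h.get("content-security-policy")
    if csp is None:
        results.append((False, "Missing Content-Security-Policy; start from default-src 'self'."))
    else:
        policy = parse_csp(csp)
        script = policy.get("script-src", policy.get("default-src", []))
        # With a nonce or hash present, CSP-aware browsers ignore 'unsafe-inline'.
        nonced = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
        results.append((not ("'unsafe-inline'" in script and not nonced),
                        "CSP permits inline scripts without nonces/hashes; XSS is not mitigated."))
        results.append(("*" not in script and "'unsafe-eval'" not in script,
                        "CSP script-src allows any origin or eval; restrict to named origins."))

    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        results.append(({"secure", "httponly"} <= attrs and "samesite" in attrs,
                        f"Cookie {name!r} lacks Secure/HttpOnly/SameSite flags."))

    failed = [msg for ok, msg in results if not ok]
    score = round(100 * (len(results) - len(failed)) / len(results))
    return score, failed


# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}
WEAK_COOKIES = ["PHPSESSID=abc123; Path=/"]
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"}
HARDENED_COOKIES = ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies, tls in (("weak", WEAK, WEAK_COOKIES, False),
                                      ("hardened", HARDENED, HARDENED_COOKIES, True)):
        score, findings = audit(hdrs, cookies, https=tls)
        print(f"{label}: {score}/100")
        for f in findings:
            print("  -", f)
```

The scoring is deliberately flat (every check weighs the same) so the list of findings, not the number, is what a reader acts on; a real dashboard would weight missing HTTPS far above a short Referrer-Policy.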
Passkeys (WebAuthn)
Phishing-resistant, passwordless login on the WebAuthn / FIDO2 standard. Touch ID, Face ID, Windows Hello, or hardware keys. Each user manages up to 10 named credentials — and the dashboard auto-detects and writes the correct RP ID so it just works on every host.
- FIDO2 / WebAuthn
- Per-credential usage history
- Up to 10 keys per user
- RP ID auto-detect
2FA / TOTP
Standard TOTP that works with Google Authenticator, Authy, 1Password, Bitwarden, or any other RFC 6238 app. Secrets are encrypted at rest (libsodium where available, otherwise AES-256-GCM) and are re-encrypted automatically if the crypto engine changes. Backup codes are included, and enforcement can be optional, required, or set per login method.
- Any TOTP app
- Encrypted at rest
- Backup codes
- Per-method enforcement
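The "standard TOTP" mentioned above is RFC 6238, and the following added example shows the verification side of it: HOTP truncation, a one-step clock-skew window, constant-time comparison and refusal to accept a time step that has already been used. This is not UserSpice code and does not cover encrypted storage of the secret; the shared secret is RFC 6238's own published test key, and the window size and replay rule are choices made for this example.

```python
"""Added example (not UserSpice code): RFC 6238 TOTP generation and verification
with skew tolerance and replay protection, standard library only."""
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP is HOTP over the Unix-time step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used_step: Optional[int],
                window: int = 1, digits: int = DIGITS,
                step: int = STEP_SECONDS) -> Tuple[bool, Optional[int]]:
    """Return (accepted, step_used).

    Codes from the current step and `window` steps either side are accepted,
    which tolerates small clock drift. Any step at or before `last_used_step`
    is refused: a code that has already logged someone in must never work
    again inside its validity window. The caller persists the returned step.
    """
    current = at // step
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return False, None
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # compare_digest avoids leaking which digits matched through timing.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange secrets as (often unpadded) base32."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# RFC 6238 Appendix B test key (ASCII "12345678901234567890"), not a real secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))          # RFC vector: 94287082
    ok, used = verify_totp(RFC_SECRET, "287082", 59, last_used_step=None)
    print(ok, used)
    print(verify_totp(RFC_SECRET, "287082", 59, last_used_step=used))  # replay refused
```

Note that backup codes, which the page also mentions, are a separate mechanism: they are single-use random strings stored hashed like passwords, not TOTP values.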
Rate Limiting
Granular limits on every sensitive action — login, TOTP, passkey register/verify, password reset, registration, email verification. Each tracks per-IP, per-account, and a total-attempts circuit breaker, with trusted-proxy detection so limits hit the real client behind Cloudflare or nginx.
- Per-action limits
- IP + account + circuit breaker
- Trusted proxy detection
- Live health score
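The trusted-proxy point above is the part of rate limiting that is most often got wrong, so here is an added example of it together with the three-layer limit the paragraph describes (per IP, per account, and a total-attempts breaker). It is not UserSpice code: the trusted range, the limits, the sliding window and the in-memory store are all assumptions made for the example, and a deployment would keep the counters in the database or a cache.

```python
"""Added example (not UserSpice code): derive the client IP only from a trusted
proxy's X-Forwarded-For, then apply per-IP, per-account and global limits."""
import ipaddress
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional

# Assumed trusted reverse-proxy range for the example (a private LAN where
# nginx would sit). In production this would be Cloudflare's published ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to rate-limit on.

    X-Forwarded-For is attacker-controlled unless the peer that sent it is a
    proxy we trust; honouring it blindly lets a client rotate its own "IP" and
    bypass per-IP limits. When the peer is trusted, take the rightmost hop
    that is not one of our own proxies: left-hand entries were supplied by
    whoever connected to the proxy and may be forged.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not forwarded_for or not any(peer in net for net in trusted):
        return str(peer)
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the TCP peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)  # every hop was one of ours


class ActionLimiter:
    """Sliding-window failure counters for one sensitive action (e.g. login)."""

    def __init__(self, per_ip: int, per_account: int, total: int, window: int = 300):
        self.window = window
        self.limits = {"ip": per_ip, "account": per_account, "total": total}
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _count(self, key: str, now: float) -> int:
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop events that fell out of the window
        return len(q)

    def check(self, ip: str, account: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """None if the attempt may proceed, otherwise the name of the limit hit.

        The global breaker is tested first: a password spray spread across many
        IPs and many accounts stays under both per-key limits but not this one.
        """
        now = time.time() if now is None else now
        if self._count("total", now) >= self.limits["total"]:
            return "total"
        if self._count(f"ip:{ip}", now) >= self.limits["ip"]:
            return "ip"
        if account and self._count(f"account:{account.lower()}", now) >= self.limits["account"]:
            return "account"
        return None

    def record_failure(self, ip: str, account: Optional[str], now: Optional[float] = None) -> None:
        """Count failures only, so legitimate successes never lock anyone out."""
        now = time.time() if now is None else now
        self._events["total"].append(now)
        self._events[f"ip:{ip}"].append(now)
        if account:
            self._events[f"account:{account.lower()}"].append(now)


if __name__ == "__main__":
    # Constructed request: untrusted peer tries to forge its address and fails.
    print(client_ip("203.0.113.7", "198.51.100.9"))          # 203.0.113.7
    # Same header arriving via a trusted proxy is honoured.
    print(client_ip("10.0.0.5", "198.51.100.9, 10.0.0.6"))   # 198.51.100.9
    limiter = ActionLimiter(per_ip=3, per_account=5, total=8)
    for _ in range(3):
        limiter.record_failure("198.51.100.9", "alice")
    print(limiter.check("198.51.100.9", "alice"))            # ip
```

Two details matter in practice: compare the header against the peer address rather than simply checking whether the header exists, and key the account limit on a normalised identifier (lower-cased here) so that "Alice" and "alice" share one counter.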
Audit & Security Logs
Every login, permission change, admin action, and unauthorized page hit is recorded with user, IP, cloak-from, type, and full payload. Searchable and filterable in the admin, with optional file-based mirroring for long-term retention and SIEM ingestion.
- Per-action audit trail
- Permission-denied log
- Searchable + filterable
- Optional file mirror
Permissions & Groups
Custom permission levels and user tags, with check-the-box admin UIs for assigning users and pages. Drop one line — securePage($_SERVER['PHP_SELF']) — at the top of any PHP file and access control is wired. Use hasPerm() for finer-grained checks anywhere in your code.
- Per-page access rules
- Custom permission levels
- User tags / groups
- One-line guard
A secure rapid application development framework.
UserSpice handles the boring 30% — auth, sessions, permissions, password hygiene, rate limiting, 2FA, passkeys, audit logs, and a real admin panel — so you can spend your time on the parts that actually differentiate your app.
- Auth, sessions & tokens
- Passkeys & 2FA
- Per-page permissions
- Rate limiting
- Security dashboard
- Audit & security logs
- User & group management
- Safe DB layer (PDO)
It gets out of your way.
Most user-management frameworks force you into their templating engine, their routing, their conventions. UserSpice doesn't. One line at the top of any PHP file gates access — that's it. Use as much of the framework as you want, ignore the rest.
That hands-off design pairs unusually well with vibe coding and agentic workflows. Your AI assistant can generate plain PHP against a small, well-named API surface — and the security primitives are already in place to keep that generated code from shooting you in the foot.
UserSpice is in active development. New features ship as plugins to keep things modular — feature-rich without the bloat. And it's free. Always.
Ten years in, and we're just getting started.
Thank you for being part of this community for the last 10+ years. UserSpice's goal has always been — and will always be — to handle the boring stuff so you can focus on building your application. The mission hasn't changed; the way we get there continues to evolve.
This is usually where most FOSS projects introduce a "pro tier" or a new subscription model. Not us.
As more developers embrace vibe coding and agentic workflows, we're focused on giving you the tools to do that securely, with a clear and sustainable upgrade path for the long term.
That starts with UserSpice 6.0.8, which introduces compatibility with our new offline UserSpice Security Scanner. This tool lets you scan your code using industry-leading engines, enhanced with custom rulesets that understand UserSpice patterns and best practices. You get scan history, actionable insights, and client-ready reports. (Full release alongside 6.1.0.)
Looking ahead, we're building:
- Deeper Claude integrations and skills
- A more AI-friendly, well-annotated codebase
- AI-accessible documentation to guide smarter generation
And yes — all of this stays free. Always.
Need hands-on help? That's how I make my living.
The Discord may have its ebbs and flows, but make no mistake — UserSpice is stronger than it has ever been. We're not just maintaining a framework anymore. We're building a foundation for how modern PHP apps get created — faster, smarter, and more securely than ever before.
Welcome, UserCake users.
The UserCake project was shut down in spring 2017. Since many UserSpice users were former UserCake users (or at least appreciated the project), some of our users chipped in to buy the domain and intellectual property from the UserCake maintainers. Over time, we've built a full upgrade path from UserCake 2.0.2 all the way to our latest version. You're also welcome to use our forums and to check out UserSpice 2.5, a drag-and-drop upgrade for UserCake.
UserSpice 2.5 (UserCake-compatible)
- Fully responsive Bootstrap design
- Fully backwards-compatible with UserCake
- Improved upgrade path to v3 / v4
- New reCAPTCHA 2 system
- Dynamic design options
UserSpice 3.x
- Improved password hashing
- CSRF mitigation
- Password migration for existing users
- Improved responsive design
- Many sample pages