Author Topic: safest way to have an admin page on my site?  (Read 37 times)
MediocreMetastasis
« on: October 14, 2025 @702.67 »

I want an admin page on my site to do stuff like post, edit, and delete blogs. I currently have it set up where the page requires you to input a password and then you get admin permission throughout the site during the session.

Code
    
<?php
session_start(); // required before $_SESSION can be read or written

// Hashes the plaintext password on every request, then verifies the submitted one against it
$ADMIN_PASS = password_hash("Password123", PASSWORD_DEFAULT); // hashed
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pass = $_POST['password'] ?? ''; // avoid an undefined-index notice on an empty form

    if (password_verify($pass, $ADMIN_PASS)) {
        $_SESSION['is_admin'] = true;
        header("Location: home.php");
        exit;
    } else {
        $error = "Invalid password hacker.";
    }
}

Is this a safe method or am I asking to be hacked?
Melooon
« Reply #1 on: October 14, 2025 @707.64 »

If your site is running over HTTPS then this is perfectly safe; it's the same method that's used by most sites with passwords.

That said! You can improve this a little; instead of rehashing your password with the first line, just hash it once using some other script/online hasher, then store the hashed version instead of the plain text version on your site (just make sure your verifier is using the same hash type that you saved).
That way even if by some sort of bug the source code leaks or is shown to a visitor they still can't get your password easily ^^

You can also improve the hash by looking into hash salts - those are basically extra bits of text that are included in the hashing algorithm so someone can't brute force unhash your hash using a huge library of pre-calculated hashes of common passwords ^^ (this is a very good idea for a public site like a forum with many passwords stored, but frankly for your case it's not super important if you use a good password)
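The "hash once, store the hash" approach from the reply above, as an added example (not code from this thread): a tiny CLI generator plus a login page that reads the stored hash instead of hashing a plaintext literal on every request. The file path, `home.php` target and the `declare`/session handling are assumptions; note that `password_hash()` already generates and embeds a random salt, so the stored string covers the salting point too.

```php
<?php
// make_admin_hash.php - run ONCE from the command line, never serve it:
//   php make_admin_hash.php 'a long passphrase' > ../private/admin_hash.txt
// The output of password_hash() includes algorithm, cost and a random salt.
declare(strict_types=1);

if (PHP_SAPI === 'cli') {
    if (!isset($argv[1])) {
        fwrite(STDERR, "usage: php make_admin_hash.php <passphrase>\n");
        exit(1);
    }
    echo password_hash($argv[1], PASSWORD_DEFAULT), PHP_EOL;
    exit(0);
}

// ---- login.php (the part that runs on the web) ----
session_start();

// Assumed location: outside the web root, so a server misconfiguration
// cannot serve the file, and it is not inside your versioned source code.
const ADMIN_HASH_FILE = __DIR__ . '/../private/admin_hash.txt';

$storedHash = trim((string) @file_get_contents(ADMIN_HASH_FILE));
if ($storedHash === '') {
    http_response_code(500);
    exit('Admin hash not configured.');
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pass = (string) ($_POST['password'] ?? '');

    if (password_verify($pass, $storedHash)) {
        session_regenerate_id(true);   // fresh session id once privilege changes
        $_SESSION['is_admin'] = true;

        // If PHP's default algorithm/cost has moved on, rewrite the stored
        // hash now, while the plaintext is legitimately in hand.
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
            file_put_contents(ADMIN_HASH_FILE,
                password_hash($pass, PASSWORD_DEFAULT) . PHP_EOL, LOCK_EX);
        }
        header('Location: home.php');
        exit;
    }
    $error = 'Invalid password.';
}
```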
MediocreMetastasis
« Reply #2 on: Today at @184.11 »

Cool. I'll make sure not to have my password in plaintext in my code. Thanks.
Dan Q
« Reply #3 on: Today at @341.68 »

Seconding everything Melooon said, including "don't bother with salting" - a salt only exists to make it harder to reverse-engineer a password if you've got the hashed version: so long as the (one) password on this site isn't one that you use anywhere else, that's probably not a concern for you anyway! (And by the time somebody's gotten onto your server to see the hash, you've got bigger problems than them being able to log in to your admin area!)

Just don't forget to check for $_SESSION['is_admin'] on every single page that needs it. I see lots of people do things like make a login page (which checks a password and sets a session), then create a page that handles creating posts (which checks the session and then does things), and then create a page that handles deleting posts (which just deletes things without checking that the $_SESSION['is_admin'] is set and... uh-oh, that's a problem!).

Don't forget to add a logout link that goes to a page that unsets the session variable and then redirects back home, or whatever! You never know when you're going to need a logout link!

And finally - and for a small personal site you definitely don't need to think about this right away - down the line, consider the possibility of cross-site request forgery attacks. E.g. if you have a page that (a) checks you're logged in as an admin and then (b) deletes a post... is it possible for an attacker to put a malicious link in an email or on their own website that, (if you're logged-in when you're tricked into clicking it) goes to that page, resulting in a post deletion? The risk is infinitesimally small for a small personal site unless you've made a lot of enemies!

Love the direction you're going in, anyway. PHP empowers the world of the "mildly dynamic website", a particularly magical and special category that's close to my heart.
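The three points in the reply above (check the session on every admin page, a real logout, and a CSRF token on state-changing actions) as one added example, not code from the thread. The file name `admin_guard.php`, the function names, and the `login.php`/`index.php` redirect targets are assumptions.

```php
<?php
// admin_guard.php - require this at the TOP of every admin-only page
// (delete.php, edit.php, new.php ...), then call require_admin() before
// doing anything, and require_csrf() before any POST that changes state.
declare(strict_types=1);

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['is_admin'])) {
        header('Location: login.php');
        exit;                              // never fall through to the action
    }
}

// One random token per session; echo htmlspecialchars(csrf_token()) into a
// hidden <input name="csrf"> in every form that creates, edits or deletes.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// A link from an email or another site cannot carry this token, so a forged
// GET (or a POST without the token) is refused. Call after require_admin().
function require_csrf(): void
{
    $sent = (string) ($_POST['csrf'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Bad request.');
    }
}

// logout.php just does: require 'admin_guard.php'; logout();
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
}
```

A delete page then reads `require 'admin_guard.php'; require_admin(); require_csrf();` and only after that touches the post named in `$_POST['id']`.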