diff --git a/.gitignore b/.gitignore
index 9c09e58..13e46b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 www/secret.php
+www/_user.php
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 469ca2e..68bdabb 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -4,7 +4,7 @@ FROM php:8.2-apache
 RUN a2enmod rewrite
 
 # PHP-Extensions für MariaDB
-RUN docker-php-ext-install pdo pdo_mysql
+RUN docker-php-ext-install mysqli pdo pdo_mysql
 
 # VHost kopieren
 COPY vhost.conf /etc/apache2/sites-available/000-default.conf
diff --git a/db/init/001_schema.sql b/db/init/001_schema.sql
index 880f6d5..662e4da 100644
--- a/db/init/001_schema.sql
+++ b/db/init/001_schema.sql
@@ -22,6 +22,7 @@ CREATE TABLE access_tokens (
 uuid CHAR(36) NOT NULL UNIQUE,
 expires_at DATETIME NULL,
 created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+ notes TEXT NULL,
 FOREIGN KEY (identity_id)
 REFERENCES identities(id)
 ON DELETE CASCADE
@@ -53,3 +54,13 @@ CREATE TABLE files (
 REFERENCES access_tokens(id)
 ON DELETE SET NULL
 ) ENGINE=InnoDB;
+
+CREATE TABLE admin_login_attempts (
+ id INT AUTO_INCREMENT PRIMARY KEY,
+ ip_address VARCHAR(45) NOT NULL,
+ attempts INT NOT NULL DEFAULT 1,
+ locked_until DATETIME NULL,
+ last_attempt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+ UNIQUE KEY (ip_address)
+);
+
diff --git a/www/_user.php.example b/www/_user.php.example
new file mode 100644
index 0000000..13224f4
--- /dev/null
+++ b/www/_user.php.example
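Review bot: The new `admin_login_attempts` table in the second schema hunk closes with a bare `);` while the `files` table directly above it ends with `) ENGINE=InnoDB;`, so the lockout table silently takes whatever engine the server defaults to; for consistency close it with `) ENGINE=InnoDB;`. `last_attempt TIMESTAMP DEFAULT CURRENT_TIMESTAMP` carries no `ON UPDATE CURRENT_TIMESTAMP`, so unless the application writes that column on every failed attempt it stays at row-creation time and cannot be used to age out stale counters. Keying the counter solely on `ip_address` also means that locking one shared NAT or proxy address locks everyone behind it, presumably including the legitimate admin; a username-scoped counter alongside the IP one would bound that effect.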
@@ -0,0 +1,3 @@ + true, - 'cookie_httponly' => true -]); +session_start(); $ip = $_SERVER['REMOTE_ADDR']; -/** - * 🔒 IP-Sperre prüfen - */ if (isIpLocked($ip, $sql)) { http_response_code(403); exit('Zu viele Fehlversuche. IP für 1 Stunde gesperrt.'); } -/** - * 🔐 LOGIN (wenn nicht eingeloggt) - */ if (!($_SESSION['is_admin'] ?? false)) { - if ($_SERVER['REQUEST_METHOD'] === 'POST') { $user = $_POST['username'] ?? ''; $pass = $_POST['password'] ?? ''; - $admin = $sql->single( - "SELECT * FROM admin_users WHERE username = ?", - "s", - [$user] - ); + if ( + $user !== $admin_user || + $pass !== $admin_password + ) { + registerFailedLogin($ip, $sql); + $error = 'Ungültige Zugangsdaten'; + } else { + clearLoginAttempts($ip, $sql); + $_SESSION['is_admin'] = true; + header('Location: admin.php'); + exit; + } if (!$admin || !password_verify($pass, $admin['password_hash'])) { registerFailedLogin($ip, $sql); @@ -75,27 +73,15 @@ if (!($_SESSION['is_admin'] ?? false)) { exit; } -/** - * ✅ AB HIER: ADMIN EINGELOGGT - */ - $uuid = $_GET['uuid'] ?? null; -/** - * 🧩 UUID-Editor - */ if ($uuid) { - - // Token laden $token = $sql->single( "SELECT * FROM access_tokens WHERE uuid = ?", "s", [$uuid] ); - /** - * 🆕 UUID existiert noch nicht → an feste Identität hängen - */ if (!$token) { $sql->set( "INSERT INTO access_tokens (identity_id, uuid) @@ -111,9 +97,6 @@ if ($uuid) { ); } - /** - * 🔄 Speichern - */ if ($_SERVER['REQUEST_METHOD'] === 'POST') { $issuedTo = $_POST['issued_to'] ?? ''; $fields = $_POST['fields'] ?? [];
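Review bot: In the `@@ -75,27 +73,15 @@` hunk `$uuid` is taken straight from `$_GET['uuid']`, and when `$sql->single(...)` finds no row the code inserts it into `access_tokens`, so a plain GET link an admin is lured into opening creates token rows for any string, and nothing checks that the value fits the `CHAR(36)` column. Validate before use, e.g. `if ($uuid !== null && !preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $uuid)) { http_response_code(400); exit; }`, and move the insert behind the POST handler, which should itself verify a session-bound CSRF token. The preceding hunk, whose start is cut off in this view, keeps the old `if (!$admin || !password_verify($pass, $admin['password_hash']))` check after the new comparison block, so `$admin` is now undefined there and a failed attempt is registered twice; the new `$pass !== $admin_password` should also become `!hash_equals($admin_password, $pass)`, and the replacement `session_start();` drops the `cookie_secure`/`cookie_httponly` options the old call set. The `if ($uuid)` block continues past the end of this hunk.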