diff --git a/.editorconfig b/.editorconfig
index 2ec19b78..51499854 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -15,5 +15,5 @@ trim_trailing_whitespace = false
 [{composer.json,package.json}]
 indent_style = space
 
-[package.json]
+[{package.json, *.yml}]
 indent_size = 2
\ No newline at end of file
diff --git a/.gitattributes b/.gitattributes
index 40090cd9..0525e2d2 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -9,6 +9,5 @@ release.sh export-ignore
 # cypress
 cypress export-ignore
 cypress.config.js export-ignore
-cypress.env.json
 
 *.sh text eol=lf
diff --git a/admin/index.php b/admin/index.php
index f9c9af9a..2e0dcba8 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -30,11 +30,6 @@ if(!$db->hasTable('myaac_account_actions')) {
 	throw new RuntimeException('Seems that the table <strong>myaac_account_actions</strong> of MyAAC doesn\'t exist in the database. This is a fatal error. You can try to reinstall MyAAC by visiting <a href="' . BASE_URL . 'install">this</a> url.');
 }
 
-// event system
-require_once SYSTEM . 'hooks.php';
-$hooks = new Hooks();
-$hooks->load();
-
 $hooks->register('debugbar_admin_head_end', HOOK_ADMIN_HEAD_END, function ($params) {
 	global $debugBar;
 
diff --git a/admin/pages/accounts.php b/admin/pages/accounts.php
index 7f47b3d0..4d410f11 100644
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -13,10 +13,13 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Account editor';
+
+csrfProtect();
+
 $admin_base = ADMIN_URL . '?p=accounts';
 $use_datatable = true;
 
-if ($config['account_country'])
+if (setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';
 
 $nameOrNumberColumn = 'name';
@@ -30,7 +33,7 @@ $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $hasTypeColumn = $db->hasColumn('accounts', 'type');
 $hasGroupColumn = $db->hasColumn('accounts', 'group_id');
 
-if ($config['account_country']) {
+if (setting('core.account_country')) {
 	$countries = array();
 	foreach (array('pl', 'se', 'br', 'us', 'gb') as $c)
 		$countries[$c] = $config['countries'][$c];
@@ -82,7 +85,7 @@ else if (isset($_REQUEST['search'])) {
 		$account = new OTS_Account();
 		$account->load($id);
 
-		if (isset($account, $_POST['save']) && $account->isLoaded()) {
+		if (isset($_POST['save']) && $account->isLoaded()) {
 			$error = false;
 
 			$_error = '';
@@ -266,6 +269,9 @@ else if (isset($_REQUEST['search'])) {
 						<li class="nav-item">
 							<a class="nav-link active" id="accounts-acc-tab" data-toggle="pill" href="#accounts-acc">Account</a>
 						</li>
+						<li class="nav-item">
+							<a class="nav-link" id="accounts-logs-tab" data-toggle="pill" href="#accounts-logs">Logs</a>
+						</li>
 						<li class="nav-item">
 							<a class="nav-link" id="accounts-chars-tab" data-toggle="pill" href="#accounts-chars">Characters</a>
 						</li>
@@ -286,6 +292,7 @@ else if (isset($_REQUEST['search'])) {
 					<div class="tab-content" id="accounts-tabContent">
 						<div class="tab-pane fade active show" id="accounts-acc">
 							<form action="<?php echo $admin_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+								<?php csrf(); ?>
 								<div class="form-group row">
 									<?php if (USE_ACCOUNT_NAME): ?>
 										<div class="col-12 col-sm-12 col-lg-4">
@@ -324,8 +331,8 @@ else if (isset($_REQUEST['search'])) {
 										<div class="col-12 col-sm-12 col-lg-6">
 											<label for="group">Account Type:</label>
 											<select name="group" id="group" class="form-control">
-												<?php foreach ($acc_type as $id => $a_type): ?>
-													<option value="<?php echo($id); ?>" <?php echo($acc_group == ($id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
+												<?php foreach ($acc_type as $_id => $a_type): ?>
+													<option value="<?php echo($_id); ?>" <?php echo($acc_group == ($_id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
 												<?php endforeach; ?>
 											</select>
 										</div>
@@ -335,8 +342,8 @@ else if (isset($_REQUEST['search'])) {
 										<div class="col-12 col-sm-12 col-lg-6">
 											<label for="group">Account Type:</label>
 											<select name="group" id="group" class="form-control">
-												<?php foreach ($groups->getGroups() as $id => $group): ?>
-													<option value="<?php echo $id; ?>" <?php echo($acc_group == $id ? 'selected' : ''); ?>><?php echo $group->getName(); ?></option>
+												<?php foreach ($groups->getGroups() as $_id => $group): ?>
+													<option value="<?php echo $_id; ?>" <?php echo($acc_group == $_id ? 'selected' : ''); ?>><?php echo $group->getName(); ?></option>
 												<?php endforeach; ?>
 											</select>
 										</div>
@@ -344,8 +351,8 @@ else if (isset($_REQUEST['search'])) {
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="web_flags">Website Access:</label>
 										<select name="web_flags" id="web_flags" class="form-control">
-											<?php foreach ($web_acc as $id => $a_type): ?>
-												<option value="<?php echo($id); ?>" <?php echo($account->getWebFlags() == ($id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
+											<?php foreach ($web_acc as $_id => $a_type): ?>
+												<option value="<?php echo($_id); ?>" <?php echo($account->getWebFlags() == ($_id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
 											<?php endforeach; ?>
 										</select>
 									</div>
@@ -400,8 +407,8 @@ else if (isset($_REQUEST['search'])) {
 									<div class="col-12 col-sm-12 col-lg-4">
 										<label for="rl_country">Country:</label>
 										<select name="rl_country" id="rl_country" class="form-control">
-											<?php foreach ($countries as $id => $a_type): ?>
-												<option value="<?php echo($id); ?>" <?php echo($account->getCountry() == ($id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
+											<?php foreach ($countries as $_id => $a_type): ?>
+												<option value="<?php echo($_id); ?>" <?php echo($account->getCountry() == ($_id) ? 'selected' : ''); ?>><?php echo $a_type; ?></option>
 											<?php endforeach; ?>
 										</select>
 									</div>
@@ -423,6 +430,34 @@ else if (isset($_REQUEST['search'])) {
 								<a href="<?php echo ADMIN_URL; ?>?p=accounts" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</a>
 							</form>
 						</div>
+						<div class="tab-pane fade" id="accounts-logs">
+							<div class="row">
+								<table class="table table-striped table-condensed table-responsive d-md-table">
+									<thead>
+										<tr>
+											<th>#</th>
+											<th>Date</th>
+											<th>Action</th>
+											<th>IP</th>
+										</tr>
+									</thead>
+									<tbody>
+										<?php
+											$accountActions = \MyAAC\Models\AccountAction::where('account_id', $account->getId())->orderByDesc('date')->get();
+											foreach ($accountActions as $i => $log):
+												$log->ip = ($log->ip != 0 ? long2ip($log->ip) : inet_ntop($log->ipv6));
+												?>
+											<tr>
+												<td><?php echo $i + 1; ?></td>
+												<td><?= date("M d Y, H:i:s", $log->date); ?></td>
+												<td><?= $log->action; ?></td>
+												<td><?= $log->ip; ?></td>
+											</tr>
+											<?php endforeach; ?>
+									</tbody>
+								</table>
+							</div>
+						</div>
 						<div class="tab-pane fade" id="accounts-chars">
 							<div class="row">
 								<?php
@@ -550,18 +585,20 @@ else if (isset($_REQUEST['search'])) {
 				<div class="row">
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
-							<label for="name">Account Name:</label>
+							<?php csrf(); ?>
+							<label for="search">Account Name:</label>
 							<div class="input-group input-group-sm">
-								<input type="text" class="form-control" name="search" value="<?php echo $search_account; ?>" maxlength="32" size="32">
+								<input type="text" class="form-control" id="search" name="search" value="<?= escapeHtml($search_account); ?>" maxlength="32" size="32">
 								<span class="input-group-append"><button type="submit" class="btn btn-info btn-flat">Search</button></span>
 							</div>
 						</form>
 					</div>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
-							<label for="name">Account ID:</label>
+							<?php csrf(); ?>
+							<label for="id">Account ID:</label>
 							<div class="input-group input-group-sm">
-								<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
+								<input type="text" class="form-control" id="id" name="id" value="<?= $id; ?>" maxlength="32" size="32">
 								<span class="input-group-append"><button type="submit" class="btn btn-info btn-flat">Search</button></span>
 							</div>
 						</form>
diff --git a/admin/pages/changelog.php b/admin/pages/changelog.php
index 3d5cad64..ae2fd7b0 100644
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -13,30 +13,29 @@ use MyAAC\Models\Changelog as ModelsChangelog;
 
 defined('MYAAC') or die('Direct access not allowed!');
 
+$title = 'Changelog';
+
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }
 
-$title = 'Changelog';
 $use_datatable = true;
 const CL_LIMIT = 600; // maximum changelog body length
-?>
 
-<link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
-<script src="<?php echo BASE_URL; ?>tools/js/jquery.datetimepicker.js"></script>
-<?php
 $id = $_GET['id'] ?? 0;
 require_once LIBS . 'changelog.php';
 
 if(!empty($action))
 {
-	$id = $_REQUEST['id'] ?? null;
-	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
-	$create_date = isset($_REQUEST['createdate']) ? (int)strtotime($_REQUEST['createdate'] ): null;
-	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
-	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null;
-	$where = isset($_REQUEST['where']) ? (int)$_REQUEST['where'] : null;
+	$id = $_POST['id'] ?? null;
+	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
+	$create_date = isset($_POST['createdate']) ? (int)strtotime($_POST['createdate'] ): null;
+	$player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
+	$type = isset($_POST['type']) ? (int)$_POST['type'] : null;
+	$where = isset($_POST['where']) ? (int)$_POST['where'] : null;
 
 	$errors = array();
 
@@ -46,12 +45,13 @@ if(!empty($action))
 			$body = '';
 			$type = $where = $player_id = $create_date = 0;
 
-			success("Added successful.");
+			success('Added successful.');
 		}
 	}
 	else if($action == 'delete') {
-		Changelog::delete($id, $errors);
-		success("Deleted successful.");
+		if (Changelog::delete($id, $errors)) {
+			success('Deleted successful.');
+		}
 	}
 	else if($action == 'edit')
 	{
@@ -68,13 +68,14 @@ if(!empty($action))
 				$action = $body = '';
 				$type = $where = $player_id = $create_date = 0;
 
-				success("Updated successful.");
+				success('Updated successful.');
 			}
 		}
 	}
 	else if($action == 'hide') {
-		Changelog::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . " successful.");
+		if (Changelog::toggleHidden($id, $errors, $status)) {
+			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
+		}
 	}
 
 	if(!empty($errors))
@@ -113,7 +114,7 @@ if($action == 'edit' || $action == 'new') {
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.changelog.form.html.twig', array(
 		'action' => $action,
-		'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'new'),
+		'cl_link_form' => constant('ADMIN_URL').'?p=changelog',
 		'cl_id' => $id ?? null,
 		'body' => isset($body) ? escapeHtml($body) : '',
 		'create_date' => $create_date ?? '',
@@ -128,15 +129,3 @@ if($action == 'edit' || $action == 'new') {
 $twig->display('admin.changelog.html.twig', array(
 	'changelogs' => $changelogs,
 ));
-
-?>
-<script>
-	$(document).ready(function () {
-		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
-
-		$('.tb_datatable').DataTable({
-			"order": [[0, "desc"]],
-			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
-		});
-	});
-</script>
diff --git a/admin/pages/dashboard.php b/admin/pages/dashboard.php
index e24b98ad..73430456 100644
--- a/admin/pages/dashboard.php
+++ b/admin/pages/dashboard.php
@@ -10,7 +10,9 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Dashboard';
 
-if (isset($_GET['clear_cache'])) {
+csrfProtect();
+
+if (isset($_POST['clear_cache'])) {
 	if (clearCache()) {
 		success('Cache cleared.');
 	} else {
@@ -18,7 +20,7 @@ if (isset($_GET['clear_cache'])) {
 	}
 }
 
-if (isset($_GET['maintenance'])) {
+if (isset($_POST['maintenance'])) {
 	$message = (!empty($_POST['message']) ? $_POST['message'] : null);
 	$_status = (isset($_POST['status']) && $_POST['status'] == 'true');
 	$_status = ($_status ? '0' : '1');
diff --git a/admin/pages/login.php b/admin/pages/login.php
index 8bb25f36..eb6466d3 100644
--- a/admin/pages/login.php
+++ b/admin/pages/login.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Login';
 
+csrfProtect();
+
 require PAGES . 'account/login.php';
 if ($logged) {
 	header('Location: ' . (admin() ? ADMIN_URL : BASE_URL));
diff --git a/admin/pages/mailer.php b/admin/pages/mailer.php
index 7d12f14b..d9cf8888 100644
--- a/admin/pages/mailer.php
+++ b/admin/pages/mailer.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Mailer';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MAILER) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -20,7 +22,7 @@ if (!setting('core.mail_enabled')) {
 	return;
 }
 
-$mail_to = isset($_REQUEST['mail_to']) ? stripslashes(trim($_REQUEST['mail_to'])) : null;
+$mail_to = isset($_POST['mail_to']) ? stripslashes(trim($_POST['mail_to'])) : null;
 $mail_subject = isset($_POST['mail_subject']) ? stripslashes($_POST['mail_subject']) : null;
 $mail_content = isset($_POST['mail_content']) ? stripslashes($_POST['mail_content']) : null;
 
@@ -54,7 +56,7 @@ if (!empty($mail_content) && !empty($mail_subject) && empty($mail_to)) {
 	$failed = 0;
 
 	$add = '';
-	if (config('account_mail_verify')) {
+	if (setting('core.account_mail_verify')) {
 		note('Note: Sending only to users with verified E-Mail.');
 		$add = ' AND `email_verified` = 1';
 	}
diff --git a/admin/pages/mass_account.php b/admin/pages/mass_account.php
index 63bec54c..549310a5 100644
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Mass Account Actions';
 
+csrfProtect();
+
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $freePremium = $config['lua']['freePremium'];
diff --git a/admin/pages/mass_teleport.php b/admin/pages/mass_teleport.php
index 5027fa1c..f2a7ee27 100644
--- a/admin/pages/mass_teleport.php
+++ b/admin/pages/mass_teleport.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Mass Teleport Actions';
 
+csrfProtect();
+
 function admin_teleport_position($x, $y, $z) {
 	if (!Player::query()->update([
 		'posx' => $x, 'posy' => $y, 'posz' => $z
diff --git a/admin/pages/menus.php b/admin/pages/menus.php
index a0b492df..4a908eb5 100644
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -13,19 +13,21 @@ use MyAAC\Models\Menu;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Menus';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }
 
-if (isset($_REQUEST['template'])) {
-	$template = $_REQUEST['template'];
+if (isset($_POST['template'])) {
+	$template = $_POST['template'];
 
-	if (isset($_REQUEST['menu'])) {
-		$post_menu = $_REQUEST['menu'];
-		$post_menu_link = $_REQUEST['menu_link'];
-		$post_menu_blank = $_REQUEST['menu_blank'];
-		$post_menu_color = $_REQUEST['menu_color'];
+	if (isset($_POST['menu'])) {
+		$post_menu = $_POST['menu'];
+		$post_menu_link = $_POST['menu_link'];
+		$post_menu_blank = $_POST['menu_blank'];
+		$post_menu_color = $_POST['menu_color'];
 		if (count($post_menu) != count($post_menu_link)) {
 			echo 'Menu count is not equal menu links. Something went wrong when sending form.';
 			return;
@@ -69,9 +71,10 @@ if (isset($_REQUEST['template'])) {
 		return;
 	}
 
-	if (isset($_REQUEST['reset_colors'])) {
+	if (isset($_GET['reset_colors'])) {
 		if (isset($config['menu_default_color'])) {
 			Menu::where('template', $template)->update(['color' => str_replace('#', '', $config['menu_default_color'])]);
+			success('Colors has been reset.');
 		}
 		else {
 			warning('There is no default color defined, cannot reset colors.');
@@ -93,6 +96,7 @@ if (isset($_REQUEST['template'])) {
 		</p>
 		<?php if (isset($config['menu_default_color'])) {?>
 		<form method="post" action="?p=menus&reset_colors" onsubmit="return confirm('Do you really want to reset colors?');">
+			<?php csrf(); ?>
 			<input type="hidden" name="template" value="<?php echo $template ?>"/>
 			<button type="submit" class="btn btn-danger">Reset Colors to default</button>
 		</form>
@@ -112,6 +116,7 @@ if (isset($_REQUEST['template'])) {
 	$last_id = array();
 	?>
 	<form method="post" id="menus-form" action="?p=menus">
+		<?php csrf(); ?>
 		<input type="hidden" name="template" value="<?php echo $template ?>"/>
 		<button type="submit" class="btn btn-info">Save</button><br/><br/>
 		<div class="row">
diff --git a/admin/pages/modules/templates/web_status.twig b/admin/pages/modules/templates/web_status.twig
index 2b0ec1e8..5b111a47 100644
--- a/admin/pages/modules/templates/web_status.twig
+++ b/admin/pages/modules/templates/web_status.twig
@@ -1,28 +1,32 @@
 <div class="col-12 col-md-6">
 	<div class="card card-warning card-outline">
-		<form action="?p=dashboard&maintenance" method="post" class="form-horizontal">
-			<div class="card-header">
-				<span class="m-0">Website Status<span class="float-right">
-				<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
-					<input type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
-					<label id="status-label" class="custom-control-label" for="status"> {% if is_closed %}Closed{% else %}Open{% endif %}</label>
-				</div></span>
-				</span>
+		<div class="card-header">
+			<span class="m-0">Website Status<span class="float-right">
+			<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
+				<input form="maintenance-form" type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
+				<label id="status-label" class="custom-control-label" for="status"> {% if is_closed %}Closed{% else %}Open{% endif %}</label>
+			</div></span>
+			</span>
+		</div>
+		<div class="card-body p-2">
+			<div class="col-sm-12">
+				<label for="message" class="col-form-label">Maintenance Message</label>
+				<textarea form="maintenance-form" name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
+				<small>(only visible if closed)</small>
 			</div>
-			<div class="card-body p-2">
-				<div class="col-sm-12">
-					<label for="message" class="col-form-label">Maintenance Message</label>
-					<textarea name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
-					<small>(only visible if closed)</small>
-				</div>
-			</div>
-			<div class="card-footer">
+		</div>
+		<div class="card-footer">
+			<form id="maintenance-form" method="post" action="?p=dashboard" class="float-left">
+				{{ csrf() }}
+				<input type="hidden" name="maintenance" value="1" />
 				<button type="submit" class="btn btn-info"><i class="far fa-update"></i> Update</button>
-				<a href="?p=dashboard&clear_cache" onclick="return confirm('Are you sure?');" class="float-right">
-					<span class="btn btn-danger"><i class="fas fa-clear"></i>Clear cache</span>
-				</a>
-			</div>
-		</form>
+			</form>
+			<form method="post" action="?p=dashboard" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="clear_cache" value="1" />
+				<button type="submit" onclick="return confirm('Are you sure that you want to clear cache?');" class="btn btn-danger" title="Clear Cache"><i class="fas fa-clear"></i>Clear cache</button>
+			</form>
+		</div>
 	</div>
 </div>
 
diff --git a/admin/pages/news.php b/admin/pages/news.php
index 66398b09..a7c739c5 100644
--- a/admin/pages/news.php
+++ b/admin/pages/news.php
@@ -9,12 +9,15 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+$title = 'News Panel';
+
+csrfProtect();
+
+$use_datatable = true;
+
 require_once LIBS . 'forum.php';
 require_once LIBS . 'news.php';
 
-$title = 'News Panel';
-$use_datatable = true;
-
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -23,25 +26,25 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 header('X-XSS-Protection:0');
 
 // some constants, used mainly by database (cannot by modified without schema changes)
-define('NEWS_TITLE_LIMIT', 100);
-define('NEWS_BODY_LIMIT', 65535); // maximum news body length
-define('ARTICLE_TEXT_LIMIT', 300);
-define('ARTICLE_IMAGE_LIMIT', 100);
+const NEWS_TITLE_LIMIT = 100;
+const NEWS_BODY_LIMIT = 65535; // maximum news body length
+const ARTICLE_TEXT_LIMIT = 300;
+const ARTICLE_IMAGE_LIMIT = 100;
 
 $name = $p_title = '';
 if(!empty($action))
 {
-	$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : null;
-	$p_title = isset($_REQUEST['title']) ? $_REQUEST['title'] : null;
-	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
-	$comments = isset($_REQUEST['comments']) ? $_REQUEST['comments'] : null;
-	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null;
-	$category = isset($_REQUEST['category']) ? (int)$_REQUEST['category'] : null;
-	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
-	$article_text = isset($_REQUEST['article_text']) ? $_REQUEST['article_text'] : null;
-	$article_image = isset($_REQUEST['article_image']) ? $_REQUEST['article_image'] : null;
-	$forum_section = isset($_REQUEST['forum_section']) ? $_REQUEST['forum_section'] : null;
-	$errors = array();
+	$id = $_POST['id'] ?? null;
+	$p_title = $_POST['title'] ?? null;
+	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
+	$comments = $_POST['comments'] ?? null;
+	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : 1;
+	$category = isset($_POST['category']) ? (int)$_POST['category'] : null;
+	$player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
+	$article_text = $_POST['article_text'] ?? null;
+	$article_image = $_POST['article_image'] ?? null;
+	$forum_section = $_POST['forum_section'] ?? null;
+	$errors = [];
 
 	if($action == 'new') {
 		if(isset($forum_section) && $forum_section != '-1') {
@@ -52,12 +55,13 @@ if(!empty($action))
 			$p_title = $body = $comments = $article_text = $article_image = '';
 			$type = $category = $player_id = 0;
 
-			success("Added successful.");
+			success('Added successful.');
 		}
 	}
 	else if($action == 'delete') {
-		News::delete($id, $errors);
-		success("Deleted successful.");
+		if (News::delete($id, $errors)) {
+			success('Deleted successful.');
+		}
 	}
 	else if($action == 'edit')
 	{
@@ -82,13 +86,14 @@ if(!empty($action))
 				$action = $p_title = $body = $comments = $article_text = $article_image = '';
 				$type = $category = $player_id = 0;
 
-				success("Updated successful.");
+				success('Updated successful.');
 			}
 		}
 	}
 	else if($action == 'hide') {
-		News::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . " successful.");
+		if (News::toggleHidden($id, $errors, $status)) {
+			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
+		}
 	}
 
 	if(!empty($errors))
@@ -114,12 +119,10 @@ if($action == 'edit' || $action == 'new') {
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.news.form.html.twig', array(
 		'action' => $action,
-		'news_link' => getLink(PAGE),
-		'news_link_form' => '?p=news&action=' . ($action == 'edit' ? 'edit' : 'new'),
 		'news_id' => $id ?? null,
 		'title' => $p_title ?? '',
 		'body' => isset($body) ? escapeHtml($body) : '',
-		'type' => $type ?? null,
+		'type' => $type,
 		'player' => isset($player) && $player->isLoaded() ? $player : null,
 		'player_id' => $player_id ?? null,
 		'account_players' => $account_players,
diff --git a/admin/pages/notepad.php b/admin/pages/notepad.php
index c18d837e..d6c6358b 100644
--- a/admin/pages/notepad.php
+++ b/admin/pages/notepad.php
@@ -13,6 +13,8 @@ use MyAAC\Models\Notepad as ModelsNotepad;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Notepad';
 
+csrfProtect();
+
 /**
  * @var $account_logged OTS_Account
  */
diff --git a/admin/pages/pages.php b/admin/pages/pages.php
index 6be569f3..0a4f4ade 100644
--- a/admin/pages/pages.php
+++ b/admin/pages/pages.php
@@ -9,11 +9,14 @@
  */
 
 use MyAAC\Models\Pages as ModelsPages;
+use MyAAC\Admin\Pages;
 
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Pages';
 $use_datatable = true;
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -29,31 +32,36 @@ $enable_tinymce = true;
 $access = 0;
 
 // some constants, used mainly by database (cannot by modified without schema changes)
-define('PAGE_TITLE_LIMIT', 30);
-define('PAGE_NAME_LIMIT', 30);
-define('PAGE_BODY_LIMIT', 65535); // maximum page body length
+const PAGE_TITLE_LIMIT = 30;
+const PAGE_NAME_LIMIT = 30;
+const PAGE_BODY_LIMIT = 65535; // maximum page body length
 
 if (!empty($action)) {
-	if ($action == 'delete' || $action == 'edit' || $action == 'hide')
-		$id = $_REQUEST['id'];
-
-	if (isset($_REQUEST['name']))
-		$name = $_REQUEST['name'];
-
-	if (isset($_REQUEST['title']))
-		$p_title = $_REQUEST['title'];
-
-	$php = isset($_REQUEST['php']) && $_REQUEST['php'] == 1;
-	$enable_tinymce = isset($_REQUEST['enable_tinymce']) && $_REQUEST['enable_tinymce'] == 1;
-	if ($php)
-		$body = $_REQUEST['body'];
-	else if (isset($_REQUEST['body'])) {
-		//$body = $_REQUEST['body'];
-		$body = html_entity_decode(stripslashes($_REQUEST['body']));
+	if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
+		$id = $_POST['id'];
 	}
 
-	if (isset($_REQUEST['access']))
-		$access = $_REQUEST['access'];
+	if (isset($_POST['name'])) {
+		$name = $_POST['name'];
+	}
+
+	if (isset($_POST['title'])) {
+		$p_title = $_POST['title'];
+	}
+
+	$php = isset($_POST['php']) && $_POST['php'] == 1;
+	$enable_tinymce = isset($_POST['enable_tinymce']) && $_POST['enable_tinymce'] == 1;
+	if ($php) {
+		$body = $_POST['body'];
+	}
+	else if (isset($_POST['body'])) {
+		//$body = $_POST['body'];
+		$body = html_entity_decode(stripslashes($_POST['body']));
+	}
+
+	if (isset($_POST['access'])) {
+		$access = $_POST['access'];
+	}
 
 	$errors = array();
 	$player_id = 1;
@@ -70,7 +78,7 @@ if (!empty($action)) {
 		if (Pages::delete($id, $errors))
 			success('Page with id ' . $id . ' has been deleted');
 	} else if ($action == 'edit') {
-		if (isset($id) && !isset($_REQUEST['name'])) {
+		if (isset($id) && !isset($_POST['name'])) {
 			$_page = Pages::get($id);
 			$name = $_page['name'];
 			$p_title = $_page['title'];
@@ -89,8 +97,9 @@ if (!empty($action)) {
 			}
 		}
 	} else if ($action == 'hide') {
-		Pages::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . ' successful.');
+		if (Pages::toggleHidden($id, $errors, $status)) {
+			success(($status == 0 ? 'Show' : 'Hide') . ' successful.');
+		}
 	}
 
 	if (!empty($errors))
@@ -107,7 +116,7 @@ $pages = ModelsPages::all()->map(function ($e) {
 	];
 })->toArray();
 
-$twig->display('admin.pages.form.html.twig', array(
+$twig->display('admin.pages.form.html.twig', [
 	'action' => $action,
 	'id' => $action == 'edit' ? $id : null,
 	'name' => $name,
@@ -117,136 +126,8 @@ $twig->display('admin.pages.form.html.twig', array(
 	'body' => isset($body) ? escapeHtml($body) : '',
 	'groups' => $groups->getGroups(),
 	'access' => $access
-));
+]);
 
-$twig->display('admin.pages.html.twig', array(
+$twig->display('admin.pages.html.twig', [
 	'pages' => $pages
-));
-
-class Pages
-{
-	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!isset($title[0]) || !isset($body[0])) {
-			$errors[] = 'Please fill all inputs.';
-			return false;
-		}
-		if(strlen($name) > PAGE_NAME_LIMIT) {
-			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($title) > PAGE_TITLE_LIMIT) {
-			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($body) > PAGE_BODY_LIMIT) {
-			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
-			return false;
-		}
-		if(!isset($player_id) || $player_id == 0) {
-			$errors[] = 'Player ID is wrong.';
-			return false;
-		}
-		if(!isset($php) || ($php != 0 && $php != 1)) {
-			$errors[] = 'Enable PHP is wrong.';
-			return false;
-		}
-		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
-			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
-			return false;
-		}
-		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
-			$errors[] = 'Enable TinyMCE is wrong.';
-			return false;
-		}
-		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
-			$errors[] = 'Access is wrong.';
-			return false;
-		}
-
-		return true;
-	}
-
-	static public function get($id)
-	{
-		$row = ModelsPages::find($id);
-		if ($row) {
-			return $row->toArray();
-		}
-
-		return false;
-	}
-
-	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		if (!ModelsPages::where('name', $name)->exists())
-			ModelsPages::create([
-				'name' => $name,
-				'title' => $title,
-				'body' => $body,
-				'player_id' => $player_id,
-				'php' => $php ? '1' : '0',
-				'enable_tinymce' => $enable_tinymce ? '1' : '0',
-				'access' => $access
-			]);
-		else
-			$errors[] = 'Page with this link already exists.';
-
-		return !count($errors);
-	}
-
-	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		ModelsPages::where('id', $id)->update([
-			'name' => $name,
-			'title' => $title,
-			'body' => $body,
-			'player_id' => $player_id,
-			'php' => $php ? '1' : '0',
-			'enable_tinymce' => $enable_tinymce ? '1' : '0',
-			'access' => $access
-		]);
-		return true;
-	}
-
-	static public function delete($id, &$errors)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->delete();
-			}
-			else
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-
-	static public function toggleHidden($id, &$errors, &$status)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->hidden = $row->hidden == 1 ? 0 : 1;
-				$row->save();
-				$status = $row->hidden;
-			}
-			else {
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-			}
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-}
+]);
diff --git a/admin/pages/players.php b/admin/pages/players.php
index 48b0f1f5..ff0e32c8 100644
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Player editor';
+
+csrfProtect();
+
 $player_base = ADMIN_URL . '?p=players';
 
 $use_datatable = true;
@@ -75,7 +78,7 @@ else if (isset($_REQUEST['search'])) {
 		$player = new OTS_Player();
 		$player->load($id);
 
-		if (isset($player) && $player->isLoaded() && isset($_POST['save'])) {// we want to save
+		if ($player->isLoaded() && isset($_POST['save'])) {// we want to save
 			$error = false;
 
 			if ($player->isOnline())
@@ -373,6 +376,7 @@ else if (isset($_REQUEST['search'])) {
 					</ul>
 				</div>
 				<form action="<?php echo $player_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+					<?php csrf(); ?>
 					<div class="card-body">
 						<div class="tab-content" id="tabs-tabContent">
 							<div class="tab-pane fade active show" id="tabs-home">
@@ -390,8 +394,8 @@ else if (isset($_REQUEST['search'])) {
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="group">Group:</label>
 										<select name="group" id="group" class="form-control custom-select">
-											<?php foreach ($groups->getGroups() as $id => $group): ?>
-												<option value="<?php echo $id; ?>" <?php echo($player->getGroup()->getId() == $id ? 'selected' : ''); ?>><?php echo $group->getName(); ?></option>
+											<?php foreach ($groups->getGroups() as $_id => $group): ?>
+												<option value="<?php echo $_id; ?>" <?php echo($player->getGroup()->getId() == $_id ? 'selected' : ''); ?>><?php echo $group->getName(); ?></option>
 											<?php endforeach; ?>
 										</select>
 									</div>
@@ -399,8 +403,8 @@ else if (isset($_REQUEST['search'])) {
 										<label for="vocation">Vocation</label>
 										<select name="vocation" id="vocation" class="form-control custom-select">
 											<?php
-											foreach ($config['vocations'] as $id => $name) {
-												echo '<option value=' . $id . ($id == $player->getVocation() ? ' selected' : '') . '>' . $name . '</option>';
+											foreach ($config['vocations'] as $_id => $name) {
+												echo '<option value=' . $_id . ($_id == $player->getVocation() ? ' selected' : '') . '>' . $name . '</option>';
 											}
 											?>
 										</select>
@@ -410,8 +414,8 @@ else if (isset($_REQUEST['search'])) {
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="sex">Sex:</label>
 										<select name="sex" id="sex" class="form-control custom-select">>
-											<?php foreach ($config['genders'] as $id => $sex): ?>
-												<option value="<?php echo $id; ?>" <?php echo($player->getSex() == $id ? 'selected' : ''); ?>><?php echo strtolower($sex); ?></option>
+											<?php foreach ($config['genders'] as $_id => $sex): ?>
+												<option value="<?php echo $_id; ?>" <?php echo($player->getSex() == $_id ? 'selected' : ''); ?>><?php echo strtolower($sex); ?></option>
 											<?php endforeach; ?>
 										</select>
 									</div>
@@ -424,8 +428,8 @@ else if (isset($_REQUEST['search'])) {
 												$configTowns[$player->getTownId()] = 'Unknown Town';
 											}
 
-											foreach ($configTowns as $id => $town): ?>
-												<option value="<?php echo $id; ?>" <?php echo($player->getTownId() == $id ? 'selected' : ''); ?>><?php echo $town; ?></option>
+											foreach ($configTowns as $_id => $town): ?>
+												<option value="<?php echo $_id; ?>" <?php echo($player->getTownId() == $_id ? 'selected' : ''); ?>><?php echo $town; ?></option>
 											<?php endforeach; ?>
 										</select>
 									</div>
@@ -436,8 +440,8 @@ else if (isset($_REQUEST['search'])) {
 										<select name="skull" id="skull" class="form-control custom-select">
 											<?php
 
-											foreach ($skull_type as $id => $s_name) {
-												echo '<option value=' . $id . ($id == $player->getSkull() ? ' selected' : '') . '>' . $s_name . '</option>';
+											foreach ($skull_type as $_id => $s_name) {
+												echo '<option value=' . $_id . ($_id == $player->getSkull() ? ' selected' : '') . '>' . $s_name . '</option>';
 											}
 											?>
 										</select>
@@ -554,22 +558,22 @@ else if (isset($_REQUEST['search'])) {
 							</div>
 							<div class="tab-pane fade" id="tabs-skills">
 								<?php
-								foreach ($skills as $id => $info) {
+								foreach ($skills as $_id => $info) {
 									?>
 									<div class="form-group row">
 										<div class="col-12 col-sm-12 col-lg-6">
-											<?php echo '<label for="skills[' . $id . ']" class="control-label">' . $info[0] . '</label>
-									<input type="text" class="form-control" id="skills[' . $id . ']" name="skills[' . $id . ']" maxlength="10" autocomplete="off" value="' . $player->getSkill($id) . '"/>'; ?>
+											<?php echo '<label for="skills[' . $_id . ']" class="control-label">' . $info[0] . '</label>
+									<input type="text" class="form-control" id="skills[' . $_id . ']" name="skills[' . $_id . ']" maxlength="10" autocomplete="off" value="' . $player->getSkill($_id) . '"/>'; ?>
 										</div>
 										<div class="col-12 col-sm-12 col-lg-6">
-											<?php echo '<label for="skills_tries[' . $id . ']" class="control-label">' . $info[0] . ' tries</label>
-									<input type="text" class="form-control" id="skills_tries[' . $id . ']" name="skills_tries[' . $id . ']" maxlength="10" autocomplete="off" value="' . $player->getSkillTries($id) . '"/>'; ?>
+											<?php echo '<label for="skills_tries[' . $_id . ']" class="control-label">' . $info[0] . ' tries</label>
+									<input type="text" class="form-control" id="skills_tries[' . $_id . ']" name="skills_tries[' . $_id . ']" maxlength="10" autocomplete="off" value="' . $player->getSkillTries($_id) . '"/>'; ?>
 										</div>
 									</div>
 								<?php } ?>
 							</div>
 							<div class="tab-pane fade" id="tabs-pos">
-								<?php $outfit = $config['outfit_images_url'] . '?id=' . $player->getLookType() . ($hasLookAddons ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet(); ?>
+								<?php $outfit = setting('core.outfit_images_url') . '?id=' . $player->getLookType() . ($hasLookAddons ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet(); ?>
 								<div id="imgchar" style="width:64px;height:64px;position:absolute; top:30px; right:30px">
 									<img id="player_outfit" style="margin-left:0;margin-top:0;width:64px;height:64px;" src="<?php echo $outfit; ?>" alt="player outfit"/>
 								</div>
@@ -622,7 +626,7 @@ else if (isset($_REQUEST['search'])) {
 										if ($outfitlist) { ?>
 											<select name="look_type" id="look_type" class="form-control custom-select">
 												<?php
-												foreach ($outfitlist as $id => $outfit) {
+												foreach ($outfitlist as $_id => $outfit) {
 													if ($outfit['enabled'] == 'yes') ;
 													echo '<option value=' . $outfit['id'] . ($outfit['id'] == $player->getLookType() ? ' selected' : '') . '>' . $outfit['name'] . ' - ' . ($outfit['type'] == 1 ? 'Male' : 'Female') . '</option>';
 												}
@@ -638,8 +642,8 @@ else if (isset($_REQUEST['search'])) {
 											<select name="look_addons" id="look_addons" class="form-control custom-select">
 												<?php
 												$addon_type = array("None", "First", "Second", "Both");
-												foreach ($addon_type as $id => $s_name) {
-													echo '<option value=' . $id . ($id == $player->getLookAddons() ? ' selected' : '') . '>' . $s_name . '</option>';
+												foreach ($addon_type as $_id => $s_name) {
+													echo '<option value=' . $_id . ($_id == $player->getLookAddons() ? ' selected' : '') . '>' . $s_name . '</option>';
 												}
 												?>
 											</select>
@@ -704,7 +708,7 @@ else if (isset($_REQUEST['search'])) {
 								<div class="form-group row">
 									<div class="col-12">
 										<label for="comment" class="control-label">Comment:</label>
-										<textarea class="form-control" name="comment" rows="10" cols="50" wrap="virtual"><?php echo $player->getCustomField("comment"); ?></textarea>
+										<textarea class="form-control" id="comment" name="comment" rows="10" cols="50" wrap="virtual"><?php echo $player->getCustomField("comment"); ?></textarea>
 										<small>[max. length: 2000 chars, 50 lines (ENTERs)]</small>
 									</div>
 								</div>
@@ -841,7 +845,7 @@ else if (isset($_REQUEST['search'])) {
 
 				<?php if($hasLookAddons): ?>
 				const $addonvalue = $('#look_addons');
-				$('#look_addons').on('change', () => {
+				$addonvalue.on('change', () => {
 					updateOutfit();
 				});
 				<?php endif; ?>
@@ -858,7 +862,7 @@ else if (isset($_REQUEST['search'])) {
 				<?php if($hasLookAddons): ?>
 				look_addons = '&addons=' + $('#look_addons').val();
 				<?php endif; ?>
-				$("#player_outfit").attr("src", '<?= $config['outfit_images_url']; ?>?id=' + look_type + look_addons + '&head=' + look_head + '&body=' + look_body + '&legs=' + look_legs + '&feet=' + look_feet);
+				$("#player_outfit").attr("src", '<?= setting('core.outfit_images_url'); ?>?id=' + look_type + look_addons + '&head=' + look_head + '&body=' + look_body + '&legs=' + look_legs + '&feet=' + look_feet);
 			}
 		</script>
 	<?php } ?>
@@ -870,18 +874,20 @@ else if (isset($_REQUEST['search'])) {
 			<div class="card-body row">
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
-						<label for="name">Player Name:</label>
+						<?php csrf(); ?>
+						<label for="search">Player Name:</label>
 						<div class="input-group input-group-sm">
-							<input type="text" class="form-control" name="search" value="<?php echo $search_player; ?>" maxlength="32" size="32">
+							<input type="text" class="form-control" id="search" name="search" value="<?= escapeHtml($search_player); ?>" maxlength="32" size="32">
 							<span class="input-group-append"><button type="submit" class="btn btn-info btn-flat">Search</button></span>
 						</div>
 					</form>
 				</div>
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
-						<label for="name">Player ID:</label>
+						<?php csrf(); ?>
+						<label for="id">Player ID:</label>
 						<div class="input-group input-group-sm">
-							<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
+							<input type="text" class="form-control" id="id" name="id" value="<?= $id; ?>" maxlength="32" size="32">
 							<span class="input-group-append"><button type="submit" class="btn btn-info btn-flat">Search</button></span>
 						</div>
 					</form>
@@ -892,7 +898,7 @@ else if (isset($_REQUEST['search'])) {
 </div>
 
 <script>
-	$(document).ready(function () {
+	$(function () {
 		$('.player_datatable').DataTable({
 			"order": [[0, "asc"]]
 		});
diff --git a/admin/pages/plugins.php b/admin/pages/plugins.php
index be9df2b0..6eb0862e 100644
--- a/admin/pages/plugins.php
+++ b/admin/pages/plugins.php
@@ -9,6 +9,9 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Plugin manager';
+
+csrfProtect();
+
 $use_datatable = true;
 
 require_once LIBS . 'plugins.php';
@@ -19,23 +22,23 @@ if (!getBoolean(setting('core.admin_plugins_manage_enable'))) {
 else {
 	$twig->display('admin.plugins.form.html.twig');
 
-	if (isset($_REQUEST['uninstall'])) {
-		$uninstall = $_REQUEST['uninstall'];
+	if (isset($_POST['uninstall'])) {
+		$uninstall = $_POST['uninstall'];
 
 		if (Plugins::uninstall($uninstall)) {
 			success('Successfully uninstalled plugin ' . $uninstall);
 		} else {
 			error('Error while uninstalling plugin ' . $uninstall . ': ' . Plugins::getError());
 		}
-	} else if (isset($_REQUEST['enable'])) {
-		$enable = $_REQUEST['enable'];
+	} else if (isset($_POST['enable'])) {
+		$enable = $_POST['enable'];
 		if (Plugins::enable($enable)) {
 			success('Successfully enabled plugin ' . $enable);
 		} else {
 			error('Error while enabling plugin ' . $enable . ': ' . Plugins::getError());
 		}
-	} else if (isset($_REQUEST['disable'])) {
-		$disable = $_REQUEST['disable'];
+	} else if (isset($_POST['disable'])) {
+		$disable = $_POST['disable'];
 		if (Plugins::disable($disable)) {
 			success('Successfully disabled plugin ' . $disable);
 		} else {
@@ -116,7 +119,7 @@ foreach (get_plugins(true) as $plugin) {
 	if (!$plugin_info) {
 		warning('Cannot load plugin info ' . $plugin . '.json');
 	} else {
-		$disabled = (strpos($plugin, 'disabled.') !== false);
+		$disabled = (str_contains($plugin, 'disabled.'));
 		$pluginOriginal = ($disabled ? str_replace('disabled.', '', $plugin) : $plugin);
 		$plugins[] = array(
 			'name' => $plugin_info['name'] ?? '',
diff --git a/admin/tools/settings_save.php b/admin/tools/settings_save.php
index 83be1de3..500c83bb 100644
--- a/admin/tools/settings_save.php
+++ b/admin/tools/settings_save.php
@@ -6,11 +6,18 @@ require SYSTEM . 'functions.php';
 require SYSTEM . 'init.php';
 require SYSTEM . 'login.php';
 
+// event system
+require_once SYSTEM . 'hooks.php';
+$hooks = new Hooks();
+$hooks->load();
+
 if(!admin()) {
 	http_response_code(500);
 	die('Access denied.');
 }
 
+csrfProtect();
+
 if (!isset($_REQUEST['plugin'])) {
 	http_response_code(500);
 	die('Please enter plugin name.');
@@ -23,7 +30,7 @@ if (!isset($_POST['settings'])) {
 
 $settings = Settings::getInstance();
 
-$settings->save($_REQUEST['plugin'], $_POST['settings']);
+$success = $settings->save($_REQUEST['plugin'], $_POST['settings']);
 
 $errors = $settings->getErrors();
 if (count($errors) > 0) {
@@ -31,4 +38,6 @@ if (count($errors) > 0) {
 	die(implode('<br/>', $errors));
 }
 
-echo 'Saved at ' . date('H:i');
+if ($success) {
+	echo 'Saved at ' . date('H:i');
+}
diff --git a/common.php b/common.php
index 13cdabb7..b2147460 100644
--- a/common.php
+++ b/common.php
@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '8.0', '<')) die('PHP version 8.0 or higher is required.');
 
 const MYAAC = true;
-const MYAAC_VERSION = '0.10.0-dev';
+const MYAAC_VERSION = '1.0-dev';
 const DATABASE_VERSION = 36;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
@@ -108,6 +108,13 @@ const TFS_FIRST = TFS_02;
 const TFS_LAST = TFS_03;
 
 // other definitions
+const MAIL_MAIL = 0;
+const MAIL_SMTP = 1;
+
+const SMTP_SECURITY_NONE = 0;
+const SMTP_SECURITY_SSL = 1;
+const SMTP_SECURITY_TLS = 2;
+
 const ACCOUNT_NUMBER_LENGTH = 8;
 
 if (!IS_CLI) {
@@ -136,7 +143,7 @@ if(!IS_CLI) {
 		}
 	}
 
-	define('SERVER_URL', 'http' . (isset($_SERVER['HTTPS'][0]) && strtolower($_SERVER['HTTPS']) === 'on' ? 's' : '') . '://' . $baseHost);
+	define('SERVER_URL', 'http' . (isHttps() ? 's' : '') . '://' . $baseHost);
 	define('BASE_URL', SERVER_URL . BASE_DIR . '/');
 	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/' . ADMIN_PANEL_FOLDER . '/');
 
@@ -147,6 +154,7 @@ if (file_exists(BASE . 'config.local.php')) {
 	require BASE . 'config.local.php';
 }
 
+/** @var array $config */
 ini_set('log_errors', 1);
 if(@$config['env'] === 'dev') {
 	ini_set('display_errors', 1);
@@ -165,3 +173,11 @@ if (!is_file($autoloadFile)) {
 }
 
 require $autoloadFile;
+
+function isHttps(): bool
+{
+	return
+		(!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
+		|| (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+		|| (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
+}
diff --git a/composer.json b/composer.json
index 501c0326..0d227019 100644
--- a/composer.json
+++ b/composer.json
@@ -12,7 +12,8 @@
         "erusev/parsedown": "^1.7",
         "nikic/fast-route": "^1.3",
         "matomo/device-detector": "^6.0",
-        "illuminate/database": "^10.18"
+        "illuminate/database": "^10.18",
+        "peppeocchi/php-cron-scheduler": "4.*"
     },
     "require-dev": {
         "filp/whoops": "^2.15",
diff --git a/cypress/e2e/2-create-account.cy.js b/cypress/e2e/2-create-account.cy.js
index 9fc95cb0..2ee53d5d 100644
--- a/cypress/e2e/2-create-account.cy.js
+++ b/cypress/e2e/2-create-account.cy.js
@@ -14,7 +14,7 @@ describe('Create Account Page', () => {
 		cy.get('#email').type('tester@example.com')
 
 		cy.get('#password').type('test1234')
-		cy.get('#password2').type('test1234')
+		cy.get('#password_confirm').type('test1234')
 
 		cy.get('#character_name').type('Slaw')
 
diff --git a/index.php b/index.php
index 5ead45b9..c6e76919 100644
--- a/index.php
+++ b/index.php
@@ -71,10 +71,6 @@ if(!$db->hasTable('myaac_account_actions')) {
 	throw new RuntimeException('Seems that the table <strong>myaac_account_actions</strong> of MyAAC doesn\'t exist in the database. This is a fatal error. You can try to reinstall MyAAC by visiting <a href="' . BASE_URL . 'install">this</a> url.');
 }
 
-// event system
-require_once SYSTEM . 'hooks.php';
-$hooks = new Hooks();
-$hooks->load();
 require_once SYSTEM . 'template.php';
 require_once SYSTEM . 'login.php';
 require_once SYSTEM . 'status.php';
diff --git a/install/includes/schema.sql b/install/includes/schema.sql
index 2645d1a9..fbbcad37 100644
--- a/install/includes/schema.sql
+++ b/install/includes/schema.sql
@@ -127,11 +127,6 @@ CREATE TABLE `myaac_menu`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8;
 
-/* MENU_CATEGORY_SHOP tibiacom */
-INSERT INTO `myaac_menu` (`template`, `name`, `link`, `category`, `ordering`) VALUES ('tibiacom', 'Buy Points', 'points', 6, 0);
-INSERT INTO `myaac_menu` (`template`, `name`, `link`, `category`, `ordering`) VALUES ('tibiacom', 'Shop Offer', 'gifts', 6, 1);
-INSERT INTO `myaac_menu` (`template`, `name`, `link`, `category`, `ordering`) VALUES ('tibiacom', 'Shop History', 'gifts/history', 6, 2);
-
 CREATE TABLE `myaac_monsters` (
 	`id` int(11) NOT NULL AUTO_INCREMENT,
 	`hidden` tinyint(1) NOT NULL default 0,
diff --git a/install/index.php b/install/index.php
index 22440101..9c2e5048 100644
--- a/install/index.php
+++ b/install/index.php
@@ -12,7 +12,7 @@ require SYSTEM . 'functions.php';
 require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';
 require SYSTEM . 'clients.conf.php';
-require LIBS . 'settings.php';
+require LIBS . 'Settings.php';
 
 // ignore undefined index from Twig autoloader
 $config['env'] = 'prod';
diff --git a/login.php b/login.php
index c342a8e9..8be4d1f3 100644
--- a/login.php
+++ b/login.php
@@ -2,6 +2,8 @@
 
 use MyAAC\Models\BoostedCreature;
 use MyAAC\Models\PlayerOnline;
+use MyAAC\Models\Account;
+use MyAAC\Models\Player;
 
 require_once 'common.php';
 require_once SYSTEM . 'functions.php';
diff --git a/plugins/account-create-hint/hint.html.twig b/plugins/account-create-hint/hint.html.twig
index 5c31dfb1..ffc85434 100644
--- a/plugins/account-create-hint/hint.html.twig
+++ b/plugins/account-create-hint/hint.html.twig
@@ -1,3 +1,3 @@
 To play on {{ config.lua.serverName }} you need an account.
-All you have to do to create your new account is to enter an account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %}, password{% if config.account_country %}, country{% endif %} and your email address.
+All you have to do to create your new account is to enter an account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %}, password{% if setting('core.account_country') %}, country{% endif %} and your email address.
 Also you have to agree to the terms presented below. If you have done so, your account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %} will be shown on the following page and your account password will be sent to your email address along with further instructions. If you do not receive the email with your password, please check your spam filter.<br/><br/>
diff --git a/plugins/email-confirmed-reward/reward.php b/plugins/email-confirmed-reward/reward.php
index 107ab8d7..11af5b34 100644
--- a/plugins/email-confirmed-reward/reward.php
+++ b/plugins/email-confirmed-reward/reward.php
@@ -1,33 +1,37 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 
-$reward = config('account_mail_confirmed_reward');
+$reward = setting('core.account_mail_confirmed_reward');
 
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
-if ($reward['coins'] > 0 && $hasCoinsColumn) {
-	log_append('email_confirm_error.log', 'accounts.coins column does not exist.');
+$rewardCoins = setting('core.account_mail_confirmed_reward_coins');
+if ($rewardCoins > 0 && !$hasCoinsColumn) {
+	log_append('error.log', 'email_confirm: accounts.coins column does not exist.');
 }
 
 if (!isset($account) || !$account->isLoaded()) {
-	log_append('email_confirm_error.log', 'Account not loaded.');
 	return;
 }
 
-if ($reward['premium_points'] > 0) {
-	$account->setCustomField('premium_points', (int)$account->getCustomField('premium_points') + $reward['premium_points']);
+$rewardMessage = 'You received %d %s for confirming your E-Mail address.';
 
-	success(sprintf($reward['message'], $reward['premium_points'], 'premium points'));
+$rewardPremiumPoints = setting('core.account_mail_confirmed_reward_premium_points');
+if ($rewardPremiumPoints > 0) {
+	$account->setCustomField('premium_points', (int)$account->getCustomField('premium_points') + $rewardPremiumPoints);
+
+	success(sprintf($rewardMessage, $rewardPremiumPoints, 'premium points'));
 }
 
-if ($reward['coins'] > 0 && $hasCoinsColumn) {
-	$account->setCustomField('coins', (int)$account->getCustomField('coins') + $reward['coins']);
+if ($rewardCoins > 0 && $hasCoinsColumn) {
+	$account->setCustomField('coins', (int)$account->getCustomField('coins') + $rewardCoins);
 
-	success(sprintf($reward['message'], $reward['coins'], 'coins'));
+	success(sprintf($rewardMessage, $rewardCoins, 'coins'));
 }
 
-if ($reward['premium_days'] > 0) {
-	$account->setPremDays($account->getPremDays() + $reward['premium_days']);
+$rewardPremiumDays = setting('core.account_mail_confirmed_reward_premium_days');
+if ($rewardPremiumDays > 0) {
+	$account->setPremDays($account->getPremDays() + $rewardPremiumDays);
 	$account->save();
 
-	success(sprintf($reward['message'], $reward['premium_days'], 'premium days'));
+	success(sprintf($rewardMessage, $rewardPremiumDays, 'premium days'));
 }
diff --git a/system/bin/cronjob.php b/system/bin/cronjob.php
new file mode 100644
index 00000000..0bea2b03
--- /dev/null
+++ b/system/bin/cronjob.php
@@ -0,0 +1,19 @@
+<?php
+
+require_once __DIR__ . '/../../common.php';
+require_once SYSTEM . 'functions.php';
+require_once SYSTEM . 'init.php';
+require_once SYSTEM . 'hooks.php';
+
+$hooks = new Hooks();
+$hooks->load();
+
+use GO\Scheduler;
+
+// Create a new scheduler
+$scheduler = new Scheduler();
+
+$hooks->trigger(HOOK_CRONJOB, ['scheduler' => $scheduler]);
+
+// Let the scheduler execute jobs which are due.
+$scheduler->run();
diff --git a/system/bin/install_cronjob.php b/system/bin/install_cronjob.php
new file mode 100644
index 00000000..dff2604a
--- /dev/null
+++ b/system/bin/install_cronjob.php
@@ -0,0 +1,50 @@
+<?php
+
+require_once __DIR__ . '/../../common.php';
+require_once SYSTEM . 'functions.php';
+require_once SYSTEM . 'init.php';
+
+if(!IS_CLI) {
+	echo 'This script can be run only in command line mode.' . PHP_EOL;
+	exit(1);
+}
+
+if (MYAAC_OS !== 'LINUX') {
+	echo 'This script can be run only on linux.' . PHP_EOL;
+	exit(1);
+}
+
+$job = '* * * * * /usr/bin/php ' . SYSTEM . 'bin/cronjob.php >> ' . SYSTEM . 'logs/cron.log 2>&1';
+
+if (cronjob_exists($job)) {
+	echo 'MyAAC cronjob already installed.' . PHP_EOL;
+	exit(0);
+}
+
+exec ('crontab -l', $content);
+
+$content = implode(' ', $content);
+$content .= PHP_EOL . $job;
+
+file_put_contents(CACHE . 'cronjob', $content . PHP_EOL);
+exec('crontab ' . CACHE. 'cronjob');
+
+echo 'Installed crontab successfully.' . PHP_EOL;
+
+function cronjob_exists($command)
+{
+	$cronjob_exists=false;
+
+	exec('crontab -l', $crontab);
+	if(isset($crontab)&&is_array($crontab)) {
+
+		$crontab = array_flip($crontab);
+
+		if(isset($crontab[$command])){
+			$cronjob_exists = true;
+		}
+
+	}
+
+	return $cronjob_exists;
+}
diff --git a/system/clients.conf.php b/system/clients.conf.php
index b3ec18d5..a7d2bf0c 100644
--- a/system/clients.conf.php
+++ b/system/clients.conf.php
@@ -99,4 +99,10 @@ $config['clients'] = [
 	1291,
 
 	1300,
+	1310,
+	1311,
+	1312,
+	1316,
+	1320,
+	1321,
 ];
diff --git a/system/compat/config.php b/system/compat/config.php
index b6cf29f7..9d58f4d6 100644
--- a/system/compat/config.php
+++ b/system/compat/config.php
@@ -68,10 +68,12 @@ $deprecatedConfig = [
 	'status_ip',
 	'status_port',
 	'mail_enabled',
+	'mail_address',
 	'account_login_by_email',
 	'account_login_by_email_fallback',
 	'account_mail_verify',
 	'account_mail_unique',
+	'account_mail_change',
 	'account_premium_days',
 	'account_premium_points',
 	'account_create_character_create',
diff --git a/system/functions.php b/system/functions.php
index 451d50a3..afa5e969 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use MyAAC\Models\Config;
 use MyAAC\Models\Guild;
 use MyAAC\Models\House;
@@ -43,7 +44,10 @@ function warning($message, $return = false) {
 	return message($message, 'warning', $return);
 }
 function note($message, $return = false) {
-	return message($message, 'note', $return);
+	return info($message, $return);
+}
+function info($message, $return = false) {
+	return message($message, 'info', $return);
 }
 function error($message, $return = false) {
 	return message($message, ((defined('MYAAC_INSTALL') || defined('MYAAC_ADMIN')) ? 'danger' : 'error'), $return);
@@ -151,8 +155,7 @@ function getItemImage($id, $count = 1)
 	if($count > 1)
 		$file_name .= '-' . $count;
 
-	global $config;
-	return '<img src="' . $config['item_images_url'] . $file_name . config('item_images_extension') . '"' . $tooltip . ' width="32" height="32" border="0" alt="' .$id . '" />';
+	return '<img src="' . setting('core.item_images_url') . $file_name . setting('core.item_images_extension') . '"' . $tooltip . ' width="32" height="32" border="0" alt="' .$id . '" />';
 }
 
 function getItemRarity($chance) {
@@ -500,8 +503,8 @@ function template_place_holder($type): string
  */
 function template_header($is_admin = false): string
 {
-	global $title_full, $config, $twig;
-	$charset = $config['charset'] ?? 'utf-8';
+	global $title_full, $twig;
+	$charset = setting('core.charset') ?? 'utf-8';
 
 	return $twig->render('templates.header.html.twig',
 		[
@@ -866,9 +869,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 	else
 		$tmp_body = $body . '<br/><br/>' . $signature_html;
 
-	define('MAIL_MAIL', 0);
-	define('MAIL_SMTP', 1);
-
 	$mailOption = setting('core.mail_option');
 	if($mailOption == MAIL_SMTP)
 	{
@@ -879,10 +879,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->Username = setting('core.smtp_user');
 		$mailer->Password = setting('core.smtp_pass');
 
-		define('SMTP_SECURITY_NONE', 0);
-		define('SMTP_SECURITY_SSL', 1);
-		define('SMTP_SECURITY_TLS', 2);
-
 		$security = setting('core.smtp_security');
 
 		$tmp = '';
@@ -1046,14 +1042,36 @@ function get_browser_real_ip() {
 	return '0';
 }
 function setSession($key, $data) {
-	$_SESSION[config('session_prefix') . $key] = $data;
+	$_SESSION[setting('core.session_prefix') . $key] = $data;
 }
 function getSession($key) {
-	$key = config('session_prefix') . $key;
+	$key = setting('core.session_prefix') . $key;
 	return isset($_SESSION[$key]) ? $_SESSION[$key] : false;
 }
 function unsetSession($key) {
-	unset($_SESSION[config('session_prefix') . $key]);
+	unset($_SESSION[setting('core.session_prefix') . $key]);
+}
+
+function csrf(): void {
+	CsrfToken::create();
+}
+
+function csrfToken(): string {
+	return CsrfToken::get();
+}
+
+function isValidToken(): bool {
+	$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
+	return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
+}
+
+function csrfProtect(): void
+{
+	if (!isValidToken()) {
+		$lastUri = BASE_URL . str_replace_first('/', '', getSession('last_uri'));
+		echo 'Request has been cancelled due to security reasons - token is invalid. Go <a href="' . $lastUri . '">back</a>';
+		exit();
+	}
 }
 
 function getTopPlayers($limit = 5) {
@@ -1208,15 +1226,37 @@ function clearCache()
 		if ($cache->fetch('failed_logins', $tmp))
 			$cache->delete('failed_logins');
 
-		global $template_name;
-		if ($cache->fetch('template_ini' . $template_name, $tmp))
-			$cache->delete('template_ini' . $template_name);
+		foreach (get_templates() as $template) {
+			if ($cache->fetch('template_ini_' . $template, $tmp)) {
+				$cache->delete('template_ini_' . $template);
+			}
+		}
 
-		if ($cache->fetch('plugins_hooks', $tmp))
+		if ($cache->fetch('template_menus', $tmp)) {
+			$cache->delete('template_menus');
+		}
+		if ($cache->fetch('database_tables', $tmp)) {
+			$cache->delete('database_tables');
+		}
+		if ($cache->fetch('database_columns', $tmp)) {
+			$cache->delete('database_columns');
+		}
+		if ($cache->fetch('database_checksum', $tmp)) {
+			$cache->delete('database_checksum');
+		}
+		if ($cache->fetch('last_kills', $tmp)) {
+			$cache->delete('last_kills');
+		}
+
+		if ($cache->fetch('hooks', $tmp)) {
+			$cache->delete('hooks');
+		}
+		if ($cache->fetch('plugins_hooks', $tmp)) {
 			$cache->delete('plugins_hooks');
-
-		if ($cache->fetch('plugins_routes', $tmp))
+		}
+		if ($cache->fetch('plugins_routes', $tmp)) {
 			$cache->delete('plugins_routes');
+		}
 	}
 
 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
@@ -1280,7 +1320,7 @@ function getCustomPage($name, &$success): string
 			set_error_handler('error_handler');
 
 			global $config;
-			if($config['backward_support']) {
+			if(setting('core.backward_support')) {
 				global $SQL, $main_content, $subtopic;
 			}
 
@@ -1462,7 +1502,7 @@ function echo_success($message)
 function echo_error($message)
 {
 	global $error;
-	echo '<div class="col-12 alert alert-error mb-2">' . $message . '</div>';
+	echo '<div class="col-12 alert alert-danger mb-2">' . $message . '</div>';
 	$error = true;
 }
 
@@ -1537,8 +1577,8 @@ function right($str, $length) {
 }
 
 function getCreatureImgPath($creature){
-	$creature_path = config('monsters_images_url');
-	$creature_gfx_name = trim(strtolower($creature)) . config('monsters_images_extension');
+	$creature_path = setting('core.monsters_images_url');
+	$creature_gfx_name = trim(strtolower($creature)) . setting('core.monsters_images_extension');
 	if (!file_exists($creature_path . $creature_gfx_name)) {
 		$creature_gfx_name = str_replace(" ", "", $creature_gfx_name);
 		if (file_exists($creature_path . $creature_gfx_name)) {
@@ -1617,7 +1657,7 @@ function getGuildLogoById($id)
 
 	$guild = Guild::where('id', intval($id))->select('logo_name')->first();
 	if ($guild) {
-		$guildLogo = $query->logo_name;
+		$guildLogo = $guild->logo_name;
 
 		if (!empty($guildLogo) && file_exists(GUILD_IMAGES_DIR . $guildLogo)) {
 			$logo = $guildLogo;
diff --git a/system/hooks.php b/system/hooks.php
index 81bbeac9..df9e26df 100644
--- a/system/hooks.php
+++ b/system/hooks.php
@@ -68,12 +68,15 @@ define('HOOK_ADMIN_LOGIN_AFTER_ACCOUNT', ++$i);
 define('HOOK_ADMIN_LOGIN_AFTER_PASSWORD', ++$i);
 define('HOOK_ADMIN_LOGIN_AFTER_SIGN_IN', ++$i);
 define('HOOK_ADMIN_ACCOUNTS_SAVE_POST', ++$i);
+define('HOOK_ADMIN_SETTINGS_BEFORE_SAVE', ++$i);
+define('HOOK_CRONJOB', ++$i);
 define('HOOK_EMAIL_CONFIRMED', ++$i);
 define('HOOK_GUILDS_BEFORE_GUILD_HEADER', ++$i);
 define('HOOK_GUILDS_AFTER_GUILD_HEADER', ++$i);
 define('HOOK_GUILDS_AFTER_GUILD_INFORMATION', ++$i);
 define('HOOK_GUILDS_AFTER_GUILD_MEMBERS', ++$i);
 define('HOOK_GUILDS_AFTER_INVITED_CHARACTERS', ++$i);
+define('HOOK_TWIG', ++$i);
 
 const HOOK_FIRST = HOOK_STARTUP;
 define('HOOK_LAST', $i);
diff --git a/system/init.php b/system/init.php
index 3b92b5fe..f1ede3de 100644
--- a/system/init.php
+++ b/system/init.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(!isset($config['installed']) || !$config['installed']) {
@@ -39,6 +42,11 @@ if(isset($config['gzip_output']) && $config['gzip_output'] && isset($_SERVER['HT
 require_once SYSTEM . 'libs/cache.php';
 $cache = Cache::getInstance();
 
+// event system
+require_once SYSTEM . 'hooks.php';
+$hooks = new Hooks();
+$hooks->load();
+
 // twig
 require_once SYSTEM . 'twig.php';
 
@@ -138,12 +146,23 @@ require_once LIBS . 'Settings.php';
 $settings = Settings::getInstance();
 $settings->load();
 
+// csrf protection
+$token = getSession('csrf_token');
+if (!isset($token) || !$token) {
+	CsrfToken::generate();
+}
+
 // deprecated config values
 require_once SYSTEM . 'compat/config.php';
 
 date_default_timezone_set(setting('core.date_timezone'));
 
-$config['account_create_character_create'] = config('account_create_character_create') && (!setting('core.mail_enabled') || !config('account_mail_verify'));
+setting(
+	[
+		'core.account_create_character_create',
+		setting('core.account_create_character_create') && (!setting('core.mail_enabled') || !setting('core.account_mail_verify'))
+	]
+);
 
 $settingsItemImagesURL = setting('core.item_images_url');
 if($settingsItemImagesURL[strlen($settingsItemImagesURL) - 1] !== '/') {
diff --git a/system/libs/CreateCharacter.php b/system/libs/CreateCharacter.php
index a4a1f87a..994c4a61 100644
--- a/system/libs/CreateCharacter.php
+++ b/system/libs/CreateCharacter.php
@@ -140,8 +140,8 @@ class CreateCharacter
 		if(empty($errors))
 		{
 			$number_of_players_on_account = $account->getPlayersList(true)->count();
-			if($number_of_players_on_account >= config('characters_per_account'))
-				$errors[] = 'You have too many characters on your account <b>('.$number_of_players_on_account.'/'.config('characters_per_account').')</b>!';
+			if($number_of_players_on_account >= setting('core.characters_per_account'))
+				$errors[] = 'You have too many characters on your account <b>('.$number_of_players_on_account . '/' . setting('core.characters_per_account') . ')</b>!';
 		}
 
 		if(empty($errors))
diff --git a/system/libs/Settings.php b/system/libs/Settings.php
index 3ed320d2..60b2e58c 100644
--- a/system/libs/Settings.php
+++ b/system/libs/Settings.php
@@ -60,6 +60,16 @@ class Settings implements ArrayAccess
 		}
 
 		$settings = $this->settingsFile[$pluginName];
+
+		global $hooks;
+		if (!$hooks->trigger(HOOK_ADMIN_SETTINGS_BEFORE_SAVE, [
+			'name' => $pluginName,
+			'values' => $values,
+			'settings' => $settings,
+		])) {
+			return false;
+		}
+
 		if (isset($settings['callbacks']['beforeSave'])) {
 			if (!$settings['callbacks']['beforeSave']($settings, $values)) {
 				return false;
diff --git a/system/libs/changelog.php b/system/libs/changelog.php
index e612aa5b..f6d2011b 100644
--- a/system/libs/changelog.php
+++ b/system/libs/changelog.php
@@ -95,6 +95,7 @@ class Changelog
 				if (!$row->save()) {
 					$errors[] = 'Fail during toggle hidden Changelog.';
 				}
+				$status = $row->hidden;
 			} else {
 				$errors[] = 'Changelog with id ' . $id . ' does not exists.';
 			}
diff --git a/system/libs/forum.php b/system/libs/forum.php
index c7f303f7..3f80c927 100644
--- a/system/libs/forum.php
+++ b/system/libs/forum.php
@@ -10,13 +10,13 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-$configForumTablePrefix = setting('core.forum_table_prefix');
-if(null !== $configForumTablePrefix && !empty(trim($configForumTablePrefix))) {
-	if(!in_array($configForumTablePrefix, array('myaac_', 'z_'))) {
+$settingForumTablePrefix = setting('core.forum_table_prefix');
+if(null !== $settingForumTablePrefix && !empty(trim($settingForumTablePrefix))) {
+	if(!in_array($settingForumTablePrefix, array('myaac_', 'z_'))) {
 		throw new RuntimeException('Invalid value for forum_table_prefix in config.php. Can be only: "myaac_" or "z_".');
 	}
 
-	define('FORUM_TABLE_PREFIX', $configForumTablePrefix);
+	define('FORUM_TABLE_PREFIX', $settingForumTablePrefix);
 }
 else {
 	if($db->hasTable('z_forum')) {
diff --git a/system/libs/news.php b/system/libs/news.php
index 352b2a1e..b42fefc6 100644
--- a/system/libs/news.php
+++ b/system/libs/news.php
@@ -75,18 +75,20 @@ class News
 
 	static public function delete($id, &$errors)
 	{
-		if(isset($id))
-		{
+		if(isset($id)) {
 			$row = ModelsNews::find($id);
-			if($row)
+			if($row) {
 				if (!$row->delete()) {
 					$errors[] = 'Fail during delete News.';
 				}
-			else
+			}
+			else {
 				$errors[] = 'News with id ' . $id . ' does not exists.';
+			}
 		}
-		else
+		else {
 			$errors[] = 'News id not set.';
+		}
 
 		if(count($errors)) {
 			return false;
diff --git a/system/libs/plugins.php b/system/libs/plugins.php
index d06ddf41..c1d458e1 100644
--- a/system/libs/plugins.php
+++ b/system/libs/plugins.php
@@ -152,6 +152,10 @@ class Plugins {
 		foreach(self::getAllPluginsJson() as $plugin) {
 			if (isset($plugin['hooks'])) {
 				foreach ($plugin['hooks'] as $_name => $info) {
+					if (str_contains($info['type'], 'HOOK_')) {
+						$info['type'] = str_replace('HOOK_', '', $info['type']);
+					}
+
 					if (defined('HOOK_'. $info['type'])) {
 						$hook = constant('HOOK_'. $info['type']);
 						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
diff --git a/system/libs/usage_statistics.php b/system/libs/usage_statistics.php
index 0002c1c7..29afc51b 100644
--- a/system/libs/usage_statistics.php
+++ b/system/libs/usage_statistics.php
@@ -106,8 +106,8 @@ WHERE TABLE_SCHEMA = "' . $config['database_name'] . '";');
 		}
 		$ret['templates'] = get_templates();
 
-		$ret['date_timezone'] = $config['date_timezone'];
-		$ret['backward_support'] = $config['backward_support'];
+		$ret['date_timezone'] = setting('core.date_timezone');
+		$ret['backward_support'] = setting('core.backward_support');
 
 		$cache_engine = strtolower($config['cache_engine']);
 		if($cache_engine == 'auto') {
@@ -117,4 +117,4 @@ WHERE TABLE_SCHEMA = "' . $config['database_name'] . '";');
 		$ret['cache_engine'] = $cache_engine;
 		return $ret;
 	}
-}
\ No newline at end of file
+}
diff --git a/system/logout.php b/system/logout.php
index af443aa3..4f653ecb 100644
--- a/system/logout.php
+++ b/system/logout.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(isset($account_logged) && $account_logged->isLoaded()) {
@@ -15,6 +18,8 @@ if(isset($account_logged) && $account_logged->isLoaded()) {
 		unsetSession('password');
 		unsetSession('remember_me');
 
+		CsrfToken::generate();
+
 		$logged = false;
 		unset($account_logged);
 
diff --git a/system/migrations/17.php b/system/migrations/17.php
index 6ff83b84..8c7cf8a0 100644
--- a/system/migrations/17.php
+++ b/system/migrations/17.php
@@ -14,8 +14,9 @@ CREATE TABLE `myaac_menu`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8;
 ");
-
-	require_once LIBS . 'plugins.php';
-	Plugins::installMenus('kathrine', require TEMPLATES . 'kathrine/menus.php');
-	Plugins::installMenus('tibiacom', require TEMPLATES . 'tibiacom/menus.php');
 }
+
+require_once LIBS . 'plugins.php';
+Plugins::installMenus('kathrine', require TEMPLATES . 'kathrine/menus.php');
+Plugins::installMenus('tibiacom', require TEMPLATES . 'tibiacom/menus.php');
+
diff --git a/system/pages/account/change_email.php b/system/pages/account/change_email.php
index 3bc8edd7..90f5b54d 100644
--- a/system/pages/account/change_email.php
+++ b/system/pages/account/change_email.php
@@ -43,7 +43,7 @@ if($email_new_time < 10) {
 		}
 
 		if(empty($errors)) {
-			$email_new_time = time() + $config['account_mail_change'] * 24 * 3600;
+			$email_new_time = time() + setting('core.account_mail_change') * 24 * 3600;
 			$account_logged->setCustomField("email_new", $email_new);
 			$account_logged->setCustomField("email_new_time", $email_new_time);
 			$twig->display('success.html.twig', array(
@@ -92,18 +92,22 @@ else
 	<tr>
 		<td width="30">&nbsp;</td>
 		<td align=left>
-			<form action="' . getLink('account/email') . '" method="post"><input type="hidden" name="changeemailsave" value=1 >
+			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
+				<input type="hidden" name="changeemailsave" value=1 >
 				<INPUT TYPE=image NAME="I Agree" SRC="' . $template_path . '/images/global/buttons/sbutton_iagree.gif" BORDER=0 WIDTH=120 HEIGHT=17>
 			</form>
 		</td>
 		<td align=left>
 			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
 				<input type="hidden" name="emailchangecancel" value=1 >
 				' . $twig->render('buttons.cancel.html.twig') . '
 			</form>
 		</td>
 		<td align=right>
 			<form action="?subtopic=accountmanagement" method="post" >
+				' . csrf() . '
 				' . $twig->render('buttons.back.html.twig') . '
 			</form>
 		</td>
@@ -125,6 +129,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' .getLink('account/email') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							<input type="hidden" name="emailchangecancel" value="1" >
@@ -137,6 +142,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' . getLink('account/manage') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							' . $twig->render('buttons.back.html.twig') . '
diff --git a/system/pages/account/change_info.php b/system/pages/account/change_info.php
index 8b61ea1c..2a8d4a07 100644
--- a/system/pages/account/change_info.php
+++ b/system/pages/account/change_info.php
@@ -20,7 +20,7 @@ if(!$logged) {
 	return;
 }
 
-if($config['account_country'])
+if(setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';
 
 $account = Account::find($account_logged->getId());
@@ -55,7 +55,7 @@ if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
 if($show_form) {
 	$account_rlname = $account->rlname;
 	$account_location = $account->location;
-	if ($config['account_country']) {
+	if (setting('core.account_country')) {
 		$account_country = $account->country;
 
 		$countries = array();
diff --git a/system/pages/account/change_password.php b/system/pages/account/change_password.php
index 95e15159..309c8dee 100644
--- a/system/pages/account/change_password.php
+++ b/system/pages/account/change_password.php
@@ -18,18 +18,18 @@ if(!$logged) {
 }
 
 $new_password = $_POST['newpassword'] ?? NULL;
-$new_password2 = $_POST['newpassword2'] ?? NULL;
+$new_password_confirm = $_POST['newpassword_confirm'] ?? NULL;
 $old_password = $_POST['oldpassword'] ?? NULL;
-if(empty($new_password) && empty($new_password2) && empty($old_password)) {
+if(empty($new_password) && empty($new_password_confirm) && empty($old_password)) {
 	$twig->display('account.change_password.html.twig');
 }
 else
 {
-	if(empty($new_password) || empty($new_password2) || empty($old_password)){
+	if(empty($new_password) || empty($new_password_confirm) || empty($old_password)){
 		$errors[] = 'Please fill in form.';
 	}
 	$password_strlen = strlen($new_password);
-	if($new_password != $new_password2) {
+	if($new_password != $new_password_confirm) {
 		$errors[] = 'The new passwords do not match!';
 	}
 
diff --git a/system/pages/account/create.php b/system/pages/account/create.php
index 2aa7c544..0f190bb6 100644
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@@ -11,7 +11,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Create Account';
 
-if($config['account_country'])
+if (setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';
 
 if($logged)
@@ -20,7 +20,7 @@ if($logged)
 	return;
 }
 
-if(config('account_create_character_create')) {
+if(setting('core.account_create_character_create')) {
 	require_once LIBS . 'CreateCharacter.php';
 	$createCharacter = new CreateCharacter();
 }
@@ -50,7 +50,7 @@ if($save)
 
 	$email = $_POST['email'];
 	$password = $_POST['password'];
-	$password2 = $_POST['password2'];
+	$password_confirm = $_POST['password_confirm'];
 
 	// account
 	if(!config('account_login_by_email')) {
@@ -68,7 +68,7 @@ if($save)
 
 	// country
 	$country = '';
-	if($config['account_country'])
+	if (setting('core.account_country'))
 	{
 		$country = $_POST['country'];
 		if(!isset($country))
@@ -81,7 +81,7 @@ if($save)
 	if(empty($password)) {
 		$errors['password'] = 'Please enter the password for your new account.';
 	}
-	elseif($password != $password2) {
+	elseif($password != $password_confirm) {
 		$errors['password'] = 'Passwords are not the same.';
 	}
 	else if(!Validator::password($password)) {
@@ -93,7 +93,7 @@ if($save)
 		$errors['password'] = 'Password may not be the same as account name.';
 	}
 
-	if($config['account_mail_unique'])
+	if(setting('core.account_mail_unique'))
 	{
 		$test_email_account = new OTS_Account();
 		$test_email_account->findByEMail($email);
@@ -115,7 +115,7 @@ if($save)
 	}
 
 	if($account_db->isLoaded()) {
-		if (config('account_login_by_email') && !config('account_mail_unique')) {
+		if (config('account_login_by_email') && !setting('core.account_mail_unique')) {
 			$errors['account'] = 'Account with this email already exist.';
 		}
 		else if (!config('account_login_by_email')) {
@@ -134,7 +134,7 @@ if($save)
 		'email' => $email,
 		'country' => $country,
 		'password' => $password,
-		'password2' => $password2,
+		'password_confirm' => $password_confirm,
 		'accept_rules' => isset($_POST['accept_rules']) ? $_POST['accept_rules'] === 'true' : false,
 	);
 
@@ -150,7 +150,7 @@ if($save)
 		return;
 	}
 
-	if(config('account_create_character_create')) {
+	if(setting('core.account_create_character_create')) {
 		$character_name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : null;
 		$character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null;
 		$character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null;
@@ -191,27 +191,28 @@ if($save)
 		$new_account->setCustomField('created', time());
 		$new_account->logAction('Account created.');
 
-		if($config['account_country']) {
+		if(setting('core.account_country')) {
 			$new_account->setCustomField('country', $country);
 		}
 
-		if($config['account_premium_days'] && $config['account_premium_days'] > 0) {
+		$settingAccountPremiumDays = setting('core.account_premium_days');
+		if($settingAccountPremiumDays && $settingAccountPremiumDays > 0) {
 			if($db->hasColumn('accounts', 'premend')) { // othire
-				$new_account->setCustomField('premend', time() + $config['account_premium_days'] * 86400);
+				$new_account->setCustomField('premend', time() + $settingAccountPremiumDays * 86400);
 			}
 			else { // rest
 				if ($db->hasColumn('accounts', 'premium_ends_at')) { // TFS 1.4+
-					$new_account->setCustomField('premium_ends_at', time() + $config['account_premium_days'] * (60 * 60 * 24));
+					$new_account->setCustomField('premium_ends_at', time() + $settingAccountPremiumDays * (60 * 60 * 24));
 				}
 				else {
-					$new_account->setCustomField('premdays', $config['account_premium_days']);
+					$new_account->setCustomField('premdays', $settingAccountPremiumDays);
 					$new_account->setCustomField('lastday', time());
 				}
 			}
 		}
 
-		if($config['account_premium_points']) {
-			$new_account->setCustomField('premium_points', $config['account_premium_points']);
+		if(setting('core.account_premium_points') && setting('core.account_premium_points') > 0) {
+			$new_account->setCustomField('premium_points', setting('core.account_premium_points'));
 		}
 
 		$tmp_account = $email;
@@ -219,7 +220,7 @@ if($save)
 			$tmp_account = (USE_ACCOUNT_NAME ? $account_name : $account_id);
 		}
 
-		if(setting('core.mail_enabled') && $config['account_mail_verify'])
+		if(setting('core.mail_enabled') && setting('core.account_mail_verify'))
 		{
 			$hash = md5(generateRandomString(16, true, true) . $email);
 			$new_account->setCustomField('email_hash', $hash);
@@ -238,7 +239,7 @@ if($save)
 					'description' => 'Your account ' . $account_type . ' is <b>' . $tmp_account . '</b><br/>You will need the account ' . $account_type . ' and your password to play on ' . configLua('serverName') . '.
 						Please keep your account ' . $account_type . ' and password in a safe place and
 						never give your account ' . $account_type . ' or password to anybody.',
-					'custom_buttons' => config('account_create_character_create') ? '' : null
+					'custom_buttons' => setting('core.account_create_character_create') ? '' : null
 				));
 			}
 			else
@@ -249,7 +250,7 @@ if($save)
 		}
 		else
 		{
-			if(config('account_create_character_create')) {
+			if(setting('core.account_create_character_create')) {
 				// character creation
 				$character_created = $createCharacter->doCreate($character_name, $character_sex, $character_vocation, $character_town, $new_account, $errors);
 				if (!$character_created) {
@@ -258,7 +259,7 @@ if($save)
 				}
 			}
 
-			if(config('account_create_auto_login')) {
+			if(setting('core.account_create_auto_login')) {
 				if ($hasBeenCreatedByEMail) {
 					$_POST['account_login'] = $email;
 				}
@@ -266,14 +267,14 @@ if($save)
 					$_POST['account_login'] = USE_ACCOUNT_NAME ? $account_name : $account_id;
 				}
 
-				$_POST['password_login'] = $password2;
+				$_POST['password_login'] = $password_confirm;
 
 				require PAGES . 'account/login.php';
 				header('Location: ' . getLink('account/manage'));
 			}
 
 			echo 'Your account';
-			if(config('account_create_character_create')) {
+			if(setting('core.account_create_character_create')) {
 				echo ' and character have';
 			}
 			else {
@@ -281,7 +282,7 @@ if($save)
 			}
 
 			echo ' been created.';
-			if(!config('account_create_character_create')) {
+			if(!setting('core.account_create_character_create')) {
 				echo ' Now you can login and create your first character.';
 			}
 
@@ -291,10 +292,10 @@ if($save)
 				'description' => 'Your account ' . $account_type . ' is <b>' . $tmp_account . '</b><br/>You will need the account ' . $account_type . ' and your password to play on ' . configLua('serverName') . '.
 						Please keep your account ' . $account_type . ' and password in a safe place and
 						never give your account ' . $account_type . ' or password to anybody.',
-				'custom_buttons' => config('account_create_character_create') ? '' : null
+				'custom_buttons' => setting('core.account_create_character_create') ? '' : null
 			));
 
-			if(setting('core.mail_enabled') && $config['account_welcome_mail'])
+			if(setting('core.mail_enabled') && setting('core.account_welcome_mail'))
 			{
 				$mailBody = $twig->render('account.welcome_mail.html.twig', array(
 					'account' => $tmp_account
@@ -330,7 +331,7 @@ if(setting('core.account_country_recognize')) {
 if(!empty($errors))
 	$twig->display('error_box.html.twig', array('errors' => $errors));
 
-if($config['account_country']) {
+if (setting('core.account_country')) {
 	$countries = array();
 	foreach (array('pl', 'se', 'br', 'us', 'gb') as $c)
 		$countries[$c] = $config['countries'][$c];
@@ -353,7 +354,7 @@ $params = array(
 	'save' => $save
 );
 
-if($save && config('account_create_character_create')) {
+if($save && setting('core.account_create_character_create')) {
 	$params = array_merge($params, array(
 		'name' => $character_name,
 		'sex' => $character_sex,
diff --git a/system/pages/characters.php b/system/pages/characters.php
index 3411c043..2cb5e084 100644
--- a/system/pages/characters.php
+++ b/system/pages/characters.php
@@ -77,10 +77,10 @@ if($player->isLoaded() && !$player->isDeleted())
 	$rows = 0;
 
 	if($config['characters']['outfit'])
-		$outfit = $config['outfit_images_url'] . '?id=' . $player->getLookType() . ($db->hasColumn('players', 'lookaddons') ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet();
+		$outfit = setting('core.outfit_images_url') . '?id=' . $player->getLookType() . ($db->hasColumn('players', 'lookaddons') ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet();
 
 	$flag = '';
-	if($config['account_country']) {
+	if(setting('core.account_country')) {
 		$flag = getFlagImage($account->getCountry());
 	}
 
@@ -423,7 +423,7 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
 	if($db->hasColumn('players', 'deletion'))
 		$deleted = 'deletion';
 
-	$query = $db->query('SELECT `name`, `level`, `vocation`' . $promotion . ' FROM `players` WHERE `name` LIKE  ' . $db->quote('%' . $name . '%') . ' AND ' . $deleted . ' != 1 LIMIT ' . (int)config('characters_search_limit') . ';');
+	$query = $db->query('SELECT `name`, `level`, `vocation`' . $promotion . ' FROM `players` WHERE `name` LIKE  ' . $db->quote('%' . $name . '%') . ' AND ' . $deleted . ' != 1 LIMIT ' . (int)setting('core.characters_search_limit') . ';');
 	if($query->rowCount() > 0) {
 		echo 'Did you mean:<ul>';
 		foreach($query as $player) {
diff --git a/system/pages/creatures.php b/system/pages/creatures.php
index 1b0e0ae8..672ea1a8 100644
--- a/system/pages/creatures.php
+++ b/system/pages/creatures.php
@@ -17,7 +17,7 @@ $title = 'Creatures';
 
 if (empty($_REQUEST['name'])) {
 	// display list of monsters
-	$preview = config('monsters_images_preview');
+	$preview = setting('core.monsters_images_preview');
 	$creatures = Monster::where('hidden', '!=', 1)->when(!empty($_REQUEST['boss']), function ($query) {
 		$query->where('rewardboss', 1);
 	})->get()->toArray();
@@ -65,7 +65,7 @@ if (isset($creature['name'])) {
 		$item['name'] = getItemNameById($item['id']);
 		$item['rarity_chance'] = round($item['chance'] / 1000, 2);
 		$item['rarity'] = getItemRarity($item['chance']);
-		$item['tooltip'] = ucfirst($item['name']) . '<br/>Chance: ' . $item['rarity'] . (config('monsters_loot_percentage') ? ' ('. $item['rarity_chance'] .'%)' : '') . '<br/>Max count: ' . $item['count'];
+		$item['tooltip'] = ucfirst($item['name']) . '<br/>Chance: ' . $item['rarity'] . (setting('core.monsters_loot_percentage') ? ' ('. $item['rarity_chance'] .'%)' : '') . '<br/>Max count: ' . $item['count'];
 	}
 
 	$creature['loot'] = isset($loot) ? $loot : null;
diff --git a/system/pages/faq.php b/system/pages/faq.php
index f99a9fa8..1c7f5a29 100644
--- a/system/pages/faq.php
+++ b/system/pages/faq.php
@@ -153,7 +153,9 @@ class FAQ
 			$row = ModelsFAQ::find($id);
 			if ($row) {
 				$row->hidden = ($row->hidden == 1 ? 0 : 1);
-				$row->save();
+				if (!$row->save()) {
+					$errors[] = 'Fail during toggle hidden FAQ.';
+				}
 			} else {
 				$errors[] = 'FAQ with id ' . $id . ' does not exists.';
 			}
diff --git a/system/pages/forum/show_thread.php b/system/pages/forum/show_thread.php
index 263683ee..124928bc 100644
--- a/system/pages/forum/show_thread.php
+++ b/system/pages/forum/show_thread.php
@@ -57,7 +57,7 @@ foreach($posts as &$post) {
 	}
 
 	if($config['characters']['outfit']) {
-		$post['outfit'] = $config['outfit_images_url'] . '?id=' . $player->getLookType() . ($lookaddons ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet();
+		$post['outfit'] = setting('core.outfit_images_url') . '?id=' . $player->getLookType() . ($lookaddons ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet();
 	}
 
 	$groupName = '';
diff --git a/system/pages/guilds/change_description.php b/system/pages/guilds/change_description.php
index 9f6fc0dc..a1e7b1d7 100644
--- a/system/pages/guilds/change_description.php
+++ b/system/pages/guilds/change_description.php
@@ -43,7 +43,7 @@ if(empty($errors)) {
 		$saved = false;
 		if($guild_leader) {
 			if(isset($_REQUEST['todo']) && $_REQUEST['todo'] == 'save') {
-				$description = htmlspecialchars(stripslashes(substr(trim($_REQUEST['description']),0,$config['guild_description_chars_limit'])));
+				$description = htmlspecialchars(stripslashes(substr(trim($_REQUEST['description']),0, setting('core.guild_description_chars_limit'))));
 				$guild->setCustomField('description', $description);
 				$saved = true;
 			}
diff --git a/system/pages/guilds/change_logo.php b/system/pages/guilds/change_logo.php
index fea3005f..eee33582 100644
--- a/system/pages/guilds/change_logo.php
+++ b/system/pages/guilds/change_logo.php
@@ -42,7 +42,7 @@ if(empty($errors)) {
 
 		if($guild_leader)
 		{
-			$max_image_size_b = $config['guild_image_size_kb'] * 1024;
+			$max_image_size_b = setting('core.guild_image_size_kb') * 1024;
 			$allowed_ext = array('image/gif', 'image/jpg', 'image/pjpeg', 'image/jpeg', 'image/bmp', 'image/png', 'image/x-png');
 			$ext_name = array('image/gif' => 'gif', 'image/jpg' => 'jpg', 'image/jpeg' => 'jpg', 'image/pjpeg' => 'jpg', 'image/bmp' => 'bmp', 'image/png' => 'png', 'image/x-png' => 'png');
 			$save_file_name = str_replace(' ', '_', strtolower($guild->getName()));
@@ -62,7 +62,7 @@ if(empty($errors)) {
 					}
 				}
 				else {
-					$upload_errors[] = 'You didn\'t send file or file is too big. Limit: <b>'.$config['guild_image_size_kb'].' KB</b>.';
+					$upload_errors[] = 'You didn\'t send file or file is too big. Limit: <b>'.setting('core.guild_image_size_kb').' KB</b>.';
 				}
 
 				if(empty($upload_errors)) {
diff --git a/system/pages/guilds/change_motd.php b/system/pages/guilds/change_motd.php
index 84581485..7d546670 100644
--- a/system/pages/guilds/change_motd.php
+++ b/system/pages/guilds/change_motd.php
@@ -46,7 +46,7 @@ if(empty($errors)) {
 		$saved = false;
 		if($guild_leader) {
 			if(isset($_REQUEST['todo']) && $_REQUEST['todo'] == 'save') {
-				$motd = htmlspecialchars(stripslashes(substr($_REQUEST['motd'],0, $config['guild_motd_chars_limit'])));
+				$motd = htmlspecialchars(stripslashes(substr($_REQUEST['motd'],0, setting('core.guild_motd_chars_limit'))));
 				$guild->setCustomField('motd', $motd);
 				$saved = true;
 			}
diff --git a/system/pages/guilds/create.php b/system/pages/guilds/create.php
index d7319fce..dcecf988 100644
--- a/system/pages/guilds/create.php
+++ b/system/pages/guilds/create.php
@@ -28,8 +28,8 @@ if(empty($guild_errors))
 		$player_rank = $player->getRank();
 		if(!$player_rank->isLoaded())
 		{
-			if($player->getLevel() >= $config['guild_need_level']) {
-				if(!$config['guild_need_premium'] || $account_logged->isPremium()) {
+			if($player->getLevel() >= setting('core.guild_need_level')) {
+				if(!setting('core.guild_need_premium') || $account_logged->isPremium()) {
 					$array_of_player_nig[] = $player->getName();
 				}
 			}
@@ -39,7 +39,7 @@ if(empty($guild_errors))
 
 if(empty($todo)) {
 	if(count($array_of_player_nig) == 0) {
-		$guild_errors[] = 'On your account all characters are in guilds, have too low level to create new guild' . ($config['guild_need_premium'] ? ' or you don\' have a premium account' : '') . '.';
+		$guild_errors[] = 'On your account all characters are in guilds, have too low level to create new guild' . (setting('core.guild_need_premium') ? ' or you don\' have a premium account' : '') . '.';
 	}
 }
 
@@ -91,10 +91,10 @@ if($todo == 'save')
 	}
 
 	if(empty($guild_errors)) {
-		if($player->getLevel() < $config['guild_need_level']) {
-			$guild_errors[] = 'Character <b>'.$name.'</b> has too low level. To create guild you need character with level <b>'.$config['guild_need_level'].'</b>.';
+		if($player->getLevel() < setting('core.guild_need_level')) {
+			$guild_errors[] = 'Character <b>'.$name.'</b> has too low level. To create guild you need character with level <b>' . setting('core.guild_need_level') . '</b>.';
 		}
-		if($config['guild_need_premium'] && !$account_logged->isPremium()) {
+		if(setting('core.guild_need_premium') && !$account_logged->isPremium()) {
 			$guild_errors[] = 'Character <b>'.$name.'</b> is on FREE account. To create guild you need PREMIUM account.';
 		}
 	}
@@ -112,7 +112,7 @@ if(isset($todo) && $todo == 'save')
 	$new_guild->setName($guild_name);
 	$new_guild->setOwner($player);
 	$new_guild->save();
-	$new_guild->setCustomField('description', config('guild_description_default'));
+	$new_guild->setCustomField('description', setting('core.guild_description_default'));
 	//$new_guild->setCustomField('creationdata', time());
 	$ranks = $new_guild->getGuildRanksList();
 	$ranks->orderBy('level', POT::ORDER_DESC);
diff --git a/system/pages/guilds/list.php b/system/pages/guilds/list.php
index e91b644d..e8425dc4 100644
--- a/system/pages/guilds/list.php
+++ b/system/pages/guilds/list.php
@@ -26,7 +26,7 @@ if(count($guilds_list) > 0)
 
 		$description = $guild->getCustomField('description');
 		$description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
-		if ($count < $config['guild_description_lines_limit'])
+		if ($count < setting('core.guild_description_lines_limit'))
 			$description = nl2br($description);
 
 		$guildName = $guild->getName();
diff --git a/system/pages/guilds/show.php b/system/pages/guilds/show.php
index 8a519c61..58a4b45f 100644
--- a/system/pages/guilds/show.php
+++ b/system/pages/guilds/show.php
@@ -85,7 +85,7 @@ if(empty($guild_logo) || !file_exists(GUILD_IMAGES_DIR . $guild_logo))
 
 $description = $guild->getCustomField('description');
 $description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
-if($count < $config['guild_description_lines_limit'])
+if($count < setting('core.guild_description_lines_limit'))
 	$description = nl2br($description);
 //$description = $description_with_lines;
 
diff --git a/system/pages/highscores.php b/system/pages/highscores.php
index 090da010..e42e10dd 100644
--- a/system/pages/highscores.php
+++ b/system/pages/highscores.php
@@ -135,6 +135,7 @@ if($settingHighscoresOutfit) {
 $configHighscoresPerPage = setting('core.highscores_per_page');
 $limit = $configHighscoresPerPage + 1;
 
+$highscores = [];
 $needReCache = true;
 $cacheKey = 'highscores_' . $skill . '_' . $vocation . '_' . $page . '_' . $configHighscoresPerPage;
 
@@ -158,7 +159,7 @@ $query->join('accounts', 'accounts.id', '=', 'players.account_id')
 	->selectRaw('accounts.country, players.id, players.name, players.account_id, players.level, players.vocation' . $outfit . $promotion)
 	->orderByDesc('value');
 
-if (!isset($highscores) || empty($highscores)) {
+if (empty($highscores)) {
 	if ($skill >= POT::SKILL_FIRST && $skill <= POT::SKILL_LAST) { // skills
 		if ($db->hasColumn('players', 'skill_fist')) {// tfs 1.0
 			$skill_ids = array(
@@ -201,17 +202,17 @@ if (!isset($highscores) || empty($highscores)) {
 			$list = 'experience';
 		}
 	}
+
+	$highscores = $query->get()->map(function($row) {
+		$tmp = $row->toArray();
+		$tmp['online'] = $row->online_status;
+		$tmp['vocation'] = $row->vocation_name;
+		unset($tmp['online_table']);
+
+		return $tmp;
+	})->toArray();
 }
 
-$highscores = $query->get()->map(function($row) {
-	$tmp = $row->toArray();
-	$tmp['online'] = $row->online_status;
-	$tmp['vocation'] = $row->vocation_name;
-	unset($tmp['online_table']);
-
-	return $tmp;
-})->toArray();
-
 if ($cache->enabled() && $needReCache) {
 	$cache->set($cacheKey, serialize($highscores), setting('core.highscores_cache_ttl') * 60);
 }
@@ -239,7 +240,7 @@ foreach($highscores as $id => &$player)
 		$player['link'] = getPlayerLink($player['name'], false);
 		$player['flag'] = getFlagImage($player['country']);
 		if($settingHighscoresOutfit) {
-			$player['outfit'] = '<img style="position:absolute;margin-top:' . (in_array($player['looktype'], config('outfit_images_wrong_looktypes')) ? '-15px;margin-left:5px' : '-45px;margin-left:-25px') . ';" src="' . config('outfit_images_url') . '?id=' . $player['looktype'] . ($outfit_addons ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'] . '" alt="" />';
+			$player['outfit'] = '<img style="position:absolute;margin-top:' . (in_array($player['looktype'], setting('core.outfit_images_wrong_looktypes')) ? '-15px;margin-left:5px' : '-45px;margin-left:-25px') . ';" src="' . setting('core.outfit_images_url') . '?id=' . $player['looktype'] . ($outfit_addons ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'] . '" alt="" />';
 		}
 		$player['rank'] = $offset + $i;
 	}
diff --git a/system/pages/lastkills.php b/system/pages/lastkills.php
index b325f506..798d91c3 100644
--- a/system/pages/lastkills.php
+++ b/system/pages/lastkills.php
@@ -21,7 +21,7 @@ if($cache->enabled() && $cache->fetch('last_kills', $tmp)) {
 else {
 	if($db->hasTable('player_killers')) // tfs 0.3
 	{
-		$players_deaths = $db->query('SELECT `player_deaths`.`id`, `player_deaths`.`date`, `player_deaths`.`level`, `players`.`name`' . ($db->hasColumn('players', 'world_id') ? ', `players`.`world_id`' : '') . ' FROM `player_deaths` LEFT JOIN `players` ON `player_deaths`.`player_id` = `players`.`id` ORDER BY `date` DESC LIMIT 0, ' . $config['last_kills_limit']);
+		$players_deaths = $db->query('SELECT `player_deaths`.`id`, `player_deaths`.`date`, `player_deaths`.`level`, `players`.`name`' . ($db->hasColumn('players', 'world_id') ? ', `players`.`world_id`' : '') . ' FROM `player_deaths` LEFT JOIN `players` ON `player_deaths`.`player_id` = `players`.`id` ORDER BY `date` DESC LIMIT 0, ' . setting('core.last_kills_limit'));
 
 		if(!empty($players_deaths)) {
 			foreach($players_deaths as $death) {
@@ -82,9 +82,9 @@ else {
 			}
 		}
 	} else {
-		//$players_deaths = $db->query("SELECT `p`.`name` AS `victim`, `player_deaths`.`killed_by` as `killed_by`, `player_deaths`.`time` as `time`, `player_deaths`.`is_player` as `is_player`, `player_deaths`.`level` as `level` FROM `player_deaths`, `players` as `d` INNER JOIN `players` as `p` ON player_deaths.player_id = p.id WHERE player_deaths.`is_player`='1' ORDER BY `time` DESC LIMIT " . $config['last_kills_limit'] . ";");
+		//$players_deaths = $db->query("SELECT `p`.`name` AS `victim`, `player_deaths`.`killed_by` as `killed_by`, `player_deaths`.`time` as `time`, `player_deaths`.`is_player` as `is_player`, `player_deaths`.`level` as `level` FROM `player_deaths`, `players` as `d` INNER JOIN `players` as `p` ON player_deaths.player_id = p.id WHERE player_deaths.`is_player`='1' ORDER BY `time` DESC LIMIT " . setting('core.last_kills_limit') . ";");
 
-		$players_deaths = $db->query("SELECT `p`.`name` AS `victim`, `d`.`killed_by` as `killed_by`, `d`.`time` as `time`, `d`.`level`, `d`.`is_player` FROM `player_deaths` as `d` INNER JOIN `players` as `p` ON d.player_id = p.id ORDER BY `time` DESC LIMIT " . $config['last_kills_limit'] . ";");
+		$players_deaths = $db->query("SELECT `p`.`name` AS `victim`, `d`.`killed_by` as `killed_by`, `d`.`time` as `time`, `d`.`level`, `d`.`is_player` FROM `player_deaths` as `d` INNER JOIN `players` as `p` ON d.player_id = p.id ORDER BY `time` DESC LIMIT " . setting('core.last_kills_limit') . ";");
 		if(!empty($players_deaths)) {
 			foreach($players_deaths as $death) {
 				$players_deaths_count++;
@@ -114,4 +114,4 @@ else {
 
 $twig->display('lastkills.html.twig', array(
 	'lastkills' => $last_kills
-));
\ No newline at end of file
+));
diff --git a/system/pages/news.php b/system/pages/news.php
index db04092d..521017c9 100644
--- a/system/pages/news.php
+++ b/system/pages/news.php
@@ -13,6 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 require_once LIBS . 'forum.php';
 require_once LIBS . 'news.php';
 
+$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
 if(isset($_GET['archive']))
 {
 	$title = 'News Archive';
@@ -57,12 +58,17 @@ if(isset($_GET['archive']))
 				}
 			}
 
+			$admin_options = '';
+			if($canEdit) {
+				$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
+			}
+
 			$twig->display('news.html.twig', array(
 				'title' => stripslashes($news['title']),
-				'content' => $content_,
+				'content' => $content_ . $admin_options,
 				'date' => $news['date'],
 				'icon' => $categories[$news['category']]['icon_id'],
-				'author' => $config['news_author'] ? $author : '',
+				'author' => setting('core.news_author') ? $author : '',
 				'comments' => $news['comments'] != 0 ? getForumThreadLink($news['comments']) : null,
 			));
 		}
@@ -81,7 +87,7 @@ if(isset($_GET['archive']))
 	foreach($news_DB as $news)
 	{
 		$newses[] = array(
-			'link' => getLink('news') . '/archive/' . $news['id'],
+			'link' => getLink('news') . '/' . $news['id'],
 			'icon_id' => $categories[$news['category']]['icon_id'],
 			'title' => stripslashes($news['title']),
 			'date' => $news['date']
@@ -99,7 +105,6 @@ header('X-XSS-Protection: 0');
 $title = 'Latest News';
 
 $cache = Cache::getInstance();
-$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
 
 $news_cached = false;
 if($cache->enabled())
@@ -116,7 +121,7 @@ if(!$news_cached)
 		);
 	}
 
-	$tickers_db = $db->query('SELECT * FROM `' . TABLE_PREFIX . 'news` WHERE `type` = ' . TICKER .($canEdit ? '' : ' AND `hidden` != 1') .' ORDER BY `date` DESC LIMIT ' . $config['news_ticker_limit']);
+	$tickers_db = $db->query('SELECT * FROM `' . TABLE_PREFIX . 'news` WHERE `type` = ' . TICKER .($canEdit ? '' : ' AND `hidden` != 1') .' ORDER BY `date` DESC LIMIT ' . setting('core.news_ticker_limit'));
 	$tickers_content = '';
 	if($tickers_db->rowCount() > 0)
 	{
@@ -167,7 +172,7 @@ else {
 if(!$news_cached)
 {
 	ob_start();
-	$newses = $db->query('SELECT * FROM ' . $db->tableName(TABLE_PREFIX . 'news') . ' WHERE type = ' . NEWS . ($canEdit ? '' : ' AND hidden != 1') . ' ORDER BY date' . ' DESC LIMIT ' . $config['news_limit']);
+	$newses = $db->query('SELECT * FROM ' . $db->tableName(TABLE_PREFIX . 'news') . ' WHERE type = ' . NEWS . ($canEdit ? '' : ' AND hidden != 1') . ' ORDER BY date' . ' DESC LIMIT ' . setting('core.news_limit'));
 	if($newses->rowCount() > 0)
 	{
 		foreach($newses as $news)
@@ -180,18 +185,8 @@ if(!$news_cached)
 			}
 
 			$admin_options = '';
-			if($canEdit)
-			{
-				$admin_options = '<br/><br/><a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=edit&id=' . $news['id'] . '" title="Edit">
-					<img src="images/edit.png"/>Edit
-				</a>
-				<a id="delete" target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=delete&id=' . $news['id'] . '" onclick="return confirm(\'Are you sure?\');" title="Delete">
-					<img src="images/del.png"/>Delete
-				</a>
-				<a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=hide&id=' . $news['id'] . '" title="' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '">
-					<img src="images/' . ($news['hidden'] != 1 ? 'success' : 'error') . '.png"/>
-					' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '
-				</a>';
+			if($canEdit) {
+				$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
 			}
 
 			$content_ = $news['body'];
@@ -211,7 +206,7 @@ if(!$news_cached)
 				'content' => $content_ . $admin_options,
 				'date' => $news['date'],
 				'icon' => $categories[$news['category']]['icon_id'],
-				'author' => $config['news_author'] ? $author : '',
+				'author' => setting('core.news_author') ? $author : '',
 				'comments' => $news['comments'] != 0 ? getForumThreadLink($news['comments']) : null,
 				'hidden'=> $news['hidden']
 			));
diff --git a/system/pages/online.php b/system/pages/online.php
index 0ca74127..77f01a2a 100644
--- a/system/pages/online.php
+++ b/system/pages/online.php
@@ -15,7 +15,7 @@ use MyAAC\Models\ServerRecord;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Who is online?';
 
-if($config['account_country'])
+if (setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';
 
 $promotion = '';
@@ -42,7 +42,7 @@ if($db->hasColumn('players', 'skull_time')) {
 
 $outfit_addons = false;
 $outfit = '';
-if($config['online_outfit']) {
+if (setting('core.online_outfit')) {
 	$outfit = ', lookbody, lookfeet, lookhead, looklegs, looktype';
 	if($db->hasColumn('players', 'lookaddons')) {
 		$outfit .= ', lookaddons';
@@ -50,7 +50,7 @@ if($config['online_outfit']) {
 	}
 }
 
-if($config['online_vocations']) {
+if (setting('core.online_vocations')) {
 	$vocs = array();
 	foreach($config['vocations'] as $id => $name) {
 		$vocs[$id] = 0;
@@ -67,7 +67,7 @@ $players = 0;
 $data = '';
 foreach($playersOnline as $player) {
 	$skull = '';
-	if($config['online_skulls'])
+	if (setting('core.online_skulls'))
 	{
 		if($player['skulltime'] > 0)
 		{
@@ -90,18 +90,18 @@ foreach($playersOnline as $player) {
 		'player' => $player,
 		'level' => $player['level'],
 		'vocation' => $config['vocations'][$player['vocation']],
-		'country_image' => $config['account_country'] ? getFlagImage($player['country']) : null,
-		'outfit' => $config['online_outfit'] ? $config['outfit_images_url'] . '?id=' . $player['looktype'] . ($outfit_addons ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'] : null
+		'country_image' => setting('core.account_country') ? getFlagImage($player['country']) : null,
+		'outfit' => setting('core.online_outfit') ? setting('core.outfit_images_url') . '?id=' . $player['looktype'] . ($outfit_addons ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'] : null
 	);
 
-	if($config['online_vocations']) {
+	if (setting('core.online_vocations')) {
 		$vocs[($player['vocation'] > $config['vocations_amount'] ? $player['vocation'] - $config['vocations_amount'] : $player['vocation'])]++;
 	}
 }
 
 $record = '';
 if($players > 0) {
-	if($config['online_record']) {
+	if( setting('core.online_record')) {
 		$result = null;
 		$timestamp = false;
 		if($db->hasTable('server_record')) {
diff --git a/system/pages/spells.php b/system/pages/spells.php
index 692df7cd..28bcbb23 100644
--- a/system/pages/spells.php
+++ b/system/pages/spells.php
@@ -71,7 +71,7 @@ $twig->display('spells.html.twig', array(
 	'post_vocation_id' => $vocation_id,
 	'post_vocation' => $vocation,
 	'spells' => $spells,
-	'item_path' => $config['item_images_url'],
+	'item_path' => setting('core.item_images_url'),
 ));
 ?>
 
diff --git a/system/pages/team.php b/system/pages/team.php
index b1fd15dc..ae0c9d93 100644
--- a/system/pages/team.php
+++ b/system/pages/team.php
@@ -11,7 +11,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Support in game';
 
-if($config['account_country'])
+if(setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';
 
 $groups = new OTS_Groups_List();
diff --git a/system/router.php b/system/router.php
index a24a3b1b..ca5454ff 100644
--- a/system/router.php
+++ b/system/router.php
@@ -170,7 +170,7 @@ if(!empty($page) && preg_match('/^[A-z0-9\-]+$/', $page)) {
 		$_REQUEST['subtopic'] = $_REQUEST['p'];
 	}
 
-	if (config('backward_support')) {
+	if (setting('core.backward_support')) {
 		require SYSTEM . 'compat/pages.php';
 	}
 
@@ -220,9 +220,8 @@ else {
 					$content .= $tmp_content;
 					if (hasFlag(FLAG_CONTENT_PAGES) || superAdmin()) {
 						$pageInfo = getCustomPageInfo($pageName);
-						$content = $twig->render('admin.pages.links.html.twig', array(
-								'page' => array('id' => $pageInfo !== null ? $pageInfo['id'] : 0, 'hidden' => $pageInfo !== null ? $pageInfo['hidden'] : '0')
-							)) . $content;
+						$content = $twig->render('admin.links.html.twig', ['page' => 'pages', 'id' => $pageInfo !== null ? $pageInfo['id'] : 0, 'hidden' => $pageInfo !== null ? $pageInfo['hidden'] : '0']
+							) . $content;
 					}
 
 					$page = $pageName;
@@ -271,7 +270,7 @@ if($hooks->trigger(HOOK_BEFORE_PAGE)) {
 
 unset($file);
 
-if(config('backward_support') && isset($main_content[0]))
+if(setting('core.backward_support') && isset($main_content[0]))
 	$content .= $main_content;
 
 $content .= ob_get_contents();
@@ -282,7 +281,7 @@ if(!isset($title)) {
 	$title = ucfirst($page);
 }
 
-if(config('backward_support')) {
+if(setting('core.backward_support')) {
 	$main_content = $content;
 	$topic = $title;
 }
diff --git a/system/routes.php b/system/routes.php
index 53c121a5..3bb2a0df 100644
--- a/system/routes.php
+++ b/system/routes.php
@@ -12,6 +12,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 return [
 	['GET', '', 'news.php'], // empty URL = show news
 	['GET', 'news/archive/{id:int}[/]', 'news/archive.php'],
+	['GET', 'news/{id:int}[/]', 'news/archive.php'],
 
 	// block access to some files
 	['*', 'account/base[/]', '404.php'], // this is to block account/base.php
diff --git a/system/settings.php b/system/settings.php
index 83a1d85e..d95e16d7 100644
--- a/system/settings.php
+++ b/system/settings.php
@@ -65,6 +65,12 @@ return [
 			'default' => false,
 			'is_config' => true,
 		],
+		'csrf_protection' => [
+			'name' => 'CSRF protection',
+			'type' => 'boolean',
+			'desc' => 'Its recommended to keep it enabled. Disable only if you know what you are doing.',
+			'default' => true,
+		],
 		'google_analytics_id' => [
 			'name' => 'Google Analytics ID',
 			'type' => 'text',
@@ -1048,8 +1054,9 @@ Sent by MyAAC,<br/>
 			'default' => true,
 		],
 		'highscores_country_box' => [ // not implemented yet
+			'hidden' => true,
 			'name' => 'Display Country Box',
-			'type' => 'hidden',
+			'type' => 'boolean',
 			'desc' => 'Show player outfit?',
 			'default' => false,
 		],
@@ -1126,7 +1133,7 @@ Sent by MyAAC,<br/>
 			'name' => 'Display Quests',
 			'type' => 'boolean',
 			'desc' => 'Show characters quests. Can be configured below',
-			'default' => true,
+			'default' => false,
 		],
 		'quests' => [
 			'name' => 'Quests List',
@@ -1225,9 +1232,9 @@ Sent by MyAAC,<br/>
 		'team_style' => [
 			'name' => 'Style',
 			'type' => 'options',
-			'desc' => '',
-			'options' => ['normal table', 'in boxes, grouped by group id'],
-			'default' => 1,
+			'desc' => 'How to show groups',
+			'options' => [1 => 'normal table', 2 => 'in boxes, grouped by group id'],
+			'default' => 2,
 		],
 		'team_status' => [
 			'name' => 'Display Online Status',
@@ -1602,7 +1609,7 @@ Sent by MyAAC,<br/>
 					if ($key == 'server_path') {
 						$server_path = $values[$key];
 					}
-					elseif (strpos($key, 'database_') !== false) {
+					elseif (str_contains($key, 'database_')) {
 						$database[$key] = $values[$key];
 					}
 
diff --git a/system/src/Admin/Pages.php b/system/src/Admin/Pages.php
new file mode 100644
index 00000000..24efec00
--- /dev/null
+++ b/system/src/Admin/Pages.php
@@ -0,0 +1,134 @@
+<?php
+namespace MyAAC\Admin;
+
+use MyAAC\Models\Pages as ModelsPages;
+
+class Pages
+{
+	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!isset($title[0]) || !isset($body[0])) {
+			$errors[] = 'Please fill all inputs.';
+			return false;
+		}
+		if(strlen($name) > PAGE_NAME_LIMIT) {
+			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($title) > PAGE_TITLE_LIMIT) {
+			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($body) > PAGE_BODY_LIMIT) {
+			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
+			return false;
+		}
+		if(!isset($player_id) || $player_id == 0) {
+			$errors[] = 'Player ID is wrong.';
+			return false;
+		}
+		if(!isset($php) || ($php != 0 && $php != 1)) {
+			$errors[] = 'Enable PHP is wrong.';
+			return false;
+		}
+		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
+			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
+			return false;
+		}
+		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
+			$errors[] = 'Enable TinyMCE is wrong.';
+			return false;
+		}
+		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
+			$errors[] = 'Access is wrong.';
+			return false;
+		}
+
+		return true;
+	}
+
+	static public function get($id)
+	{
+		$row = ModelsPages::find($id);
+		if ($row) {
+			return $row->toArray();
+		}
+
+		return false;
+	}
+
+	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		if (!ModelsPages::where('name', $name)->exists())
+			ModelsPages::create([
+				'name' => $name,
+				'title' => $title,
+				'body' => $body,
+				'player_id' => $player_id,
+				'php' => $php ? '1' : '0',
+				'enable_tinymce' => $enable_tinymce ? '1' : '0',
+				'access' => $access
+			]);
+		else
+			$errors[] = 'Page with this link already exists.';
+
+		return !count($errors);
+	}
+
+	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		ModelsPages::where('id', $id)->update([
+			'name' => $name,
+			'title' => $title,
+			'body' => $body,
+			'player_id' => $player_id,
+			'php' => $php ? '1' : '0',
+			'enable_tinymce' => $enable_tinymce ? '1' : '0',
+			'access' => $access
+		]);
+		return true;
+	}
+
+	static public function delete($id, &$errors)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->delete();
+			}
+			else
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+
+	static public function toggleHidden($id, &$errors, &$status)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->hidden = $row->hidden == 1 ? 0 : 1;
+				if (!$row->save()) {
+					$errors[] = 'Fail during toggle hidden Page.';
+				}
+				$status = $row->hidden;
+			}
+			else {
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+			}
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+}
diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php
new file mode 100644
index 00000000..4a92baf2
--- /dev/null
+++ b/system/src/CsrfToken.php
@@ -0,0 +1,95 @@
+<?php
+/**
+ * CsrfToken
+ *
+ * @package   MyAAC
+ * @author    Znote
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2023 MyAAC
+ * @link      https://my-aac.org
+ */
+
+namespace MyAAC;
+
+class CsrfToken
+{
+	public static function generate(): void
+	{
+		$token = sha1(uniqid(time(), true));
+
+		setSession('csrf_token', $token);
+	}
+
+	/**
+	 * Displays a random token to prevent CSRF attacks.
+	 *
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function create(): void {
+		echo '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
+	}
+
+	/**
+	 * Returns the active token, if there is one.
+	 *
+	 * @access public
+	 * @static true
+	 * @return mixed
+	 **/
+	public static function get(): mixed
+	{
+		$token = getSession('csrf_token');
+		return $token ?? false;
+	}
+
+	/**
+	 * Validates whether the active token is valid or not.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return boolean
+	 **/
+	public static function isValid($post): bool
+	{
+		if (!setting('core.csrf_protection')) {
+			return true;
+		}
+
+		// Token doesn't exist yet, return false.
+		if (!self::get()) {
+			return false;
+		}
+
+		return ($post == getSession('csrf_token'));
+	}
+
+	/**
+	 * Destroys the active token.
+	 *
+	 * @access protected
+	 * @static true
+	 * @return void
+	 **/
+	protected static function reset(): void {
+		unsetSession('csrf_token');
+	}
+
+	/**
+	 * Displays information on both the post token and the session token.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function debug($post): void
+	{
+		echo '<pre>', var_export([
+			'post' => $post,
+			'token' => self::get()
+		], true), '</pre>';
+	}
+}
diff --git a/system/src/Models/AccountAction.php b/system/src/Models/AccountAction.php
new file mode 100644
index 00000000..d5cd531b
--- /dev/null
+++ b/system/src/Models/AccountAction.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace MyAAC\Models;
+use Illuminate\Database\Eloquent\Model;
+
+class AccountAction extends Model {
+
+	protected $table = TABLE_PREFIX . 'account_actions';
+
+	public $timestamps = false;
+
+	protected $fillable = ['account_id', 'ip', 'ipv6', 'date', 'action'];
+
+}
diff --git a/system/src/Models/GuildInvite.php b/system/src/Models/GuildInvite.php
index c95d629f..52654b53 100644
--- a/system/src/Models/GuildInvite.php
+++ b/system/src/Models/GuildInvite.php
@@ -3,7 +3,7 @@
 namespace MyAAC\Models;
 use Illuminate\Database\Eloquent\Model;
 
-class GuildInvites extends Model {
+class GuildInvite extends Model {
 
 	protected $table = 'guild_invites';
 
diff --git a/system/src/Models/Playeritem.php b/system/src/Models/PlayerItem.php
similarity index 100%
rename from system/src/Models/Playeritem.php
rename to system/src/Models/PlayerItem.php
diff --git a/system/status.php b/system/status.php
index 88a48917..d55f68e1 100644
--- a/system/status.php
+++ b/system/status.php
@@ -125,7 +125,7 @@ function updateStatus() {
 		$status['playersMax'] = $serverStatus->getMaxPlayers();
 
 		// for status afk thing
-		if($config['online_afk'])
+		if (setting('core.online_afk'))
 		{
 			$status['playersTotal'] = 0;
 			// get amount of players that are currently logged in-game, including disconnected clients (exited)
diff --git a/system/template.php b/system/template.php
index 0fbb0477..0a8775b0 100644
--- a/system/template.php
+++ b/system/template.php
@@ -54,7 +54,7 @@ if(file_exists(BASE . $template_path . '/index.php')) {
 elseif(file_exists(BASE . $template_path . '/template.php')) {
 	$template_index = 'template.php';
 }
-elseif($config['backward_support'] && file_exists(BASE . $template_path . '/layout.php')) {
+elseif(setting('core.backward_support') && file_exists(BASE . $template_path . '/layout.php')) {
 	$template_index = 'layout.php';
 }
 else {
@@ -77,7 +77,7 @@ if ($cache->enabled() && $cache->fetch('template_ini_' . $template_name, $tmp))
 else {
 	$file = BASE . $template_path . '/config.ini';
 	$exists = file_exists($file);
-	if ($exists || ($config['backward_support'] && file_exists(BASE . $template_path . '/layout_config.ini'))) {
+	if ($exists || (setting('core.backward_support') && file_exists(BASE . $template_path . '/layout_config.ini'))) {
 		if (!$exists) {
 			$file = BASE . $template_path . '/layout_config.ini';
 		}
diff --git a/system/templates/account.back_button.html.twig b/system/templates/account.back_button.html.twig
index e4ed6884..e2d784ca 100644
--- a/system/templates/account.back_button.html.twig
+++ b/system/templates/account.back_button.html.twig
@@ -2,5 +2,6 @@
 	<br/>
 {% endif %}
 <form action="{% if action is not defined %}{{ getLink('account/manage') }}{% else %}{{ action }}{% endif %}" method="post">
+	{{ csrf() }}
 	{{ include('buttons.back.html.twig') }}
 </form>
diff --git a/system/templates/account.change_comment.html.twig b/system/templates/account.change_comment.html.twig
index c69e3f6b..6c133d2b 100644
--- a/system/templates/account.change_comment.html.twig
+++ b/system/templates/account.change_comment.html.twig
@@ -1,6 +1,7 @@
 Here you can see and edit the information about your character.<br/>
 If you do not want to specify a certain field, just leave it blank.<br/><br/>
 <form action="{{ getLink('account/character/comment') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -99,6 +100,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_info.html.twig b/system/templates/account.change_info.html.twig
index 80be0bd2..067eabc5 100644
--- a/system/templates/account.change_info.html.twig
+++ b/system/templates/account.change_info.html.twig
@@ -1,5 +1,6 @@
 Here you can tell other players about yourself. This information will be displayed alongside the data of your characters. If you do not want to fill in a certain field, just leave it blank.<br/><br/>
-<form action="{{ getLink('account/info') }}" method=post>
+<form action="{{ getLink('account/info') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
@@ -31,7 +32,7 @@ Here you can tell other players about yourself. This information will be display
 									<input name="info_location" value="{{ account_location }}" size="30" maxlength="50" >
 								</td>
 							</tr>
-							{% if config.account_country %}
+							{% if setting('core.account_country') %}
 							<tr>
 								<td class="LabelV" >Country:</td>
 								<td>
@@ -88,6 +89,7 @@ Here you can tell other players about yourself. This information will be display
 </form>
 				<table border="0" cellspacing="0" cellpadding="0" >
 					<form action="{{ getLink('account/manage') }}" method="post" >
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
@@ -97,4 +99,4 @@ Here you can tell other players about yourself. This information will be display
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.change_mail.html.twig b/system/templates/account.change_mail.html.twig
index 1c0d1c12..f093fbff 100644
--- a/system/templates/account.change_mail.html.twig
+++ b/system/templates/account.change_mail.html.twig
@@ -1,5 +1,6 @@
-Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ config.account_mail_change }} days.</b><br/><br/>
+Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ setting('core.account_mail_change') }} days.</b><br/><br/>
 <form action="{{ getLink('account/email') }}" method="post">
+	{{ csrf() }}
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
 		<div class="CaptionContainer">
@@ -58,6 +59,7 @@ Please enter your password and the new email address. Make sure that you enter a
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border:0px;">
 							{{ include('buttons.back.html.twig') }}
@@ -67,4 +69,4 @@ Please enter your password and the new email address. Make sure that you enter a
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/account.change_name.html.twig b/system/templates/account.change_name.html.twig
index 76c038d4..2f38bb60 100644
--- a/system/templates/account.change_name.html.twig
+++ b/system/templates/account.change_name.html.twig
@@ -1,6 +1,7 @@
 To change a name of character select player and choose a new name.<br/>
 <span style="color: red">Change name cost {{ setting('core.account_change_character_name_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/name') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changenamesave" value="1">
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a name of character select player and choose a new name.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_password.html.twig b/system/templates/account.change_password.html.twig
index d801a733..89ccf592 100644
--- a/system/templates/account.change_password.html.twig
+++ b/system/templates/account.change_password.html.twig
@@ -1,6 +1,7 @@
 Please enter your current password and a new password. For your security, please enter the new password twice.<br/>
 <br/>
 <form action="{{ getLink('account/password') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -33,7 +34,7 @@ Please enter your current password and a new password. For your security, please
 									<span>New Password Again:</span>
 								</td>
 								<td>
-									<input type="password" name="newpassword2" size="30" maxlength="29">
+									<input type="password" name="newpassword_confirm" size="30" maxlength="29">
 								</td>
 							</tr>
 							<tr>
@@ -66,6 +67,7 @@ Please enter your current password and a new password. For your security, please
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
@@ -75,4 +77,4 @@ Please enter your current password and a new password. For your security, please
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.change_sex.html.twig b/system/templates/account.change_sex.html.twig
index 24141f61..7e7fff32 100644
--- a/system/templates/account.change_sex.html.twig
+++ b/system/templates/account.change_sex.html.twig
@@ -1,6 +1,7 @@
 To change a sex of character select player and choose a new sex.<br/>
 <span style="color: red">Change sex cost {{ setting('core.account_change_character_sex_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/sex') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changesexsave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a sex of character select player and choose a new sex.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig
index a43d6e7d..7611a0c2 100644
--- a/system/templates/account.create.html.twig
+++ b/system/templates/account.create.html.twig
@@ -1,5 +1,6 @@
 {{ hook('HOOK_ACCOUNT_CREATE_BEFORE_FORM') }}
 <form action="{{ getLink('account/create') }}" method="post" id="createaccount">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
@@ -59,13 +60,13 @@
 													<td></td><td><span id="email_error" class="FormFieldError">{% if errors.email is defined %}{{ errors.email }}{% endif %}</span></td>
 												</tr>
 
-												{% if setting('core.mail_enabled') and config.account_mail_verify %}
+												{% if setting('core.mail_enabled') and setting('core.account_mail_verify') %}
 													<tr><td></td><td><span><strong>Please use real address!<br/>We will send a link to validate your Email.</strong></span></td></tr>
 												{% endif %}
 
 												{{ hook('HOOK_ACCOUNT_CREATE_AFTER_EMAIL') }}
 
-                                                {% if config.account_country %}
+                                                {% if setting('core.account_country') %}
 													<tr>
 														<td class="LabelV" style="width: 150px">
 															<span{% if errors.country[0] is defined %} class="red"{% endif %}>Country:</span>
@@ -104,11 +105,11 @@
 														<span{% if errors.password is defined %} class="red"{% endif %}>Repeat password:</span>
 													</td>
 													<td>
-														<input type="password" name="password2" id="password2" value="" size="30" maxlength="29" />
-														<img id="password2_indicator" src="images/global/general/{% if not save or errors.password is defined %}n{% endif %}ok.gif" style="display: none;" />
+														<input type="password" name="password_confirm" id="password_confirm" value="" size="30" maxlength="29" />
+														<img id="password_confirm_indicator" src="images/global/general/{% if not save or errors.password is defined %}n{% endif %}ok.gif" style="display: none;" />
 													</td>
 												</tr>
-												<tr><td></td><td><span id="password2_error" class="FormFieldError">{% if errors.password is defined %}{{ errors.password }}{% endif %}</span></td></tr>
+												<tr><td></td><td><span id="password_confirm_error" class="FormFieldError">{% if errors.password is defined %}{{ errors.password }}{% endif %}</span></td></tr>
 
 												{{ hook('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS') }}
 												</tbody>
@@ -122,7 +123,7 @@
 
 							{{ hook('HOOK_ACCOUNT_CREATE_BETWEEN_BOXES_1') }}
 
-							{% if (not setting('core.mail_enabled') or not config.account_mail_verify) and config.account_create_character_create %}
+							{% if (not setting('core.mail_enabled') or not setting('core.account_mail_verify')) and setting('core.account_create_character_create') %}
 							<tr>
 								<td>
 									<div class="TableShadowContainerRightTop">
diff --git a/system/templates/account.create.js.html.twig b/system/templates/account.create.js.html.twig
index 74bfb8bf..61300039 100644
--- a/system/templates/account.create.js.html.twig
+++ b/system/templates/account.create.js.html.twig
@@ -17,7 +17,7 @@
 		$('#password').blur(function() {
 			checkPassword();
 		});
-		$('#password2').blur(function() {
+		$('#password_confirm').blur(function() {
 			checkPassword();
 		});
 		$('#SuggestAccountNumber a').click(function (event) {
@@ -150,11 +150,11 @@
 			return;
 		}
 
-		if(document.getElementById("password2").value == "")
+		if(document.getElementById("password_confirm").value == "")
 		{
-			$('#password2_error').html('Please enter the password again!');
-			$('#password2_indicator').attr('src', 'images/global/general/nok.gif');
-			$('#password2_indicator').show();
+			$('#password_confirm_error').html('Please enter the password again!');
+			$('#password_confirm_indicator').attr('src', 'images/global/general/nok.gif');
+			$('#password_confirm_indicator').show();
 			return;
 		}
 
@@ -172,24 +172,24 @@
 		}
 
 		var password = document.getElementById("password").value;
-		var password2 = document.getElementById("password2").value;
-		$.getJSON("tools/validate.php", { password: password, password2: password2, uid: Math.random() },
+		var password_confirm = document.getElementById("password_confirm").value;
+		$.getJSON("tools/validate.php", { password: password, password_confirm: password_confirm, uid: Math.random() },
 			function(data){
 				if(data.hasOwnProperty('success')) {
 					$('#password_error').html ('');
-					$('#password2_error').html ('');
+					$('#password_confirm_error').html ('');
 					$('#password_indicator').attr('src', 'images/global/general/ok.gif');
-					$('#password2_indicator').attr('src', 'images/global/general/ok.gif');
+					$('#password_confirm_indicator').attr('src', 'images/global/general/ok.gif');
 				}
 				else if(data.hasOwnProperty('error')) {
 					$('#password_error').html(data.error);
-					$('#password2_error').html(data.error);
+					$('#password_confirm_error').html(data.error);
 					$('#password_indicator').attr('src', 'images/global/general/nok.gif');
-					$('#password2_indicator').attr('src', 'images/global/general/nok.gif');
+					$('#password_confirm_indicator').attr('src', 'images/global/general/nok.gif');
 				}
 
 				$('#password_indicator').show();
-				$('#password2_indicator').show();
+				$('#password_confirm_indicator').show();
 			}
 		);
 
diff --git a/system/templates/account.create_character.html.twig b/system/templates/account.create_character.html.twig
index acb57f5c..a860a8b1 100644
--- a/system/templates/account.create_character.html.twig
+++ b/system/templates/account.create_character.html.twig
@@ -2,11 +2,12 @@ Please choose a name{% if config.character_samples|length > 1 %}, vocation{% end
 {% if config.character_towns|length > 1 %}, town{% endif %}
  and sex for your character. <br/>
 In any case the name must not violate the naming conventions stated in the <a href="?subtopic=rules" target="_blank" >{{ config.lua.serverName }} Rules</a>, or your character might get deleted or name locked.
-{% if account_logged.getPlayersList(true)|length >= config.characters_per_account %}
+{% if account_logged.getPlayersList(true)|length >= setting('core.characters_per_account') %}
 <b><span style="color: red"> You have maximum number of characters per account on your account. Delete one before you make new.</span></b>
 {% endif %}
 <br/><br/>
 <form action="{{ getLink('account/character/create') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="save" value="1">
 	<div class="TableContainer">
 		<table class="Table3" cellpadding="0" cellspacing="0">
@@ -135,6 +136,7 @@ In any case the name must not violate the naming conventions stated in the <a hr
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.delete_character.html.twig b/system/templates/account.delete_character.html.twig
index 4a481f3a..c5953cc7 100644
--- a/system/templates/account.delete_character.html.twig
+++ b/system/templates/account.delete_character.html.twig
@@ -1,5 +1,6 @@
 To delete a character enter the name of the character and your password.<br/><br/>
 <form action="{{ getLink('account/character/delete') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="deletecharactersave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0" >
@@ -54,6 +55,7 @@ To delete a character enter the name of the character and your password.<br/><br
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
@@ -63,4 +65,4 @@ To delete a character enter the name of the character and your password.<br/><br
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.generate_new_recovery_key.html.twig b/system/templates/account.generate_new_recovery_key.html.twig
index 6f3e5c50..9b28cebc 100644
--- a/system/templates/account.generate_new_recovery_key.html.twig
+++ b/system/templates/account.generate_new_recovery_key.html.twig
@@ -1,6 +1,7 @@
 To generate new recovery key for your account please enter your password.<br/>
 <span style="color: red"><b>New recovery key cost {{ setting('core.account_generate_new_reckey_price') }} Premium Points.</span> You have {{ points }} premium points. You will receive e-mail with this recovery key.</b><br/>
 <form action="{{ getLink('account/register/new') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="registeraccountsave" value="1">
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -47,6 +48,7 @@ To generate new recovery key for your account please enter your password.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.generate_recovery_key.html.twig b/system/templates/account.generate_recovery_key.html.twig
index c1193edd..cb69476c 100644
--- a/system/templates/account.generate_recovery_key.html.twig
+++ b/system/templates/account.generate_recovery_key.html.twig
@@ -1,5 +1,6 @@
 To generate recovery key for your account please enter your password.<br/><br/>
 <form action="{{ getLink('account/register') }}" method="post">
+	{{ csrf() }}
 <input type="hidden" name="registeraccountsave" value="1"/>
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
@@ -50,6 +51,7 @@ To generate recovery key for your account please enter your password.<br/><br/>
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border: 0px;">
 							{{ include('buttons.back.html.twig') }}
@@ -59,4 +61,4 @@ To generate recovery key for your account please enter your password.<br/><br/>
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/account.login.html.twig b/system/templates/account.login.html.twig
index 2431f1d1..aec1e222 100644
--- a/system/templates/account.login.html.twig
+++ b/system/templates/account.login.html.twig
@@ -1,6 +1,7 @@
 {{ hook('HOOK_ACCOUNT_LOGIN_BEFORE_PAGE') }}
 Please enter your account {{ account|lower }} and your password.<br/><a href="{{ getLink('account/create') }}">Create an account</a> if you do not have one yet.<br/><br/>
-<form action="{{ getLink('account/manage') }}" method="post" >
+<form action="{{ getLink('account/manage') }}" method="post">
+	{{ csrf() }}
 	{% if redirect is not null %}
 		<input type="hidden" name="redirect" value="{{ redirect }}" />
 	{% endif %}
@@ -66,6 +67,7 @@ Please enter your account {{ account|lower }} and your password.<br/><a href="{{
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/lost') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.account_lost.html.twig') }}
diff --git a/system/templates/account.lost.form.html.twig b/system/templates/account.lost.form.html.twig
index 33456fd0..9c29ccd8 100644
--- a/system/templates/account.lost.form.html.twig
+++ b/system/templates/account.lost.form.html.twig
@@ -1,5 +1,6 @@
 The Lost Account Interface can help you to get back your account name and password. Please enter your character name and select what you want to do.<br/>
-<form action="?subtopic=lostaccount&action=step1" method=post>
+<form action="?subtopic=lostaccount&action=step1" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="character" value="">
 	<table cellspacing="1" cellpadding="4" border="0" width="100%">
 		<tr>
@@ -32,4 +33,4 @@ The Lost Account Interface can help you to get back your account name and passwo
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/account.management.html.twig b/system/templates/account.management.html.twig
index 95fc0975..a648f28e 100644
--- a/system/templates/account.management.html.twig
+++ b/system/templates/account.management.html.twig
@@ -68,6 +68,7 @@
 		<div style="text-align:center">
 			You can register your account for increased protection. Click on "Register Account" and get your free recovery key today!<br/>
 			<form action="{{ getLink('account/register') }}" method="post">
+				{{ csrf() }}
 				{% set button_name = 'Register Account' %}
 				{% include('buttons.base.html.twig') %}
 			</form>
@@ -80,6 +81,7 @@
 				A request has been submitted to change the email address of this account to <b>{{ email_new }}</b>. After <b>{{ email_new_time|date("j F Y, G:i:s") }}</b> you can accept the new email address and finish the process. Please cancel the request if you do not want your email address to be changed! Also cancel the request if you have no access to the new email address!
 
 				<form action="{{ getLink('account/email') }}" method="post">
+					{{ csrf() }}
 					{% set button_name = 'Edit' %}
 					{% include('buttons.base.html.twig') %}
 				</form>
@@ -99,6 +101,7 @@
 				<td style="width: 90px;">Email Address:</td>
 				<td>{{ account_email ~ email_change }}
 					<form action="{{ getLink('account/email') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Change Email' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -137,6 +140,7 @@
 			</tr>
 		</table>
 		<form action="{{ getLink('account/info') }}" method="post">
+			{{ csrf() }}
 			{% set button_name = 'Change Info' %}
 			{% include('buttons.base.html.twig') %}
 		</form>
@@ -188,6 +192,7 @@
 			<tr>
 				<td>
 					<form action="{{ getLink('account/character/create') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Create Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -195,6 +200,7 @@
 				{% if setting('core.account_change_character_name') %}
 				<td>
 					<form action="{{ getLink('account/character/name') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Name' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -203,6 +209,7 @@
 				{% if setting('core.account_change_character_sex') %}
 				<td>
 					<form action="{{ getLink('account/character/sex') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Sex' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -210,6 +217,7 @@
 				{% endif %}
 				<td>
 					<form action="{{ getLink('account/character/delete') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Delete Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
diff --git a/system/templates/admin-bar.html.twig b/system/templates/admin-bar.html.twig
index 0825dd27..b14eb84e 100644
--- a/system/templates/admin-bar.html.twig
+++ b/system/templates/admin-bar.html.twig
@@ -98,6 +98,7 @@ html { margin-top: 32px !important; }
 			<div class="dropdown-content">
 				<a href="{{ constant('ADMIN_URL') }}?p=news&action=new">News</a>
 				<a href="{{ constant('ADMIN_URL') }}?p=pages&action=new">Page</a>
+				<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new">Changelog</a>
 			</div>
 		</li>
 		<li>
@@ -106,9 +107,11 @@ html { margin-top: 32px !important; }
 			</a>
 		</li>
 		<li>
-			<a class="ab-item" href="{{ constant('ADMIN_URL') }}?p=dashboard&clear_cache">
-				Clear Cache
-			</a>
+			<form method="post" action="{{ constant('ADMIN_URL') }}?p=dashboard">
+				{{ csrf() }}
+				<input type="hidden" name="clear_cache" value="1" />
+				<a class="ab-item" href="#" onclick="confirm('Are you sure that you want to clear cache?') && $(this).closest('form').submit()" title="Clear Cache">Clear Cache</a>
+			</form>
 		</li>
 	</ul>
 	<ul class="ab-top-secondary">
diff --git a/system/templates/admin.changelog.form.html.twig b/system/templates/admin.changelog.form.html.twig
index 99b90f7a..f0505644 100644
--- a/system/templates/admin.changelog.form.html.twig
+++ b/system/templates/admin.changelog.form.html.twig
@@ -4,6 +4,8 @@
 			<h5 class="m-0">{{ (action == 'edit') ? 'Edit' : 'Add' }}</h5>
 		</div>
 		<form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			<div class="card-body">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ cl_id }}"/>
diff --git a/system/templates/admin.changelog.html.twig b/system/templates/admin.changelog.html.twig
index 28ee35e4..7826a0fe 100644
--- a/system/templates/admin.changelog.html.twig
+++ b/system/templates/admin.changelog.html.twig
@@ -1,8 +1,11 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">News:
-			<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new" class="float-right"><span
-					class="btn btn-sm btn-success">New</span></a>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
 		</h5>
 	</div>
 
@@ -30,15 +33,26 @@
 						<td><img src="{{ constant('BASE_URL') }}images/changelog/{{ log.where }}.png" alt="icon" title="{{ log.where|capitalize }}"/> {{ log.where|capitalize }}</td>
 						<td>
 							<div class="btn-group">
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=edit&id={{ log.id }}" class="btn btn-success btn-sm" title="Edit">
-									<i class="fas fa-pencil-alt"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=delete&id={{ log.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-									<i class="fas fa-trash"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=hide&id={{ log.id }}" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}">
-									<i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i>
-								</a>
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="edit" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="delete" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="hide" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+								</form>
 							</div>
 						</td>
 					</tr>
@@ -53,3 +67,15 @@
 		</table>
 	</div>
 </div>
+<link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/jquery.datetimepicker.css"/ >
+<script src="{{ constant('BASE_URL') }}tools/js/jquery.datetimepicker.js"></script>
+<script>
+	$(document).ready(function () {
+		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
+
+		$('.tb_datatable').DataTable({
+			"order": [[0, "desc"]],
+			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
+		});
+	});
+</script>
diff --git a/system/templates/admin.links.html.twig b/system/templates/admin.links.html.twig
new file mode 100644
index 00000000..986133c3
--- /dev/null
+++ b/system/templates/admin.links.html.twig
@@ -0,0 +1,22 @@
+<br/><br/>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="edit" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-success btn-sm" title="Edit"><img src="images/edit.png"/> Edit</button>
+</form>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="delete" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"><img src="images/del.png"/>Delete</button>
+</form>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="hide" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-{{ (hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if hidden != 1 %}Hide{% else %}Show{% endif %}"><img src="images/{{ hidden != 1 ? 'success' : 'error' }}.png"/>{{ hidden != 1 ? 'Hide' : 'Show' }}</button>
+</form>
diff --git a/system/templates/admin.login.html.twig b/system/templates/admin.login.html.twig
index acbcf040..afba47e1 100644
--- a/system/templates/admin.login.html.twig
+++ b/system/templates/admin.login.html.twig
@@ -19,6 +19,7 @@
 				<p class="login-box-msg">Please login.</p>
 
 				<form method="post" action="{{ constant('ADMIN_URL') }}">
+					{{ csrf() }}
 					<div class="input-group mb-3">
 						<div class="input-group-prepend">
 							<span class="input-group-text"><i class="fa fa-lock"></i></span>
diff --git a/system/templates/admin.mailer.html.twig b/system/templates/admin.mailer.html.twig
index eaf32213..0b77ccb3 100644
--- a/system/templates/admin.mailer.html.twig
+++ b/system/templates/admin.mailer.html.twig
@@ -9,6 +9,7 @@
 		<h5 class="m-0">Mailer</h5>
 	</div>
 	<form id="form" method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group row">
 				<label for="mail_to">To: (enter email, or leave empty to all)</label>
diff --git a/system/templates/admin.menus.form.html.twig b/system/templates/admin.menus.form.html.twig
index da4c126b..ae5c4dd1 100644
--- a/system/templates/admin.menus.form.html.twig
+++ b/system/templates/admin.menus.form.html.twig
@@ -4,6 +4,7 @@
 	</div>
 	<div class="card-body">
 		<form method="post" action="?p=menus">
+			{{ csrf() }}
 			<p>Please choose template in which you want to edit menu items.</p>
 			<div class="col-md-6">
 				<div class="input-group input-group-sm">
diff --git a/system/templates/admin.news.form.html.twig b/system/templates/admin.news.form.html.twig
index ddad9dd9..a0acaf9e 100644
--- a/system/templates/admin.news.form.html.twig
+++ b/system/templates/admin.news.form.html.twig
@@ -1,9 +1,11 @@
 {% if action %}
 	<div class="card card-info card-outline">
 		<div class="card-header">
-			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} news</h5>
+			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} {% if type == constant('NEWS') %}News{% elseif type == constant('TICKER') %}Ticker{% else %}Article{% endif %}</h5>
 		</div>
-		<form id="form" role="form" method="post" action="{{ news_link_form }}">
+		<form id="form" role="form" method="post">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action == 'edit' ? 'edit' : 'new' }}" />
 			<div class="card-body " id="page-edit-table">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ news_id }}"/>
@@ -22,9 +24,9 @@
 				<div class="form-group row">
 					<label for="select-type">Type</label>
 					<select class="form-control" name="type" id="select-type">
-						<option value="{{ constant('NEWS') }}" {% if type is defined and type == constant('NEWS') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('NEWS') %} disabled{% endif %}>News</option>
-						<option value="{{ constant('TICKER') }}" {% if type is defined and type == constant('TICKER') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('TICKER') %} disabled{% endif %}>Ticker</option>
-						<option value="{{ constant('ARTICLE') }}" {% if type is defined and type == constant('ARTICLE') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('ARTICLE') %} disabled{% endif %}>Article</option>
+						<option value="{{ constant('NEWS') }}" {% if type == constant('NEWS') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('NEWS') %} disabled{% endif %}>News</option>
+						<option value="{{ constant('TICKER') }}" {% if type == constant('TICKER') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('TICKER') %} disabled{% endif %}>Ticker</option>
+						<option value="{{ constant('ARTICLE') }}" {% if type == constant('ARTICLE') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('ARTICLE') %} disabled{% endif %}>Article</option>
 					</select>
 				</div>
 
@@ -85,7 +87,7 @@
 				</div>
 			</div>
 			<div class="card-footer">
-				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button>
+				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {{ action == 'edit' ? 'Update' : 'Add' }}</button>
 				<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=news';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
 			</div>
 		</form>
diff --git a/system/templates/admin.news.html.twig b/system/templates/admin.news.html.twig
index 4436c262..c2931398 100644
--- a/system/templates/admin.news.html.twig
+++ b/system/templates/admin.news.html.twig
@@ -1,136 +1,6 @@
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">News:
-			<a href="?p=news&action=new&type=1" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for news in newses[constant('NEWS')] %}
-				<tr>
-					<td>{{ news.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ news.id }}">{{ news.title }}</a></i></td>
-					<td>{{ news.date|date(config.news_date_format) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ news.player_link }}">{{ news.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ news.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ news.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ news.id }}" class="btn btn-{{ (news.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if news.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (news.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
-
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">Tickers:
-			<a href="?p=news&action=new&type=2" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for ticker in newses[constant('TICKER')] %}
-				<tr>
-					<td>{{ ticker.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ ticker.id }}">{{ ticker.title }}</a></i></td>
-					<td>{{ ticker.date|date(config.news_date_format) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ ticker.player_link }}">{{ ticker.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ ticker.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ ticker.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ ticker.id }}" class="btn btn-{{ (ticker.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if ticker.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (ticker.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
-
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">Articles: <a href="?p=news&action=new&type=3" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for article in newses[constant('ARTICLE')] %}
-				<tr>
-					<td>{{ article.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ article.id }}">{{ article.title }}</a></i></td>
-					<td>{{ article.date|date(config.news_date_format) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ article.player_link }}">{{ article.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ article.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ article.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ article.id }}" class="btn btn-{{ (article.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (article.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
+{{ include('admin.news.table.html.twig', {type: 1, title: 'News'}) }}
+{{ include('admin.news.table.html.twig', {type: 2, title: 'Tickers'}) }}
+{{ include('admin.news.table.html.twig', {type: 3, title: 'Articles'}) }}
 
 <script>
 	$(function () {
diff --git a/system/templates/admin.news.table.html.twig b/system/templates/admin.news.table.html.twig
new file mode 100644
index 00000000..5e3633df
--- /dev/null
+++ b/system/templates/admin.news.table.html.twig
@@ -0,0 +1,64 @@
+<div class="card card-info card-outline">
+	<div class="card-header">
+		<h5 class="m-0">{{ title }}:
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<input type="hidden" name="type" value="{{ type }}" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
+		</h5>
+	</div>
+
+	<div class="card-body">
+		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
+			<thead>
+			<tr>
+				<th width="5%">ID</th>
+				<th>Title</th>
+				<th>Date</th>
+				<th>Player</th>
+				<th style="width: 150px;">Options</th>
+			</tr>
+			</thead>
+			<tbody>
+			{% for news in newses[type] %}
+				<tr>
+					<td>{{ news.id|raw }}</td>
+					<td>
+						<i>
+							<a href="{{ getLink('news') }}/{{ news.id }}" target="_blank">{{ news.title }}</a>
+						</i>
+					</td>
+					<td>{{ news.date|date(setting('core.news_date_format')) }}</td>
+					<td><a target="_blank" href="{{ news.player_link }}">{{ news.player_name }}</a></td>
+					<td>
+						<div class="btn-group">
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="edit" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="delete" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"><i class="fas fa-trash"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="hide" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-{{ (news.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if news.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (news.hidden != 1) ? '' : '-slash' }}"></i></button>
+							</form>
+						</div>
+					</td>
+				</tr>
+			{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
diff --git a/system/templates/admin.notepad.html.twig b/system/templates/admin.notepad.html.twig
index d3dc5000..43bac7f4 100644
--- a/system/templates/admin.notepad.html.twig
+++ b/system/templates/admin.notepad.html.twig
@@ -3,6 +3,7 @@
 		<h5 class="m-0">Notepad</h5>
 	</div>
 	<form method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group">
 				<label>This is your personal notepad. Be sure to save it each time you modify something.</label>
diff --git a/system/templates/admin.pages.form.html.twig b/system/templates/admin.pages.form.html.twig
index ae666294..499af4ee 100644
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@@ -3,7 +3,9 @@
 		<div class="card-header">
 			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5>
 		</div>
-		<form id="form" class="form-horizontal" method="post" action="?p=pages&action={% if action == 'edit' %}edit{% else %}new{% endif %}">
+		<form id="form" class="form-horizontal" method="post">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			{% if action == 'edit' %}
 				<input type="hidden" name="id" value="{{ id }}"/>
 			{% endif %}
diff --git a/system/templates/admin.pages.html.twig b/system/templates/admin.pages.html.twig
index ccf2e3ee..5ee6e1db 100644
--- a/system/templates/admin.pages.html.twig
+++ b/system/templates/admin.pages.html.twig
@@ -1,7 +1,12 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">Pages
-			<a href="?p=pages&action=new" class="float-right"><span class="btn btn-sm btn-success">New</span></a></h5>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
+		</h5>
 	</div>
 	<div class="card-body">
 		<table class="table table-striped table-bordered table-responsive d-md-table" id="tb_pages">
@@ -21,15 +26,26 @@
 					<td>{% if page.php %}Yes{% else %}No{% endif %}</td>
 					<td>
 						<div class="btn-group">
-							<a href="?p=pages&action=edit&id={{ page.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=pages&action=delete&id={{ page.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=pages&action=hide&id={{ page.id }}" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (page.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="edit" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="delete" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="hide" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+							</form>
 						</div>
 					</td>
 				</tr>
diff --git a/system/templates/admin.pages.links.html.twig b/system/templates/admin.pages.links.html.twig
deleted file mode 100644
index 459d0623..00000000
--- a/system/templates/admin.pages.links.html.twig
+++ /dev/null
@@ -1,14 +0,0 @@
-<div style="text-align: right;">
-	<a href="{{ constant('ADMIN_URL') }}?p=pages&action=edit&id={{ page.id }}" title="Edit in Admin Panel" target="_blank">
-		<img src="images/edit.png"/>Edit
-	</a>
-	<a id="delete" href="{{ constant('ADMIN_URL') }}?p=pages&action=delete&id={{ page.id }}" onclick="return confirm('Are you sure?');"
-	   title="Delete in Admin Panel" target="_blank">
-		<img src="images/del.png"/>Delete
-	</a>
-	<a href="{{ constant('ADMIN_URL') }}?p=pages&action=hide&id={{ page.id }}"
-	   title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %} in Admin Panel" target="_blank">
-		<img src="images/{% if page.hidden != 1 %}success{% else %}error{% endif %}.png"/>{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}
-	</a>
-	<br/>
-</div>
diff --git a/system/templates/admin.plugins.form.html.twig b/system/templates/admin.plugins.form.html.twig
index 8f43b908..3a049184 100644
--- a/system/templates/admin.plugins.form.html.twig
+++ b/system/templates/admin.plugins.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">Install plugin</h5>
 		</div>
 		<form enctype="multipart/form-data" method="post" action="{{ constant('ADMIN_URL') }}?p=plugins">
+			{{ csrf() }}
 			<div class="card-body">
 				<input type="hidden" name="upload_plugin"/>
 
diff --git a/system/templates/admin.plugins.html.twig b/system/templates/admin.plugins.html.twig
index d6ffe7b2..aaecdcd9 100644
--- a/system/templates/admin.plugins.html.twig
+++ b/system/templates/admin.plugins.html.twig
@@ -19,13 +19,17 @@
 				<tr>
 					<td>
 						{% if plugin.enabled %}
-						<a href="?p=plugins&disable={{ plugin.file }}" class="btn btn-success" onclick="return confirm('Are you sure you want to disable plugin {{ plugin.name }}?');" title="Disable">
-							<i class="fas fa-check"></i> Enabled
-						</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="disable" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-success" onclick="return confirm('Are you sure you want to disable plugin {{ plugin.name }}?');" title="Disable"><i class="fas fa-check"></i> Enabled</button>
+							</form>
 						{% else %}
-							<a href="?p=plugins&enable={{ plugin.file }}" class="btn btn-danger" onclick="return confirm('Are you sure you want to enable plugin {{ plugin.name }}?');" title="Enable">
-								<i class="fas fa-ban"></i> Disabled
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="enable" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-danger" onclick="return confirm('Are you sure you want to enable plugin {{ plugin.name }}?');" title="Enable"><i class="fas fa-ban"></i> Disabled</button>
+							</form>
 						{% endif %}
 					</td>
 					<td><b>{{ plugin.name }}</b><br>
@@ -38,9 +42,11 @@
 					<td>{{ plugin.file }}.json</td>
 					<td>
 						{% if plugin.uninstall %}
-							<a href="?p=plugins&uninstall={{ plugin.file }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure you want to uninstall {{ plugin.name }}?');" title="Uninstall">
-								<i class="fas fa-trash"></i>
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="uninstall" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure you want to uninstall {{ plugin.name }}?');" title="Uninstall"><i class="fas fa-trash"></i></button>
+							</form>
 						{% endif %}
 					</td>
 				</tr>
diff --git a/system/templates/admin.settings.html.twig b/system/templates/admin.settings.html.twig
index e5d3ef9b..89a38a95 100644
--- a/system/templates/admin.settings.html.twig
+++ b/system/templates/admin.settings.html.twig
@@ -74,6 +74,12 @@
 <link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/toastify.min.css">
 <script type="text/javascript" src="{{ constant('BASE_URL') }}tools/js/toastify.min.js"></script>
 <script>
+	$.ajaxSetup({
+		headers: {
+			'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
+		}
+	});
+
 	$('#settings').submit(function(e) {
 		e.preventDefault();
 
diff --git a/system/templates/admin.tools.account.html.twig b/system/templates/admin.tools.account.html.twig
index ee32fc99..7e79d38c 100644
--- a/system/templates/admin.tools.account.html.twig
+++ b/system/templates/admin.tools.account.html.twig
@@ -6,6 +6,7 @@
 				<h5 class="m-0">Give Premium Points</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Points</label>
@@ -28,6 +29,7 @@
 				<h5 class="m-0">Give Coins</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Coins</label>
@@ -50,6 +52,7 @@
 				<h5 class="m-0">Give Premium Days</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Days</label>
diff --git a/system/templates/characters.html.twig b/system/templates/characters.html.twig
index 9553d20c..b4d8b359 100644
--- a/system/templates/characters.html.twig
+++ b/system/templates/characters.html.twig
@@ -17,7 +17,7 @@
 		{% endif %}
 		<table border="0" cellspacing="1" cellpadding="4" width="100%">
 			{% if config.characters.outfit %}
-			<div style="width:64px;height:64px;border:2px solid #F1E0C6; border-radius:50px; padding:13px; margin-top:38px;margin-left:376px;position:absolute;"><img style="margin-left:{% if player.getLookType() in config.outfit_images_wrong_looktypes %}-0px;margin-top:-0px;width:64px;height:64px;{% else %}-60px;margin-top:-60px;width:128px;height:128px;{% endif %}" src="{{ outfit }}" alt="player outfit"/></div>
+			<div style="width:64px;height:64px;border:2px solid #F1E0C6; border-radius:50px; padding:13px; margin-top:38px;margin-left:376px;position:absolute;"><img style="margin-left:{% if player.getLookType() in setting('core.outfit_images_wrong_looktypes') %}-0px;margin-top:-0px;width:64px;height:64px;{% else %}-60px;margin-top:-60px;width:128px;height:128px;{% endif %}" src="{{ outfit }}" alt="player outfit"/></div>
 			{% endif %}
 
 			<tr bgcolor="{{ config.vdarkborder }}">
@@ -106,6 +106,7 @@
 							<td>{{ house.name ~ house.town ~ house.add }}</td>
 							<td>
 								<form action="?subtopic=houses&page=view" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="house" value="{{ house.name }}">
 									<input type="image" name="View" alt="View" src="{{ template_path }}/images/global/buttons/sbutton_view.gif" border="0" width="120">
 								</form>
@@ -402,7 +403,8 @@
 				<td>{% if player.isOnline() %}<b><span style="color: green">Online</span></b>{% endif %}</td>
 				<td>
 					<table border="0" cellspacing="0" cellpadding="0">
-						<form action="{{ getLink('characters') }}" method=post>
+						<form action="{{ getLink('characters') }}" method="post">
+							{{ csrf() }}
 							<tr>
 								<td>
 									<input type="hidden" name="name" value="{{ player.getName() }}"/>
diff --git a/system/templates/creature.html.twig b/system/templates/creature.html.twig
index 46e2e508..18828e0c 100644
--- a/system/templates/creature.html.twig
+++ b/system/templates/creature.html.twig
@@ -155,7 +155,7 @@
 					{% if (item.count > 1) %}
 						<span class="loot_amount">{{ item.count }}</span>
 					{% endif %}
-					<a href="{{ config.monsters_items_url }}{{ item.name|title }}"><img title="{{ item.tooltip }}" src="{{ config.item_images_url }}{{ item.id }}{{ config.item_images_extension }}" class="loot_image"/></a>
+					<a href="{{ setting('core.monsters_items_url') }}{{ item.name|title }}"><img title="{{ item.tooltip }}" src="{{ setting('core.item_images_url') }}{{ item.id }}{{ setting('core.item_images_extension') }}" class="loot_image"/></a>
 				</span>
 				{% endfor %}
 			</td>
diff --git a/system/templates/creatures.html.twig b/system/templates/creatures.html.twig
index 4c3f3c24..398fbc38 100644
--- a/system/templates/creatures.html.twig
+++ b/system/templates/creatures.html.twig
@@ -52,9 +52,8 @@
 				});
 			});
 		</script>
-		{{ generateLink('?creatures', 'All', false)|raw }} - <a href="?subtopic=creatures&boss=view">Bosses</a>
-		<div style="float: right;"><input id="cSearch" type="text" placeholder="Search.."></div>
-		<table width="100%">
+		{{ generateLink(getLink('creatures'), 'All', false)|raw }} - <a href="?subtopic=creatures&boss=view">Bosses</a>
+		<table width="100%" id="creaturestb">
 			<thead>
 			<tr>
 				<th>Name</th>
@@ -83,7 +82,15 @@
 			</tbody>
 		</table>
 	{% endif %}
-	<script src="tools/js/jquery.min.js"></script>
+	<script>
+		$(document).ready(function () {
+			$('#creaturestb').DataTable();
+		});
+
+	</script>
+
+	<script src="tools/js/datatables.min.js"></script>
+	<link rel="stylesheet" href="tools/css/datatables.min.css">
 {% else %}
 	<table width="100%">
 		<tr>
diff --git a/system/templates/faq.form.html.twig b/system/templates/faq.form.html.twig
index 8a62d2bd..7dbc4ad2 100644
--- a/system/templates/faq.form.html.twig
+++ b/system/templates/faq.form.html.twig
@@ -1,7 +1,8 @@
 <form method="post" action="{{ link }}">
-    {% if action == 'edit' %}
-        <input type="hidden" name="id" value="{{ id }}" />
-    {% endif %}
+	{{ csrf() }}
+	{% if action == 'edit' %}
+		<input type="hidden" name="id" value="{{ id }}" />
+	{% endif %}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><b>{% if action == 'edit' %}Edit{% else %}Add{% endif %} FAQ</b></td>
@@ -23,4 +24,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.add_board.html.twig b/system/templates/forum.add_board.html.twig
index f46d3a06..2dbfe963 100644
--- a/system/templates/forum.add_board.html.twig
+++ b/system/templates/forum.add_board.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit_board' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -44,4 +45,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.edit_post.html.twig b/system/templates/forum.edit_post.html.twig
index cd1e2a51..188bbaf6 100644
--- a/system/templates/forum.edit_post.html.twig
+++ b/system/templates/forum.edit_post.html.twig
@@ -1,5 +1,6 @@
 <br/>
 <form action="{{ getLink('forum') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="edit_post" />
 	<input type="hidden" name="id" value="{{ post_id }}" />
 	<input type="hidden" name="save" value="save" />
@@ -49,4 +50,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Save Post" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.move_thread.html.twig b/system/templates/forum.move_thread.html.twig
index 4188cb75..4a5981b2 100644
--- a/system/templates/forum.move_thread.html.twig
+++ b/system/templates/forum.move_thread.html.twig
@@ -25,6 +25,7 @@
 							<input type="submit" value="Move Thread">
 						</form>
 						<form action="{{ section_link }}" method="post">
+							{{ csrf() }}
 							<input type="submit" value="Cancel">
 						</form>
 					</td>
@@ -32,4 +33,4 @@
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/forum.new_post.html.twig b/system/templates/forum.new_post.html.twig
index 6220cddb..ac07c311 100644
--- a/system/templates/forum.new_post.html.twig
+++ b/system/templates/forum.new_post.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_post" />
 	<input type="hidden" name="thread_id" value=" {{ thread_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
diff --git a/system/templates/forum.new_thread.html.twig b/system/templates/forum.new_thread.html.twig
index 77efec37..3b5e080d 100644
--- a/system/templates/forum.new_thread.html.twig
+++ b/system/templates/forum.new_thread.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_thread" />
 	<input type="hidden" name="section_id" value="{{ section_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
@@ -45,4 +46,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Post Thread" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.show_thread.html.twig b/system/templates/forum.show_thread.html.twig
index 80985d43..ddcb3be5 100644
--- a/system/templates/forum.show_thread.html.twig
+++ b/system/templates/forum.show_thread.html.twig
@@ -24,7 +24,7 @@ Page: {{ links_to_pages|raw }}<br/>
 		{% set i = i + 1 %}
 		<td valign="top">{{ post.player_link|raw }}<br/>
 			{% if post.outfit is defined %}
-			<img style="margin-left:{% if post.player.getLookType() in config.outfit_images_wrong_looktypes %}-0px;margin-top:-0px;width:64px;height:64px;{% else %}-60px;margin-top:-60px;width:128px;height:128px;{% endif %}" src="{{ post.outfit }}" alt="player outfit"/>
+			<img style="margin-left:{% if post.player.getLookType() in setting('core.outfit_images_wrong_looktypes') %}-0px;margin-top:-0px;width:64px;height:64px;{% else %}-60px;margin-top:-60px;width:128px;height:128px;{% endif %}" src="{{ post.outfit }}" alt="player outfit"/>
 			<br />
 			{% endif %}
 			<span style="font-size: 10px">
diff --git a/system/templates/gallery.form.html.twig b/system/templates/gallery.form.html.twig
index 8b5b21e7..1c285ba2 100644
--- a/system/templates/gallery.form.html.twig
+++ b/system/templates/gallery.form.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -29,4 +30,4 @@
 		</tr>
 	</table>
 </form>
-<br/><br/>
\ No newline at end of file
+<br/><br/>
diff --git a/system/templates/guilds.accept_invite.html.twig b/system/templates/guilds.accept_invite.html.twig
index 8d174473..c3fde96c 100644
--- a/system/templates/guilds.accept_invite.html.twig
+++ b/system/templates/guilds.accept_invite.html.twig
@@ -8,6 +8,7 @@
 	<tr bgcolor="{{ config.darkborder }}">
 		<td>
 			<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{% set i = 0 %}
 				{% for player in invited_players %}
 				<input type="radio" name="name" id="name_{{ i }}" value="{{ player }}" /><label for="name_{{ i }}">{{ player }}</label>
@@ -24,9 +25,10 @@
 		<tr>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.back_button.html.twig b/system/templates/guilds.back_button.html.twig
index c1f009f8..d6ce0de4 100644
--- a/system/templates/guilds.back_button.html.twig
+++ b/system/templates/guilds.back_button.html.twig
@@ -3,6 +3,7 @@
 {% endif %}
 <div style="text-align:center">
 	<form action="{% if action is not defined %}{{ getLink('guilds') }}{% else %}{{ action }}{% endif %}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.change_description.html.twig b/system/templates/guilds.change_description.html.twig
index b6d43dd0..c9abc5dc 100644
--- a/system/templates/guilds.change_description.html.twig
+++ b/system/templates/guilds.change_description.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild description</h2></div>
 Here you can change description of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_description" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
-	<textarea name="description" cols="60" rows="{{ config.guild_description_lines_limit - 1 }}">{{ guild.getCustomField('description')|raw }}</textarea><br>
-	(max. {{ config.guild_description_lines_limit }} lines, max. {{ config.guild_description_chars_limit }} chars) <input type="submit" value="Save description"/></form><br/>
+	<textarea name="description" cols="60" rows="{{ setting('core.guild_description_lines_limit') - 1 }}">{{ guild.getCustomField('description')|raw }}</textarea><br>
+	(max. {{ setting('core.guild_description_lines_limit') }} lines, max. {{ setting('core.guild_description_chars_limit') }} chars) <input type="submit" value="Save description"/></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_logo.html.twig b/system/templates/guilds.change_logo.html.twig
index f8aa002e..9577b175 100644
--- a/system/templates/guilds.change_logo.html.twig
+++ b/system/templates/guilds.change_logo.html.twig
@@ -1,22 +1,24 @@
 <div style="text-align:center"><h2>Change guild logo</h2></div>
 Here you can change logo of your guild.<br/>Actuall logo: <img src="{{ constant('GUILD_IMAGES_DIR') }}{{ guild_logo }}" height="64" width="64"><br/><br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_logo" method="post" id="upload_form">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save" />
 	<input type="hidden" name="MAX_FILE_SIZE" value="{{ max_image_size_b }}" />
 	Select new logo: <input name="newlogo" id="newlogo" type="file" />
 	<input type="submit" value="Send new logo" />
 </form>
-Only <b>jpg, gif, png, bmp</b> pictures. Max. size: <b>{{ config.guild_image_size_kb }} KB</b><br>
+Only <b>jpg, gif, png, bmp</b> pictures. Max. size: <b>{{ setting('core.guild_image_size_kb') }} KB</b><br>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
 <script type="text/javascript">
 	$(function() {
 		$('#upload_form').submit(function (event) {
-			var max_img_size = {{ config.guild_image_size_kb * 1024 }};
+			var max_img_size = {{ setting('core.guild_image_size_kb') * 1024 }};
 			var input = document.getElementById("newlogo");
 			// check for browser support (may need to be modified)
 			if (input.files && input.files.length == 1) {
diff --git a/system/templates/guilds.change_motd.html.twig b/system/templates/guilds.change_motd.html.twig
index 89d7829f..ab91f67d 100644
--- a/system/templates/guilds.change_motd.html.twig
+++ b/system/templates/guilds.change_motd.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild MOTD</h2></div>
 Here you can change MOTD (Message of the Day, showed in game!) of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_motd" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
 	<textarea name="motd" cols="60" rows="3">{{ guild.getCustomField('motd')|raw }}</textarea><br/>
-	(max. {{ config.guild_motd_chars_limit }} chars) <input type="submit" value="Save MOTD" /></form><br/>
+	(max. {{ setting('core.guild_motd_chars_limit') }} chars) <input type="submit" value="Save MOTD" /></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_rank.html.twig b/system/templates/guilds.change_rank.html.twig
index a3011254..ee28bf3f 100644
--- a/system/templates/guilds.change_rank.html.twig
+++ b/system/templates/guilds.change_rank.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=change_rank&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	<table border="0" cellspacing="1" cellpadding="4" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}"><td class="white"><b>Change Rank</b></td></tr>
 		<tr bgcolor="{{ config.darkborder }}">
@@ -29,9 +30,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.create.html.twig b/system/templates/guilds.create.html.twig
index eb09ec2a..5def076b 100644
--- a/system/templates/guilds.create.html.twig
+++ b/system/templates/guilds.create.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=create&todo=save" method="post">
+	{{ csrf() }}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><B>Create a {{ config.lua.serverName }} Guild</b></td>
@@ -47,6 +48,7 @@
 			</td>
 			<td align="center">
 				<form  action="?subtopic=guilds" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
@@ -54,4 +56,4 @@
 				<img src="{{ template_path }}/images/general/blank.gif" width="120" height="1" border="0"><br>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/guilds.create.success.html.twig b/system/templates/guilds.create.success.html.twig
index 354a0300..c3f8900e 100644
--- a/system/templates/guilds.create.success.html.twig
+++ b/system/templates/guilds.create.success.html.twig
@@ -14,9 +14,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.delete_guild.html.twig b/system/templates/guilds.delete_guild.html.twig
index 063e3fdc..bd40f1e1 100644
--- a/system/templates/guilds.delete_guild.html.twig
+++ b/system/templates/guilds.delete_guild.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Are you sure you want delete guild <b>{{ guild.getName() }}</b>?<br/>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=delete_guild" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="submit" value="Yes, delete"/>
 								</form>
@@ -34,6 +35,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.delete_invite.html.twig b/system/templates/guilds.delete_invite.html.twig
index 771617e9..833086db 100644
--- a/system/templates/guilds.delete_invite.html.twig
+++ b/system/templates/guilds.delete_invite.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=delete_invite&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px; "></td>
 			<td>
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.invite.html.twig b/system/templates/guilds.invite.html.twig
index df822e59..9b10bf4e 100644
--- a/system/templates/guilds.invite.html.twig
+++ b/system/templates/guilds.invite.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=invite&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	Invite player with name:&nbsp;&nbsp;<input type="text" name="name">&nbsp;&nbsp;&nbsp;&nbsp;
 	{{ include('buttons.submit.html.twig') }}
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/guilds.kick_player.html.twig b/system/templates/guilds.kick_player.html.twig
index 881195be..00c02b25 100644
--- a/system/templates/guilds.kick_player.html.twig
+++ b/system/templates/guilds.kick_player.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=kick_player&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+					{{ csrf() }}
 					{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px;"></td>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.leave_guild.html.twig b/system/templates/guilds.leave_guild.html.twig
index 989e1134..7acfa253 100644
--- a/system/templates/guilds.leave_guild.html.twig
+++ b/system/templates/guilds.leave_guild.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name }}&todo=save" METHOD="post">
+	{{ csrf() }}
 <table border="0" cellspacing="1" cellpadding="4" width="100%">
 	<tr bgcolor="{{ config.vdarkborder }}">
 		<td class="white"><b>Leave guild</b></td></tr>
@@ -27,8 +28,9 @@
 </form>
 		<td>
 			<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.back.html.twig') }}
 			</form>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.list.html.twig b/system/templates/guilds.list.html.twig
index 1f7903a6..a95a2750 100644
--- a/system/templates/guilds.list.html.twig
+++ b/system/templates/guilds.list.html.twig
@@ -61,6 +61,7 @@
 																			<tr>
 																				<td style="border:0;">
 																					<form action="{{ guild.link }}" method="post">
+																						{{ csrf() }}
 																						{{ include('buttons.view.html.twig') }}
 																					</form>
 																				</td>
@@ -82,11 +83,10 @@
 															<td>
 																<table border="0" cellpadding="0" cellspacing="0" width="100%">
 																	<form action="?subtopic=guilds&action=create" method="post">
-																		<form action="?subtopic=guilds&action=create" method="post">
-																			{% set button_name = 'Found Guild' %}
-																			{% set button_image = '_sbutton_foundguild' %}
-																			{% include('buttons.base.html.twig') %}
-																		</form>
+																		{{ csrf() }}
+																		{% set button_name = 'Found Guild' %}
+																		{% set button_image = '_sbutton_foundguild' %}
+																		{% include('buttons.base.html.twig') %}
 																	</form>
 																</table>
 															</td>
@@ -128,6 +128,7 @@
 						{% if logged %}
 						No guild found that suits your needs?
 						<form action="?subtopic=guilds&action=create" method="post">
+							{{ csrf() }}
 							{% set button_name = 'Found Guild' %}
 							{% set button_image = '_sbutton_foundguild' %}
 							{% include('buttons.base.html.twig') %}
@@ -136,6 +137,7 @@
 						<b>Before you can create a guild you must login.</b>
 						<br/>
 						<form action="?subtopic=accountmanagement&redirect={{ getLink('guilds') }}" method="post">
+							{{ csrf() }}
 							{% include('buttons.login.html.twig') %}
 						</form>
 						{% endif %}
diff --git a/system/templates/guilds.manager.html.twig b/system/templates/guilds.manager.html.twig
index ff733be0..16dc6082 100644
--- a/system/templates/guilds.manager.html.twig
+++ b/system/templates/guilds.manager.html.twig
@@ -76,6 +76,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 							<td width="120" valign="top">New rank name:</td>
 							<td>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=add_rank" method="post">
+									{{ csrf() }}
 									<input type="text" name="rank_name" size="20"/>
 									<input type="submit" value="Add"/>
 								</form>
@@ -89,6 +90,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 </div>
 <div style="text-align:center"><h3>Change rank names and levels</h3></div>
 <form action="?subtopic=guilds&action=save_ranks&guild={{ guild.getName() }}" method="post">
+	{{ csrf() }}
 	<table style="clear:both" border="0" cellpadding="0" cellspacing="0" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}">
 			<td rowspan="2" width="120" align="center">
@@ -163,6 +165,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&action=show&guild={{ guild.getName() }}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.pass_leadership.html.twig b/system/templates/guilds.pass_leadership.html.twig
index 04d7d211..0524835d 100644
--- a/system/templates/guilds.pass_leadership.html.twig
+++ b/system/templates/guilds.pass_leadership.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Pass leadership to: </b><br>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=pass_leadership" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="text" size="40" name="player"/>
 									<input type="submit" value="Save">
@@ -35,6 +36,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.view.html.twig b/system/templates/guilds.view.html.twig
index f3da843e..a815379b 100644
--- a/system/templates/guilds.view.html.twig
+++ b/system/templates/guilds.view.html.twig
@@ -142,6 +142,7 @@
 																	<td>
 																		{% set playerName = player.getName() %}
 																		<form action="?subtopic=guilds&action=change_nick&name={{ playerName }}&guild={{ guild_name }}" method="post">
+																			{{ csrf() }}
 																			{{ getPlayerLink(playerName, true)|raw }}
 
 																			{% set showGuildNick = false %}
@@ -290,6 +291,7 @@
 													<tr>
 														{% if not logged %}
 															<form action="?subtopic=accountmanagement&redirect={{ getGuildLink(guild_name|url_encode, false) }}" method="post">
+																{{ csrf() }}
 																<td>
 																	{{ include('buttons.login.html.twig') }}
 																</td>
@@ -297,6 +299,7 @@
 														{% else %}
 															{% if show_accept_invite > 0 %}
 																<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		<input type="image" name="Accept Invite" alt="Accept Invite" src="{{ template_path }}/images/global/buttons/sbutton_acceptinvite.png" style="width: 120px; height: 20px;">
 																	</td>
@@ -305,6 +308,7 @@
 
 															{% if isVice %}
 																<form action="?subtopic=guilds&action=invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Invite Character' %}
 																		{% set button_image = '_sbutton_invitecharacter' %}
@@ -313,6 +317,7 @@
 																</form>
 
 																<form action="?subtopic=guilds&action=change_rank&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Edit Ranks' %}
 																		{% set button_image = '_sbutton_editranks' %}
@@ -323,6 +328,7 @@
 
 															{% if players_from_account_in_guild|length > 0 %}
 																<form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Leave Guild' %}
 																		{% set button_image = '_sbutton_leaveguild' %}
@@ -333,6 +339,7 @@
 														{% endif %}
 
 														<form action="{{ getLink('guilds') }}" method="post">
+															{{ csrf() }}
 															<td style="float: right">
 																{{ include('buttons.back.html.twig') }}
 															</td>
diff --git a/system/templates/highscores.html.twig b/system/templates/highscores.html.twig
index ddef7ef2..90a833c6 100644
--- a/system/templates/highscores.html.twig
+++ b/system/templates/highscores.html.twig
@@ -29,13 +29,13 @@
 			</table>
 			<table border="0" cellpadding="4" cellspacing="1" width="100%">
 				<tr bgcolor="{{ config.vdarkborder }}">
-					{% if config.account_country %}
+					{% if setting('core.account_country') %}
 					<td style="width: 11px" class="white">#</td>
 					{% endif %}
 
 					<td style="width: 10%" class="white"><b>Rank</b></td>
 
-					{% if config.highscores_outfit %}
+					{% if setting('core.highscores_outfit') %}
 					<td class="white"><b>Outfit</b></td>
 					{% endif %}
 
@@ -56,13 +56,13 @@
 					<tr bgcolor="{{ getStyle(row) }}">
 						{% set row = row + 1 %}
 
-						{% if config.account_country %}
+						{% if setting('core.account_country') %}
 						<td>{{ player.flag|raw }}</td>
 						{% endif %}
 
 						<td>{{ player.rank }}.</td>
 
-						{% if config.highscores_outfit %}
+						{% if setting('core.highscores_outfit') %}
 						<td>{{ player.outfit|raw }}</td>
 						{% endif %}
 
@@ -70,7 +70,7 @@
 							<a href="{{ player.link }}">
 								<span style="color: {% if player.online > 0 %}green{% else %}red{% endif %}">{{ player.name }}</span>
 							</a>
-							{% if config.highscores_vocation %}
+							{% if setting('core.highscores_vocation') %}
 							<br/><small>{{ player.vocation }}</small>
 							{% endif %}
 						</td>
diff --git a/system/templates/news.html.twig b/system/templates/news.html.twig
index 79c11b7e..fce8def7 100644
--- a/system/templates/news.html.twig
+++ b/system/templates/news.html.twig
@@ -1,9 +1,9 @@
 <div class="NewsHeadline">
 	<div class="NewsHeadlineBackground" style="background-image:url({{ template_path }}/images/news/newsheadline_background.gif)">
 		<img src="{{ constant('BASE_URL') }}images/news/icon_{{ icon }}.gif" class="NewsHeadlineIcon" />
-		<div class="NewsHeadlineDate">{{ date|date(config.news_date_format) }} - </div>
+		<div class="NewsHeadlineDate">{{ date|date(setting('core.news_date_format')) }} - </div>
 		<div class="NewsHeadlineText">{{ title }}</div>
-		{% if config.news_author and author is not empty %}
+		{% if setting('core.news_author') and author is not empty %}
 		<div class="NewsHeadlineAuthor"><b>Author: </b><i>{{ author }}</i></div>
 		{% endif %}
 	</div>
diff --git a/system/templates/online.html.twig b/system/templates/online.html.twig
index b7c9d916..b2090327 100644
--- a/system/templates/online.html.twig
+++ b/system/templates/online.html.twig
@@ -10,7 +10,7 @@
 			{% if not status.online %}
 			Server is offline.<br/>
 			{% else %}
-				{% if config.online_afk %}
+				{% if setting('core.online_afk') %}
 					{% set players_count = players|length %}
 					{% set afk = players_count - status.players %}
 					{% if afk < 0 %}
@@ -28,9 +28,9 @@
 </table>
 <br/>
 	{# vocation statistics #}
-	{% if config.online_vocations %}
+	{% if setting('core.online_vocations') %}
 <br/>
-		{% if config.online_vocations_images %}
+		{% if setting('core.online_vocations_images') %}
 	<table width="200" cellspacing="1" cellpadding="0" border="0" align="center">
 		<tr bgcolor="{{ config.darkborder }}">
 			<td><img src="images/sorcerer.png" /></td>
@@ -70,7 +70,7 @@
 	{% endif %}
 
 	{# show skulls #}
-	{% if config.online_skulls %}
+	{% if setting('core.online_skulls') %}
 <table width="100%" cellspacing="1">
 	<tr>
 		<td style="background: {{ config.darkborder }};" align="center">
@@ -84,10 +84,10 @@
 
 <table border="0" cellspacing="1" cellpadding="4" width="100%">
 	<tr bgcolor="{{ config.vdarkborder }}">
-		{% if config.account_country %}
+		{% if setting('core.account_country') %}
 		<td width="11px"><a href="{{ getLink('online?order=country') }}" class="white">#</A></td>
 		{% endif %}
-		{% if config.online_outfit %}
+		{% if setting('core.online_outfit') %}
 		<td class="white"><b>Outfit</b></td>
 		{% endif %}
 		<td width="60%"><a href="{{ getLink('online?order=name') }}" class="white">Name</A></td>
@@ -98,11 +98,11 @@
 	{% for player in players %}
 		{% set i = i + 1 %}
 		<tr bgcolor="{{ getStyle(i) }}">
-		{% if config.account_country %}
+		{% if setting('core.account_country') %}
 			<td>{{ player.country_image|raw }}</td>
 		{% endif %}
-		{% if config.online_outfit %}
-			<td width="5%"><img style="position:absolute;margin-top:{% if player.player.looktype in config.outfit_images_wrong_looktypes %}-20px;margin-left:-0px;{% else %}-45px;margin-left:-25px;{%  endif %}" src="{{ player.outfit }}" alt="player outfit"/></td>
+		{% if setting('core.online_outfit') %}
+			<td width="5%"><img style="position:absolute;margin-top:{% if player.player.looktype in setting('core.outfit_images_wrong_looktypes') %}-20px;margin-left:-0px;{% else %}-45px;margin-left:-25px;{%  endif %}" src="{{ player.outfit }}" alt="player outfit"/></td>
 		{% endif %}
 			<td>{{ player.name|raw }}{{ player.skull }}</td>
 			<td>{{ player.level }}</td>
diff --git a/system/templates/serverinfo.html.twig b/system/templates/serverinfo.html.twig
index 2202ba74..e16eceb8 100644
--- a/system/templates/serverinfo.html.twig
+++ b/system/templates/serverinfo.html.twig
@@ -47,7 +47,7 @@
     {%  if houseLevel %}
     <li>Houses: <b>{{ houseLevel }} level</b></li>
     {%  endif %}
-    <li>Guilds: <b>{{ config.guild_need_level }} level</b> (Create via website)</li>
+    <li>Guilds: <b>{{ setting('core.guild_need_level') }} level</b> (Create via website)</li>
     <br>
 
     <h2>Frags & Skull system</h2>
@@ -99,4 +99,4 @@
     <h2>Other</h2>
     <li>Respect our <a href="{{ getLink('rules') }}">rules</a>.</li>
     <li>Please report rule violations (Botters, players breaking rules etc) with <b>CTRL + R</b>.</li>
-</ul>
\ No newline at end of file
+</ul>
diff --git a/system/templates/team.html.twig b/system/templates/team.html.twig
index a979e670..6fa5155d 100644
--- a/system/templates/team.html.twig
+++ b/system/templates/team.html.twig
@@ -17,7 +17,7 @@
 			<td>
 				<div class="InnerTableContainer">
 					{% set i = 0 %}
-					{% if config.team_style == 1 %}
+					{% if setting('core.team_style') == 1 %}
 
 						<table border="0" cellpadding="4" cellspacing="1" width="100%">
 							<tr bgcolor="{{ config.vdarkborder }}">
@@ -63,12 +63,12 @@
 
 										{% if setting('core.team_outfit') %}
 										<td>
-											<img style="position: absolute; margin-top: {% if member.player.looktype in config.outfit_images_wrong_looktypes %}-16px;margin-left:-0px;{% else %} -45px; margin-left: -30px;{%  endif %}" src="{{ member.outfit }}" alt="player outfit"/>
+											<img style="position: absolute; margin-top: {% if member.player.looktype in setting('core.outfit_images_wrong_looktypes') %}-16px;margin-left:-0px;{% else %} -45px; margin-left: -30px;{%  endif %}" src="{{ member.outfit }}" alt="player outfit"/>
 										</td>
 										{% endif %}
 
 										<td>
-											{% if config.account_country %}
+											{% if setting('core.account_country') %}
 												{{ member.flag_image|raw }}
 											{% endif %}
 											{{ member.link|raw }}
@@ -100,7 +100,7 @@
 								{% endif %}
 							{% endfor %}
 						</table>
-					{% elseif config.team_style == 2 %}
+					{% elseif setting('core.team_style') == 2 %}
 						{% for group in groupmember|reverse %}
 							{% if group.members is not empty %}
 							<div style="text-align:center"><h2>{{ group.group_name|capitalize }}</h2></div>
@@ -141,12 +141,12 @@
 									<tr bgcolor="{{ getStyle(i) }}" style="height: 32px;">
 									{% if setting('core.team_outfit') %}
 									<td>
-										<img style="position: absolute; margin-top: {% if member.player.looktype in config.outfit_images_wrong_looktypes %}-16px;margin-left:-0px;{% else %} -45px; margin-left: -30px;{%  endif %}" src="{{ member.outfit }}" alt="player outfit"/>
+										<img style="position: absolute; margin-top: {% if member.player.looktype in setting('core.outfit_images_wrong_looktypes') %}-16px;margin-left:-0px;{% else %} -45px; margin-left: -30px;{%  endif %}" src="{{ member.outfit }}" alt="player outfit"/>
 									</td>
 									{% endif %}
 
 									<td>
-										{% if config.account_country %}
+										{% if setting('core.account_country') %}
 											{{ member.flag_image|raw }}
 										{% endif %}
 										{{ member.link|raw }}
diff --git a/system/templates/templates.header.html.twig b/system/templates/templates.header.html.twig
index 32c398f7..cded84de 100644
--- a/system/templates/templates.header.html.twig
+++ b/system/templates/templates.header.html.twig
@@ -1,12 +1,14 @@
 <meta charset="{{ charset }}">
 <meta http-equiv="content-language" content="{{ config.language }}" />
 <meta http-equiv="content-type" content="text/html; charset={{ charset }}" />
+<!-- CSRF Token -->
+<meta name="csrf-token" content="{{ csrfToken() }}">
 {% if not is_admin %}
 <base href="{{ constant('BASE_URL') }}" />
 <title>{{ title }}</title>
 {% endif %}
-<meta name="description" content="{{ config.meta_description }}" />
-<meta name="keywords" content="{{ config.meta_keywords }}, myaac, wodzaac" />
+<meta name="description" content="{{ setting('core.meta_description') }}" />
+<meta name="keywords" content="{{ setting('core.meta_keywords') }}, myaac, wodzaac" />
 <meta name="generator" content="MyAAC" />
 <link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/messages.css" />
 <script type="text/javascript" src="{{ constant('BASE_URL') }}tools/js/jquery.min.js"></script>
diff --git a/system/twig.php b/system/twig.php
index 5eb35c68..0222353a 100644
--- a/system/twig.php
+++ b/system/twig.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use Twig\Environment as Twig_Environment;
 use Twig\Extension\DebugExtension as Twig_DebugExtension;
 use Twig\Loader\FilesystemLoader as Twig_FilesystemLoader;
@@ -30,7 +31,7 @@ if($dev_mode) {
 }
 unset($dev_mode);
 
-$filter = new Twig_SimpleFilter('timeago', function ($datetime) {
+$filter = new TwigFilter('timeago', function ($datetime) {
 
 	$time = time() - strtotime($datetime);
 
@@ -118,9 +119,21 @@ $function = new TwigFunction('getCustomPage', function ($name) {
 });
 $twig->addFunction($function);
 
+$function = new TwigFunction('csrf', function () {
+	csrf();
+});
+$twig->addFunction($function);
+
+$function = new TwigFunction('csrfToken', function () {
+	return csrfToken();
+});
+$twig->addFunction($function);
+
 $filter = new TwigFilter('urlencode', function ($s) {
 	return urlencode($s);
 });
 
 $twig->addFilter($filter);
 unset($function, $filter);
+
+$hooks->trigger(HOOK_TWIG, ['twig' => $twig, 'twig_loader' => $twig_loader]);
diff --git a/templates/kathrine/menu.js.html.twig b/templates/kathrine/menu.js.html.twig
index 7cd25c59..adf7ceb0 100644
--- a/templates/kathrine/menu.js.html.twig
+++ b/templates/kathrine/menu.js.html.twig
@@ -1,7 +1,7 @@
 var list = new Array();
 {% set i = 0 %}
 {% for cat in categories %}
-	{% if cat.id != 'shops' or config.gifts_system %}
+	{% if cat.id != 'shops' or setting('core.gifts_system') %}
 	list[{{ i }}] = '{{ cat.id }}';
 	{% endif %}
 {% set i = i + 1 %}
diff --git a/templates/tibiacom/account.login.html.twig b/templates/tibiacom/account.login.html.twig
index d71ac78e..3e459a8b 100644
--- a/templates/tibiacom/account.login.html.twig
+++ b/templates/tibiacom/account.login.html.twig
@@ -115,14 +115,14 @@
 											<tr>
 												<td >
 													<div style="float: right; margin-top: 20px;" >
-														{% spaceless %}
+														{% apply spaceless %}
 														<form class="MediumButtonForm" action="{{ getLink('account/create') }}" method="post" >
 															<div class="MediumButtonBackground" style="background-image:url({{ template_path }}/images/global/buttons/mediumbutton.gif)" onMouseOver="MouseOverBigButton(this);" onMouseOut="MouseOutBigButton(this);">
 																<div class="MediumButtonOver" style="background-image:url({{ template_path }}/images/global/buttons/mediumbutton-over.gif)" onMouseOver="MouseOverBigButton(this);" onMouseOut="MouseOutBigButton(this);"></div>
 																<input class="MediumButtonText" type="image" name="Create Account" alt="Create Account" src="{{ template_path }}/images/global/buttons/mediumbutton_createaccount.png" />
 															</div>
 														</form>
-														{% endspaceless %}
+														{% endapply %}
 													</div>
 													<div id="LoginCreateAccountBox" >
 														<p><b>{{ config.lua.serverName }}...</b></p>
diff --git a/templates/tibiacom/account.management.html.twig b/templates/tibiacom/account.management.html.twig
index e1106e8c..b5195ce9 100644
--- a/templates/tibiacom/account.management.html.twig
+++ b/templates/tibiacom/account.management.html.twig
@@ -35,7 +35,7 @@
 			<td>
 				<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
 			</td>
-			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
+			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
 			<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
 		</tr>
 	</table>
diff --git a/templates/tibiacom/boxes/highscores.php b/templates/tibiacom/boxes/highscores.php
index 808bb237..a2f371fa 100644
--- a/templates/tibiacom/boxes/highscores.php
+++ b/templates/tibiacom/boxes/highscores.php
@@ -3,8 +3,8 @@
 $topPlayers = getTopPlayers(5);
 foreach($topPlayers as &$player) {
 	$outfit_url = '';
-	if($config['online_outfit']) {
-		$outfit_url = $config['outfit_images_url'] . '?id=' . $player['looktype']	. (!empty
+	if (setting('core.online_outfit')) {
+		$outfit_url = setting('core.outfit_images_url') . '?id=' . $player['looktype']	. (!empty
 			($player['lookaddons']) ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'];
 
 		$player['outfit'] = $outfit_url;
diff --git a/templates/tibiacom/boxes/templates/highscores.html.twig b/templates/tibiacom/boxes/templates/highscores.html.twig
index 0cac1f0a..c5eb5516 100644
--- a/templates/tibiacom/boxes/templates/highscores.html.twig
+++ b/templates/tibiacom/boxes/templates/highscores.html.twig
@@ -45,8 +45,8 @@
 	<div class="top_level" style="background:url({{ template_path }}/images/themeboxes/bg_top.png)" align="	">
     {% for player in topPlayers %}
 	    <div style="text-align:left"><a href="{{ getPlayerLink(player['name'], false) }} " class="topfont {% if player['online'] %}online{% else %}offline{% endif %}">
-			{% if config.online_outfit %}
-				<img style="position:absolute;margin-top:{% if player.looktype in config.outfit_images_wrong_looktypes %}-20px;margin-left:-0px;{% else %}-45px;margin-left:-25px;{%  endif %}" src="{{ player.outfit }}" alt="player outfit"/>
+			{% if setting('core.online_outfit') %}
+				<img style="position:absolute;margin-top:{% if player.looktype in setting('core.outfit_images_wrong_looktypes') %}-20px;margin-left:-0px;{% else %}-45px;margin-left:-25px;{%  endif %}" src="{{ player.outfit }}" alt="player outfit"/>
 			{% endif %}
 				<span style="color: #CCC; margin-left: 40px">{{ player['rank'] }} - </span>
 				{{ player['name'] }}
diff --git a/templates/tibiacom/buttons.base.html.twig b/templates/tibiacom/buttons.base.html.twig
index 6833a61d..fe8447dc 100644
--- a/templates/tibiacom/buttons.base.html.twig
+++ b/templates/tibiacom/buttons.base.html.twig
@@ -1,8 +1,8 @@
-{% spaceless %}
+{% apply spaceless %}
 <div class="BigButton" style="background-image:url({{ template_path }}/images/global/buttons/button_blue.gif)">
 	<div onMouseOver="MouseOverBigButton(this);" onMouseOut="MouseOutBigButton(this);">
 		<div class="BigButtonOver" style="background-image:url({{ template_path }}/images/global/buttons/{% if button_color is defined and button_color == 'green' %}button_green{% else %}button_blue_over{% endif %}.gif);" ></div>
 		<input class="BigButtonText" type="submit" value="{{ button_name }}">
 	</div>
 </div>
-{% endspaceless %}
+{% endapply %}
diff --git a/templates/tibiacom/index.php b/templates/tibiacom/index.php
index 6bb5f445..65f78018 100644
--- a/templates/tibiacom/index.php
+++ b/templates/tibiacom/index.php
@@ -28,7 +28,7 @@ if(isset($config['boxes']))
 		<?php
 			if(PAGE !== 'news') {
 				if(isset($_REQUEST['subtopic'])) {
-					$tmp = $_REQUEST['subtopic'];
+					$tmp = escapeHtml($_REQUEST['subtopic']);
 					if($tmp === 'accountmanagement') {
 						$tmp = 'accountmanage';
 					}
@@ -123,8 +123,8 @@ if(isset($config['boxes']))
 		  document.getElementById("submenu_"+activeSubmenuItem).style.color = "white";
 		  document.getElementById("ActiveSubmenuItemIcon_"+activeSubmenuItem).style.visibility = "visible";
 		  menus = localStorage.getItem('menus');
-		  if(menus.lastIndexOf("&") === -1) {
-			  menus = "news=1&account=0&community=0&library=0&forum=0<?php if($config['gifts_system']) echo '&shops=0'; ?>&";
+		  if(menus == null || menus.lastIndexOf("&") === -1) {
+			  menus = "news=1&account=0&community=0&library=0&forum=0<?php if (setting('core.gifts_system')) echo '&shops=0'; ?>&";
 		  }
 		  FillMenuArray();
 		  InitializeMenu();
@@ -329,7 +329,7 @@ if(isset($config['boxes']))
 $menus = get_template_menus();
 
 foreach($config['menu_categories'] as $id => $cat) {
-	if(!isset($menus[$id]) || ($id == MENU_CATEGORY_SHOP && !$config['gifts_system'])) {
+	if(!isset($menus[$id]) || ($id == MENU_CATEGORY_SHOP && !setting('core.gifts_system'))) {
 		continue;
 	}
 	?>
@@ -368,7 +368,7 @@ foreach($config['menu_categories'] as $id => $cat) {
 	?>
 	</div>
 	<?php
-	if($id == MENU_CATEGORY_SHOP || (!$config['gifts_system'] && $id == MENU_CATEGORY_SHOP - 1)) {
+	if($id == MENU_CATEGORY_SHOP || (!setting('core.gifts_system') && $id == MENU_CATEGORY_SHOP - 1)) {
 	?>
 		<div id='MenuBottom' style='background-image:url(<?php echo $template_path; ?>/images/general/box-bottom.gif);'></div>
 	<?php
diff --git a/templates/tibiacom/news.featured_article.html.twig b/templates/tibiacom/news.featured_article.html.twig
index fa704814..58b69a93 100644
--- a/templates/tibiacom/news.featured_article.html.twig
+++ b/templates/tibiacom/news.featured_article.html.twig
@@ -20,16 +20,7 @@
 						<b>
 							<p>{{ article.title|raw }}
 								{% if canEdit %}
-									<a href="{{ constant('ADMIN_URL') }}?p=news&action=edit&id={{ article.id }}" title="Edit">
-										<img src="images/edit.png"/>Edit
-									</a>
-									<a id="delete" href="{{ constant('ADMIN_URL') }}?p=news&action=delete&id={{ article.id }}" onclick="return confirm('Are you sure?');" title="Delete">
-										<img src="images/del.png"/>Delete
-									</a>
-									<a href="{{ constant('ADMIN_URL') }}?p=news&action=hide&id={{ article.id }}" title="{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}">
-										<img src="images/{% if article.hidden != 1 %}success{% else %}error{% endif %}.png"/>
-										{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}
-									</a>
+									{{ include('admin.links.html.twig', {page: 'news', id: article.id, hidden: article.hidden }) }}
 								{% endif %}
 							</p>
 						</b>
diff --git a/tools/news_preview.php b/tools/news_preview.php
index a1709e81..3330b0e8 100644
--- a/tools/news_preview.php
+++ b/tools/news_preview.php
@@ -85,9 +85,9 @@ if(isset($_GET['title'], $_GET['body'], $_GET['player_id'], $_GET['category'], $
 				'content' => $_GET['body'],
 				'date' => time(),
 				'icon' => $categories[$_GET['category']]['icon_id'],
-				'author' => $config['news_author'] ? $author : '',
+				'author' => setting('core.news_author') ? $author : '',
 				'comments' => null,
-				'news_date_format' => $config['news_date_format'],
+				'news_date_format' => setting('core.news_date_format'),
 				'hidden'=> 0
 			)));
 	}
diff --git a/tools/validate.php b/tools/validate.php
index ff9176e6..78140085 100644
--- a/tools/validate.php
+++ b/tools/validate.php
@@ -46,7 +46,7 @@ else if(isset($_GET['email']))
 	if(!Validator::email($email))
 		error_(Validator::getLastError());
 
-	if($config['account_mail_unique'])
+	if(setting('core.account_mail_unique'))
 	{
 		if(Account::where('email', '=', $email)->exists())
 			error_('Account with this e-mail already exist.');
@@ -75,9 +75,9 @@ else if(isset($_GET['name']))
 
 	success_('Good. Your name will be:<br /><b>' . (admin() ? $name : ucwords($name)) . '</b>');
 }
-else if(isset($_GET['password']) && isset($_GET['password2'])) {
+else if(isset($_GET['password']) && isset($_GET['password_confirm'])) {
 	$password = $_GET['password'];
-	$password2 = $_GET['password2'];
+	$password_confirm = $_GET['password_confirm'];
 
 	if(!isset($password[0])) {
 		error_('Please enter the password for your new account.');
@@ -86,7 +86,7 @@ else if(isset($_GET['password']) && isset($_GET['password2'])) {
 	if(!Validator::password($password))
 		error_(Validator::getLastError());
 
-	if($password != $password2)
+	if($password != $password_confirm)
 		error_('Passwords are not the same.');
 
 	success_(1);