Security should be the main concern for all web developers. One of the most common website attacks is the classic brute-force password attack. A hacker finds the Umbraco admin URL and then runs a dictionary attack trying to get access to the site.
One simple way to make this a lot harder is to change the default admin URL so hackers can’t find your log-in page as easily. In today’s guide, I’m going to cover how to change your admin URL from ‘umbraco’ to ‘secret’.
Configuring Your Website
First, load up your web.config and look for the two app settings entries below:
<add key="umbracoReservedPaths" value="~/umbraco,~/install/" />
<add key="umbracoPath" value="~/umbraco" />
In both entries, change the ‘umbraco’ part of the value to the new admin URL you want to use (it’s still a web URL, so don’t put invalid characters in there!). My web.config now looks like this:
<add key="umbracoReservedPaths" value="~/secret,~/install/" />
<add key="umbracoPath" value="~/secret" />
Next, in File Explorer, go to your webroot, find the umbraco folder and rename it to the new admin URL prefix. In my example this is secret.
Now, load your website and add the new URL prefix to your website’s URL. The Umbraco admin back-end should now load 🙂
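The two app settings and the folder name have to agree, which is easy to get wrong when editing by hand. The Python check below is an added example, not part of the original post; it assumes the first approach (folder renamed), and the function names and the temporary sample webroot are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def app_settings(web_config):
    """Return the key/value pairs under <appSettings> in a web.config file."""
    root = ET.parse(web_config).getroot()
    return {a.get("key"): a.get("value", "") for a in root.findall("appSettings/add")}

def check_admin_path(webroot):
    """Return a list of problems; an empty list means the rename is consistent."""
    settings = app_settings(os.path.join(webroot, "web.config"))
    path = settings.get("umbracoPath", "").strip().rstrip("/")
    if not path.startswith("~/") or len(path) < 3:
        return ["umbracoPath is missing or is not of the form ~/name"]
    folder = path[2:]
    reserved = [p.strip().rstrip("/").lower()
                for p in settings.get("umbracoReservedPaths", "").split(",")]
    problems = []
    if path.lower() not in reserved:
        problems.append(f"{path} is not listed in umbracoReservedPaths")
    if not os.path.isdir(os.path.join(webroot, folder)):
        problems.append(f"folder '{folder}' does not exist in the webroot")
    if folder.lower() == "umbraco":
        problems.append("umbracoPath still uses the default ~/umbraco")
    else:
        if "~/umbraco" in reserved:
            problems.append("umbracoReservedPaths still lists ~/umbraco")
        if os.path.isdir(os.path.join(webroot, "umbraco")):
            problems.append("old 'umbraco' folder is still present")
    return problems

def make_sample_webroot(path_value, reserved_value, folder_name):
    """Build a constructed webroot (temp directory) for trying the check offline."""
    webroot = tempfile.mkdtemp()
    os.mkdir(os.path.join(webroot, folder_name))
    with open(os.path.join(webroot, "web.config"), "w") as fh:
        fh.write('<configuration><appSettings>'
                 f'<add key="umbracoReservedPaths" value="{reserved_value}" />'
                 f'<add key="umbracoPath" value="{path_value}" />'
                 '</appSettings></configuration>')
    return webroot

if __name__ == "__main__":
    # Constructed samples: a finished rename, then a half-finished one.
    print(check_admin_path(make_sample_webroot("~/secret", "~/secret,~/install/", "secret")))
    print(check_admin_path(make_sample_webroot("~/secret", "~/umbraco,~/install/", "umbraco")))
```

To run it against a real site, call check_admin_path with the path to your own webroot instead of the sample directories.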
I should warn you that, over the years, this admin URL change seems to cause certain issues on some installs. If you have issues with the approach above, you can try using a URL rewrite. In your ‘/config/urlrewriting.config’ file, add this rule:
<add name="adminrewrite" virtualUrl="^~/secret/" rewriteUrlParameter="ExcludeFromClientQueryString" destinationUrl="~/umbraco/umbraco.aspx" ignoreCase="true" />
In today’s guide, we’ve talked about the security issues of keeping the default Umbraco back-end URL. We’ve covered two ways of changing this default URL: one by editing the web.config and renaming the umbraco folder, the other by adding a rewrite rule.
I personally recommend using the first approach, but over the years, a number of people have had issues implementing this, so for your project it’s probably worth seeing what works for you and just going with it.