Umbraco security should be a topic of huge importance for every website owner. Google blacklists over 20,000 websites each week, and cybercrime damages are expected to cost the world $6 trillion by 2021. If you are serious about your brand, your company and your website, then you need to consider some Umbraco security best practices.
It seems like every week there's a new update, framework, or design pattern being released, and keeping up to date with good practice is a common challenge for web developers. With these innovations come new vulnerabilities and threats. In this guide, I'll share some useful security advice to help you protect your website against hackers and malware.
Use HTTPS: HTTPS creates a secure connection between your client's browser and your website. It prevents man-in-the-middle (MITM) attacks, where someone tries to intercept the data being sent from a customer to you. HTTPS is relatively easy to set up and the annual cost is minimal, so there really is no excuse for not implementing it. HTTPS can also give you SEO benefits; see Umbraco SEO, HTTP or HTTPS?
Use Secure Cookies: Now that your website is running over HTTPS, you should also make sure that your cookies are secure. This can be done via your web.config.
Don't Leave Your Umbraco Editor URL Public: One massive vulnerability, which lets attackers ruin your brand or steal data, is logging into the Umbraco editor and changing your content. When you release an Umbraco site, anyone who types www.website.com/umbraco into their browser will see the Umbraco log-in screen. From there, they can attempt to brute-force their way into your website. One simple and quick way to secure your website is to disable the editor on the public site. There are several ways to do this, including How To Change The Umbraco 7 Admin Url and How To Change The Umbraco Backend Url. My recommendation is to create a sub-domain like admin.website.com and only allow access to the Umbraco backend through this URL (see the second link above).
Do not use 'admin': Do not create a user account called 'Admin' for your main administrator account, as this will be the first account people try to brute-force. Also, only add new user accounts with care: the fewer accounts that have access to Umbraco, the harder it is to get in. Don't use short, simple dictionary words for your password; use random words with a mix of characters. The longer a password is, the harder it is to crack, so a minimum of 9 characters is a good recommendation.
User Permissions: If you have users who only update content, don't give everyone the default 'admin' permissions. The more accounts you can lock down, the more secure your website becomes. The other benefit of locking Umbraco down is that if something goes wrong, it's a lot easier to figure out who did what.
Validate Any Form Data: One of the most common ways people hack into a website is through forms. If you have a 'contact me' form, a log-in form, or basically any form that lets a user post information back to your server, you need to validate it. How you do this can vary; I always recommend using the default MVC anti-forgery token and attribute.
Validate Any Querystrings That Your Code Reads: The second easiest way to get into a system is via query string parameters. If you have custom code that reads query string data, this is an area where people might be able to use SQL injection to get data from your database. Any page that reads any type of query string also needs to be locked down.
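To make the query-string point concrete, here is an added C# example (not code from the original post): the first method pastes a raw query-string value into SQL text, the second validates the value's shape and passes it as a typed parameter. The `Products` table, the `id` parameter name and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // Assumed connection string; on a real site this comes from web.config.
    private const string ConnectionString =
        "Server=.;Database=Site;Integrated Security=true";

    // VULNERABLE: rawId is whatever arrived in Request.QueryString["id"],
    // so any text placed in ?id= becomes part of the SQL statement.
    public static string GetProductNameUnsafe(string rawId)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Id = " + rawId, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // HARDENED: first check that the value has the shape the page expects
    // (a positive integer), then bind it as a typed parameter so the
    // database driver never treats it as SQL.
    public static string GetProductName(string rawId)
    {
        int id;
        if (!int.TryParse(rawId, out id) || id <= 0)
        {
            // Reject rather than guess; the controller can turn this into a 400 or 404.
            throw new ArgumentException("id must be a positive integer");
        }

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

In an Umbraco controller you would call `GetProductName(Request.QueryString["id"])`; the same validate-then-parameterise pattern applies to any other query-string value your code reads.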
Software Architect, Programmer and Technologist Jon Jones is founder and CEO of London-based tech firm Digital Prompt. He has been working in the field for nearly a decade, specializing in new technologies and technical solution research in the web business. A passionate blogger at heart, speaker and consultant from England, always on the hunt for the next challenge.