In this tutorial, you will learn how to disable the Sitecore admin on your content delivery server. When you work with any CMS platform, a content editor has to type the back-end URL into a browser in order to access the CMS. With Sitecore the default admin URL is this:
The issue with exposing your CMS editor over the internet is that anyone can access this URL. This means if some clever-dick typed /Sitecore onto the end of your website's domain and correctly guessed a valid username and password, they would get access to the CMS. Guessing a username and password is highly unlikely; however, if they used a brute-forcing tool they could get access to the back-end.
For this reason, it's always best practice to prevent a site visitor, or anyone external to your company, from accessing the admin login page. If you run your Sitecore environment with separate staging and live servers, then you should disable the Sitecore admin on the live nodes and keep it open only in your authoring/staging environment. Doing this is simple, so let's go over the steps!
The quick and easy way to lock an environment down is via IIS authentication. In IIS, open up your website and expand the Sitecore folder. Select the Admin folder and open the Authentication feature:
From the authentication dialogue, make sure Anonymous Authentication is set to Disabled. You also need to repeat this on the login folder:
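The same two changes can be scripted so they are applied consistently on every content delivery node, and checked afterwards. This is an added example, not code from the original post; it assumes the IIS site is named "Default Web Site" and is publicly reachable at https://www.example.com, so change both values to match your environment.

```powershell
# Added example (not from the original post): disable Anonymous Authentication on
# the Sitecore admin and login folders of a content delivery site using the
# WebAdministration module, then confirm both folders now answer with a 401.
# Assumptions: IIS site name "Default Web Site" and public host https://www.example.com.
Import-Module WebAdministration

$siteName = 'Default Web Site'          # assumed IIS site name
$siteUrl  = 'https://www.example.com'   # assumed public host name of the CD site
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

foreach ($folder in 'sitecore/admin', 'sitecore/login') {
    # This writes the same setting the IIS Authentication dialogue does. The
    # anonymousAuthentication section is locked at server level by default, so
    # IIS stores it as a <location> entry in applicationHost.config rather than
    # in the site's web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$folder" `
        -Filter $filter -Name 'enabled' -Value $false

    # Read the value back so the script fails loudly if the change did not stick.
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$folder" `
        -Filter $filter -Name 'enabled').Value
    if ($enabled) { throw "Anonymous authentication is still enabled on $folder" }
    Write-Host "$folder : anonymous authentication disabled"
}

# Verification from the outside: with anonymous access off and no other
# authentication method enabled, IIS refuses the request with 401 before the
# Sitecore login page is ever served.
foreach ($path in '/sitecore/admin/', '/sitecore/login') {
    try {
        $response = Invoke-WebRequest -Uri "$siteUrl$path" -UseBasicParsing
        Write-Warning "$path still served HTTP $($response.StatusCode); check the setting."
    } catch {
        # Windows PowerShell and PowerShell 7 throw different exception types on
        # 4xx, but both expose the response status code the same way.
        $status = [int]$_.Exception.Response.StatusCode
        Write-Host "$path -> HTTP $status (expected 401)"
    }
}
```

Run it from an elevated PowerShell session on the CD server; the HTTP check at the end is what a monitoring job can repeat after each deployment to confirm the lock-down has not been overwritten.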
After doing this, try to load your Sitecore admin and you should see this error:
When you try to view the back-end Sitecore login page you will now see a 401.2 - Unauthorized error instead of the Sitecore log-in page. Your admin is now secure from the world. Happy Coding 🤘