In this tutorial, you will learn about some important concepts to help secure your Umbraco instance. Umbraco security should be a topic of huge importance for every website owner. Google blacklists over 20,000 websites each week, and cybercrime damages are expected to cost the world $6 trillion by 2021. If you are serious about your brand, your company and your website, you need to consider some Umbraco security best practices before launching your site. It seems like every week there's a new update, framework, or hotfix released to fix some issue or bug, and keeping up to date with all these changes is a common challenge for web developers. With new innovations come new vulnerabilities and threats. In this guide, I'll share some useful security advice to help you protect your website against hackers and malware 🔓⛓.
Use HTTPS
HTTPS creates an encrypted connection between a visitor's browser and your website. It prevents man-in-the-middle (MITM) attacks, where an attacker on the network intercepts or alters the data travelling between the browser and your server. Enabling HTTPS on your website is relatively easy to set up and the annual cost is minimal, so there really is no excuse for not implementing it nowadays. To persuade you of the benefits even more, HTTPS can also give you SEO bonus points: see Umbraco SEO, HTTP or HTTPS? 🧨️🧨️🧨️
Use Secure Cookies
Assuming your website is running over HTTPS and the backend is running over HTTPS (read here), you will also need to make sure that your cookies are marked as secure, so that the browser only ever sends them over HTTPS. This is done in your web.config: in the system.web section, add an element that makes cookies secure.
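The web.config fragment below is an added example and not the element from the original post; it uses the standard ASP.NET httpCookies element, which applies to every cookie the application issues (Umbraco's own authentication cookie included). The httpOnlyCookies attribute is an extra I've included, not something the section above asks for.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Added example, not from the original post.
         requireSSL="true"      : every cookie gets the Secure flag, so browsers
                                  never send it over plain HTTP.
         httpOnlyCookies="true" : every cookie gets the HttpOnly flag, so script
                                  in the page cannot read it (limits XSS impact). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With requireSSL set, a site that still answers on plain HTTP will appear to "forget" logins, because the browser drops the cookie on the HTTP request. That is the expected behaviour and a useful check that every path into the backend really is HTTPS-only.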
Don't Leave Your Umbraco Editor URL Public
One way for hackers to try to ruin your brand is by logging into the Umbraco editor, changing your content and publishing it. When you release an Umbraco site, anyone in the world who requests your website with the /umbraco segment appended will see the Umbraco log-in screen and will learn that you are using Umbraco. With access to the CMS login page, they can then attempt to brute-force their way into your website. To make your website more secure you will need to fix this. There are several ways to do this, including How To Change The Umbraco 7 Admin Url and How To Change The Umbraco Backend Url.
My recommendation is to create a sub-domain like admin.website.com and only allow access to the Umbraco backend through this URL (see the second link on how to do this 💥💥💥).
Do not use 'admin' as your username or password
Do not use the 'Admin' account for your main administrator account, as this will be the first account people will try to brute-force. Only add new user accounts with care. The fewer active accounts you allow, the harder it will be for hackers to get in. In line with typical good password advice, don't use short, simple dictionary words for your password. Use random words with a mix of characters. The longer a password is, the harder it is to crack. Forcing passwords to contain a minimum of 9 characters is a good practice.
User Permissions
If you have users that only update content, don't give everyone the default 'admin' permissions or access to everything in the CMS. The more accounts you can lock down, the more secure your website will become. The other benefit of locking Umbraco down is that if something goes wrong, it's a lot easier to figure out who did what.
Validate Any Form Data
One of the more common ways people can do malicious things on your site is through badly written forms. Any form that allows a user to post information back to your server needs to be secured. How you do this can vary; I always recommend using the default MVC anti-forgery token and attribute (see example here).
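The controller below is an added example, not the one linked from the original post. It is a plain ASP.NET MVC controller (in Umbraco the same two attributes work unchanged on a SurfaceController); the model, action names and the ContactStore class are assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example, not from the original post. Every field is bounded so a
// malicious or buggy client cannot post unlimited data.
public class ContactFormModel
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }

    [Required, StringLength(2000)]
    public string Message { get; set; }
}

// Hypothetical in-memory store standing in for a database or mail sender.
public static class ContactStore
{
    public static readonly List<ContactFormModel> Saved = new List<ContactFormModel>();
    public static void Save(ContactFormModel m) { Saved.Add(m); }
}

public class ContactController : Controller
{
    // GET renders the form. The view must emit the token inside the <form>
    // with @Html.AntiForgeryToken(); without it every POST below is rejected.
    [HttpGet]
    public ActionResult Index()
    {
        return View(new ContactFormModel());
    }

    // POST only. [ValidateAntiForgeryToken] checks that the hidden form field
    // and the __RequestVerificationToken cookie match, so a form hosted on
    // another site cannot submit on behalf of a logged-in visitor (CSRF).
    // Model validation rejects missing, malformed or oversized fields.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(ContactFormModel model)
    {
        if (!ModelState.IsValid)
        {
            // Re-render with validation messages; nothing has been persisted.
            return View(model);
        }

        // Values are treated as untrusted text from here on, never as HTML or SQL.
        ContactStore.Save(model);

        // Redirect after POST so a refresh cannot resubmit the form.
        return RedirectToAction("Thanks");
    }

    [HttpGet]
    public ActionResult Thanks()
    {
        return View();
    }
}
```

The attribute pair is only useful if the GET and POST actions are separated as above: an action without [HttpPost] that also accepts POST data would silently bypass the check.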
Validate All Querystrings That Your Code Reads
The second easiest way to compromise a system is via query string parameter attacks. If you have custom code that reads query string data, this is an area where people might be able to use SQL injection to get data from your database. Any controller that reads a value from a query string needs to be locked down, and the value must never be passed directly into a SQL query!
Never use Html.Raw
If you use MVC, you should avoid using @Html.Raw. Whenever you use @Html.Raw, you are not encoding your output, which can leave you vulnerable to cross-site scripting (XSS). Always render data via properties and view models instead, and do any HTML parsing logic in backend code, where it can be reviewed and tested.
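An added example (not from the original post) of "do the HTML logic in the backend": the view model decides what is text and what is markup, so the view never needs Html.Raw. The class, property names and the paragraph-splitting rule are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original post.
public class ArticleViewModel
{
    // Plain string: Razor's @Model.Title HTML-encodes it automatically, so a
    // title of "<script>alert(1)</script>" renders as harmless visible text.
    public string Title { get; set; }

    // IHtmlString: Razor renders this WITHOUT encoding. It is therefore built
    // only by BuildBody, which encodes the input before adding any markup.
    public IHtmlString Body { get; private set; }

    public ArticleViewModel(string title, string untrustedBody)
    {
        Title = title;
        Body = BuildBody(untrustedBody);
    }

    // Encode everything the user supplied first, then reintroduce only the
    // markup we choose to allow (paragraph breaks on blank lines). Any tag the
    // user typed stays encoded, e.g. "<img onerror=...>" becomes "&lt;img ...&gt;".
    public static IHtmlString BuildBody(string untrusted)
    {
        if (string.IsNullOrEmpty(untrusted)) return MvcHtmlString.Empty;

        string encoded = HttpUtility.HtmlEncode(untrusted);
        string[] paragraphs = encoded.Split(
            new[] { "\r\n\r\n", "\n\n" }, StringSplitOptions.RemoveEmptyEntries);

        return MvcHtmlString.Create("<p>" + string.Join("</p><p>", paragraphs) + "</p>");
    }
}

// In the Razor view:
//   @Model.Title   -> encoded automatically because it is a string
//   @Model.Body    -> rendered as-is because it is an IHtmlString, which is safe
//                     only because BuildBody encoded the input before adding <p>
// What the section warns against: @Html.Raw(Model.SomeUserSuppliedField)
// hands user input to the browser unencoded.
```

Content that legitimately contains rich text (an Umbraco rich-text editor property written by trusted editors) is a different case from visitor-supplied text; the pattern above is for anything a visitor can type.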
Don't Write Sensitive Data Into The Logs
If you use Log4Net for logging, make sure that you don't write any sensitive customer data, like usernames and passwords, as plain text in your logs. I've seen several companies do this now. All a hacker would need to do is get a copy of those log files, and they could log in as your customers. On that matter, turn off detailed error mode in your logs on release as well!
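An added example, not from the original post, of keeping credentials out of log4net output: a small wrapper that masks the identity and strips secret-looking key/value pairs before the message reaches the logger. The key names it recognises and the masking rules are assumptions for the example.

```csharp
using System;
using System.Text.RegularExpressions;
using log4net;

// Added example, not from the original post.
public static class SafeLog
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(SafeLog));

    // Matches key=value or "key": "value" pairs whose key looks like a secret.
    // The value ends at &, ;, comma, quote or whitespace.
    private static readonly Regex SecretPattern = new Regex(
        @"(?i)(password|passwd|pwd|token|secret)(\s*[=:]\s*""?)([^&;,""\s]+)",
        RegexOptions.Compiled);

    // Replace the secret value but keep the key, so the log still shows what
    // was present without showing what it was.
    public static string Redact(string message)
    {
        if (string.IsNullOrEmpty(message)) return message;
        return SecretPattern.Replace(message,
            m => m.Groups[1].Value + m.Groups[2].Value + "[REDACTED]");
    }

    // Keep enough of an email address to correlate events for one account,
    // not enough to reconstruct the address from the log.
    public static string MaskEmail(string email)
    {
        if (string.IsNullOrEmpty(email)) return "[none]";
        int at = email.IndexOf('@');
        if (at <= 1) return "*" + (at < 0 ? "" : email.Substring(at));
        return email.Substring(0, 1) + "***" + email.Substring(at);
    }

    // The password is deliberately not a parameter: there is no way to log it.
    public static void LoginAttempt(string email, bool success, string remoteIp)
    {
        Log.InfoFormat("login {0} for {1} from {2}",
            success ? "succeeded" : "failed", MaskEmail(email), remoteIp);
    }

    // For debug payloads (form bodies, JSON) that might carry credentials.
    public static void DebugPayload(string payload)
    {
        if (Log.IsDebugEnabled) Log.Debug(Redact(payload));
    }
}

// Constructed usage: the lines written to the log become
//   login failed for j***@example.com from 203.0.113.5
//   email=jane@example.com&password=[REDACTED]
// SafeLog.LoginAttempt("jane@example.com", false, "203.0.113.5");
// SafeLog.DebugPayload("email=jane@example.com&password=hunter2");
```

The redaction is a safety net, not the primary control: the real fix is that the login code path never passes the password to any logging call at all, which is why LoginAttempt has no parameter for it.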
Do Not Use Debug Mode In Production
In your web.config, set the compilation mode to release. Having your compilation mode set to debug allows trace output and detailed error messages to be viewed remotely. Running a site in debug mode is also less performant: on compile, more files are created within your temporary ASP.NET files folder, and with debug enabled the output cache is disabled as well, so do not do it.
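The fragment below is an added example, not configuration from the original post. It shows the three system.web settings that together stop debug and error detail leaking to remote visitors; the defaultRedirect path is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Added example, not from the original post.
         debug="false": release compilation, no debug symbols, output cache active. -->
    <compilation debug="false" />

    <!-- RemoteOnly: local requests still see the full error page for diagnosis,
         remote visitors get the friendly page (path is an assumed placeholder). -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error" />

    <!-- Make sure page tracing is off; trace.axd exposes request detail. -->
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
```

If you use Web.Release.config transforms, the default Visual Studio template already carries the line that strips the debug attribute on publish: `<compilation xdt:Transform="RemoveAttributes(debug)" />`. Check that it is still present in your project, because it is easy to lose when the file is edited by hand.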
Don't Use App_data For Logging
Out of the box, Umbraco writes its log files, and all the Lucene indexes required by Examine, into the App_data directory within your webroot. If these files are within your webroot, there is a slight chance that someone externally could access them. To make your site more secure, these files shouldn't live within your Umbraco webroot, but somewhere outside it.
Don't Use Your Default SQL 'SA' Account
When setting up SQL, do not use the sa account for the website to access SQL in production. Create a specific database user account for your website and lock that SQL account down to only access your Umbraco database. In development, it's fine to use the sa account; however, some developers seem to carry this bad habit over into production. If your SQL server contains multiple databases and someone gets hold of the 'sa' account details, they can then access all of your databases.
Don't Write Inline SQL
One way to prevent SQL injection within your website is not to write SQL yourself. Instead, use an ORM like Entity Framework. Using Entity Framework means you're never executing SQL scripts that have had parameters concatenated into them before being sent to the database.
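An added example, not from the original post, that serves both the query-string section and this one: the same lookup written the way the post warns against (string concatenation) and the way it should be written when you do need hand-written SQL (validate the input to its expected type, then bind it as a parameter). Table, column and connection-string names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// Added example, not from the original post.
public class ProductRow
{
    public string Name { get; set; }
    public decimal Price { get; set; }
}

public class ProductController : Controller
{
    private readonly string _connectionString;

    public ProductController(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE, kept only to show the defect the post describes: whatever is
    // in ?id= becomes part of the statement text, so the caller controls the
    // query rather than just its value.
    public static string UnsafeStatement(string idFromQueryString)
    {
        return "SELECT Name, Price FROM Product WHERE Id = " + idFromQueryString;
    }

    // SAFE: the query-string value is first validated to the type the code
    // expects, then bound as a typed parameter. SQL Server receives the
    // statement and the value separately, so the value can never change the
    // statement's structure.
    public ActionResult Details(string id)
    {
        int productId;
        if (!int.TryParse(id, out productId) || productId <= 0)
        {
            return new HttpStatusCodeResult(400, "id must be a positive integer");
        }

        ProductRow product = LoadProduct(productId);
        if (product == null) return HttpNotFound();
        return View(product);
    }

    private ProductRow LoadProduct(int productId)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT Name, Price FROM Product WHERE Id = @Id", conn))
        {
            // Typed parameter: the driver sends an int, never text to be parsed.
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = productId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;
                return new ProductRow { Name = reader.GetString(0), Price = reader.GetDecimal(1) };
            }
        }
    }
}
```

The same rule applies to values you cannot parameterise, such as a column name used for sorting: compare the query-string value against a fixed allowlist of column names in code and reject anything else, rather than placing it in the statement.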
Don't Send Passwords In Plain Text
We all understand these two points:
- Sending passwords as plain text is stupid
- Email isn't secure
When building a forgotten password feature, do not send the password in plain text. Send your users a link that allows them to reset their password instead! If a hacker gets access to a customer's email account, they can use the email provider's search feature to find the account's password and then compromise the account. If you run an e-commerce website, someone might then be able to steal credit card details or make fraudulent transactions.
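An added example (not the post's code) of the reset-link approach: the link carries a random, single-use, expiring token, and only a hash of the token is stored, so neither the database nor an email found later can be replayed. The in-memory store, the 30-minute lifetime and the URL shape are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post.
public class PasswordResetService
{
    private class ResetRecord
    {
        public string TokenHash;
        public DateTime ExpiresUtc;
        public bool Used;
    }

    // Stands in for a database table keyed by account (assumption).
    private readonly Dictionary<string, ResetRecord> _byUser =
        new Dictionary<string, ResetRecord>(StringComparer.OrdinalIgnoreCase);

    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(30);

    // Step 1: the user asks for a reset. Generate 32 bytes from the OS CSPRNG,
    // store SHA-256(token) with an expiry, and put only the raw token in the
    // link. The caller should send the same generic "check your email" message
    // whether or not the address exists, so the form cannot enumerate accounts.
    public string CreateResetLink(string email, string baseUrl)
    {
        byte[] raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = UrlSafe(raw);

        _byUser[email] = new ResetRecord
        {
            TokenHash = Hash(token),
            ExpiresUtc = DateTime.UtcNow.Add(_lifetime),
            Used = false
        };

        // Never log this URL: it is a credential until it expires.
        return baseUrl + "/reset?email=" + Uri.EscapeDataString(email) + "&token=" + token;
    }

    // Step 2: the user follows the link and submits a new password. Hash the
    // presented token, compare in fixed time, and refuse expired or used tokens.
    public bool TryConsumeToken(string email, string token)
    {
        ResetRecord rec;
        if (token == null || !_byUser.TryGetValue(email, out rec) || rec.Used) return false;
        if (DateTime.UtcNow > rec.ExpiresUtc) return false;
        if (!FixedTimeEquals(rec.TokenHash, Hash(token))) return false;

        rec.Used = true; // single use: a second click on the same link fails
        return true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Base64 without the characters that need URL escaping.
    private static string UrlSafe(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Avoids leaking, via timing, how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Once TryConsumeToken returns true, set the new password through your membership provider and invalidate any existing sessions for that account; the token itself never needs to be shown to the user or written anywhere other than the email.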
Keep Umbraco Updated
Umbraco regularly releases updates and patches via its NuGet feed. In most situations, upgrading takes minutes. These updates include all the latest security patches, so keeping your website regularly updated is crucial for the security and stability of your Umbraco site.
Set directory permissions carefully
Wrong directory permissions on your webroot can be fatal, especially if you're working in a shared hosting environment. Don't use the everyone permission, and don't grant write permissions to any accounts that do not need them. Only IIS needs write access to your files!
Don't Have Unused Ports Open On Your Server
In your firewall make sure that you lock down every port that isn't used. Open ports can be a hacker's entry into your server.
Ensure you Cache your web pages correctly
Aside from security, performance is another key aspect of any project. When planning how to make your website performant, you will also need to think about caching. When you start caching your web pages, however, you can introduce a new security concern: accidentally caching sensitive information and showing it to other people. For example, user 1 logs into his account area on your website; your server processes the request and caches the page. User 2 then visits your website, tries to view the same page, and ends up seeing the cached page that contains user 1's private details. I have seen this happen in production before, so be aware!
As I hope this illustrates, caching is a complex and involved subject, and its ins and outs cover more material than a single post can. If you want to cache your Umbraco pages, I would recommend starting here. On a similar note, search results pages should only index public content!
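An added example, not from the original post or the linked caching guide, of the three output-cache settings that stop user 1's page reaching user 2: cache public pages, never store account pages, and key any page that differs per user on the signed-in identity. Controller, action names and durations are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;

// Added example, not from the original post.
public class PageController : Controller
{
    // Identical for every visitor: safe to cache on the server for 10 minutes.
    [OutputCache(Duration = 600, VaryByParam = "none", Location = OutputCacheLocation.Server)]
    public ActionResult Landing()
    {
        return View();
    }

    // Account area: never store anywhere. Location None plus NoStore also
    // emits Cache-Control: no-cache, no-store, so proxies and the browser
    // do not keep a copy either.
    [Authorize]
    [OutputCache(Duration = 0, NoStore = true, Location = OutputCacheLocation.None, VaryByParam = "*")]
    public ActionResult MyAccount()
    {
        return View();
    }

    // Cacheable, but rendered differently for anonymous and signed-in
    // visitors: vary the cache key on the custom string computed below.
    [OutputCache(Duration = 300, VaryByParam = "none", VaryByCustom = "user")]
    public ActionResult Offers()
    {
        return View();
    }
}

// Global.asax.cs. In Umbraco the application class derives from
// Umbraco.Web.UmbracoApplication instead of HttpApplication; the override is the same.
public class MvcApplication : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
        {
            // Anonymous visitors share one cached copy; each signed-in user gets
            // their own entry, so one user's page is never served to another.
            return context.User != null && context.User.Identity.IsAuthenticated
                ? "user:" + context.User.Identity.Name
                : "anon";
        }
        return base.GetVaryByCustomString(context, custom);
    }
}
```

A quick production check for the failure the section describes: request an account page while signed in, then request it again from a fresh private browser window. If the second request shows any of the first user's data, the page is being cached without a per-user key.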
Use A Web Application Firewall (WAF)
A WAF can be used to help prevent DDoS attacks on your website. The firewall blocks malicious traffic before it even reaches your website. Depending on your set-up you might have an extensive in-house solution; you can also use a service like Cloudflare, which not only provides a WAF but also provides a CDN solution.
If you follow all these tips, you will have a super-secure website. Happy Coding 🤘