Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • aadesh12 1 post 71 karma points
    Jan 04, 2021 @ 16:09

    Is it safe to expose Umbraco to the public internet?

    My team is working on a proposal for replacing an in-house built CMS with Umbraco for a client.

    The client has people working remotely without a VPN, so the CMS must be exposed to the public internet.

    My experience with Umbraco is limited and I would like to know if the general consensus is that Umbraco is / isn't safe to be exposed over the public internet.

    We'll be using SSL and each user will have an individual account. But we're worried about vulnerabilities and preventing brute-force attacks.

  • Huw Reddick 699 posts 2300 karma points
    Jan 05, 2021 @ 09:06
    Huw Reddick

    I would say it is a safe as any other website :)

    As long as you follow the best practices for securing a .Net website it will be OK.

  • Rodolphe Toots 29 posts 130 karma points
    Jan 07, 2021 @ 13:15
    Rodolphe Toots

    A good way to put up an extra security layer is to remove /umbraco from the public web and instead set it up on another site that is only accessible for selected networks/IP-adresses.

  • Patrick van Kemenade 97 posts 325 karma points
    Jan 07, 2021 @ 14:21
    Patrick van Kemenade


    Do you mean put an IP restriction on the /umbraco folder in IIS. Or put Basic Authentication on this folder, or how do you do this.

    Or have you found a way to rename /umbraco to /umbraco_

    @Huw In general Umbraco uses the .Net framework which has already some protection in place for sql injection via url and things.

    But indeed most Umbraco websites by default have an easy to guess login page which results in exposure to brute force login attempts by bot networks. Also very curious what are the best practices to protect against this.

  • Rodolphe Toots 29 posts 130 karma points
    Jan 07, 2021 @ 15:49
    Rodolphe Toots

    I mean that on the normal site, remove the /umbraco folder. Then configure another site where /umbraco is available. On that site, set up IP-restriction, or even better, dont make it available on public internet.

    Yeah, .NET have protection in place for various things, but passwords can get stolen, hacked etc.

    Also, the umbraco admin users are in fact not .NET membership users, but I guess they have set up protectio against brute force attacks (i.e. lock accounts after too many failed attempts).

  • [email protected] 396 posts 2073 karma points MVP 6x c-trib
    Jan 08, 2021 @ 06:58

    Hi all,

    here is some documentation how you can harden your security:

    And during Codegarden 2018 I've given a presentation about hardening your security. The slides are over here:

    Somethings may be changed a bit in Umbraco 8, but I think most of it is still relevant!

    Kind regards,


  • mattou07 15 posts 109 karma points MVP c-trib
    Jan 16, 2021 @ 08:10

    I have a blog post on this:

    Tips 3 and 4 are probably the most relevant to this post where you can use rewrite rules to restrict access to the back office based on IP address or what domain the back office is accessed by.


Please Sign in or register to post replies

Write your reply to: