Is it safe to expose Umbraco to the public internet?
My team is working on a proposal for replacing an in-house built CMS with Umbraco for a client.
The client has people working remotely without a VPN, so the CMS must be exposed to the public internet.
My experience with Umbraco is limited and I would like to know if the general consensus is that Umbraco is / isn't safe to be exposed over the public internet.
We'll be using SSL and each user will have an individual account. But we're worried about vulnerabilities and preventing brute-force attacks.
I would say it is as safe as any other website :)
As long as you follow the best practices for securing a .Net website it will be OK.
A good way to put up an extra security layer is to remove /umbraco from the public web and instead set it up on another site that is only accessible for selected networks/IP addresses.
@Rodolhpe
Do you mean put an IP restriction on the /umbraco folder in IIS? Or put Basic Authentication on this folder, or how do you do this?
Or have you found a way to rename /umbraco to /umbraco_
@Huw In general Umbraco uses the .Net framework, which already has some protection in place for SQL injection via URLs and such.
But indeed most Umbraco websites by default have an easy-to-guess login page, which results in exposure to brute-force login attempts by bot networks. I'm also very curious what the best practices are to protect against this.
I mean that on the normal site, remove the /umbraco folder. Then configure another site where /umbraco is available. On that site, set up an IP restriction, or even better, don't make it available on the public internet.
Yeah, .NET has protection in place for various things, but passwords can get stolen, hacked, etc.
Also, the Umbraco admin users are in fact not .NET membership users, but I guess they have set up protection against brute-force attacks (i.e. lock accounts after too many failed attempts).
Hi all,
here is some documentation on how you can harden your security: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/.
And during Codegarden 2018 I gave a presentation about hardening your security. The slides are over here: https://www.perplex.nl/en/blog/2018/security-umbraco-codegarden-2018/.
Some things may have changed a bit in Umbraco 8, but I think most of it is still relevant!
Kind regards,
Jeffrey
I have a blog post on this: https://mattou07.net/posts/six-ways-to-secure-your-umbraco-back-office/
Tips 3 and 4 are probably the most relevant to this post; they show how you can use rewrite rules to restrict access to the back office based on IP address or on the domain the back office is accessed by.
Matt
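As an added example (not code from this thread, from Matt's post or from Umbraco itself), here is a web.config fragment that uses the IIS URL Rewrite module to implement the restriction Rodolphe and Matt describe: anything under /umbraco is refused unless the request arrives on the dedicated back-office host name and from an allowed source address. The host name admin.example.com and the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders (RFC 5737 documentation ranges); substitute your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread or Umbraco's own configuration.
     Requires the IIS URL Rewrite module. Host name and IP addresses below
     are placeholders: replace them with the host name you reserve for the
     back office and the egress addresses of your office/VPN networks. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Refuse /umbraco and everything beneath it (the back office,
             its API calls and assets all live under this prefix) unless
             BOTH checks pass. Each condition is negated and the grouping
             is MatchAny, so the rule fires as soon as either check fails. -->
        <rule name="Restrict Umbraco back office" stopProcessing="true">
          <match url="^umbraco(/.*)?$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAny">
            <!-- Check 1: request was not made to the back-office host name (placeholder). -->
            <add input="{HTTP_HOST}" pattern="^admin\.example\.com$" negate="true" />
            <!-- Check 2: client address is not on the allow list
                 (placeholders: one host, 203.0.113.10, and one /24, 198.51.100.0/24). -->
            <add input="{REMOTE_ADDR}"
                 pattern="^(203\.0\.113\.10|198\.51\.100\.[0-9]{1,3})$"
                 negate="true" />
          </conditions>
          <!-- Return 403 instead of the login page; the public site keeps
               serving normally because only /umbraco paths match above. -->
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="The back office is not available from this network." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two checks before relying on this: confirm that `https://www.<public host>/umbraco` now returns 403 while the admin host still serves the login page, and remember that behind a load balancer or reverse proxy `{REMOTE_ADDR}` is the proxy's address, so the IP condition only works if the proxy is the one terminating the connection or you match a forwarded header that the proxy itself overwrites.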