Security & Umbraco Talk: How to Protect Yourself Against Hackers

El Codegarden It is an annual event where the Umbraco community you are here to improve your knowledge about the CMS. It takes place in Odense, Denmark, during the month of May. Part of our team at Novicell attended that event, and in this post we review the talk What did he teach Jeffrey Shoemaker about security.

Security & Umbraco: How to Protect Yourself Against Hackers

The importance of safety

Security is about multi-layered defense, not just having a good firewall or the right HTTP headers. Each protection layer It makes the task more difficult for a Potential hacker trying to enter the system, increasing the chances that he will decide to change his objective. It is important to remember that it's not necessary to have the most secure website in the world, but to be more secure than most sites.

In recent months they have come out differently News about major security flaws, which have compromised systems around the world. Now more than ever we must be aware of the vital importance of security in systems exposed to the Internet What are CMS like.

Steps to follow to improve security in Umbraco

La Umbraco default settings is designed to find a balance between safety and ease of use. As an initial step it's great, but there are some simple steps What can we do to increase security even more of our CMS.

1. Hide what technology you're using

This step can be apply to any CMS since it does not depend directly on Umbraco. The first step a hacker always takes is to detect what technology a potential target is using (including the version number).

With that information it is possible to go to security bug databases and find an entry to the system. These security flaws have probably been fixed several versions ago, but if you encounter a website that doesn't regularly update its system, the vulnerability it will still be there ready to be taken advantage of.

The first change we're going to make is limit access to the Umbraco login page to the client, using IIS rules so that only certain IP addresses can access /threshole/.
In case the customer has Dynamic IP, as is often the case, it is enough to limit IPs to the range of the country where that customer operates. Los defined ranges for each country they are very large, but thanks to this change we have already limited access to a large number of potential attackers.

This change will produce a error page when a user with a disallowed IP tries to log in to /threshole/, but if we see that error when we enter the page, we already know that you are most likely using Umbraco as a CMS.

For really hide the technology in use we must change the login page. Umbraco allows you to make this change very easily, you only have to change a few lines of app settings in the file web.config and rename the folder Umbraco from the project to the new name we have given it.

With this latest change, a user trying to log in to /threshole/ you will see a 404 error page: page not found, so it will be impossible for you to know if we are using Umbraco or not.

2. Hide which Umbraco packages you're using

The folders of the installed packages, for example Umbraco Forms, are always public by default. This makes any user of our website can, from outside the CMS, see the content of these files.

Given this, our next step is also Hide what packages we're using in our CMS. To do this we are going to make the same change as the previous step, but this time for the folders App_Plugins, Config And finally Umbraco_Client. These folders never serve content for the public web, only the CMS, so They don't have to be public.

3. Keep Umbraco & its packages up to date

In the event that all our protections fail and someone ends up accessing our system, The only way to protect ourselves is to not have any known vulnerabilities in our system. For this reason, it is crucial to keep not only Umbraco itself, but all your packages completely up to date. If this task is performed periodically it does not take much time, and It increases safety a lot from our site.

As an example, we can return to Umbraco Forms, one of the most used Umbraco packages. A critical security flaw was discovered in that package a few weeks ago, and it was immediately fixed in the next version. The update is very small, so it doesn't take long, and increases the security of the website against known threats.

Finally, we leave you the video of the entire talk”Safety - Let's have fun with Umbraco“so that you can enjoy it just like we did:

How can we help you?

If you need more information, do not hesitate to contact us.