How to secure your Sitecore CMS platform


A 10 point plan to help secure your Sitecore platform

Our initial look at the topical and very important issue of website security took you through the security threats we face, followed by our first platform-specific article on how to secure your Kentico platform.

Next on our radar is a 10 point plan on how to secure your Sitecore platform. Even as the leader in the Gartner Magic Quadrant for CMS, Sitecore still experiences vulnerabilities. This just goes to show how important it is to stay on top of your technology and be aware of any issues requiring hotfixes.

Just to reiterate: don’t get caught on your heels, as even the biggest software vendors are susceptible to attacks. As in the Kentico article, the steps outlined below specify best practice and considerably lower the risk of your platform being compromised.


1. Defining Sitecore Timeouts

The Sitecore Client Timeout Setting

This setting controls how long an inactive Sitecore client session lasts before the user is logged out. By default it is set to 60 minutes, and it can be increased or decreased in the web.config file.

<setting name="Authentication.ClientSessionTimeout" value="180" />

Forms Authentication Timeout

As Sitecore authentication uses the .NET membership provider, the forms authentication timeout will also apply to Sitecore. To change this, find the following tag in your web.config.

<authentication mode="None">
<forms name=".ASPXAUTH" cookieless="UseCookies" timeout="180"/>
</authentication>

Session Timeout

The last timeout you may need to change is the session timeout. The session timeout only affects your website if you have enabled session management by database instead of a cookie.

<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="
cookieless="false" timeout="180" />

2. Securing MongoDB

If your site uses MongoDB, it can be secured at the network level by default. However, you should still follow MongoDB’s best practices to harden the security of your Sitecore installation.

For more information about MongoDB security, visit:

MongoDB Security Best Practices
MongoDB Security Documentation

3. Turn off auto complete of login ‘usernames’

You can specify that Sitecore should not complete the username of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log into Sitecore on a shared or public computer. In addition, you can disable the ‘Remember me’ checkbox.

4. Specify your password policy

Passwords can be painful to remember, and we have all taken the easy route at some point and chosen a password that is as easy to remember as possible. This in turn makes the password easier to compromise; read the top common passwords for 2016.

Configuring the rules below can help avoid common passwords from being used:

  • The minimum number of characters that a password must contain.
  • The minimum number of non-alphanumeric characters that a password must contain.

Non-alphanumeric characters are any characters that are not a letter or a digit, for example !@#$%&*().


5. Lock account after X password attempts

Sitecore allows a certain number of incorrect attempts; if you pass this threshold the account becomes ‘locked’. If you have forgotten your password, you can submit a request on the login page to have your current password sent to you in an email.

However, if you have entered the wrong password a number of times and your account has been locked, the email will not be sent to you. In this case, you must ask your system administrator to unlock your account and create a new password for you.
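The settings behind points 3, 4 and 5 all live in web.config. The fragment below is an added example, not taken from the article or from Sitecore’s shipped configuration: the Login.* setting names and the SqlMembershipProvider attributes are those of a default Sitecore/ASP.NET install and should be checked against your own web.config, and the values are illustrative.

```xml
<!-- Added example, not from the article: web.config fragments behind points 3, 4 and 5.
     Setting names are Sitecore's own; the attributes on the "sql" provider are the
     standard ASP.NET SqlMembershipProvider ones. Check both against your version. -->

<!-- Point 3: no browser auto-complete of user names, no "Remember me" box -->
<setting name="Login.DisableAutoComplete" value="true" />
<setting name="Login.DisableRememberMe" value="true" />

<!-- Points 4 and 5: Sitecore's membership provider delegates to the ASP.NET
     SQL provider (realProviderName="sql"), so password policy and lockout are
     set there. A default install is effectively unconstrained, typically:
       minRequiredPasswordLength="1"
       minRequiredNonalphanumericCharacters="0"
       maxInvalidPasswordAttempts="256"
     The values below are an illustrative hardened replacement. -->
<membership defaultProvider="sitecore">
  <providers>
    <clear />
    <add name="sitecore"
         type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel"
         realProviderName="sql" />
    <add name="sql"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="core"
         applicationName="sitecore"
         minRequiredPasswordLength="12"
         minRequiredNonalphanumericCharacters="2"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="true" />
  </providers>
</membership>
<!-- maxInvalidPasswordAttempts wrong passwords within passwordAttemptWindow minutes
     lock the account (point 5). With passwordFormat="Hashed" the provider cannot
     hand back the stored password, so a forgotten-password request can only reset
     it; a locked account still needs an administrator to unlock it. -->
```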

6. IP and IIS Restrictions

Access to certain interfaces can be restricted by IP address. For setup and configuration, IIS.NET is a great resource to set you on your way.

Another way to restrict access is to disable anonymous IIS access to files in your Website\sitecore folder; good examples to start with are:

  • Admin folder
  • Login folder
  • Shell folder

7. Use SSL for the login page

A good idea is to configure the Sitecore Experience Platform to use only SSL requests for the Sitecore login page. Sitecore allows a custom redirect that redirects from http://website/sitecore/login to https://website/sitecore/login.
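Points 6 and 7 can both be expressed in IIS web.config. The fragment below is an added example rather than configuration from the article or from Sitecore: it assumes the IIS IP and Domain Restrictions feature and the URL Rewrite module are installed, uses a placeholder address range, and goes one step beyond the article by adding an HSTS header so browsers stop sending the first request over plain HTTP at all.

```xml
<!-- Added example, not from the article: IIS web.config fragments for points 6 and 7.
     Needs the IIS "IP and Domain Restrictions" feature and the URL Rewrite module.
     applicationHost.config locks the ipSecurity and authentication sections by
     default (overrideModeDefault="Deny"); unlock them before web.config may set them.
     203.0.113.0/24 is a placeholder for your office or VPN range. -->

<!-- Point 6: restrict the admin tools by IP and drop anonymous access.
     Repeat the <location> block for sitecore/login and sitecore/shell. -->
<location path="sitecore/admin">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
      <authentication>
        <!-- with anonymous off, another scheme must be on or every request is a 401 -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- Point 7: send a plain-HTTP request for the login page to HTTPS.
     {R:1} keeps the rest of the path; the query string is appended by default. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Sitecore login over HTTPS" stopProcessing="true">
        <match url="^(sitecore/login.*)$" ignoreCase="true" />
        <conditions>
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
  <!-- Beyond the article: once the whole site serves HTTPS, HSTS tells browsers
       to skip the insecure first request that the redirect above only patches. -->
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Only add the HSTS header once every page on the host is reachable over HTTPS, because browsers will refuse plain HTTP for the whole host for the max-age period.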

8. The User/Role Manager

You can assign access rights to both users and roles. However, if you make your users members of roles and assign the access rights to the roles instead of the user, you simplify maintenance. 

In this way, you can assign and revoke access rights to multiple users by assigning or removing memberships to roles instead of having to do this for each individual user account.

9. Keeping the system up to date

Sitecore keeps the product up to date and provides updates to deal with issues according to their severity (Critical, Important, Moderate, Low). Sitecore’s severity definitions for security vulnerabilities, covering all four levels, can be found here. A hotfix which Sitecore recently released is a good example: it has information on the versions affected, step-by-step installation and how to validate the fix.

A good idea is to keep an eye on any security issue articles posted on the Sitecore knowledgebase.

10. Leverage “The Sitecore Publishing Service”

You should be using a workflow to make sure published content is on brand and approved by the appropriate members, keeping errors to an absolute minimum. Using a workflow does come with a few pain points; some of these have been addressed and overhauled in the latest 8.2 Sitecore release through a completely new add-on named “Sitecore Publishing Service”.

Three main areas where you should look at using this add-on over the standard ‘Publishing System’ are:

  1. User Experience - A user doesn’t need to wait for publishing to finish; in other words, the publishing dialogue doesn’t block the user. It sends you to the “Publishing Dashboard”, where you can check the publishing status.
  2. Performance - Publishing speed is greatly improved; you need to be eagle-eyed to catch a ‘Publish’ in the ‘Active Jobs’ list. Good thing there is a Recent Jobs list, which will be handy for seeing who keeps kicking off a publish.
  3. Permissions - You can’t grant permission to perform a ‘Full-site publish’ to a user or role via the Security Roles in Sitecore anymore. This is a good thing, as it should mean fewer rogue Content Editors needlessly completing a ‘full publish’ when they changed only a single item.

Consultation and a Security Review

Following the 10 points above should help secure your Sitecore site and is a great starting point. Moving forward, you may want to do more and do your due diligence to ensure your platform is as secure as it could be.

Quba can review your current site to illustrate your strengths and weaknesses.
We can provide recommendations that will increase security and ensure best practice is adhered to, and if required physically perform the upgrades and execute delivery. 

Call: 0114 279 7779 or Email: hello@quba.co.uk to speak to a Quban if you require any guidance on this topic.

24 Jan 2017
Chris Bainbridge