Umbraco CMS Security Best Practices: Protecting Your Website from Cyber Threats and Attacks

Umbraco CMS Security Best Practices: Protecting Your Website from Cyber Threats and Attacks

Some facts and figures you need to know!

According to research, over 65% of small businesses suffer loss from at least one cyber-attack in a year, and around 30,000+ websites are hacked daily. The cost of a cyberattack for an average small business is $34,604, and 40+% of cyber-attacks are towards small businesses. Keeping all this in mind, we're here to discuss with you all the Umbraco website security practices you should follow to keep your website attack protection triggered all the time and stay away from cyber threats.

Let's get started!

Top 8 Best Practices you must follow to Protect Your Umbraco Website from Cyber Threats

Setting Up Vulnerability Scanning

For Umbraco web development, one of the best website security practices you must follow is setting up vulnerability scanning, as hackers highly consider it and use it to attack the site. So, to overcome this issue, we recommend using a vulnerability scanner like HackerGurardian PCI Scanning that reviews website code automatically, searches for other possible vulnerabilities, and fixes them before a hacker exploits them.

Keep several points in mind while looking for a vulnerability scanner:

  1. Look for a scanner whose database is updated on a daily basis for known vulnerabilities.
  2. Choose a scanner that checks your Content Management System.
  3. Use a vulnerability scanner that provides details about each vulnerability so you can know how severe it is and whether it needs to be fixed or is okay to overlook.
  4. Make sure that the scanner allows you to activate automated scanning through email alerts for all found vulnerabilities so you can stay alert when an issue occurs.


For your Umbraco website security, always use HTTPS, as it creates a secure connection between your website and your client's browser. It also guards your site against MITM attacks if someone attempts to intercept the data sent from a customer to the client's browser. There should not be any justification for not implementing HTTPS nowadays because it is an SEO bonus point that a website cannot neglect.

To implement HTTPS on your Umbraco website, you must have an SSL certificate to easily register it with IIS or Azure. Once you are done with your SSL certificate registration, go to web.config and enable theumbracoUseSSL setting:


                            <add key= “umbracoUseSSL” value= “true” /> 


Cache your Web Pages Correctly

Apart from performance, security is another critical aspect of any project. When planning to improve your website performance, you must consider caching. However, while caching web pages, add a new security concern that caches sensitive information and shows it to others.

For instance, if user A logs into your website account area, your server caches the page, and the request is processed. Then user B visits your website, tries to view the same page, and sees the cached page containing the private details of user A. I have seen this happening several times during production, so ensure your web pages are cached correctly and be aware!

protect your umbraco hire top talent from us

Minimize Repeated Login Attempts

This is one of the simplest and most effective defense mechanisms against brute force attacks. It allows you to block visitors who tried to log in multiple times by entering incorrect credentials.

For example, when a visitor makes multiple attempts to log in but fails, your website should block that user from trying to log in again, or they should wait for at least 5 minutes to retry.

Use Secure Cookies

As we mentioned earlier, use HTTPS for your website, so keeping that in mind, ensure all your cookies are secure and work with HTTPS. You can do this through your web.config file and then adding the following element in your system.web:

<httpCookies requireSSL= “true” /> 

Separate Accounts and Permissions

To keep your Umbraco website security high, reduce risk by limiting a person's access to the website according to their role. This way, if a hacker tries to get his hands on their account, they will only be able to access limited data and cannot damage the entire website.

For instance, the person who posts blogs on your site doesn't require access to the entire admin panel, so restrict the permissions accordingly depending on the roles and responsibilities.

Deploying a WAF (Web Application Firewall)

To make your Umbraco website highly secure, use a web application firewall to prevent DDOS attacks that take place on your website. It is a proven method to prevent your website from malicious attacks such as SQL injection and other new vulnerabilities before it reaches you. We assume you have a comprehensive in-house solution based on your setup; use a Cloudflare service that provides a WAF and a CDN solution.

There are numerous WAFs available, but you might find them complex and relatively expensive as it runs on a dedicated software device. But if you are a startup with a limited budget, you can still set up effective WAF for your Umbraco website.

Avoid Using HTML.RAW

If you are using MVC, avoid using @HTML.RAW. If you did, you're not encoding your outcome safely, which can leave you vulnerable to cross-site scripting attacks. Instead, render your data through properties, view models, and parse logic in backend code to stay on the safer side.

Final Thoughts

This post covered the best website security tips to keep your Umbraco website safe from commonly seen attacks. With every passing year, cyber-attacks are becoming more common. But now that you know how to keep your Umbraco website secure using the best practices, keep your site protected, or you can also hire umbraco developer from The One Technologies that can help you keep your platform secure and updated all the time to stay away from security breaches.

Certified By