How to Make Sitefinity Backend More Secure
The Sitefinity Backend is accessed by adding /Sitefinity to the web site URL. Users are then required to provide a valid username and password.
In this blog we will learn how you can add extra layers of security to the Sitefinity CMS backend login page.
1- Enforce a strong password policy for backend users
Here are some very general password guidelines:
- Passwords should be at least 8 characters long. The longer the better.
- Passwords should be mixed-case.
- Passwords should contain a mixture of numbers and letters.
- Passwords should not use common words.
Password policy is controlled per membership provider, so each provider configured in the system can have its own policy. To reach these settings, go to Administration -> Settings -> Advanced -> Security -> Membership Providers. You will see a list of membership providers. Expand the Default membership provider and click Parameters.
The Parameters section lists the settings that make up the password policy for that provider. The ones that matter are described below.
To design your password strength policy:
- Raise minRequiredPasswordLength. The default value is 7; set it to at least 8, and higher if your users can live with it.
- Set minRequiredNonalphanumericCharacters to a value higher than 0. The number you put here is how many special (non-alphanumeric) characters a new password must contain. Requiring at least one enlarges the character set an attacker has to search, although account lockout after repeated failed logins does more against online guessing than any composition rule.
- Optionally, set passwordStrengthRegularExpression to a custom regular expression that a new password must also match, for example to require both an uppercase and a lowercase letter. The regex is checked in addition to the two limits above, not instead of them.
Note that these rules are only applied when a password is created or changed; existing passwords are not re-validated until the user next changes them.
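As an added illustration (this is not a fragment from the Sitefinity documentation or the product), here is how those parameters look once saved to disk, with weak values beside hardened ones. Sitefinity persists the settings made under Administration -> Settings -> Advanced -> Security into a configuration file; the file name ~/App_Data/Sitefinity/Configurations/SecurityConfig.config and the wrapping elements below are assumptions that may differ between versions, while the parameter names are the standard ASP.NET membership provider names the page itself uses. The example goes slightly beyond the text: it uses a 12-character minimum rather than the 8 recommended above, and adds the standard lockout parameters.

```xml
<!-- Added example: password policy parameters for the Default membership provider.
     File name and element layout are assumed from the Sitefinity settings UI;
     the parameter names are the standard ASP.NET membership provider settings. -->
<securityConfig xmlns:config="urn:telerik:sitefinity:configuration">
  <membershipProviders>
    <add name="Default">
      <parameters>
        <!-- Weak values (the shipped defaults), shown only for contrast: -->
        <!--
        <add name="minRequiredPasswordLength" value="7" />
        <add name="minRequiredNonalphanumericCharacters" value="0" />
        -->

        <!-- Hardened values -->
        <add name="minRequiredPasswordLength" value="12" />
        <add name="minRequiredNonalphanumericCharacters" value="1" />

        <!-- Lookaheads: at least one lowercase letter, one uppercase letter and one digit,
             total length 12 or more. This regex is evaluated in addition to the two
             counts above, so a password must satisfy all three. -->
        <add name="passwordStrengthRegularExpression"
             value="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$" />

        <!-- Lockout is what actually blunts online brute force: 5 failures within
             10 minutes locks the account. Standard ASP.NET membership parameters;
             assumed to be exposed by the Sitefinity provider. -->
        <add name="maxInvalidPasswordAttempts" value="5" />
        <add name="passwordAttemptWindow" value="10" />
      </parameters>
    </add>
  </membershipProviders>
</securityConfig>
```

Prefer making the change through the settings UI described above rather than editing the file by hand, so that Sitefinity validates it and the running instance picks it up; the file is shown here only to make clear what each UI field maps to.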
2- Allow only certain IP addresses to reach the backend login
Sitefinity CMS settings and content are normally edited by a small, known group of users in an organization, and most of the time from the organization's internal network. There is therefore little reason for the backend login page to be reachable from the whole Internet: restricting /Sitefinity to your office and VPN address ranges takes the login form out of reach of password guessing and credential stuffing from anywhere else, while leaving the public frontend untouched.
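One way to implement this, added here as an example and not taken from the original post, is the IIS "IP and Domain Restrictions" feature, scoped to the /Sitefinity path with a location element in the site's web.config. The address ranges are placeholders (a private range and an RFC 5737 documentation address); replace them with your own.

```xml
<!-- Added example: restrict everything under /Sitefinity to known source addresses
     using IIS "IP and Domain Restrictions" (system.webServer/security/ipSecurity).
     Address values are placeholders. -->
<configuration>
  <location path="Sitefinity">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" turns the list into an allow-list: everything
             not listed below is denied (HTTP 403 by default). -->
        <ipSecurity allowUnlisted="false">
          <clear />
          <!-- Corporate LAN range (placeholder) -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
          <!-- Single VPN egress address (placeholder) -->
          <add ipAddress="203.0.113.5" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two checks before relying on this. First, the ipSecurity section is locked at server level in applicationHost.config by default, so a web.config override produces an HTTP 500.19 until the role feature is installed and the section is unlocked (for example with `appcmd unlock config -section:system.webServer/security/ipSecurity`). Second, if IIS sits behind a load balancer or reverse proxy, the source address it sees is the proxy's, so the allow-list would either block everyone or nobody; apply the restriction at the proxy instead, or use the enableProxyMode attribute on ipSecurity (IIS 8 and later) so the X-Forwarded-For header is evaluated, and only if that header cannot be spoofed past the proxy.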
3- SSL for the Login Page.
Serving your website over https:// is a basic step towards a more secure browsing experience for your users, and Google rewards it with a ranking boost, since security is a priority for Google as well.
Sitefinity CMS is flexible about where SSL is enforced: you can configure the backend login page to be served explicitly over https://, or require SSL for different areas of the website, such as the entire frontend or the entire backend. The recommended approach, though, is to enforce SSL for the entire website. Protecting only the login page means the authenticated session cookie is still sent in clear text on every other request, which is exactly what an attacker on the network path wants to capture.
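Sitefinity's own SSL settings are made in the backend UI; the fragment below is an added example, not the product's configuration, showing how the same "whole site over HTTPS" outcome is commonly enforced one layer down, in IIS, so that it holds even for requests Sitefinity never sees. It assumes the IIS URL Rewrite module is installed and that TLS terminates on the IIS server itself.

```xml
<!-- Added example: force the whole site onto HTTPS at the IIS level.
     Requires the IIS URL Rewrite module. -->
<configuration>
  <system.web>
    <!-- Mark ASP.NET cookies Secure and HttpOnly, so the session cookie issued
         after the backend login is never replayed over plain HTTP. Verify the
         backend login still works after enabling this. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Permanent redirect of every http:// request to the same URL on https:// -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <!-- HSTS: tell browsers to use HTTPS for a year without asking.
           Emitted only on HTTPS responses; browsers ignore it over HTTP anyway. -->
      <outboundRules>
        <rule name="Add Strict-Transport-Security">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="^ON$" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

If a load balancer terminates TLS in front of IIS, `{HTTPS}` is OFF on every request and this rule would redirect in a loop; in that setup key the conditions off the proxy's forwarded header instead (for example `{HTTP_X_FORWARDED_PROTO}` matching `^http$`), and make sure the proxy strips that header from client requests so it cannot be forged.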
4- Disable the backend UI on frontend nodes
This is useful in a Sitefinity load-balanced environment where you want to disable the backend on all public-facing frontend nodes and leave it enabled only on the nodes used by editors and developers, so that a scanned or compromised frontend node offers no login page at all.
To disable the backend UI, perform the following:
- Go to Administration -> Settings -> Advanced.
- Select the DisableBackendUI checkbox and click Save changes. This setting is written to ~/App_Data/Sitefinity/Configurations/SystemConfig.config as disableBackendUI="True".
- To enable the backend UI again, open SystemConfig.config on that node and remove disableBackendUI="True". Once the backend is disabled you can no longer reach the settings UI on that node, which is why re-enabling is a file edit.