How does Umbraco’s security stack up?

30 September 2021 Effect

Having a secure website is critical for both your customers and your organisation, and cyber security attacks are more and more common. This year, 1350 cyber security incidents were recorded by CERT NZ between April and June alone, equating to $3.9 million in financial loss.

While the thought of cyber-attacks is scary, the good news is that prevention is key: there are many easy steps you can take to reduce the risk to your website, and using Umbraco CMS is one of them.

Umbraco’s security standards

Umbraco is built on Microsoft .NET technology, which means it benefits from a range of .NET security features not always inherent in PHP-based CMS systems like WordPress.

Umbraco’s security features:

  • Automated security updates (Umbraco Cloud)

  • Automated HTTPS certificate (Umbraco Cloud & Azure)

  • Hashed passwords

  • Support for HTTPS

  • Support for OAuth login systems

  • Possible to set up password rules

  • Possible to implement two-factor authentication

  • Default log-out of the back office due to inactivity

  • Built-in security health check
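Several of the features above (HTTPS enforcement, password rules, the inactivity log-out and lockout after failed logins) are plain configuration switches rather than code. The fragment below is an added example, not taken from the article or from Umbraco's own documentation; it assumes an Umbraco 9 or later site, where these settings live under the `Umbraco:CMS` section of `appsettings.json`, and shows one hardened combination (values such as the 15-minute timeout and 12-character minimum are illustrative choices, not Umbraco defaults):

```json
{
  "Umbraco": {
    "CMS": {
      "Global": {
        "UseHttps": true,
        "TimeOut": "00:15:00"
      },
      "Security": {
        "KeepUserLoggedIn": false,
        "AllowPasswordReset": true,
        "UsernameIsEmail": true,
        "UserPassword": {
          "RequiredLength": 12,
          "RequireNonLetterOrDigit": true,
          "RequireDigit": true,
          "RequireLowercase": true,
          "RequireUppercase": true,
          "MaxFailedAccessAttemptsBeforeLockout": 5
        },
        "MemberPassword": {
          "RequiredLength": 12,
          "RequireNonLetterOrDigit": true,
          "RequireDigit": true,
          "RequireLowercase": true,
          "RequireUppercase": true,
          "MaxFailedAccessAttemptsBeforeLockout": 5
        }
      }
    }
  }
}
```

`Global:TimeOut` is the back-office inactivity window, and `KeepUserLoggedIn` set to `false` makes sure a "remember me" style session does not bypass it; `UseHttps` makes Umbraco assume and require HTTPS for back-office traffic; the `UserPassword` block governs back-office editors while `MemberPassword` governs front-end members, so tighten both. Check the key names against the documentation for the exact Umbraco version in use, since older Umbraco 7 and 8 sites configure the equivalent settings in `web.config` and `umbracoSettings.config` instead, and run the built-in health check afterwards to confirm the site reports the change.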

As well as doing regular internal testing, Umbraco HQ has an external security company doing thorough penetration testing of Umbraco CMS to detect possible risks. Once identified, Umbraco HQ remedies these and pushes out security patches and updates to the wider Umbraco community. These protection measures include those outlined in the OWASP top ten.

What about OWASP?

The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the security of software. It is an international collaboration between individuals and corporations that aims to standardise approaches to security and share knowledge.  

The OWASP Top Ten is globally recognised as the first step in securing your website or application, and all of its risks can be addressed when using Umbraco. The top 10 web application security risks* are:

  1. Injection.

  2. Broken Authentication.

  3. Sensitive Data Exposure.

  4. XML External Entities (XXE).

  5. Broken Access Control.

  6. Security Misconfiguration.

  7. Cross-Site Scripting (XSS).

  8. Insecure Deserialization.

  9. Using Components with Known Vulnerabilities.

  10. Insufficient Logging & Monitoring.

If your website or application is built on Umbraco you can rest assured that the technologies of Umbraco CMS, the oversight of Umbraco HQ and the wider Umbraco community, and the experienced team of developers here at Effect have got your back when it comes to web security.

*These are due to be updated in 2021; you can view the draft ones here.

If you found this article useful, sign up to our newsletter for tips, tricks and case studies from Effect.