How to secure Sitefinity's Administrative UI

How to secure Sitefinity's Administrative UI

March 04, 2010 0 Comments
How to secure Sitefinity’s Administrative UI

The content you're reading is getting on in years
This post is on the older side and its content may be out of date.
Be sure to visit our blogs homepage for our latest news, updates and information.

Securing the Sitefinity LoginSitefinity’s Administrative Web Interface is accessed by adding /Sitefinity to the web site’s URL.  Users are then required to provide a valid username & password to gain entry to Sitefinity.  By default, Sitefinity’s administrative username is set to admin.

A few customers have expressed concern that this does not offer enough protection from malicious users or bots.  If an attacker knows a web site is using Sitefinity then they also know the login URL and the admin username. The only thing that remains is the admin password. 

This article explains how Sitefinity (and ASP.NET) help protect your web site.  This article also suggests a few techniques for adding additional layers of protection to Sitefinity’s Administrative UI.

Too Many Invalid Password Attempts

There are plenty of password cracking tools that will bombard a web login form with password variations.  These login attempts can stream as fast as the web server can accept them.  After several hours (or days) these automated tools eventually stumble onto a valid password.

The first line of defense to these brute force password attacks is to pick a reasonable password.  Dictionary attacks assume the password is a valid word or a common password.  Consequently, passwords containing common words are much easier to guess. 

Here are some very general password guidelines:

  • Passwords should be at least 8 characters longer.  The longer the better…
  • Passwords should be mixed-case
  • Passwords should contain a mixture of numbers & letters
  • Passwords should not use common words

A good password makes it difficult to randomly stumble into the right combination of numbers & letters.  To further discourage these brute force attacks, Sitefinity’s Membership Provider will (by default!) temporarily lock out accounts that have too many failed password attempts. 

Sitefinity’s Membership provider is configured in the ~/web.config file:

<membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
    <add name="Sitefinity" 
      type="Telerik.DataAccess.AspnetProviders.TelerikMembershipProvider, Telerik.DataAccess" 

By default, Sitefinity is configured to limit password attempts (maxInvalidPasswordAttempts) to 5.  The lock out time (passwordAttemptWindow) for the account is set to 10 minutes.  Membership properties can be edited to provide different security settings.  This limits an attacker’s ability to bombard a login form with tons of password variations.

Discourage Brute Force Password Attacks with Captcha

Sitefinity comes included with RadControls for ASP.NET AJAX.  Included in this suite of controls is a Captcha control.  This control can be added to Sitefinity’s login to prevent bots from auto-submitting the login form.  Captcha discourages attackers from using automated brute force or dictionary attacks to discover the admin password.  Bypassing Captcha requires human intervention or a more sophisticated automated tool.

To enable RadCaptcha, insert the following code near the top of the ~/Sitefinity/Login.aspx page:

<%@ Register Assembly="Telerik.Web.UI" Namespace="Telerik.Web.UI"  TagPrefix="telerik" %>

Then add the RadCaptcha control to the Login control’s LayoutTemplate (just after the RememberMe checkbox):

        ErrorMessage="Invalid Captcha" 
        runat="server" />

Each login to Sitefinity will now also require Captcha.

Adding Captcha to Sitefinity's Login Screen

If needed, the Background Noise, Text Warp and Line Noise levels can be set to High.  These settings will make it even harder for computers to read this text.  However, it will also make it harder for your users to read this text.  RadCaptcha has a lot of interesting properties; feel free to experiment.

This tip is courtesy of our friends at Mallsoft. 

Disable the Admin User

By default Sitefinity’s administrative user is named admin.  Using Sitefinity’s Administrative UI a new administrative user can be created and the old admin user deleted.  This makes it harder to guess the administrative user login.

Renaming Sitefinity's Admin Account

1.  Create a new administrative user and make this user a member of the administrators role. 

2.  Log out and then login using this new administrative user. 

3.  Test thoroughly before removing the original admin user!

4.  Before the the old admin user can be deleted this account must be removed from the administrators role. 

5.  After this role has been removed the original admin user can be deleted.

Limit access to Sitefinity’s Administrative UI

Access to Sitefinity’s Administrative UI can also be limited using a custom HttpModule (as detailed here).  HttpModules can filter incoming HTTP requests before content is served.  Incoming content requests can be rejected or redirected based on custom parameters (for example, the user’s IP address).

The following example limits access to Sitefinity’s Administrative UI to a specific block of IP addresses.


using System;
using System.Web;

public class AdminIpFilter : IHttpModule
    public void Dispose()

    public void Init(HttpApplication context)
        context.BeginRequest += new EventHandler(context_BeginRequest);

    void context_BeginRequest(object sender, EventArgs e)
        HttpContext current = HttpContext.Current;

        string filePath = current.Request.AppRelativeCurrentExecutionFilePath.ToLower();

        if (filePath.StartsWith("~/sitefinity"))
            string userIp = current.Request.ServerVariables["REMOTE_ADDR"];

            if (userIp.StartsWith("127.0.0") == false)

This custom HttpModule can be installed in the ~/web.config file:

  <add name="AdminIpFilter" type="AdminIpFilter, App_Code"/>

Track Administrative Accesses Using Google Analytics

There is a Sitefinity KB article that describes how to add Google Analytics to a Sitefinity web site.  This article describes how to add Google Analytics to public Sitefinity pages (not Admin pages).  Thankfully, the same technique works for Backend Admin pages.

To add tracking to Sitefinity’s Administrative UI, the Google Analytics tracking code needs added to the Master Page Template used by Sitefinity’s Admin Pages: 


In addition, the Google Analytics tracking code also needs added to the Login Page:


Below is a sample Google Analytics tracking code.   Each web site will have its own unique tracking code.

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "' type='text/javascript'%3E%3C/script%3E"));
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-99992654-1");
} catch(err) {}</script>

Change Sitefinity’s Administrative Login URL

Sitefinity’s administrative login can be guessed because all Sitefinity web sites use the very same login URL.  The login URL can be changed by renaming Sitefinity’s Login page:

  1. Rename ~/Sitefinity/Login.aspx to ~/Sitefinity/ObscureLogin.aspx
  2. Rename ~/Sitefinity/Login.aspx.cs to ~/Sitefinity/ObscureLogin.aspx.cs
  3. Rename ~/Sitefinity/App_LocalResources/Login.aspx.resx to ~/Sitefinity/App_LocalResources/ObscureLogin.aspx.resx

Sitefinity’s Administrative UI can now only be accessed using a special login URL:

Any other URL will attempt to redirect to ~/Login.aspx (which no longer exists) and will throw a 404 error.  The user will need to know the login URL before they gain access to Sitefinity’s Admin. UI. 

This technique is known as security through obscurity; it certainly isn’t bullet-proof but might serve as a first line of defense.


In most cases Sitefinity’s default settings coupled with a good password will be enough to discourage most attackers.  However, if this does not provide sufficient protection the techniques described above will install several additional hurdles:

  1. The admin URL is not easily guessable
  2. The admin username is not easily guessable
  3. The admin password is not easily guessable
  4. Accounts with too many failed password attempts are temporarily locked out
  5. Captcha discourages automated scripts from submitting the login form
  6. Only specific IP addresses can access the admin pages
  7. Admin access can be monitored with Google Analytics

If you’ve discovered additional tips or tricks please post a comment below.


The Progress Team

View all posts from The Progress Team on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.

Comments are disabled in preview mode.
Latest Stories in
Your Inbox
More From Progress
The New Mobile Development Landscape
Download Whitepaper
IDC Spotlight Sitefinity Thumbnail
Choosing the Right Digital Experience Platform to Improve Business Outcomes
Download Whitepaper
The Fastest Way to Build Mobile Apps With Cloud Data
Watch Webinar