Keeping the Umbraco back-office login secure and out of reach of unauthorized users is essential. IP address filtering is one way to do that.

The IIS URL Rewrite module must be installed before continuing.
The installation file can be downloaded here: https://www.iis.net/downloads/microsoft/url-rewrite

Once the module is up and running, add the following snippet to the <system.webServer> node in the web.config file.

<rewrite>
  <rules>
    <rule name="Restrict UM login" stopProcessing="true">
      <match url="^umbraco/?$" />
      <conditions>
        <add input="{Authorised IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
    </rule>
  </rules>
  <rewriteMaps>
    <rewriteMap name="Authorised IPs">
      <!-- add external IP addresses here -->
      <add key="12.34.56.78" value="1" />
      <!-- local -->
      <add key="127.0.0.1" value="1" />
      <add key="localhost" value="1" />
      <add key="::1" value="1" />
    </rewriteMap>
  </rewriteMaps>
</rewrite>

Here a rewrite rule is added on the path /umbraco, the default login URL of any Umbraco installation. If a client requests /umbraco and its address is not whitelisted in the "Authorised IPs" rewriteMap, status 403 is returned. The pattern ^umbraco/?$ matches /umbraco and /umbraco/ exactly; longer paths are not evaluated by this rule. The local addresses are needed to maintain access from your local machine.

Include a range of IP addresses.

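To add a range to the whitelist, use an input pattern on {REMOTE_ADDR} and include it within the <conditions> node.

<add input="{REMOTE_ADDR}" pattern="^127\.0\.0\.[0-5]$" negate="true" />

In this example all addresses from 127.0.0.0 to 127.0.0.5 are included. The ^ and $ anchors matter: URL Rewrite patterns match anywhere in the input, so without them an address such as 127.0.0.50 would also match. Conditions are combined with MatchAll by default, so the 403 is returned only when the address is in neither the rewriteMap nor the range.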
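The way these conditions combine can be checked offline before the rule is deployed. The Python script below is an added example, not code from the original article: it is a simplified model of the rule's evaluation (not the URL Rewrite engine itself), run over a constructed config and constructed client addresses, and it compares an unanchored range pattern with the anchored form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config: the rule with a map condition and a range condition.
# The range pattern is deliberately left unanchored here to show the difference.
REWRITE_XML = r"""<rewrite>
  <rules>
    <rule name="Restrict UM login" stopProcessing="true">
      <match url="^umbraco/?$" />
      <conditions>
        <add input="{Authorised IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="127\.0\.0\.[0-5]" negate="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403" />
    </rule>
  </rules>
  <rewriteMaps>
    <rewriteMap name="Authorised IPs">
      <add key="12.34.56.78" value="1" />
      <add key="::1" value="1" />
    </rewriteMap>
  </rewriteMaps>
</rewrite>"""
ANCHORED_XML = REWRITE_XML.replace(r"127\.0\.0\.[0-5]", r"^127\.0\.0\.[0-5]$")

def is_blocked(xml_text, path, remote_addr):
    """Simplified model of the rule: True if the request would get the 403."""
    root = ET.fromstring(xml_text)
    maps = {m.get("name"): {a.get("key"): a.get("value") for a in m.findall("add")}
            for m in root.iter("rewriteMap")}
    rule = root.find("./rules/rule")
    # The match pattern is tested against the path without its leading slash.
    if not re.search(rule.find("match").get("url"), path.lstrip("/"), re.I):
        return False
    for cond in rule.findall("./conditions/add"):
        lookup = re.fullmatch(r"\{(.+?):\{REMOTE_ADDR\}\}", cond.get("input"))
        # A map lookup yields the mapped value, or "" when the key is absent.
        value = maps[lookup.group(1)].get(remote_addr, "") if lookup else remote_addr
        hit = re.search(cond.get("pattern"), value, re.I) is not None
        if hit == (cond.get("negate") == "true"):
            return False  # default MatchAll grouping: one false condition skips the rule
    return True

if __name__ == "__main__":
    # Constructed client addresses; columns: address, unanchored result, anchored result
    for ip in ("203.0.113.9", "12.34.56.78", "127.0.0.3", "127.0.0.50"):
        print(ip, is_blocked(REWRITE_XML, "/umbraco", ip), is_blocked(ANCHORED_XML, "/umbraco", ip))
```

Only 127.0.0.50 differs between the two columns: the unanchored pattern lets it through, the anchored one returns the 403.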

Alternative strategies

Sometimes IP address filtering won't work for you, because:

  • The set-up doesn't allow it.
  • You work from various remote locations, so your IP address changes a lot.
  • You have a dynamic IP address which changes from time to time.

If this is the case, it's advisable to change the default login URL from /umbraco to something else. In this scenario any possible intruder has to guess what the correct login URL is. This only hides the login page; it does not restrict who can reach it.

The following two web.config entries need to be edited. Replace 'anything' with a value of your liking.

<add key="umbracoPath" value="/anything" />
<add key="umbracoReservedPaths" value="/anything/" />

Then change the /Umbraco directory name to this value as well. Bear in mind, though, that when upgrading Umbraco, no account is taken of the fact that this folder name has been changed.

If you have any questions or remarks please feel free to contact FungyBytes via contact@fungybytes.com or give us a tweet @fungybytes
