
How to secure Sitefinity’s Administrative UI

by Gabe Sumner

Securing the Sitefinity Login

Sitefinity’s Administrative Web Interface is accessed by adding /Sitefinity to the web site’s URL.  Users are then required to provide a valid username & password to gain entry to Sitefinity.  By default, Sitefinity’s administrative username is set to admin.

A few customers have expressed concern that this does not offer enough protection from malicious users or bots.  If an attacker knows a web site is using Sitefinity then they also know the login URL and the admin username. The only thing that remains is the admin password. 

This article explains how Sitefinity (and ASP.NET) help protect your web site.  This article also suggests a few techniques for adding additional layers of protection to Sitefinity’s Administrative UI.

Too Many Invalid Password Attempts

There are plenty of password cracking tools that will bombard a web login form with password variations.  These login attempts can stream as fast as the web server can accept them.  After several hours (or days) these automated tools eventually stumble onto a valid password.

The first line of defense to these brute force password attacks is to pick a reasonable password.  Dictionary attacks assume the password is a valid word or a common password.  Consequently, passwords containing common words are much easier to guess. 

Here are some very general password guidelines:

  • Passwords should be at least 8 characters long.  The longer the better…
  • Passwords should be mixed-case
  • Passwords should contain a mixture of numbers & letters
  • Passwords should not use common words

A good password makes it difficult to randomly stumble into the right combination of numbers & letters.  To further discourage these brute force attacks, Sitefinity’s Membership Provider will (by default!) temporarily lock out accounts that have too many failed password attempts. 

Sitefinity’s Membership provider is configured in the ~/web.config file (the two attributes that control lockout are shown; the provider’s other attributes are omitted here):

<membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
  <providers>
    <add name="Sitefinity" type="Telerik.DataAccess.AspnetProviders.TelerikMembershipProvider, Telerik.DataAccess"
         maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
  </providers>
</membership>

By default, Sitefinity is configured to limit password attempts (maxInvalidPasswordAttempts) to 5.  The lock out time (passwordAttemptWindow) for the account is set to 10 minutes.  Membership properties can be edited to provide different security settings.  This limits an attacker’s ability to bombard a login form with tons of password variations.
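As an added illustration (not code from the article, and not the Telerik provider’s implementation), the Python model below reproduces the lockout behaviour this section describes: once an account accumulates maxInvalidPasswordAttempts failures inside the passwordAttemptWindow it is locked for the length of that window. Three constructed scenarios show what that does to a burst of automated guesses, to a slower tool that paces its guesses, and to the legitimate administrator once the window has passed. The class and scenario names are the example’s own, and the temporary-lock behaviour follows the article’s description rather than the provider’s source.

```python
from datetime import datetime, timedelta

# Defaults the article quotes for Sitefinity's membership provider.
MAX_INVALID_PASSWORD_ATTEMPTS = 5
PASSWORD_ATTEMPT_WINDOW = timedelta(minutes=10)


class LockoutTracker:
    """Model of the lockout the article describes (illustrative, not the
    Telerik provider's code): failures are counted inside a sliding window
    and the account is locked for one window once the count hits the limit."""

    def __init__(self, max_attempts=MAX_INVALID_PASSWORD_ATTEMPTS,
                 window=PASSWORD_ATTEMPT_WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = {}      # user -> timestamps of failures still inside the window
        self._locked_until = {}  # user -> moment the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user, password_ok, now):
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"          # the password is not even evaluated
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.window
            self._failures[user] = []
            return "locked"
        return "failed"


def simulate_burst(guesses=200):
    """Constructed scenario: a cracking tool fires 20 guesses per second at
    'admin'.  Returns (guesses actually evaluated, guesses turned away)."""
    tracker = LockoutTracker()
    start = datetime(2010, 3, 1, 12, 0, 0)
    evaluated = rejected = 0
    for i in range(guesses):
        now = start + timedelta(milliseconds=50 * i)
        if tracker.is_locked("admin", now):
            rejected += 1
        else:
            tracker.attempt("admin", password_ok=False, now=now)
            evaluated += 1
    return evaluated, rejected


def simulate_paced(guesses=10, interval=timedelta(minutes=3)):
    """Constructed scenario: one wrong guess every 3 minutes never reaches
    5 failures inside a 10-minute window, so the lock never engages.  The
    lockout caps the guess rate; it does not replace a strong password.
    Returns (attempts reported as failed, attempts reported as locked)."""
    tracker = LockoutTracker()
    start = datetime(2010, 3, 1, 12, 0, 0)
    results = [tracker.attempt("admin", False, start + interval * i) for i in range(guesses)]
    return results.count("failed"), results.count("locked")


def simulate_recovery():
    """Constructed scenario: five bad guesses lock the account; the real
    administrator is turned away mid-window and logs in once it has passed."""
    tracker = LockoutTracker()
    start = datetime(2010, 3, 1, 12, 0, 0)
    for i in range(MAX_INVALID_PASSWORD_ATTEMPTS):
        tracker.attempt("admin", password_ok=False, now=start + timedelta(seconds=i))
    during = tracker.attempt("admin", password_ok=True, now=start + timedelta(minutes=5))
    after = tracker.attempt("admin", password_ok=True, now=start + timedelta(minutes=10, seconds=5))
    return during, after


if __name__ == "__main__":
    print("burst    (evaluated, rejected):", simulate_burst())
    print("paced    (failed, locked):     ", simulate_paced())
    print("recovery (during, after):      ", simulate_recovery())
```

The burst scenario is the one the lockout is designed for: of 200 guesses fired in ten seconds only five are ever checked against the stored password. The paced scenario is the reason the article puts password choice first: a tool that stays under the threshold is merely slowed, so the lockout buys time rather than ending the attack.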

Discourage Brute Force Password Attacks with Captcha

Sitefinity comes included with RadControls for ASP.NET AJAX.  Included in this suite of controls is a Captcha control.  This control can be added to Sitefinity’s login to prevent bots from auto-submitting the login form.  Captcha discourages attackers from using automated brute force or dictionary attacks to discover the admin password.  Bypassing Captcha requires human intervention or a more sophisticated automated tool.

To enable RadCaptcha, insert the following code near the top of the ~/Sitefinity/Login.aspx page:

<%@ Register Assembly="Telerik.Web.UI" Namespace="Telerik.Web.UI"  TagPrefix="telerik" %>

Then add the RadCaptcha control to the Login control’s LayoutTemplate (just after the RememberMe checkbox):

<%-- any unique control ID will do --%>
<telerik:RadCaptcha ID="RadCaptcha1"
        ErrorMessage="Invalid Captcha"
        runat="server" />

Each login to Sitefinity will now also require Captcha.

Adding Captcha to Sitefinity's Login Screen

If needed, the Background Noise, Text Warp and Line Noise levels can be set to High.  These settings will make it even harder for computers to read this text.  However, it will also make it harder for your users to read this text.  RadCaptcha has a lot of interesting properties; feel free to experiment.

This tip is courtesy of our friends at Mallsoft. 

Disable the Admin User

By default Sitefinity’s administrative user is named admin.  Using Sitefinity’s Administrative UI a new administrative user can be created and the old admin user deleted.  This makes it harder to guess the administrative user login.

Renaming Sitefinity's Admin Account

1.  Create a new administrative user and make this user a member of the administrators role. 

2.  Log out and then login using this new administrative user. 

3.  Test thoroughly before removing the original admin user!

4.  Before the old admin user can be deleted, this account must be removed from the administrators role. 

5.  After this role has been removed the original admin user can be deleted.

Limit access to Sitefinity’s Administrative UI

Access to Sitefinity’s Administrative UI can also be limited using a custom HttpModule (as detailed here).  HttpModules can filter incoming HTTP requests before content is served.  Incoming content requests can be rejected or redirected based on custom parameters (for example, the user’s IP address).

The following example limits access to Sitefinity’s Administrative UI to a specific block of IP addresses.


using System;
using System.Web;

public class AdminIpFilter : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += new EventHandler(context_BeginRequest);
    }

    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext current = HttpContext.Current;

        // Application-relative path of the request, lower-cased so "~/Sitefinity" and "~/sitefinity" compare equal
        string filePath = current.Request.AppRelativeCurrentExecutionFilePath.ToLower();

        if (filePath.StartsWith("~/sitefinity"))
        {
            // REMOTE_ADDR is the TCP peer; behind a proxy or load balancer it is the proxy's address, not the user's
            string userIp = current.Request.ServerVariables["REMOTE_ADDR"];

            if (userIp.StartsWith("127.0.0") == false)
            {
                // Reject admin requests from any other address with 403 Forbidden
                current.Response.StatusCode = 403;
                current.Response.End();
            }
        }
    }
}

This custom HttpModule is registered in the <httpModules> section of the ~/web.config file:

  <add name="AdminIpFilter" type="AdminIpFilter, App_Code"/>
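The module above compares REMOTE_ADDR against a string prefix. As an added example (not the article’s code and not part of Sitefinity), the Python below makes the same decision against parsed network blocks so it can be tried on sample requests without IIS; it generalises the check to CIDR ranges, fails closed on a malformed address, and shows how a reverse proxy in front of the web server changes what REMOTE_ADDR means. The allow-list, the proxy address and the request samples are constructed for the example.

```python
import ipaddress

# Constructed allow-list: the loopback block the article's module accepts plus an
# office range (192.0.2.0/24 is a documentation range standing in for a real one).
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed: the address of a reverse proxy or load balancer we operate ourselves.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.10/32")]

ADMIN_PATH_PREFIX = "~/sitefinity"   # application-relative prefix the article filters on


def is_admin_request(app_relative_path):
    """Case-insensitive prefix match on the application-relative path, like the
    article's module.  Everything under ~/Sitefinity is treated as administrative."""
    return app_relative_path.lower().startswith(ADMIN_PATH_PREFIX)


def address_in(remote_addr, networks):
    """True if remote_addr parses as an IP address inside one of the networks.
    A malformed or empty value fails closed instead of raising."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def effective_client_address(remote_addr, x_forwarded_for=None):
    """REMOTE_ADDR is the TCP peer.  Only when that peer is one of our own
    proxies may X-Forwarded-For be believed, and then only the right-most
    entry, which is the one the trusted proxy itself appended.  From any other
    peer the header is client-controlled and ignored."""
    if x_forwarded_for and address_in(remote_addr, TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def decide(app_relative_path, remote_addr, x_forwarded_for=None):
    """Return the HTTP status the filter would produce: 403 for an admin
    request from outside the allow-list, 200 for everything else."""
    if not is_admin_request(app_relative_path):
        return 200
    client = effective_client_address(remote_addr, x_forwarded_for)
    return 200 if address_in(client, ADMIN_ALLOWED_NETWORKS) else 403


def prefix_vs_network(addr, prefix="10.1", network="10.1.0.0/16"):
    """Why the address is parsed rather than string-matched: a textual prefix
    such as "10.1" also matches 10.10.x.x and 10.100.x.x, which a CIDR test
    correctly excludes.  Returns (prefix_match, network_match)."""
    return addr.startswith(prefix), ipaddress.ip_address(addr) in ipaddress.ip_network(network)


# Constructed request samples as IIS would present them:
# (application-relative path, REMOTE_ADDR, X-Forwarded-For or None)
SAMPLE_REQUESTS = [
    ("~/Default.aspx",          "203.0.113.7",   None),          # public page, anyone may read it
    ("~/Sitefinity/Login.aspx", "127.0.0.1",     None),          # admin login from loopback
    ("~/Sitefinity/Login.aspx", "192.0.2.44",    None),          # admin login from the office range
    ("~/SITEFINITY/Admin/",     "203.0.113.7",   None),          # admin path from the internet, odd casing
    ("~/sitefinity/Login.aspx", "127.0.0.1.x",   None),          # garbage address: fail closed
    ("~/sitefinity/Login.aspx", "198.51.100.10", "192.0.2.44"),  # office user via our own proxy
    ("~/sitefinity/Login.aspx", "203.0.113.7",   "192.0.2.44"),  # forged header from an untrusted peer
]


def evaluate_samples():
    """Run the filter over the constructed requests and return the status codes."""
    return [decide(path, addr, xff) for path, addr, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, status in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(status, request)
```

The two proxy samples are the point practitioners most often miss: once a load balancer sits in front of IIS, every request arrives from the balancer’s address, so a REMOTE_ADDR allow-list either blocks everyone or, if the balancer is added to the list, admits everyone. Trusting X-Forwarded-For only from a known proxy address restores the original check without letting an outside client forge its way in.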

Track Administrative Accesses Using Google Analytics

There is a Sitefinity KB article that describes how to add Google Analytics to a Sitefinity web site.  This article describes how to add Google Analytics to public Sitefinity pages (not Admin pages).  Thankfully, the same technique works for Backend Admin pages.

To add tracking to Sitefinity’s Administrative UI, the Google Analytics tracking code needs to be added to the Master Page Template used by Sitefinity’s Admin Pages: 


In addition, the Google Analytics tracking code also needs to be added to the Login Page:


Below is a sample Google Analytics tracking code.   Each web site will have its own unique tracking code.

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-99992654-1");
pageTracker._trackPageview();
} catch(err) {}</script>

Change Sitefinity’s Administrative Login URL

Sitefinity’s administrative login can be guessed because all Sitefinity web sites use the very same login URL.  The login URL can be changed by renaming Sitefinity’s Login page:

  1. Rename ~/Sitefinity/Login.aspx to ~/Sitefinity/ObscureLogin.aspx
  2. Rename ~/Sitefinity/Login.aspx.cs to ~/Sitefinity/ObscureLogin.aspx.cs
  3. Rename ~/Sitefinity/App_LocalResources/Login.aspx.resx to ~/Sitefinity/App_LocalResources/ObscureLogin.aspx.resx

Sitefinity’s Administrative UI can now only be accessed using a special login URL:


Any other URL will attempt to redirect to ~/Login.aspx (which no longer exists) and will throw a 404 error.  The user will need to know the login URL before they gain access to Sitefinity’s Admin UI. 

This technique is known as security through obscurity; it certainly isn’t bullet-proof but might serve as a first line of defense.


In most cases Sitefinity’s default settings coupled with a good password will be enough to discourage most attackers.  However, if this does not provide sufficient protection the techniques described above will install several additional hurdles:

  1. The admin URL is not easily guessable
  2. The admin username is not easily guessable
  3. The admin password is not easily guessable
  4. Accounts with too many failed password attempts are temporarily locked out
  5. Captcha discourages automated scripts from submitting the login form
  6. Only specific IP addresses can access the admin pages
  7. Admin access can be monitored with Google Analytics

If you’ve discovered additional tips or tricks please post a comment below.


Leave a comment
  1. Josh Mar 04, 2010
    good stuff as usual gabe, will definitely be implementing some of these recommendations on our sites that need external access to our admin panel...

    one thing I didn't see mentioned is locking down the admin section by IP. if your network assigns static IPs to internal machines, and only in-network machines will use the admin section, you can restrict access only to specific IPs via the IIS management tool. Just restrict the /sitefinity/admin folder and the /sitefinity/login.aspx page

    we do that for our websites, so only internal users can access the admin section. if you try to access it externally you get locked out.
  2. David Mar 05, 2010
    If you are using Sitefinity Admin section for controlling membership to a section on the frontside, how do you go about limiting public roles from seeing the sitefinity backend?

    I have noticed during development a user who should have access to the certain section of the website can also see the Sitefinity Dashboard?

  3. Jon Mar 16, 2010
    I attempted to implement the RadCaptcha item you listed and I'm getting an error:

    "The control with ID '' requires a ScriptManager on the page. The ScriptManager must appear before any controls that need it"

    Anyone else seeing this?
  4. Kevin Mar 25, 2010
    Great post! Many good ideas.

    We currently lock down the admin section by IP directly in IIS. We disallow all traffic on the Sitefinity/Admin folder and Sitefinity/Login.aspx page. We then allow access to a single IP - our public facing IP at our office. All staff can then access the site as needed. Anyone else gets a 403 error directly from the web server itself.
  5. Samson Sep 28, 2010

    I can't find a way to force a user to change their password upon first login.

    Also it would be ideal if users were required (forced) to change their password every 30 days or so.

    Is there a way to do this in Sitefinity 3.7?
  6. Devin Jul 19, 2011
    Hi Gabe,
    Are you planning a similar post for Sitefinity 4?

  7. ersin Apr 10, 2012

    Change Sitefinity’s Administrative Login URL

    When you try to do this, you also have to change the ObscureLogin.aspx file content like this:
    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="ObscureLogin.aspx.cs" Inherits="Admin_Login" Theme="" %>
    And also you probably need to change web.config like this:
    <authentication mode="Forms">
      <forms name=".ASPNET" loginUrl="~/sitefinity/ObscureLogin.aspx" protection="All" timeout="1440" path="/"/>
    </authentication>

  8. ersin Apr 10, 2012

    Change Sitefinity’s Administrative Login URL
    And when you click log-out, to go back to the proper url, you have to change admin.master.cs like this:

        protected void logoutButton_Click(object sender, System.EventArgs e)
        {
            FormsAuthentication.SignOut();
            // Send the user to the renamed login page instead of the old ~/Sitefinity/Login.aspx
            Response.Redirect("~/Sitefinity/ObscureLogin.aspx");
        }

  9. Nic Apr 23, 2012

    Is it possible to use the Captcha steps for version 4? I'm not having luck finding any information on how to achieve that...I'm wondering why it's there in v3 but not in 4? Any help would greatly be appreciated. Thanks!

  10. Mike Feb 07, 2013

    Your link gives a 404 error:  http://www.sitefinity.com/support/forums/sitefinity-3-x/security/securing-the-administrator-module.aspx

    This is under the section:

    "Limit access to Sitefinity’s Administrative UI"

    Below that, there's a hot link showing "(as detailed here)".  That link points to the invalid URL above.

  11. Muhammad Umer Apr 29, 2015

    Hi Guys, 

    Is it possible to implement the Captcha into the sitefinity login? I am using version 6 and not having any success finding information on how to do it. I wonder whether the captcha implementation is possible in v3 but not in 4, 5 or 6?
    Any assistance would greatly be appreciated. Thanks!
