Design and development techniques for everything web

securing wordpress, umbraco, drupal

Increase CMS security with URL rewrites & other methods


Hacking can be highly lucrative; in 2014 some of the worlds top websites and web-based services were hacked in order to steal data, make sites unusable or to prove a security flaw. However, hackers are also targeting small to mid sized websites for different purposes, such as link backs in order to improve their presence on search engines and spam.

If your business website is built using WordPress, Drupal, Umbraco or other content management systems then in most cases you’ll be using a standard login URL such as (WordPress login) or (Umbraco login).

Having a standard login URL means that your website is more vulnerable to attacks. This is because by using sophisticated attack methods, hackers are able to target specific content management systems and use their standard login procedures to attempt brute force attacks, dictionary attack, and other forms of hacking.

Brute force attacks are still very popular because people are still using weak passwords and usernames on their site. Brute force simply tries to guess what your password and username is by trying several thousand, millions or in extreme cases billions of username and password guesses per second in an attempt to guess the right combination and gain access.

Dictionary attacks are another popular method of hacking. While brute force attacks use random methods to generate usernames and password combination, dictionary attacks use specific sets of words chosen by the hacker or derived from a downloaded database.

A complex password containing 10+ characters with a combination of alphabets, numbers and symbols is considered to be a secure password today for many systems, you can check your password strength against a brute force attack using the Open Security Research calculator.

Nonetheless, when a website has a number of users it could be difficult to monitor and make sure that every user is using highly secure login credentials, and so we can attempt to improve the security of our CMS and reduce the risk of an attack by making it more difficult for the hacker to locate a login portal using URL rewrites.

URL rewrites

A URL rewrite will allow us to change the standard login URL to something more secure. However, it’s not always easy or possible to change the login path for a CMS.

Umbraco for example uses the /Umbraco path for other functions, changing the Umbraco login path can be very tricky and will require professional knowhow, changing the login path incorrectly may render the website useless.

On the other hand WordPress welcomes this process, and there are even plugins available that will not only change the login path, but also minify script and perform other tasks that will enable you to hide the fact that you’re using WordPress, making your website more secure.

Hide My WP is a plugin used to hide much of the WordPress identifiable script, this means that hackers won’t be able to tell if you’re using WordPress or not. The plugin can also disguise your login page, this means hackers searching for sites using standard WordPress login paths such as /wp-admin or /wp-login wont be able to locate your login page.

Similarly Drupal users can download the Login Disable module. This module will prevent users from logging in to your Drupal sites unless they know a secret key to add to the end of the login pages URL.

Other methods

Not every CMS has easy to use modules or plugins, as mentioned above Umbraco requires and experienced .net developer to perform similar tasks that plugin provide for other content management systems.

However, we can enforce different methods of security to an Umbraco site such as IP restrictions, making sure that password lengths and usernames are difficult to guess and SSL.

IP restrictions

IP restrictions allow you to allow access to the login page to one specific IP and block access to any other IP attempting to access the page. This method has positives and negatives. The positive is that your login will be highly secure restricting all access to the one specific chosen IP. The negatives are that you will require a purchase of static IP and admins will have restricted access.

A static IP is usually provided by your network provider and will require a monthly fee. Purchasing a static IP means that your IP will not change and so Umbraco may use it to allow access when required. A non-static IP however may change overtime and so you will lose access to your site. Another negative to the IP restriction method is that administrators won’t be able to gain access to the site on the go through mobile devices or any other device not connected to the network with the static IP.

Follow the method below to configure your admin access to use a specific IP.

  1. Make sure that URL Rewrite module is installed on the server.
  2. Create a page called “restricted_access” in Content section of Umbraco.
  3. If your server is behind the load balancer make sure you use {HTTP_X_FORWARDED} as an input otherwise just use {REMOTE_ADDR}
  4. Finally add the following snippet into the web.config in  <system.webServer> section.

If your IP address is then the code will look like below:



SSL certifications will protect users from man in the middle attacks when users visit your website via a public network. You can gain an SSL certificate by visiting your domain provider and purchasing SSL. Umbraco sites will require server configurations in order to work.

Top tips

  • If you’re using a CMS that makes use of plugins or modules make sure to explore security add-ons.
  • Use a password that contains 10+ characters with a mixture of letters, numbers and symbols
  • Make sure your username is difficult to guess
  • Login pages are an easy target; hide them using the methods mentioned above to make it more difficult for hackers to gain access.


London Umbraco developers / London web designers

Jade Masri

Leave a Reply

Translate »