Checklist of things to validate to make Sitecore instances more secure
- Do you use the latest version of Sitecore?
- Have you installed all available service packs (and cumulative hotfixes) for your Sitecore version?
- Are all available operating system and platform updates installed on the servers you use?
- Have you deleted the default admin user and created at least one new administrator account with a secure password?
- Have you changed the membership provider configuration to force users to use stronger passwords? The default settings (minimum length 1, no required non-alphanumeric characters) are not secure enough.
- Are you sure that your Content Management servers are not visible or accessible to people outside your network/company?
- Do you use HTTPS to secure communication with your Content Delivery and Content Management servers?
- Have you encrypted the connectionStrings section in your config files?
- Are you registered on the "security notification" mailing list? Registration
- Have you properly restricted access to the App_Config, Sitecore and Admin directories on your servers?
- Have you changed the hash algorithm for passwords stored in Sitecore from the default SHA1 to SHA512? Note that existing password hashes will no longer validate after the change, so plan for all users to reset their passwords.
- Are you sure that you have disabled (by adding the .disabled extension) all administrative tools on Content Delivery servers (and on Content Management servers if they are exposed to the internet)?
- If you do not use RSS feeds, you should remove the handler responsible for feed generation from the configuration; have you done that?
- If you do not use WebDAV (Web Distributed Authoring and Versioning), you should disable that feature; have you done that?
- Have you changed the permissions of the upload directory so that files cannot be executed there? The web server needs to read and write files in this directory, but script/execute permission should be removed.
- Do you use the Upload Filter tool to filter the extensions of files uploaded by content authors? Upload Filter Tool
- Are you sure that the /data and /indexes directories are stored outside the website directory?
- Have you restricted access to .xml, .xslt and .mrt files?
- Have you disabled access to SQL Server from XSLT ?
- Have you updated the Telerik library and configured it properly (including setting unique Telerik encryption keys)? More about Telerik controls
- Have you removed the phantomJS directory from Content Delivery servers?
- Have you disabled the getScreenshotForUrl pipeline on Content Delivery servers?
- Have you changed Media.RequestProtection.SharedSecret to a random string to protect media requests?
- Have you removed the X-AspNet-Version HTTP header from responses sent by your servers?
- Have you removed the X-Powered-By HTTP header from responses sent by your servers?
- Have you removed the X-AspNetMvc-Version HTTP header from responses sent by your servers?
- Are you sure that all extensions like SPE (Sitecore PowerShell Extensions) or Unicorn are disabled on Content Delivery servers?
- Have you set security rights and roles correctly, so that users can access and change only what was prepared for them?
- Have you prepared and enabled a custom error page that hides the real causes of errors?
- Do you use the client's license file?
- Have you turned off the debug mode of your application?
- Have you set up automatic backups and tested the plan for recovering the environment?
- Are you sure that you know who has administrator status, and that they are the right people?
- ...
- Share other points worth checking with the Sitecore community
To convert this file to PDF, please use the following URL:
To read more about all the points on the list, please check the following websites
If you would like to add anything to this list, please create a pull request or contact me directly. If you are not sure how to format text on this page, please follow the basic writing and formatting syntax page
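Several of the points above (debug mode, custom errors, the X-AspNet-Version and X-Powered-By headers, the password hash algorithm, the membership password policy and encrypted connection strings) can be verified by reading web.config. The script below is an added example written for this page, not code from the checklist or from Sitecore: it audits a constructed web.config against those items and shows the weak defaults next to the hardened values. The sample configs, the connection-string file contents and the password thresholds (`MIN_PASSWORD_LEN`, `MIN_NONALNUM`) are assumptions made for the example.

```python
"""Offline audit of a Sitecore web.config against the checklist items that live
in that file.  Both configs are CONSTRUCTED samples, not copies of a real site;
the password thresholds are this script's own assumptions."""
import xml.etree.ElementTree as ET

MIN_PASSWORD_LEN = 12   # assumption: our own policy, adjust to match yours
MIN_NONALNUM = 1

# One web.config skeleton; the two dicts fill it with the weak defaults and
# with the hardened values the checklist asks for.
TEMPLATE = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configSource="App_Config\\ConnectionStrings.config" />
  <system.web>
    <compilation defaultLanguage="c#" debug="{debug}" />
    <customErrors mode="{errors}" />
    <httpRuntime enableVersionHeader="{version_header}" />
    <membership defaultProvider="sitecore" hashAlgorithmType="{hash_alg}">
      <providers>
        <add name="sql" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="core" applicationName="sitecore"
             minRequiredPasswordLength="{pwd_len}"
             minRequiredNonalphanumericCharacters="{nonalnum}" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders>{headers}</customHeaders></httpProtocol>
  </system.webServer>
</configuration>
"""
WEAK = dict(debug="true", errors="Off", version_header="true", hash_alg="SHA1",
            pwd_len="1", nonalnum="0", headers="")
HARDENED = dict(debug="false", errors="On", version_header="false",
                hash_alg="SHA512", pwd_len="12", nonalnum="1",
                headers='<remove name="X-Powered-By" />')
WEAK_WEB_CONFIG = TEMPLATE.format(**WEAK)
HARDENED_WEB_CONFIG = TEMPLATE.format(**HARDENED)

# App_Config\ConnectionStrings.config before and after
# "aspnet_regiis -pef connectionStrings <site root>" (cipher elements elided).
PLAIN_CONNECTION_STRINGS = """<connectionStrings>
  <add name="core" connectionString="user id=sitecore;password=Example1;Data Source=db;Database=Sitecore_Core" />
</connectionStrings>"""
ENCRYPTED_CONNECTION_STRINGS = """<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" />
</connectionStrings>"""


def _attr(elem, name, default):
    """Attribute value, or the ASP.NET default when the element/attribute is absent."""
    return default if elem is None else elem.get(name, default)


def audit_web_config(web_config_xml, connection_strings_xml=None):
    """Return [(item, advice), ...] for every covered checklist item that fails."""
    root = ET.fromstring(web_config_xml)
    findings = []
    if _attr(root.find("./system.web/compilation"), "debug", "false").lower() == "true":
        findings.append(("debug", 'set <compilation debug="false" />'))
    if _attr(root.find("./system.web/customErrors"), "mode", "RemoteOnly") not in ("On", "RemoteOnly"):
        findings.append(("customErrors", "mode=Off shows raw error details to visitors"))
    # ASP.NET adds X-AspNet-Version unless the header is switched off here.
    if _attr(root.find("./system.web/httpRuntime"), "enableVersionHeader", "true").lower() != "false":
        findings.append(("X-AspNet-Version", 'set <httpRuntime enableVersionHeader="false" />'))
    if _attr(root.find("./system.web/membership"), "hashAlgorithmType", "SHA1").upper() != "SHA512":
        findings.append(("hashAlgorithmType", "change membership hashAlgorithmType from SHA1 to SHA512"))
    for prov in root.findall("./system.web/membership/providers/add"):
        length = int(prov.get("minRequiredPasswordLength", "7"))
        special = int(prov.get("minRequiredNonalphanumericCharacters", "1"))
        if length < MIN_PASSWORD_LEN or special < MIN_NONALNUM:
            findings.append(("password-policy", f"provider {prov.get('name')}: "
                             f"length {length}, non-alphanumeric {special}"))
    # IIS emits X-Powered-By unless it is removed from customHeaders.
    if root.find("./system.webServer/httpProtocol/customHeaders/remove[@name='X-Powered-By']") is None:
        findings.append(("X-Powered-By", 'add <remove name="X-Powered-By" /> under customHeaders'))
    cs = root.find("./connectionStrings")
    if cs is not None and cs.get("configSource"):
        # Sitecore keeps the strings in a separate file; the encryption marker
        # (configProtectionProvider) ends up in that file, so inspect it instead.
        cs = ET.fromstring(connection_strings_xml) if connection_strings_xml else None
    if cs is None or not cs.get("configProtectionProvider"):
        findings.append(("connectionStrings", "not encrypted, or the configSource file was not supplied"))
    return findings


if __name__ == "__main__":
    for label, cfg, cs in (("weak", WEAK_WEB_CONFIG, PLAIN_CONNECTION_STRINGS),
                           ("hardened", HARDENED_WEB_CONFIG, ENCRYPTED_CONNECTION_STRINGS)):
        found = audit_web_config(cfg, cs)
        print(f"{label}: {len(found)} finding(s)")
        for item, advice in found:
            print(f"  {item}: {advice}")
```

The weak sample produces one finding per item; the hardened sample produces none. Items that do not live in web.config are deliberately out of scope: the X-AspNetMvc-Version header is switched off in code (`MvcHandler.DisableMvcResponseHeader = true` in Application_Start), and the .disabled admin pages, WebDAV, folder permissions and Media.RequestProtection.SharedSecret must be checked on the file system and in the Sitecore include configs.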