Latest from the umbraco blog RSS Feed for the Umbraco Blog



Tuesday, October 25, 2016 by vera

Security has been a hot topic the past month with Morten Von Seelen of Deloitte presenting at the Umbraco DK Festival and just recently, well-known Australian security expert, Troy Hunt ran a two-day security workshop in Copenhagen. We sent three of the HQ developers to join Troy and learn all about securing your websites, through the art of hacking yourself. We’ll let Mikkel tell you what it was like to be a hacker for two days, and how we can apply Troy’s lessons to Umbraco, for the better health and security of your web projects. Mikkel will also give you some tips on securing your site!

The workshop was structured so that, in order to learn security, the attendees had to act like hackers. That way we could see exactly how a site could be exploited, and how that could be prevented. The workshop was a great mixture of hands-on exercises and real-world examples of where the very things we had just hacked ourselves had been exploited.

Over the two days we covered subjects such as Cross-Site Scripting (XSS), SQL injection, HTTPS, brute force attacks and Content Security Policy (CSP). For each of these, the workshop didn't just teach us the exploitation methods but, perhaps more importantly, the prevention methods that stop these attacks from happening in the first place.

One of the main takeaways was that when developing a new site, security is often the last thing you think about. At that point both the budget and the time for the project are usually spent, leaving security behind. Security therefore needs to be built into the development process early on.

Keeping Umbraco Secure

Keeping Umbraco secure is one of our top priorities as we want you to be confident in all our systems, services and products. One of the things we do to ensure this is to have a third party security firm do penetration tests on a regular basis. These are tests where the firm acts like a hacker, and tries every possible way to break into the systems. If a security hole is reported we make sure to fix it straight away.

At Umbraco HQ we have most of this covered, and we are trying to encourage developers to also keep their code up to date. One of the ways we do this is through the Health Check dashboard in the backoffice. With the Health Check feature you can check whether the current site is configured properly. Among these checks are ensuring it runs over HTTPS, and whether it is sending too many headers with each response.

We have added the new Health Check dashboard to give you a better overview of the security needs of your site. Most of the security fixes can be handled with a single click - if not, there’ll be a guide to help you. Security is important, so we want to make it as hassle-free for developers as possible. We will be extending the security checks on the dashboard in the coming versions, and pull requests are already rolling in for new Health Check options.

It is important for Umbraco HQ to keep our developers at the cutting edge of security, and attending workshops like these helps further our education, and improve the products we make, ensuring they are up-to-date on the latest security requirements. For more information about how we handle security in Umbraco, check

Security tips for you


Throughout the workshop, a lot of time was spent talking about passwords and how to manage them. Everyone needs passwords in their daily life. When you, as a developer, create a site where the user needs to create a login, you take on the responsibility of storing their credentials. Indirectly, however, you also take on the responsibility for the credentials of all their other accounts, be it banking, social media, shopping etc. The reason is that most people tend to reuse the same password across all of the services they sign up for. This is a huge responsibility that you need to be aware of as a developer.
From a developer's point of view, you should therefore weigh whether it is worth the risk, and if you do decide to store passwords, you need to do it as securely as possible.
For the end user, the lesson is that you really need different passwords for all the places you have logins. This is easily managed with a password manager such as 1Password or LastPass, which generates unique passwords that only the program knows.


This part will be a bit technical. When implementing password storage in your systems there are multiple ways of doing so. At the workshop we looked at different ways and at how difficult it would be to recover the original password from what is stored. The idea is never to store the password itself, but instead to store a hash of the password. This takes away some of the risk: only the user knows the full password, and the system only knows a hash. An example would be the password kitten2016, which hashes to “$2a$06$QWZybVPc7nIfhkngieOTBeQ1P9bU1clokxMSNudQyuApkNLjFos5W”.
Hashing a password is done by applying a hashing algorithm to it. For this purpose we have previously relied on SHA-1 with a salt. During the workshop we were shown just how vulnerable that algorithm is - it was even called useless. Instead, a more modern algorithm like bcrypt or PBKDF2 is a requirement.
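As an added illustration (not code from the post or from Umbraco), the contrast the workshop drew between salted SHA-1 and a slow, iterated scheme, here PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt needs a third-party package (the `$2a$06$` prefix on the hash above marks it as bcrypt with cost factor 6). The iteration count, the `algorithm$iterations$salt$hash` record format and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_sha1_salted(password: str, salt: bytes = b"") -> str:
    """Legacy scheme: one SHA-1 round over salt + password. The salt defeats
    precomputed tables, but a single round is so cheap that offline guessing
    stays fast."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_pbkdf2(password: str, iterations: int = ITERATIONS) -> str:
    """Stored as algorithm$iterations$salt$hash so the parameters travel
    with the record and can be raised later without breaking old ones."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True for a legacy SHA-1 record or a PBKDF2 record below the current
    work factor. Call this after a successful login and re-hash the password
    the user just proved, migrating the user base one login at a time."""
    parts = stored.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations


def guesses_per_second(hash_fn, sample: int = 100) -> float:
    """Rough throughput: how many candidate passwords one core can hash per
    second. The ratio between the two schemes is the attacker's cost increase."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"kitten{i}")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_pbkdf2("kitten2016")
    print(record)
    print("correct password accepted:", verify_pbkdf2("kitten2016", record))
    print("wrong password rejected:", not verify_pbkdf2("kitten2017", record))
    print("old SHA-1 record flagged for rehash:", needs_rehash(hash_sha1_salted("kitten2016")))
    print(f"salted SHA-1 guesses/s: {guesses_per_second(hash_sha1_salted):,.0f}")
    print(f"PBKDF2 guesses/s:       {guesses_per_second(hash_pbkdf2, sample=5):,.0f}")
```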

Enumeration attacks

An enumeration attack occurs when the response messages shown while registering a user, retrieving a password or the like let the hacker figure out whether an account exists or not. This is especially important for sites where you might not want other people to know that you have an account, like a dating site for adultery (think Ashley Madison).
Many sites implement the “reset password” page in a way that makes enumeration possible. The page has an input field where the user can enter their email, and if the email exists, the page writes something like: “Instructions for resetting your password have been sent to your email”. Likewise, if the email doesn’t exist, it lets the user know, e.g.: “The email wasn’t found in our systems”. That last message is the problem, as the hacker (or wife ;) ) now knows whether that email has an account on the system or not. Based on this information the hacker can start entering all known emails in order to gain insight into the site’s user base.
The fix for this issue is to show the same feedback message to the user whether the email exists or not. That message then won’t reveal anything to a potential hacker.
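The reset-page fix described above, as an added example that is not part of the original post or of Umbraco: the leaky handler beside the hardened one, plus the check a test suite can run to confirm the two responses are identical. The user store, mail queue, message texts and addresses are constructed for the example.

```python
from collections import deque
from typing import Tuple

# Constructed user store and mail queue; a real site would back these with
# its membership database and a background mail worker.
USERS = {"alice@example.com", "bob@example.com"}
MAIL_QUEUE: deque = deque()

GENERIC_MESSAGE = ("If an account exists for that address, instructions for "
                   "resetting your password have been sent to it.")


def reset_password_leaky(email: str) -> Tuple[int, str]:
    """The pattern described in the post: the body differs depending on
    whether the address is registered, so each submission is a yes/no oracle."""
    if email in USERS:
        MAIL_QUEUE.append(("reset", email))
        return 200, "Instructions for resetting your password have been sent to your email."
    return 200, "The email wasn't found in our systems."


def reset_password_safe(email: str) -> Tuple[int, str]:
    """Same status and body for every input. Whether mail actually goes out is
    decided here but acted on by the worker, so the response reveals nothing.
    Rate limiting the endpoint still belongs alongside this (not shown)."""
    normalised = email.strip().lower()
    if normalised in USERS:
        MAIL_QUEUE.append(("reset", normalised))
    return 200, GENERIC_MESSAGE


def responses_are_indistinguishable(handler, known: str, unknown: str) -> bool:
    """Regression check for a test suite: status and body must match for a
    registered and an unregistered address. A 404 for unknown addresses
    would fail this just as a different message does."""
    return handler(known) == handler(unknown)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_password_leaky), ("safe", reset_password_safe)):
        same = responses_are_indistinguishable(handler, "alice@example.com", "nobody@example.com")
        print(f"{name:5s} handler indistinguishable: {same}")
    print("queued mail:", list(MAIL_QUEUE))
```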

As you can see, we really came away with a lot of interesting input from this two-day course with Troy Hunt. Some of the things were even quite easy to implement once we got back to the office, which makes the takeaway even more satisfying. I hope that this blog post will inspire you to focus more on security on your website - perhaps you’ll even handle the security holes I mention above straight away ;)

Take care and stay safe

- Mikkel Holck Madsen



Thursday, October 20, 2016 by vera

Welcome to the second of Jim's Tips and Tricks. This tip might save you 40€! Let me ask you this: do you know how the licenses for Umbraco Forms (formerly known as Contour) and Umbraco Courier work? And do you know how to add additional domains? Not 100% sure? Allow me to explain...

In order for you to use Umbraco Forms or Courier with a live domain, you need to buy a license. To get a license you must purchase it directly from the website; here for Forms and here for Courier

When the license order has been processed, the license file will be available for configuring and downloading from your personal account on You’ll find it by logging in and clicking here:

Each license file consists of one live domain and two development domains. An important thing to mention is that you can add additional domains to any license file simply by purchasing them from the webshop right here for Forms and here for Courier

Make sure that you do not mistake a full license for an additional domain!

Otherwise you might end up wasting 40€. How? Well, Umbraco Forms and Courier licenses are both priced at 99€ each. An additional domain for Forms is 59€ (thus, 40€ less than the Forms license itself) and an additional domain for Courier is 99€. These are all one time flat fees.

But note, before being able to add an additional domain you have to have the license first. Makes sense since it’s additional, right? But right now we know it’s not quite that easy and we’re sorry about that (a solution is coming, see below!). In our webshop, currently a license is not called a license, and it’s the same story for the additional domain. As you may have noticed, the different licenses in our webshop are called “Umbraco Forms (Contour)” and “Umbraco Courier 2 Express”/“Umbraco Courier 2” and the additional domains are called: “Umbraco Forms/Contour Domain” and “Umbraco Courier Domain”. We know this might be a bit unclear, and we are working on making it more logical by simply adding the words “additional” and “license” where appropriate. But until then, I hope this blog post has made it a bit clearer for you.


If you have any questions or need help to either configure or reconfigure an existing license, please feel free to contact me or any of my awesome colleagues. That’s it from me this time. In two weeks’ time I’ll reveal another handy Umbraco tip, so stay tuned!

Smooth sailing!

-Jim :) … oh wait, did you miss “Jim's Tips and Tricks, no. 1” ? No worries, you can read it right here.

Friday, October 14, 2016 by vera

October 2016: A routine security audit conducted by Umbraco’s third party security analyst, Dionach, has identified a vulnerability in our add-on product Umbraco Forms. This issue has been immediately patched and the latest version of Forms is available for download today. If you do not currently use Umbraco Forms to accept form submissions, then your site is not at risk. If you are running Umbraco as a Service (Umbraco Cloud), you will have been patched automatically and no update is required. We recommend that you update all installations running Umbraco Forms. Please note, this affects all versions of Umbraco Forms but does not affect Contour.

Issue details

Under certain circumstances the issue could allow people logged into the Umbraco Back Office to view unauthorised files by guessing file paths and filenames.


We estimate that for the majority of sites, the likelihood of the issue being exploited is low because users need to have authorised access to the Umbraco Back Office. With properly configured servers and the correct file permissions applied, gaining access to files outside of the website root is unlikely.

How to update Umbraco Forms

You can update your installation in a number of ways, such as an Umbraco package install, a NuGet package or a manual zip file, as the fix is found in the DLLs.

Depending on your currently installed version of Forms (4.1.5, 4.2.1 or 4.3.2), there is an associated patch release version as follows:

4.1.5 → 4.1.6

4.2.1 → 4.2.2

4.3.2 → 4.3.3

If you plan to accept form submissions through Umbraco Forms in the future, then be sure to upgrade Umbraco Forms to at least version 4.3.3.

Umbraco’s third party security analyst, Dionach, will be releasing a public security bulletin on this discovery in 2 weeks time.

We apologise for any inconvenience, and if you have any follow-up questions, please let us know by sending us a support request through your profile page.


Friday, October 14, 2016 by vera

Two weeks ago we attended the Umbraco DK Festival in Aarhus, hosted by the awesome people at Kraftvaerk. We thoroughly enjoyed the day, but then again, we’re a bit biased ;) Let's hear what other attendees thought of the day, who their favourite speakers were, and what they thought about the new set-up consisting of two separate speaker tracks: Tech Track and Business Track

First and foremost, we’re handing the mic over to the COO at Kraftvaerk’s Aarhus division, Christian Holst Færch, to hear his take on the day:

For this year’s Umbraco DK Festival we made a small twist by adding a Business Track - and when you make changes, you are always extra excited to see how it turns out. Luckily, it seems it was a success:

The feedback has been positive, and our experience is that the participants enjoyed themselves, were inspired and found the presentations relevant. Several participants changed between the two tracks, and guests enjoyed talking and networking during the breaks.

The atmosphere was happy and friendly as it is whenever you meet the Umbraco Community. We hoped to attain this feeling even though we moved the festival to a greater venue than previous years.

That said, the Umbraco DK Festival 2016 is the biggest so far, and we learned a lot. Next year we promise chairs for the keynotes and coke for lunch, and we hope that the Danish Umbracians will continue to support the festival!

Insider scoop from two attendees  

René Pjengaard, Tech Lead & Webdeveloper at Tech Track

Rene is a dedicated Umbraco DK Festival visitor, having been to all of them. He’s therefore the perfect man to ask what he thinks of this year’s festival and the new set-up of two speaker tracks:
Unlike the previous Umbraco DK Festivals, this year there’s two tracks which means that the festival has gotten more commercial and it’s therefore not so tech-nerdy, which is really good. There’s been some excellent talks this year - on both tracks. I must admit that even though I was signed up for the Tech Track I did manage to sneak into a few talks on the Business Track. I came away with some really interesting and relevant learnings from both tracks, so that’s really awesome.  

What was your favourite talk of the day?:
I can’t decide on one specific favourite talk, but when it comes to the biggest eye-opener of the day, it was definitely the final key-note by Morten Von Seelen from Deloitte about Security. During his talk he did these live questionnaires with the people in the audience and that was really cool. That really helped support his key-message, being that we all need to prioritise and structure the way we handle security. Everyone in our industry needs to focus a lot more on security, as it’s such an important element in what we do. 
Another great talk was the one by Benjamin Grundgaard from CustomerSense on Mobile Conversion Optimisation. It was really interesting to see how you can improve sale on mobile devices just by implementing a few simple functions.

Anything from today you’ll implement when you get back to the office?
“Yes definitely, especially regarding security. We need to be more aware of this and work with it more efficiently. I also found it very interesting to discuss the implementation of Umbraco as a Service together with people from similar businesses as ours. We’re not 100% sure on how to implement UaaS into our business, but it’s definitely something I’ll go home and think more about. I’m convinced that it’s only a matter of time before we’ll start using UaaS for our projects - it’s smarter than what we do now, but we still need to figure out how to merge it into our current workflow” 

What did you enjoy the most about the Umbraco DK Festival 2016?
“I’ve met up with people from the Umbraco community, old as well as new ones. It’s a great opportunity to network and because of the new Business Track I’ve also talked to new people, which is really nice. To summarise the day: good specific information and community. And like all Umbraco events; festivals, CodeGarden, Meetups, there’s such a great atmosphere and everybody trusts each other - you can leave your laptop unattended and there’s no need to worry - it’s an incredible place to be.”

Michael Nielsen, Production Manager at Ørskov Web: Business Track  

It was Michael's second time at Umbraco DK festival, and he also had some interesting things to say about the new two-track set-up:
“It’s really great that there are two tracks this time, because most of the things on the Tech Track I’ve already heard about at CodeGarden. That’s why I decided to sign up for the Business Track even though someone with my profile was probably meant for the Tech Track. I’ve definitely found it a good track to follow even though I don’t directly work with business development.”

What was your favourite talk of the day?
“I found all talks on the Business Track both good and relevant. I particularly liked Laura Vilsbaek’s presentation on Design Thinking. Her talk was a bit abstract and completely non-technical, but it made you think of how to structure your project from the beginning by thinking about the customer’s journey on your website and identifying peaks and valleys (highs and lows).
I also really enjoyed Benjamin Grundgaard’s talk about Mobile Conversion Optimisation and Rolf Pedersen’s talk on HotJar. Both of them gave very specific tips and tools which meant that you could go home and implement their advice straight away and they both used really good examples in their presentations.”  

Anything from today you’ll implement when you get back to the office ?
“Yes, I think that the method that Laura talked about is definitely something I want to try and use when we start on a new big project. And the very specific tools and tips that Benjamin and Rolf talked about is something we will go home and implement straight away, absolutely.
In general, with all the talks today, whether being abstract or more practical, they force you to re-think the way you do things and that’s really great. The talk by Morten Von Seelen from Deloitte about Security also made me aware that we need to focus more on security, implement regular security checks and such. And even though all the talks have been very versatile throughout the day, I’ve come away with one main theme to focus on: User Experience”

What did you enjoy the most about the Umbraco DK Festival 2016?
“The new division of tracks, because it’s so relevant. It’s important for developers because it is good to gain an understanding of why you’re told to do a project in a specific way, and likewise, it is nice that our consultants and our bosses get a greater understanding of what we do and what these festivals are all about. To them, Umbraco is all about coding, but with a Business Track like at this festival, it becomes much more. I’ll definitely try to sell the festival a bit better to my business-orientated co-workers next time!
It’s also really great that it’s a one-day festival - it’s easy to make room for in our calendars. It’s a nice break from our everyday routine - sometimes you just need to get away from your desk, get some new input, and sometimes you learn a lot, sometimes not. But at the very least you get inspired and you get to meet interesting people from the industry.”


H5YR! to René, Michael, Christian and the whole Kraftvaerk-gang!

Tuesday, October 11, 2016 by vera

As you might know, Umbraco HQ is growing. Just about three months ago, HQ grew its staff by 30%, and on 1st October 2016 we were happy to welcome yet another new face to Unicorn Square in Odense. Say hello to Martin - our new Online Communications Dragoon, who comes with a ton of useful experience, a positive attitude and a tractor license…

My new job at Umbraco HQ

Hi, I am Martin and I am the new OCD in Umbraco. OCD, or Online Communications Dragoon, is a very suitable title for someone like me, as I have been working with online communications most of my career. I enjoy analysing things and putting them into sensible structure and order. It puts a smile on my face :). And I once went horseback riding for about 20 minutes, so that is where the “Dragoon” part comes in.

What am I hired to do at Umbraco HQ? My first big task is the new site. We want our visitors to have a better experience when visiting our site. That’s why we want to focus a lot more on the site’s general structure, content and design. For our new site, we also want to use this great new hosting service we’ve heard tons of good things about, you know, Umbraco Cloud (or Umbraco as a Service) ;). I can’t wait to get started! 

Let me tell you about myself...

I tend to end up writing a lot once I get started, so instead of describing my life story, here is a list of things I have done that I am proud of:

  • Dismantling and building electronic devices since before I was 10, and getting a ton of low voltage shocks in the process
  • Building websites in Notepad since I was 16
  • Flew a small airplane above Switzerland
  • Drove a large tractor in Jutland
  • Kissed a girl and I liked it
  • Studied psychology and business studies
  • Building a ton of email templates before Litmus and mobile was really a thing
  • Sent very successful email campaigns to more than 300,000 recipients
  • Led a team of content creators from 7 different countries
  • Trained a ton of people in various systems, software and methods
  • Masterminded some huge communications projects in a major Danish SaaS company
  • Cut trees down with an axe
  • Cut trees down with a chainsaw
  • Got my first Umbraco certificate - I'm now an Umbraco Certified Professional!
  • Went Bridge Walking with my new co-workers at Umbraco HQ (see picture below)
  • Met a lot of awesome people and made some fantastic friends along the way

I am passionate about making teams work well together, because one of the things I enjoy the most in life is to solve difficult problems alongside competent and enthusiastic people.

Other than that I love outdoor activities, especially hiking, canoeing and kayaking and fire pit cooking. I am a food and wine lover and Italy is where most of my favorite food and wine is produced. I live on the Manhattan of Copenhagen, Amager though. With a bit of imagination it does actually resemble Italy a little. A colder, darker and less colorful Italy, but it is OK.

I am looking forward to being part of the Umbraco team and community and to hopefully contribute to an already amazing product and company.