Need to report a security vulnerability?

For responsible disclosure you can email us at: We will acknowledge receipt of your vulnerability report and send you regular updates on our progress. If you want, we will publicly acknowledge your responsible disclosure.

You are not allowed to search for vulnerabilities on itself. Umbraco is open source software: you can install a copy yourself and test against that. If you want to perform testing that might break things, please contact us to arrange access to a staging server.

If you want to encrypt your disclosure email please email us to ask for our PGP key.

This page

This page is a work in progress and will be updated regularly when relevant. If anything is missing, let us know at the email address above.
We know that some of the links below should be part of our documentation, but we have put them here for now so that we can at least help you find the information you need.

Umbraco core

We take the following precautions while writing code for Umbraco:

  • Every six months a security firm helps us do a penetration test to make sure we didn't drop the ball
    • Testing focuses on new features, and we also select a few areas for the security firm to probe for possible vulnerabilities
    • We will implement their recommended fixes and share what we have fixed here on this page for you and your clients to consult
    • If there are any critical issues we will blog about them and create patches, as we've done in the past
  • Internal code reviews are done consulting the OWASP site for best practices whenever code affecting security is updated
    • Yes, we use parameterized queries to prevent SQL injection
  • We have several base classes we can inherit from to make sure that code will only be executed if there is a valid logged-in backoffice user
  • When critical security bugs are found we patch all of the versions that we can, even going back to very old versions to help you stay safe
    • Make sure to follow @umbracoproject on Twitter for updates; we promise we won't spam you from that account
    • There are multiple IFTTT recipes available for people not on Twitter to get tweets as emails, RSS feeds, Slack messages etc.
  • Umbraco has dependencies on other software; we keep dependencies updated as much as we can to benefit from any security fixes they might make
  • We do internal training at Umbraco HQ to make sure everybody is up to speed on the latest security developments
  • At Umbraco HQ we follow security experts on Twitter, like Troy Hunt and Scott Helme. We also religiously listen to the Security Now podcast and follow all of Troy Hunt's excellent security courses on Pluralsight.

Backoffice security

  • Since 7.3 we use ASP.Net Identity as the authentication mechanism for backoffice users. This implementation wraps the ASP.Net Membership APIs but can easily be changed to use the native ASP.Net Identity standards and/or be extended to use any custom standard for storing and validating passwords. For the front-end, Umbraco uses the ASP.Net Membership APIs for member security, but ASP.Net Identity can be used with the UmbracoIdentity plugin if required, and again any of this can be extended to suit whatever needs there may be. Passwords are hashed by default with HMAC-SHA256 and a 128-bit salt (unless you have useLegacyEncoding=true, in which case the standard is lower).
    • Umbraco also supports a full OAuth login system, which means that if you want to store credentials in a 3rd party system like Azure Active Directory, Identity Server or any OAuth compliant service, this is certainly possible and you have full control over the OAuth data flow. Of course HTTPS is fully supported and should certainly be used.
    • All of that is available for both front-end membership and backoffice users
  • You can implement any membership / ASP.NET Identity provider you want for both front-end and backoffice if you don't want to rely on our implementation
  • By default 10 incorrect login attempts will lock out a backoffice user to avoid brute force attacks. We currently only support indefinite lockout and do not support a lockout time frame; ASP.Net Identity supports this, so you could extend the current implementation to achieve it. The attempt count is configurable, and you can extend this however you like.
  • Password rules (length, character diversity, etc.) are configurable from the web.config
  • Password expiry and two factor authentication are currently not supported, but could be custom implemented; as an alternative, an OAuth provider could help you support that
  • Password security questions ("what was the name of your first dog?") are not supported and are considered not secure
  • Umbraco 7.5+ will have a password reset option on the login screen
  • By default users are logged out of the backoffice after 20 minutes of inactivity; this can be configured to be shorter or longer
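As an added illustration of the web.config password rules, the failed-attempt lockout count and the unsupported security questions mentioned above, here is a membership provider entry of the shape a Umbraco 7 web.config carries. This is example configuration, not Umbraco's own documentation: the provider name, the type string and every value shown are assumptions chosen for the example; the attribute names are the standard ASP.NET MembershipProvider settings plus Umbraco's own useLegacyEncoding.

```xml
<!-- Added example: a hardened backoffice users provider in web.config.
     Provider name, type string and values are assumptions for illustration;
     the front-end members provider and other entries are omitted. -->
<system.web>
  <membership>
    <providers>
      <!-- passwordFormat="Hashed": store salted hashes, never reversible values.
           useLegacyEncoding="false": keep the HMAC-SHA256 + 128-bit salt scheme;
           "true" downgrades to the older, weaker encoding.
           minRequiredPasswordLength / minRequiredNonalphanumericCharacters:
           the configurable password rules (length, character diversity).
           requiresQuestionAndAnswer="false": security questions are not
           supported and are not considered secure.
           enablePasswordRetrieval="false": hashed passwords cannot be
           handed back to anyone, including administrators.
           maxInvalidPasswordAttempts="10": the lockout threshold described
           above; lower it if your risk appetite demands. -->
      <add name="UsersMembershipProvider"
           type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
           passwordFormat="Hashed"
           useLegacyEncoding="false"
           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="1"
           requiresQuestionAndAnswer="false"
           enablePasswordRetrieval="false"
           maxInvalidPasswordAttempts="10" />
    </providers>
  </membership>
</system.web>
```

When reviewing a site, compare these attributes against the ones actually present in its web.config: a provider with useLegacyEncoding="true", a short minRequiredPasswordLength or a very high maxInvalidPasswordAttempts is the kind of finding a backoffice audit should flag.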

Historical security alerts

We've sent out the following very high priority security alerts in the past:


ClientDependency (a module that ships with Umbraco)

Umbraco Forms (optional plugin for Umbraco)

Protecting your sites

  • It is becoming easier and easier to run your site on HTTPS, even if your hosting provider does not support it, and we strongly recommend doing that. Cloudflare has a free offering that is easy to configure.
  • Upgrading Umbraco is easier than ever before; keep up to date and benefit from all the smaller security fixes we put in all the time
  • You should audit 3rd party plugins you install in Umbraco. Most of them are open source, so they can be inspected
    • We don't know of any malicious plugin that currently exists or has ever existed
  • Any user that can log into the backoffice should not have more privileges than they need, so an editor should not have access to the "developer" and "settings" sections.
  • Make sure that your error handling is not leaking application information: in web.config set compilation debug to false, turn off tracing and turn customErrors on ("RemoteOnly" or "On")
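The error-handling advice in the last bullet, written out as an added web.config example (not configuration taken from the Umbraco project), with the weak value noted beside each hardened one. The targetFramework value and the error page path are assumptions; the elements and attributes themselves are standard ASP.NET system.web settings.

```xml
<!-- Added example: web.config settings that stop error pages and traces
     from leaking application internals. Weak values are shown in the
     comment above each hardened setting. -->
<configuration>
  <system.web>
    <!-- Weak: <compilation debug="true" /> puts stack traces and source line
         numbers into error output. Assumed framework version below. -->
    <compilation debug="false" targetFramework="4.5" />

    <!-- Weak: <trace enabled="true" localOnly="false" /> exposes trace.axd
         (request details, server variables, session data) to remote clients. -->
    <trace enabled="false" />

    <!-- Weak: <customErrors mode="Off" /> sends the full ASP.NET exception page
         to every visitor. RemoteOnly keeps the detailed page for requests from
         localhost only; On hides it everywhere. The redirect target is a
         placeholder path for this example. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />

    <!-- Related hardening: drop the X-AspNet-Version response header and
         keep cookies out of reach of script. -->
    <httpRuntime enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
```

After deploying, verify from an external client that a deliberately triggered error returns the generic page rather than an exception dump, and that trace.axd is not served. On IIS in integrated pipeline mode, the system.webServer httpErrors section also shapes what remote clients see for server errors and deserves the same review.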

Umbraco and FIPS compliance

Umbraco can be set up to be FIPS compliant. Please note, however, that FIPS should only be added for compliance. It is NOT a recommended approach for added security. Read how to set up your Umbraco site to be FIPS compliant.

3rd party auditing

We receive security / penetration test reports every few weeks from web agencies that have had their site tested by various security firms. We always immediately implement recommendations where needed. If you have a 3rd party auditing your Umbraco site then we're happy to hear from you on with any findings so we can fix what's necessary.

We love getting results from penetration tests, but when you do report them please make sure that they are manually tested and verified to be a problem. When you send us a report from an automated tool, the large majority of the results are usually false positives. We are more than happy to fix any real issue discovered as quickly as we can, but we ask you to provide steps to reproduce the issue(s) manually.

Download Security PDF here

Sending us reports


We regularly get reports about security issues in Umbraco and appreciate those very much, we'd like to thank the following people for their amazing efforts in making Umbraco safer:

And thanks to the following people for pointing out configuration errors on some of our own properties:

Note: we include only people in this list who bring us actionable items. Sending us results of automated scans is usually not helpful and won't automatically qualify you for a credit. Additionally, we only credit the first person who points out a problem that we can fix. Subsequent reports of the same issue will not be credited.
