Umbraco

Security

How we keep Umbraco secure

In today’s world, a continuous focus on security is essential. No doubt. That’s why following best practices and performing regular testing are all part of our security operations, ensuring that you can use our products and services with peace of mind.

Security and Open Source

The Umbraco CMS is Open Source, which means that the core code is open and accessible to everyone. This, however, does not mean that everyone is able to alter the code. We, Umbraco HQ, ensure that the core of the CMS, Umbraco Cloud, Forms and Courier stays as bullet-proof as possible - and if a vulnerability is discovered, we make sure to fix the vulnerability automatically (Umbraco Cloud) and provide information about manual fixes in a timely and secure manner.

How to get informed about security advisories

3rd party penetration tests

Apart from doing regular internal testing, we have an external security company doing thorough penetration testing of Umbraco CMS and Umbraco Cloud to detect possible vulnerabilities.

These penetration tests are done twice a year.

The results of the tests are not published online, but we share the confirmation letter as proof. 

Confirmation letter download - for Umbraco 14 STS (CMS & Cloud) 

Confirmation letter download - for Umbraco 13 LTS (CMS)

Confirmation letter download - for Umbraco 13 LTS (Cloud)

Questions regarding this can be forwarded to security@umbraco.com

How to report a vulnerability

If you come across a vulnerability through your internal use and testing of Umbraco, we’d, of course, like to hear about it. In order to take care of the vulnerability in the most responsible manner, we ask you to follow the guidelines for how to report a vulnerability.

Security in Umbraco Cloud and Heartcore

As part of the Umbraco Cloud offering, we've added extra security-related features to your project set-up. Features that, for example, automatically make sure your sites are always running the latest, most secure version of Umbraco.

Added security in Umbraco Cloud

Security tips for you

We have structured ways of testing and keeping the Umbraco foundation secure. Due to the open-source nature of Umbraco, there are also ways for you to ensure that your project is set up in the best way possible security-wise. That’s why we have gathered a number of tips for you on this right here:

How to make your Umbraco set-up more secure

Umbraco Security Features

  • Automated Security updates (Umbraco Cloud) ✔️
  • Automated HTTPS certificate (Umbraco Cloud) ✔️
  • Hashed passwords ✔️
  • Support for HTTPS ✔️
  • Support for OAuth login system ✔️
  • Possible to set up password rules ✔️
  • Possible to implement two-factor authentication ✔️ 
  • Default log-out of backoffice due to inactivity ✔️ 
  • Built-in security Health Checks ✔️