Platform Administration and Architecture

Security guide


Overview of Sitecore security recommendations including updates, disaster recovery and password policy.

Sitecore recommends that you follow all the security hardening instructions described in our documentation. In addition, the way you implement your Sitecore solution has a significant effect on the security of your website and it may require additional security-related coding and configuration.

Refer to the Knowledge Base for security bulletins and security updates. If you would like to receive notifications about new security bulletins, you can subscribe to the Security Bulletins RSS Feed.


Sitecore is not responsible for the security of any other software products that you use with your website. We strongly recommend that you install every available service pack and update for all of the software products that you use.

Updates and disaster recovery

Although Sitecore can run on several different operating systems, we recommend that you use the newest operating systems supported by Sitecore, with the most up-to-date security features. Use the Windows Update/Automatic Updates service to keep all your client computers and servers up to date with the most recent security updates and service packs.

You should also create a disaster recovery plan to ensure the rapid resumption of services should a disaster occur. The recovery program should include:

  • A plan for acquiring new or temporary equipment.

  • A plan for restoring backups.

  • Testing the recovery plan.

Enforce a strong password policy

Sitecore uses the Microsoft ASP.NET Membership Provider as the out-of-the-box user management system. Sitecore recommends that you change the password policy to one that works for your organization.

In the web.config file, in the <membership> section, you can set the following properties:

  • minRequiredPasswordLength

  • minRequiredNonAlphanumericCharacters

  • maxInvalidPasswordAttempts

  • passwordAttemptWindow

  • passwordStrengthRegularExpression

For more information, see:

Protect the connectionStrings section in the web.config file

Sitecore stores sensitive information in the web.config file in the <connectionStrings> section. You should encrypt the <connectionStrings> section to prevent this information from being exposed if the web.config file is accessed without authorization.

The Microsoft ASP.NET IIS Registration Tool (aspnet_regiis.exe) can be used to encrypt this section with the -pe or -pef options.


The Microsoft ASP.NET IIS Registration Tool uses the machine key to perform the encryption and therefore you must separately encrypt the web.config file on each computer that you install Sitecore on.
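The following audit script is an added example, not Sitecore's code. It covers both the password policy section and this section: it reads a web.config, checks each membership provider's policy attributes, and reports whether the <connectionStrings> section is still in clear text. The thresholds in POLICY, the function name audit_web_config and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed thresholds (illustration only): "min" = at least, "max" = at most.
POLICY = {
    "minrequiredpasswordlength": ("min", 12),
    "minrequirednonalphanumericcharacters": ("min", 1),
    "maxinvalidpasswordattempts": ("max", 5),
    "passwordattemptwindow": ("min", 10),
}

# Constructed sample web.config (not taken from a real installation).
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="core" connectionString="user id=example;password=example;Database=Example" />
  </connectionStrings>
  <system.web><membership defaultProvider="sql"><providers>
    <add name="sql" type="System.Web.Security.SqlMembershipProvider"
         minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"
         maxInvalidPasswordAttempts="50" passwordAttemptWindow="10" />
  </providers></membership></system.web>
</configuration>"""

def audit_web_config(xml_text, policy=POLICY):
    """Return findings for the <membership> providers and <connectionStrings>."""
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root.findall("system.web/membership/providers/add"):
        # Compare attribute names case-insensitively so spelling variants still match.
        attrs = {k.lower(): v.strip() for k, v in provider.attrib.items()}
        name = attrs.get("name", "(unnamed)")
        for key, (kind, limit) in policy.items():
            raw = attrs.get(key)
            if raw is None or not raw.isdigit():
                findings.append(f"{name}: {key} missing or not a number")
            elif (int(raw) < limit) if kind == "min" else (int(raw) > limit):
                findings.append(f"{name}: {key}={raw} breaks {kind} {limit}")
        if not attrs.get("passwordstrengthregularexpression"):
            findings.append(f"{name}: passwordstrengthregularexpression not set")
    conn = root.find("connectionStrings")
    if conn is None:
        findings.append("connectionStrings: section not found")
    elif "configSource" in conn.attrib:
        findings.append(f"connectionStrings: external file {conn.get('configSource')}, audit it too")
    elif "configProtectionProvider" not in conn.attrib:
        # aspnet_regiis -pe/-pef adds this attribute when it encrypts the section.
        findings.append("connectionStrings: clear text, not encrypted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_web_config(SAMPLE)))
```

Because the section is encrypted separately on each computer, run the check against the deployed web.config on every server rather than against the copy in source control.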

For more information about ASP.NET IIS Registration Tool, see Microsoft’s documentation: