Sitecore security practices

Security is one of the very important considerations for any website.Today I want to share on how to make sure we keep site’s security in mind while implementing the solution, security is equally important as your build.


Following are few points which contribute in website security:

  • Change the administrator password : 
    • Sitecore recommends that we create a new administrator account, with a unique name, and delete the out-of-the-box administrator account.
    • Before you deploy your Sitecore installation, you must change the administrator password to a strong password.
    • Changing the password prevents unauthorized users from using the default password to access the admin account.
  • Enforce a strong password policy:
    • Sitecore leverages the Microsoft ASP.NET Membership Provider as the out-of-the-box user management system.
    • Sitecore recommends that you change the password policies to one that works for your organization.
  • Separate Content management and Content delivery Servers:
    • We should setup Separate content management and delivery servers, and content management server shouldn’t be internet facing.
    • If you have to expose your content management environment to the internet, you must:
      • Use HTTPS to secure the content management server.
      • Consider using IP Filtering to allow only whitelisted clients to connect to the Content Management environment.
  • Protect the connectionstrings section in the web.config file:
    • Sitecore stores sensitive information in the web.config file in the <connectionStrings> section.
    • You should encrypt the <connectionStrings> section to prevent this information from being exposed if the web.config file is accessed without authorization.
    • The Microsoft ASP.NET IIS Registration Tool (aspnet_regiis.exe) can be used to encrypt this section.
  • Separate Database server:
    • The CMS and database should be in two different servers.
  • Security rights on content item(s):
    • We should make sure that security rights has been configured for users and more specifically on roles, which users will be a part of.
    • Setting security rights on the  roles level helps administrators to change the configuration, if user moves to a different department, which all together has a different role.
  • Anonymous access to /data and /indexes folder:
    • We should make sure that data/indexes folder are not accessible to anonymous users(This prevents unwanted access to files), and it should be outside of website folder.

These are few of the things which we should take care while implementing/deploying Sitecore solution, this helps us in dealing with hacks and security breaches to some extent.


Happy learning 🙂





Sitecore items mass delete through serialization

In one of the Sitecore application i worked, we had to sync large amount of data from XML, XML had several thousands of records, there was also a business rule in place which used to check certain conditions/fields before it can be inserted as item in Sitecore.

We performed several tests in local environment, before that utility can be executed in QA and other high end environment, but in this process, we have to go back and delete all existing imported items several times.

This was a time consuming process, as deleting several thousand items in Sitecore, can make your Sitecore instance slow, so, we used Sitecore Serialization to delete the items in bulk.


The Sitecore serialization functionality is designed to help teams of developers that
work on the same Sitecore solution to synchronize database changes between their
individual development environments, but is also valuable when a single developer
works on a solution.

Serialization allows you to serialize an entire Sitecore database or a series of items in
a database to text files. You can then use these text files to transfer this database or
series of items to another database or Sitecore solution.

This is particularly helpful when we use Sitecore Item buckets to structure all our content items.

Serialization option can be enabled from “Developer” ribbon.


In this example, I have created a folder called “Generic Items” and added few items under it.


Follow the following steps to bulk delete the items:

  • Select the folder whose child items you want to delete, in this case, it’s “Generic Items” folder.
  • In next step, from “Developer” ribbon, click on “Serialize tree” link, this will serialize selected item and child items.
  • Serialization process will start and, it will create .item file for Generic Items folder and all child items under it.
  • Sitecore will store the .item files in data\serialization folder- in my case it’s Data\serialization\master\sitecore\content\Helix\Home\Test Eventsserialize-s2
  • Let’s assume we want to delete all items of “Generic Items” folder, delete the .item files from file system.
  • Once .items files are deleted, go back to Sitecore and from Developer ribbon click on “Revert tree” link.
  • Sitecore will start synching your items back from file system.Serialization-Sync
  • Once the process end, refresh your “Generic Items” folder, and you won’t find any child items there.
  • Sitecore serialization can delete several thousand of items in just few mins, which is way faster then manually deleting the items, which affects performance as well.

This can reduce your development and testing time, when working with large amount of data.

Please let me know if you have any questions, or want to share thoughts around this.

Happy learning 🙂


fixing end of string expected at position error in Sitecore

Recently while verifying some of the components in Experience Editor, I observed that while adding datasource to the renderings, it was throwing “End of string expected at position 75” error.

I checked following things to troubleshoot the issue:

  1. If Datasource location specified in the rendering exists or not, and it exists.
  2. If Datasource template is defined in rendering or not, and it was there.
  3. Check the errors in log file, and there was an error there, please see the below screen shot what error it was.log
  4. Following error was visible in front end while adding datasource.end-of-string-error


It turns out Sitecore doesn’t like hyphens “-” in query path, and few other which includes:

  1. If you query contains keyword “and
  2. If query contains keyword “or
  3. If query contains hyphen “

In my case when i checked the query and it contains keyword “and“, which was basically failing and not allowing me to add  datasource from Experience editor.


In order to fix this issue we can add escape character “#” before and after of the items that contains any of these keywords or hyphen “-“, so, for example:

Before : query:./ancestor::*[@@templatename=’SitecoreRoot’]/Global//Modules/Image and Media Module

After : query:./ancestor::*[@@templatename=’SitecoreRoot’]/Global//Modules/#Image and Media Module#

After making this change, the issue was fixed.

It seems this issue was there in Sitecore 6, but it can be replicated in Sitecore 8.1 (rev 160302) as well.

I have raised this with Sitecore support team, and they have registered this as Wish/Feature, so, we may see this issue resolved in coming product versions.

I hope this helps somebody.

Happy learning 🙂


Test changes without publishing to web DB in Sitecore

In your development environment, did you ever felt that publishing is not providing a great value, but acting like a hindrance?


In Sitecore you can directly test your changes without publishing your changes to web DB, and configure Sitecore to use content from master DB.
This can be done in two ways:

  1. If you don’t have any custom Site configuration config file exist, please go to App_Config/Include/LiveMode.config.example file and rename it to LiveMode.config or
  2. If you have custom Site configuration file exists, you can change the database value to “master” from “web”.

Please make sure to revert your changes, before deploying the solution to QA or production environment.

Happy learning 🙂


Securing Sitecore connection strings

There are scenarios where we don’t want to compromise with the security of our application resources, this includes Connectionstring.config file as example, If someone compromised CD servers, they will have access to Connection string file and can use the details in a wrong way.

There are ways we can secure the connection string in Sitecore, in this blog post I would like to give an example of one of the approach which can be used:

Please see the sample code snippet, to encrypt and decrypt  connection string file.

Configuration config = WebConfigurationManager.OpenWebConfiguration(“~”);

// Get the connectionStrings section.
ConnectionStringsSection section = config.GetSection(“connectionStrings”) as ConnectionStringsSection;
if (section.SectionInformation.IsProtected)
// Save changes to the Web.config file.

Few points to note and consider:

  • This approach uses System.Web.Configuration namespace to work.
  • We access application’s web.config file via OpenWebConfiguration method.
  • We access connectionStrings section of the web.config file via GetSection method.
  • Encrypt and decrypt the sections.
  • Save the changes.

This is how the connection string.config file looks before encryption:

<?xml version=”1.0″ encoding=”utf-8″?>
Sitecore connection strings.
All database connections for Sitecore are configured here.
<add name=”core” connectionString=”user id=user;password=password;Data Source=(server);Database=Sitecore_Core” />
<add name=”master” connectionString=”user id=user;password=password;Data Source=(server);Database=Sitecore_Master” />
<add name=”web” connectionString=”user id=user;password=password;Data Source=(server);Database=Sitecore_Web” />
<add name=”analytics” connectionString=”mongodb://localhost/analytics” />
<add name=”” connectionString=”mongodb://localhost/tracking_live” />
<add name=”tracking.history” connectionString=”mongodb://localhost/tracking_history” />
<add name=”” connectionString=”mongodb://localhost/tracking_contact” />
<add name=”reporting” connectionString=”user id=user;password=password;Data Source=(server);Database=Sitecore_Analytics” />

After encryption, this is how the file looks:

<?xml version=”1.0″ encoding=”utf-8″?>
<connectionStrings configProtectionProvider=”DataProtectionConfigurationProvider”>

If we want to decrypt the section, we can use UnprotectSection()  and can review the connections, once we are good we can again encrypt the setting using ProtectSection() method.

We can also secure the setting using aspnet_regiis.exe tool.

I hope this helps someone, who is looking for something similar, please let me know for any questions on this, happy to discuss more.

Happy learning 🙂

MongoDB authentication in Sitecore

Securing application data is critical for any client and business, and the same principle applies to Sitecore application as well.

One of the most important component of Sitecore is MongoDB, which is where we store all Experience(xDB) related data, MongoDB was shipped into Sitecore’s ecosystem from Sitecore 7.5, and it’s very important to make sure the data stored in xDB is secured, and only authorized uses has access to the data.

Recently, we heard about thousands of MongoDB data being hacked, so what’s the reason behind it? any guess? it’s simple- all those DBs were not configured to be secure and anyone can access it.

It would be great if MongoDB installation itself comes with an option, where we can secure our data while installing it, like how we do it for SQL.

Even though, we can go back and secure the data  by setting up users/roles and permissions, but it’s always great to do it it first place.

We also have to see and make sure that Connection string used for MongoDB is all protected with credentials, so that only authorized users can access it.

As part of this blog post, i would like to cover the steps which we can follow and make our Sitecore application more secure.

  1. Create MongoDB User
    1. Follow the below command to create the user.
    2. db.createUser({user: “mongoadmin”,pwd: “mongoadmin”,roles: [ { role: “userAdminAnyDatabase”, db:”admin” },{ role: “root”, db:”admin” }]})
    3. We just created a new mongouser- “mongoadmin” under database “admin”, and has given all rights to this user by assigning role “root“.
  2. Verifying the User
    1. If we want to verify that user gets created or not, we can use the following command for the same:
    2. db.auth(“mongoadmin”,”mongoadmin”)
    3. This should return 1, if the user is authenticated.
    4. We can also see the list of all users by running following command:
    5. db.getUsers()
  3. Assigning specific roles to unique collections
    1. We shouldn’t be giving “root” level access to the user, and it should be more specific to the database and collection.
    2. For example: we can give read and write access to analytics database in Sitecore.
    3. In order to do that, please login to mongo shell and switch to admin.
    4. use analytics
      db.createUser({user: “mongouser”,pwd: “mongopassword”,roles: [ { role: “readWrite“, db:”analytics” }]})

    5. In this case we created a new user called “mongouser” and assigned “readWrite” role to it, and is specific to “analytics” database.
    6. In the same way, we can do it for other three databases also.
  4. Connection string updates
    1. This is how the default connection string looks like:
    2. <add name=”analytics” connectionString=”mongodb://localhost:27017/sample_analytics” />
      <add name=”” connectionString=”mongodb://localhost:27017/sample_tracking_live” />
      <add name=”tracking.history” connectionString=”mongodb://localhost:27017/sample_tracking_history” />
      <add name=”” connectionString=”mongodb://localhost:27017/sample_tracking_contact” />

    3. After making updates to connection string, and adding required username and password details to it, this is how it looks:
    4. <add name=”analytics” connectionString=”mongodb://mongoadmin:mongoadmin@localhost:27017/sample_analytics?authSource=admin” />
      <add name=”” connectionString=”mongodb://mongoadmin:mongoadmin@localhost:27017/sample_tracking_live?authSource=admin” />
      <add name=”tracking.history” connectionString=”mongodb://mongoadmin:mongoadmin@localhost:27017/sample_tracking_history?authSource=admin” />
      <add name=”” connectionString=”mongodb://mongoadmin:mongoadmin@localhost:27017/sample_tracking_contact?authSource=admin” />

    5. This is how the format looks like:
    6. mongodb//[username:password@]host[:port]/database?authSource

If we are trying to access MongoDB without passing valid credentials, we get this error in the log, please see the screen shot for ref:


Once we pass the valid credentials, this error will go off.

It’s always a good practice to authenticate MongoDB in local environment as well, this helps us in setting the habit for it and we can uncover any issues well in advance.

I hope this helps in getting the understanding about how we can secure and authenticate MongoDB, and how to create users/permissions for the same.

There is a great article in MongoDB documentation, around setting up auth for Mongo and setting up users, creating roles for the same, please consider reviewing this as well, this is great source of information.

Thanks, and please let me know for any questions, happy to discuss more.

Happy learning 🙂

Changing data directory for MongoDB in Sitecore

As part of my MongoDB Blog series part 1, we discussed how we can Install MongoDB and we used “C” drive as default Installation location for it.

But as a best practice and considering scalable environment, we shouldn’t be using “C” drive to store any application data, it should be reserved only for system files, so that if we need to upgrade the OS or need to repair existing Installation, our application data is still safe.

We have done this for one of the implementation, and it’s always better to do this in early phase of the development.

We can always go back and change the default data directory location for MongoDB in Sitecore, and can use mongo config file which we created for Installing MongoDB.(Please refer MongoDB Blog series part-1 for more details)

This is how it was before:


Let’s use another drive to store data and logs for MongoDB, in this case it’s “G


From the above screenshot we can see that, the data and log folder points to “G” drive now, and rest of the configuration is all same.

If you Installed MongoDB as a service, your service still points to “C” drive, but your data and log will be stored in “G” drive.

If you want to copy over existing data from “C” to “G” (in this example), make sure to stop your service, copy your data from “C” to “G”(in this example) and restart MongoDB Service.

This is good from maintenance perspective, and easy to manage afterwards.

I hope this helps someone, who is looking for something similar.

Thanks, and please let me know for any questions and any feedback, happy to discuss more.

Happy learning 🙂

Sitecore MongoDB Blog series: Part 3-Creating custom contact facets

In previous blog post, we gone through introduction of MongoDB with Sitecore which includes scaling, contacts and understanding MongoDB queries.

In this blog post we will go through and understand, how to create a custom contact facet and how to deploy it to Sitecore.

By default there are facets which Sitecore uses, and you can find the details here:


<factory type=”Sitecore.Analytics.Data.ContactFactory, Sitecore.Analytics” singleInstance=”true” />
<template type=”Sitecore.Analytics.Data.ContactTemplateFactory, Sitecore.Analytics” singleInstance=”true” />
<facet name=”Personal” contract=”Sitecore.Analytics.Model.Entities.IContactPersonalInfo, Sitecore.Analytics.Model” />
<facet name=”Addresses” contract=”Sitecore.Analytics.Model.Entities.IContactAddresses, Sitecore.Analytics.Model” />
<facet name=”Emails” contract=”Sitecore.Analytics.Model.Entities.IContactEmailAddresses, Sitecore.Analytics.Model” />
<facet name=”Phone Numbers” contract=”Sitecore.Analytics.Model.Entities.IContactPhoneNumbers, Sitecore.Analytics.Model” />
<facet name=”Picture” contract=”Sitecore.Analytics.Model.Entities.IContactPicture, Sitecore.Analytics.Model” />
<facet name=”Communication Profile” contract=”Sitecore.Analytics.Model.Entities.IContactCommunicationProfile, Sitecore.Analytics.Model” />
<facet name=”Preferences” contract=”Sitecore.Analytics.Model.Entities.IContactPreferences, Sitecore.Analytics.Model” />

In this specific example, we will show how to add a custom string value to existing contact card, we can call this Facet “Education

In order to create a custom Facet, we need following components:

  1. Interface (that’s used to create a contract/facet)
  2. Implementation
  3. Configuring the system to use new Facet.


Education is the Facet, and the Education property we define for this is Element for this Facet,so we need to create Facet and Element interface.

Here is IProfileEducationFacet Interface, this should inherit IFacet.


Next step is to create IProfileEducationElement Interface, here is the sample snippet for the same:



Once we have Interfaces created for Facet and Element, next step will be to create class that can implement those interfaces.

ProfileEducationFacet class


ProfileEducationElement class



Once the Facets and Elements are created, next step will be to register these Facets and Elements in Sitecore, we also call this deploying to Sitecore.

In order to deploy these facets and Elements, we can either update the default configuration file, or we can also create a patch file, which will have changes specific to Education Facets.

Here is the patch file for ref:


<configuration xmlns:patch=””&gt;
<element patch:after=”*[@interface=’Sitecore.Analytics.Model.Entities.IBehaviorProfileValue, Sitecore.Analytics.Model’]” interface=”Sample._Classes.xDBProfile.Elements.IProfileEducationElement, Sample.Sitecore”
implementation=”Sample._Classes.xDBProfile.Elements.ProfileEducationElement, Sample.Sitecore” />
<element patch:after=”*[@interface=’Sitecore.Analytics.Model.Entities.IBehaviorProfileValue, Sitecore.Analytics.Model’]” interface=”Sample._Classes.xDBProfile.Facets.IProfileEducationFacet, Sample.Sitecore”
implementation=”Sample._Classes.xDBProfile.Facets.ProfileEducationFacet, Sample.Sitecore” />
<facet patch:after=”*[@name=’Preferences’]” name=”Education” contract=”Sample._Classes.xDBProfile.Facets.IProfileEducationFacet, Sample.Sitecore” />

Getting and setting properties are done using GetAttribute and SetAttribute methods retrieved from Sitecore.Analytics.Model.Framework.Element and Sitecore.Analytics.Model.Framework.Facet.

Happy learning 🙂

Understanding Clones in Sitecore

There are scenarios when we want to replicate/duplicate entire content tree/individual items and create another structure in same Sitecore Instance, we also want to make sure that content can be shared from parent item to new item, in these scenarios and cases we can make use of Sitecore Cloning which helps to achieve the same.


A clone is an item that is not just a copy of the original item, but one that inherits the field values from the original item. If we update a field in the original item, the corresponding field in the clone is also updated, this helps in implementing content sharing across sites/items in the same Sitecore Instance.

What can be cloned:

Here are the following items which can be considered for cloning:

  1. Complete site
  2. Section of site
  3. Individual Item

How to clone an Item:

In order to create a clone, please follow the following steps:

  1. Select the item which you want to clone from content tree.
  2. From the configure tab, click Cloneclone-tab
  3. From Clone Item dialog box, please select the location where you want to create the cloned item.
  4. Clone-Target
  5. Click Clone.
  6. Now go to the cloned item, and you will observe the “original value” next to the field, which explains that value for this field is inherited from parent/original item.clone-original-field-values

How to Unclone an Item:

In order to Unclone an item in Sitecore, please follow the below steps:

  1. Select the Item from content tree which you want to Unclone.
  2. Click on Unclone, from the configure tab.Unclone-tab
  3. Once we Unclone an Item, this item becomes an individual item which can be managed separately.

Breaking the Inheritance for Cloned Item:

As i mentioned above that we can Unclone an item, by which that item becomes a new item which can be managed separately.

But, we can also break the inheritance on field level, in order to break inheritance on the field level, just go to clone item and update any specific field value.

Once we update specific field value manually for any clone item, that field won’t share/inherit the value from parent/original item.

This is helpful in cases where certain field values to be shared from parent item, and certain field values managed separately in clone item.

Unclone-field value

In the above screen shot we can see that “Teaser” doesn’t show any “original value” text because the value was updated directly in the cloned item, but “Main Content” still inherits it from parent item.

Few points to note:

  • Before we take a decision what item/section should be clone, we need to do understand our content strategy.
  • For example- If we have to create a microsite which should be based on parent site, we can go for cloning, but, we also have to understand what are the different sections that needs to share the content, if only certain pages needs to be shared, we don’t have to clone the entire content tree(site), rather we can just clone specific pages/items.
  • Another example can be navigation, we want the navigation to be same for all the sites, but content differs, in this case we can just clone Navigation Items and not pages/items.
  • We can make use of field value inheritance, if the content of the clones items needs to be different, we can break the inheritance and add specific content to cloned item.

I hope this will help someone who is trying to do understand how clones work in sitecore, please let me know if you have any feedback or questions, happy to help.

Happy learning 🙂