Restrict Access to Umbraco App_Plugins and config folder

There are many ways to prevent access to your App_Plugins and config folders. One such way is listed on Umbraco's website and the code is below.

The problem with the above code is that it requires a static IP address. What if you do not have one?

As Umbraco uses ASP.NET Identity OAuth for logging into the backend, we can add some custom code to the startup.cs file that checks whether the user is logged into the CMS. If they are, they can continue working in the CMS and access all the files in the App_Plugins and config folders. Anyone who is not logged in gets a 404, or whatever status you want to return, when they try to access those folders from the front end.
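One way to implement the check described above, as an added example that is not the blog author's original code: an OWIN middleware that answers 404 for requests under /App_Plugins and /config unless a backoffice login is detected. The class names and the `isBackofficeUser` delegate are hypothetical; how the login is detected depends on your Umbraco version and is supplied by the caller.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Added example. Class, method and parameter names are hypothetical.
public class BackofficeOnlyFoldersMiddleware : OwinMiddleware
{
    // The two folders named in the article. PathString.StartsWithSegments
    // compares whole segments and ignores case, so "/app_plugins/x.js"
    // is covered while "/App_PluginsOld/x.js" is not.
    private static readonly PathString[] ProtectedFolders =
    {
        new PathString("/App_Plugins"),
        new PathString("/config")
    };

    // Assumption: the caller supplies the backoffice login check.
    private readonly Func<IOwinContext, bool> _isBackofficeUser;

    public BackofficeOnlyFoldersMiddleware(
        OwinMiddleware next, Func<IOwinContext, bool> isBackofficeUser) : base(next)
    {
        if (isBackofficeUser == null) throw new ArgumentNullException("isBackofficeUser");
        _isBackofficeUser = isBackofficeUser;
    }

    public override Task Invoke(IOwinContext context)
    {
        foreach (var folder in ProtectedFolders)
        {
            if (context.Request.Path.StartsWithSegments(folder) && !_isBackofficeUser(context))
            {
                // Same status as a missing file, so the response does not
                // confirm that the requested file exists.
                context.Response.StatusCode = 404;
                return Task.FromResult(0); // stop here, do not call Next
            }
        }
        return Next.Invoke(context);
    }
}

public static class BackofficeOnlyFoldersExtensions
{
    public static IAppBuilder UseBackofficeOnlyFolders(
        this IAppBuilder app, Func<IOwinContext, bool> isBackofficeUser)
    {
        return app.Use<BackofficeOnlyFoldersMiddleware>(isBackofficeUser);
    }
}
```

Register it with `app.UseBackofficeOnlyFolders(...)` in the OWIN startup class after the backoffice authentication has been configured, so the login state is available when the check runs.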

Why restrict access to Umbraco App_Plugins and config folder

By default, .config files in the App_Plugins and config folders are not served, but .js files can be viewed by anyone who knows the file name.

The problem with this is that it could allow someone to work out which version of Umbraco you are using and attempt to hack into your site, so blocking that access is a win-win.

The code for the startup.cs file is below.

The image below will show what you will see when logged into the CMS

Logged In

If you are not logged into the CMS and try to view content in the App_Plugins folder, you will see the page below.

Not logged in

Another way to block access is to create an authorization rule in your web.config file. Although I have tried this in the past, I have found it to be a bit temperamental at times; by this I mean it seems to work one minute, then sometimes it would not work.

The code for this method is below.

This demo was created using the default settings in Umbraco. If you are using custom login credentials, it may not work, as I have not tested that scenario.

I hope you found this blog helpful; if so, please leave a comment below.
