IP Whitelisting the Umbraco back-office

Often times, for security reasons, it is important to block public access to Umbraco and the Umbraco log-in page. One simple solution is to add an IIS rewrite rule within the web.config file that whitelists access to the Umbraco URL.

In the following example, only requests originating from and will gain access to log in and view the Umbraco back-office.


        <!-- Restrict access to Umbraco -->
        <rule name="Restrict  Umbraco access" stopProcessing="true">
          <match url="umbraco(?!/api/)" />
            <!-- add input patterns that match the IP address ensuring to escape the '.' character -->
            <add input="{REMOTE_ADDR}" pattern="192\.168\.0\.2" negate="true"/>
            <add input="{REMOTE_ADDR}" pattern="192\.168\.0\.3" negate="true"/>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />