Mari Jørgensen
Nov 11, 2010
(3 votes)

Protect your plugins!

One of the things I love about EPiServer is how easy it is to extend. I’m sure that most of the EPiServer projects out there uses some kind of edit or admin plugin.


What we see very often, is that these plugins are not under EPiServer authorization. In effect, If you know the url to the plugin .aspx, you can browse it directly anonymously!

So, how can we be sure that the plugins are secured?
Well, any of the solutions below should solve the problem.

Safest bet: Check access from code when aspx loads

protected override void OnInit(EventArgs e)
  /// Making sure only administrators can reach this plugin
  if (!EPiServer.Security.PrincipalInfo.HasAdminAccess)

This is a sample from an admin plugin. Your .aspx need to inherit from an EPiServer PageBase class (e.g. EPiServer.SimplePage) in order to use the AccessDenied method.

Using the location tag in web.config

<location path="EPiCode/ManageLanguages">
        <allow roles="WebAdmins, Administrators"/>
        <deny users="*"/>

This is the same way EPiServer secures it’s admin and edit mode. Remember to add this section in all environments – development, test and especially at the production server. You can also place your plugin the same place as the EPiServer UI, but this complicates module packaging (as the UI paths will differ from project to project).

There is also the option of adding a web.config file at the same level as the .aspx file(s). An example implementation can be found here:  web.config for the EPiCode.PageTypeUtil module.

Important: Using the ICustomPlugInLoader interface (see description here) will not secure your aspx.

Use 5 minutes today to verify that your plugins are secure - this also includes any module plugins downloaded from CodePlex, EPiCode or the Code section on

Nov 11, 2010


Nov 11, 2010 10:32 AM

Great reminder and very important !

Magnus Rahl
Magnus Rahl Nov 11, 2010 10:34 AM

Very important - and often forgotten!

Nov 11, 2010 11:06 AM

Aah always used the location element way. But doing it in code is so much nicer.

Nov 11, 2010 11:52 AM

Great post!
One way to solve the problem with putting the aspx/ascx in EPiServers UI-folder is to
have them embedded as resources and then register an appropriate VirtualPathProvider to deliver them from the edit/admin url.

tost Nov 12, 2010 01:20 AM

Great post Mari, this is something that a lot of people forget.

Please login to comment.
Latest blogs
Implementing EmbeddedLocalization in Optimizely CMS 12

My previous post on translation (Translating Optimizely CMS 12 UI components) gives an overview of how to implement the FileXmlLocalizationProvider...

Eric Herlitz | Jan 27, 2023 | Syndicated blog

Breaking changes in EPiServer.CMS.TinyMce 4.0.0

After upgrading to the latest version of EPiServer.CMS.TinyMce, the dropdown with formats disappears. Learn how to get it back!

Tomas Hensrud Gulla | Jan 27, 2023 | Syndicated blog

Translating Optimizely CMS 12 UI components

Optimizely CMS 12 have been out for a while now, but still some elements haven't been properly translated resulting in a GUI defaulting to english....

Eric Herlitz | Jan 26, 2023 | Syndicated blog

Image preview in Optimizely CMS12 all properties view

With these simple steps, you can now see an Image and its Metadata, including size and dimensions, when editing an Image property in Optimizely...

Tomas Hensrud Gulla | Jan 26, 2023 | Syndicated blog