In this blog post I document the steps I go through whenever a Sitecore project is promoted from a non-production environment to production.
Sitecore's own documentation covers many of these steps, and the Sitecore community blogs add great tips on top of them.
Here are all the pieces in one place, in the order I usually do them:
1. Change the default admin password.
The administrator password is exposed by the Sitecore Install Framework (SIF) as the parameter "SitecoreAdminPassword". In Sitecore 9.0.2 and earlier, SIF does not enforce changing it, so the out-of-the-box admin account keeps its well-known default password ("b") until you change it. In 9.1 and later, SIF generates a random password if you leave the parameter at its default value.
Whichever version you use, verify that the default account no longer accepts the default password before the site goes live, and treat the new password as a secret: keep it in your secret store, not in the deployment script or the SIF log.
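The snippet below is an added example, not part of the original post or of Sitecore's own scripts. It generates the administrator password from a CSPRNG and hands it to SIF through the "SitecoreAdminPassword" parameter, so the default credentials never exist on the production instance. It assumes SIF is installed, that the topology file is sitecore-XP0.json and that the license file path is as shown; the remaining parameters your JSON declares (SQL, Solr, certificates) have to be added to the hashtable.

```powershell
# Added example (not from the original post). Assumed: SIF installed, XP0 topology,
# and a license.xml next to the script (the client's license, see step 5).
Import-Module SitecoreInstallFramework

function New-RandomPassword {
    param([int]$Length = 32)
    # 64 symbols (26 + 26 + 10 + 2): 256 % 64 == 0, so picking by byte has no modulo bias.
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    return -join $chars
}

$adminPassword = New-RandomPassword
# Record the value in your secret store before running the install; it is the only
# copy, and it must never be committed with the deployment scripts.

$params = @{
    Path                  = '.\sitecore-XP0.json'   # assumed topology file
    LicenseFile           = '.\license.xml'         # assumed path to the client's license
    SitecoreAdminPassword = $adminPassword
    # add the remaining parameters your topology JSON declares (SQL, Solr, certificates)
}
Install-SitecoreConfiguration @params
```

After the install, log in once with the new password and confirm that admin / b is rejected; on 9.0.2 and earlier that is the only way to be sure the default is gone.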
2. Deny anonymous users access to folders
SIF does not deny anonymous access to the sensitive folders by default, so this has to be done after installation. Deny anonymous access to the following folders:
/App_Config
/sitecore/admin
/sitecore/debug
/sitecore/login
/sitecore/shell/WebService
Do this at the IIS level (anonymous authentication disabled for the folder, not a rule in the site's web.config that the next deployment can overwrite), and on CM servers make sure another authentication method stays enabled for the editors who still need those paths, otherwise they get a 401 instead of the login page.
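The script below is an added example, not part of the original post. It disables IIS anonymous authentication for each folder listed above, writes the setting into applicationHost.config (a redeployed web.config cannot undo it there) and reads it back. It assumes the IIS site is named "mysite" and that it runs elevated on the server with the WebAdministration module available.

```powershell
# Added example (not from the original post). Assumed: IIS site "mysite", run elevated.
Import-Module WebAdministration

$siteName = 'mysite'   # assumed IIS site name
$folders  = @(
    'App_Config',
    'sitecore/admin',
    'sitecore/debug',
    'sitecore/login',
    'sitecore/shell/WebService'
)
$filter = '/system.webServer/security/authentication/anonymousAuthentication'

foreach ($folder in $folders) {
    # -PSPath 'IIS:\' together with -Location writes a <location path="mysite/folder">
    # block into applicationHost.config; the authentication section stays locked
    # against web.config, so the site cannot re-enable anonymous access itself.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$folder" `
        -Filter $filter -Name enabled -Value $false
}

# Verify: every listed folder must now report enabled = False ...
foreach ($folder in $folders) {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$folder" `
        -Filter $filter -Name enabled).Value
    if ($enabled) { throw "Anonymous access is still enabled on /$folder" }
}
# ... while the site root still serves anonymous visitors.
$rootEnabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter $filter -Name enabled).Value
if (-not $rootEnabled) { throw 'Anonymous access is disabled at the site root; visitors would get 401' }
Write-Host "Anonymous access denied on $($folders.Count) folders of $siteName"
```

As a final check, request one of the paths (for example /sitecore/admin/ShowConfig.aspx) from a machine outside the network and expect HTTP 401; if it still answers 200, the setting landed on the wrong site or the folder path does not match the application's layout.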
3. Apply security hardening to all roles
Carefully follow the steps in the Sitecore Security Hardening documentation, and apply them to every role (CM, CD, processing, reporting), not only to the CD servers that face the internet.
4. Configure the keep-alive service
In short, the keep-alive service keeps your site warm even though the IIS application pool has an idle timeout.
By default the application pool idle timeout is 20 minutes: if no request arrives for 20 minutes, IIS shuts the worker process down, and the next visitor pays the full Sitecore startup cost.
To stop the pool from ever going idle, run an agent on each Sitecore instance that requests the site at an interval shorter than the idle timeout.
Adding the following configuration patch keeps the application always live:
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <scheduling>
      <agent type="Sitecore.Tasks.UrlAgent" method="Run" interval="00:05:00">
        <param desc="url">http://mysite/sitecore/service/keepalive.aspx</param>
        <LogActivity>true</LogActivity>
      </agent>
    </scheduling>
  </sitecore>
</configuration>
- keepalive.aspx ships with Sitecore.
- The URL has to be absolute, and it must resolve to the instance the agent runs on (a host binding or hosts entry on that server), not to the load balancer, otherwise you keep some other instance alive.
- The agent interval must be shorter than the application pool idle timeout. The Sitecore scheduler only wakes up at the interval set in <scheduling><frequency>, so an agent interval shorter than that value has no effect.
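The check below is an added example, not part of the original post. It reads the application pool's idle timeout from IIS, reads the UrlAgent interval and URL back out of the patch file, confirms the interval is shorter than the timeout and the URL is absolute, and finally requests the keep-alive URL from the server itself. It assumes the application pool is named "mysite" and the patch file sits at the path shown.

```powershell
# Added example (not from the original post). Assumed: app pool "mysite" and the
# patch file path below; run on the Sitecore server so the URL is tested locally.
Import-Module WebAdministration

$appPoolName = 'mysite'
$patchFile   = 'C:\inetpub\wwwroot\mysite\App_Config\Include\zzz\KeepAlive.config'

# 1. How long IIS waits before shutting down an idle worker process (default 00:20:00).
$pool        = Get-Item "IIS:\AppPools\$appPoolName"
$idleTimeout = [TimeSpan]$pool.processModel.idleTimeout

# 2. The UrlAgent definition as deployed, read from the patch file.
[xml]$patch = Get-Content -Path $patchFile
$agent = $patch.configuration.sitecore.scheduling.agent |
         Where-Object { $_.type -eq 'Sitecore.Tasks.UrlAgent' }
if (-not $agent) { throw "No Sitecore.Tasks.UrlAgent found in $patchFile" }
$interval = [TimeSpan]$agent.interval
$url      = ($agent.param | Where-Object { $_.desc -eq 'url' }).'#text'

# An idle timeout of 0 means "never", which also solves the problem without the agent.
if ($idleTimeout -ne [TimeSpan]::Zero -and $interval -ge $idleTimeout) {
    throw "UrlAgent interval $interval is not shorter than the idle timeout $idleTimeout"
}
if ($url -notmatch '^https?://') {
    throw "The keep-alive URL must be absolute, got '$url'"
}

# 3. The URL must be reachable from this server, not only through the load balancer.
$response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30
if ($response.StatusCode -ne 200) { throw "keepalive.aspx returned $($response.StatusCode)" }
Write-Host "Keep-alive OK: $url every $interval (idle timeout $idleTimeout)"
```

If the request fails with a name-resolution error, the host name in the URL has no binding or hosts entry on this server; fix that rather than pointing the agent at the public host name.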
5. Remember to use your client's Sitecore license
Always make sure the production environment runs the client's own license file (App_Data\license.xml), not the developer or partner license that was used in the lower environments.
6. Caching is your best friend. Rely on it!
I have seen many Sitecore projects where caching was never tuned. Always configure and use Sitecore caching on your production sites. Believe me, once you have used it you will always use it, because it makes a huge difference to site speed.
Following the settings in this document will take your site to the next level: Sitecore Cache Configuration
7. Disable WebDAV!
WebDAV is only needed on Content Management (CM) servers. It should not be enabled on any other role.
To disable WebDAV, all you need to do is rename Sitecore.WebDAV.config (under App_Config) to Sitecore.WebDAV.config.disabled on every non-CM server. Sitecore only loads files with the .config extension, so the renamed file is ignored.
8. Remove the Default.aspx page!
Sitecore ships with an empty Default.aspx page in the web root. There is no need to keep it on production: it may get indexed by search crawlers, and it tells attackers that the site runs Sitecore.
Make sure it is removed!
9. Always use custom error pages: don't expose your technology!
Hide your server errors, whether they are application (ASP.NET) errors or IIS errors. A default error page leaks the framework version, the stack trace and sometimes physical paths. Cover both layers: customErrors in web.config for ASP.NET and httpErrors for IIS, and point Sitecore's own ItemNotFoundUrl, LayoutNotFoundUrl and ErrorPage settings at branded pages.
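The script below is an added example, not part of the original post. It switches both error layers to custom pages and, going one step beyond the text, also removes the two headers that advertise the stack (X-AspNet-Version and X-Powered-By), then reads the configuration back. It assumes the IIS site is named "mysite" and that /error.aspx exists in the deployed site.

```powershell
# Added example (not from the original post). Assumed: IIS site "mysite" and an
# /error.aspx page deployed with the site. Run elevated on the server.
Import-Module WebAdministration

$site = 'IIS:\Sites\mysite'   # assumed site path

# ASP.NET layer: RemoteOnly keeps the detailed page for localhost only, every
# remote visitor is redirected to the branded page instead of the yellow screen.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' `
    -Name mode -Value 'RemoteOnly'
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' `
    -Name defaultRedirect -Value '/error.aspx'

# IIS layer: errors that never reach ASP.NET (404 on static files, module failures)
# get IIS's own custom pages instead of the detailed diagnostic page.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpErrors' `
    -Name errorMode -Value 'Custom'

# Headers that reveal the technology regardless of the error page.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' `
    -Name enableVersionHeader -Value $false                      # drops X-AspNet-Version
Remove-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' }              # emits <remove name="X-Powered-By"/>

# Read back what actually landed in the site's web.config.
$customErrors = Get-WebConfiguration -PSPath $site -Filter 'system.web/customErrors'
$httpErrors   = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/httpErrors'
if ($customErrors.mode -ne 'RemoteOnly' -or $httpErrors.errorMode -ne 'Custom') {
    throw "Custom error configuration not applied: customErrors=$($customErrors.mode) httpErrors=$($httpErrors.errorMode)"
}
Write-Host 'Custom error pages and header removal applied'
```

These cmdlets edit the site's web.config, so commit the same settings to the web.config (or config transform) in source control; otherwise the next deployment silently reverts them. Test from outside the network by requesting a non-existent .aspx page and a non-existent .txt file and checking that neither response contains "Server Error", "Stack Trace" or an X-AspNet-Version header.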
10. Show 404 for non-existing languages
Let's assume your site only has English. What if another language is passed in the URL, such as www.example.com/ar?
The site should return a 404 instead of a page with empty content (by default Sitecore still resolves the item and renders it with empty field values when the requested language version does not exist). This can be done by following the implementation in this blog post: Provoke 404 for inexistent language version.
Please feel free to comment with any step you feel should be added to this list.