Orchard Core CMS Security. Configure UserOptions in Orchard Core to specify custom URLs for user logon, logoff, etc.

UserOptions in Orchard Core for Custom Login, Logoff, Change Password, and External Login URLs

Orchard Core allows you to customize the URLs for user login, logoff, change password, and external logins. This is done by overriding the default UserOptions, which are defined in the UserOptions class. As you can see below, the default URLs for user login, logoff, change password, and external logins are not only well documented, but also quite intuitive and easy to guess.

public class UserOptions
{
    private string _loginPath = "Login";
    private string _logoffPath = "Users/LogOff";
    private string _changePasswordUrl = "ChangePassword";
    private string _externalLoginsUrl = "ExternalLogins";

    public string LoginPath
    {
        get => _loginPath;
        set => _loginPath = value.Trim(' ', '/');
    }

    public string LogoffPath
    {
        get => _logoffPath;
        set => _logoffPath = value.Trim(' ', '/');
    }

    public string ChangePasswordUrl
    {
        get => _changePasswordUrl;
        set => _changePasswordUrl = value.Trim(' ', '/');
    }

    public string ExternalLoginsUrl
    {
        get => _externalLoginsUrl;
        set => _externalLoginsUrl = value.Trim(' ', '/');
    }
}

Accepting the default UserOptions is probably fine if you're using Orchard Core CMS as a personal blog or marketing website that contains no sensitive or personal data and you're using a highly secure username and password. However, if you're running an Orchard Core website that contains personal data on customers or users of your website, I highly recommend you customize and override the default UserOptions for additional security. I think customizing UserOptions should be part of your new Orchard Core CMS website checklist in all cases.

Although you can override UserOptions using code, the easiest way to override them is via the appsettings.json file in your Orchard Core website. The values below only give you the idea; choose less obvious URLs for your own site.

"OrchardCore": {
    "OrchardCore_Users": {
        "LoginPath": "SecureLogin",
        "LogoffPath": "Users/SecureLogOff",
        "ChangePasswordUrl": "SecureChangePassword",
        "ExternalLoginsUrl": "SecureExternalLogins"
    }
}
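To turn the checklist item into something you can run before deployment, here is an added example (not code from Orchard Core or from the original article) that audits an appsettings.json for UserOptions paths still at the defaults shown in the class above. The function name `audit_user_options`, the sample JSON, and the assumptions that the file is comment-free and that the section sits under an "OrchardCore" key are mine.

```python
import json

# Defaults copied from the UserOptions class shown above.
DEFAULTS = {
    "LoginPath": "Login",
    "LogoffPath": "Users/LogOff",
    "ChangePasswordUrl": "ChangePassword",
    "ExternalLoginsUrl": "ExternalLogins",
}

def normalize(path):
    # Mirror the setters' value.Trim(' ', '/'); lower-case because
    # ASP.NET Core route matching is case-insensitive.
    return path.strip(" /").lower()

def audit_user_options(appsettings_text):
    """Return {key: problem} for each UserOptions path that is still guessable."""
    root = json.loads(appsettings_text)  # assumption: no comments in the file
    # Assumption: section is nested under "OrchardCore"; fall back to the root.
    section = root.get("OrchardCore", root).get("OrchardCore_Users", {})
    findings = {}
    for key, default in DEFAULTS.items():
        value = section.get(key)
        if value is None:
            findings[key] = "not set, default '%s' is in effect" % default
        elif not isinstance(value, str) or not normalize(value):
            findings[key] = "empty or non-string value"
        elif normalize(value) == normalize(default):
            findings[key] = "explicitly set to the default '%s'" % default
    return findings

# Constructed sample: one path "customized" back to the default, one missing.
SAMPLE = """
{
  "OrchardCore": {
    "OrchardCore_Users": {
      "LoginPath": "/login/",
      "LogoffPath": "Users/SecureLogOff",
      "ChangePasswordUrl": "SecureChangePassword"
    }
  }
}
"""

if __name__ == "__main__":
    for key, problem in audit_user_options(SAMPLE).items():
        print("%s: %s" % (key, problem))
```

An empty result means all four paths are overridden with non-default values; it says nothing about how hard the chosen values are to guess.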

Just like AdminUrlPrefix, creating custom URLs for your user login, logoff, change password, and external login pages adds additional security to your Orchard Core website. Because Orchard Core is a popular open source ASP.NET Core CMS, malicious visitors may target your Orchard Core CMS website for nefarious reasons. Don't let them easily find the location of the user account and security pages, where they could either take advantage of vulnerabilities in Orchard Core or attempt brute-force attacks.

You may want to peek at additional developer notes and tutorials on Orchard Core Security, too.