11.1 release notes
11.1 is a major release and introduces large improvements to the CMS in several areas:
- GDPR support
- Zone editor widgets
- Advanced search improvements
- Make /Admin Endpoint Configurable
- Improvements to V3 Form Posts
As in previous releases we've received a lot of ideas from our wide user base. Many of our sites have been submitted to the government's National Cyber Security Centre (NCSC) new tool. It provides ongoing recommendations, alerts and advice on securing your site and, more importantly, on maintaining that security. A link to the blog article introducing the service is here. You can register for this yourself for free with no involvement from us. It doesn't take long to do.
This release sees several changes in response to the use of this tool and repeated penetration tests of sites.
Widgets for Drag and drop zone editing
The last release of the CMS brought a new drag and drop zone based editing system. It allowed editors to add any number of editable elements to a page and then drag them to reposition them. This release extends that further, allowing configurable widgets made up of blocks of text, images or any other content to also be dragged onto a page. The widgets can be used to produce multiple repeatable elements, such as extending front page carousels, a staff directory or a sidebar quote.
GDPR support
Revisions to the data protection laws are coming in May. This release supports helping to make you GDPR compliant. It adds a GDPR report: enter any email address in the search box to get a report listing the information you hold about that person. The report will list where in your site you're holding information on that person and (where possible) there are links to the relevant part of the CMS that allows that entry to be viewed or deleted in a single click. We cannot make you compliant, but we can help in helping you manage compliance. In addition, the CMS forms system enables you to create GDPR compliant T & C acceptance popups or check boxes.
Advanced search improvements
Search has been improved in several ways in this release:
- A log is kept of search result clicks. The click count is used to give more relevance to items that are clicked more often in the results.
- Search indexes are now compressed with unnecessary common words removed to increase relevancy.
- New web services have been created to provide a list of the most popular searches.
Configurable admin end points
The CMS admin area is protected via HTTPS and admin-configured password policies; however, some of our users requested additional changes. The admin interface has up till now always been accessible via <your site domain>/admin, and it is the predictability of the ‘/admin’ folder name that is seen as a potential weak point. In 11.1, for deployed sites, the admin folder name is now configurable. This means you can further secure the admin portion of your site behind your own naming convention, such as www.mysite.com/editsitehere, and a call to www.mysite.com/admin will result in a 404.
Configuration is via the relevant web.config:
<add key="AdminEndpoint" value="/admin"/>
In addition there’s another new web.config key:
<add key="AdminEndpointPassSite" value="true"/>
This second 'pass site' key controls whether the 'site' field on the login form gets populated. Setting this to 'false' creates another layer of security, as any potential attacker must obtain a valid site, user, password and admin folder name to get in using brute force. Another way in which Sitekit is making your sites more secure.
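The following is an added example, not Sitekit code: a small audit that reads the two 11.1 web.config keys described above and reports whether the hardened values are in place. It assumes the keys sit under `<appSettings>` exactly as shown in these notes, and it treats an absent key as the pre-11.1 behaviour (that default is an assumption).

```python
# Added example (not Sitekit code): audit the 11.1 AdminEndpoint keys in a web.config.
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying the default (weaker) settings from the notes.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AdminEndpoint" value="/admin"/>
    <add key="AdminEndpointPassSite" value="true"/>
  </appSettings>
</configuration>"""


def read_app_settings(config_xml: str) -> dict:
    """Return the <appSettings> entries as a {key: value} dict."""
    root = ET.fromstring(config_xml)
    return {
        el.get("key"): el.get("value")
        for el in root.iterfind("./appSettings/add")
        if el.get("key") is not None
    }


def audit_admin_endpoint(config_xml: str) -> list:
    """Return a list of findings; an empty list means both options are hardened."""
    settings = read_app_settings(config_xml)
    findings = []
    # Assumption: a missing key behaves like the historical '/admin' path.
    endpoint = settings.get("AdminEndpoint", "/admin")
    if endpoint.rstrip("/").lower() == "/admin":
        findings.append("AdminEndpoint is the predictable default '/admin'")
    # Assumption: a missing key behaves like 'true' (site field pre-filled on login).
    pass_site = settings.get("AdminEndpointPassSite", "true").strip().lower()
    if pass_site != "false":
        findings.append("AdminEndpointPassSite is not 'false'; login form pre-fills the site")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_endpoint(SAMPLE_WEB_CONFIG):
        print("finding:", finding)
```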
Improvements to V3 Form Posts
- Configurable data retention for submissions (defaults to 12 months)
- Addition of regex support to emails on forms
- Ability to set fields as read only
- Improvement in usability of secure forms
- Support for Google reCaptcha
- Page load times have been improved via automatic minification of CSS and JS.
  When a stylesheet or JS file is published, a minified version is created.
  If no minified version of the file exists then the unminified version will be served. '?minify=0' can be added to the URL of a CSS or JS file to view the unminified version.
- Admin performance has been improved by having Page Properties and Content in the same pop-up window rather than separate ones.
- SQL indexing has been optimised and more SQL is parameterised.
As well as the configurable endpoint addition above, this release sees other security related changes:
- Passwords are now hashed using bcrypt instead of SHA1.
- Passwords have some basic rules applied to them now: they cannot contain your username, parts of your username or ‘password’.
- Obfuscation of passwords in logs
- Support for subresource integrity (SRI) in scripts via hashing
- Further usability improvements to secure forms
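The following is an added example, not Sitekit code, showing what the SRI hashing mentioned above produces: the `integrity` value is a base64-encoded digest of the script bytes, and the browser recomputes it over whatever it fetched, so a modified script fails the check. The script body is a constructed sample.

```python
# Added example (not Sitekit code): derive and verify a subresource integrity value.
import base64
import hashlib

# Constructed sample script body standing in for a published JS file.
SCRIPT_BODY = b"window.siteInit = function () { console.log('ready'); };\n"


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value in the form '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes) -> str:
    """Build the <script> tag a page would emit for a hashed script."""
    return (f'<script src="{src}" integrity="{sri_integrity(data)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser check: recompute the digest over the bytes actually fetched."""
    algo = integrity.split("-", 1)[0]
    return sri_integrity(fetched, algo) == integrity


if __name__ == "__main__":
    print(script_tag("/scripts/site.js", SCRIPT_BODY))
    tampered = SCRIPT_BODY + b"// appended after hashing\n"
    print("tampered copy accepted:", sri_matches(sri_integrity(SCRIPT_BODY), tampered))
```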
Documentation changes - New help pages
Most additional and new content is labelled as ‘11.1’, so a search of help for ‘11.1’ will present most if not all of the following:
- https://helpcms.sitekit.net/documentation/help/gdpr.htm - GDPR
- https://helpcms.sitekit.net/documentation/help/gdpr-support.htm - GDPR support
- http://helpcms.sitekit.net/documentation/help/help-report-gdpr.htm - GDPR report
Documentation changes - Updated pages
- https://helpcms.sitekit.net/documentation/syntax/syntax-comment-based.htm - new forms based changes
- https://helpcms.sitekit.net/documentation/help/form-fields.htm - readonly attribute
- https://helpcms.sitekit.net/documentation/help/help-style-stylesheets.htm - minification on upload
- https://helpcms.sitekit.net/documentation/extending-posts.htm - orderby field
- https://helpcms.sitekit.net/documentation/help/create-or-configure-posts.htm - legacy import option
- https://helpcms.sitekit.net/documentation/help/help-configure-password.htm - password standards
- https://helpcms.sitekit.net/documentation/help/help-configure-add-user-group.htm - asset report on groups
- https://helpcms.sitekit.net/documentation/help/managing-scripts.htm - SRI support
- https://helpcms.sitekit.net/documentation/help/create-or-configure-a-form.htm - reCaptcha, email regex support and custom form fields (now strips out HTML for security reasons)
- https://helpcms.sitekit.net/documentation/help/help-configure-general-settings.htm - Google reCaptcha and SAML support
Documentation changes - Deprecated features
The EmailThisPage functionality has been removed as it constitutes a security vulnerability.
Old News, Old Events, Old Forums, Guestbooks, Postcards, FAQs, Page Commenting, Shops, Directory Pro and Custom Database are removed from group rights if they are not used on the site.
FAQs, Events and News may be deprecated in the future; there is a facility to allow their content to be migrated to Posts, see here for details.