How To Secure Your TYPO3 Sites From Hack Attempts?


According to a survey, TYPO3 is one of the most secure open source CMSs. It is a proud feeling to be involved with, and work alongside, such a great community that does its best on security concerns.

But as you know, with every technical advance security remains a never-ending task, so let's try to make your TYPO3 sites even more secure.

At the last TYPO3 Code Sprint India, we explored the security topic in depth with Thomas Loffler. Thanks a lot!

And yes, we have already started implementing these high-security features in our customers' projects. We are happy to share them with you here too.

TYPO3 is the most secure OpenSource CMS


TYPO3 is a well-designed CMS with different security levels and layers in the core framework. That is the main reason why it is extremely difficult, if not impossible, to hack TYPO3 sites compared to other CMSs and frameworks :)

Facts and figures of security issues


Ideal Secure Server Architecture

Although TYPO3 is a well-secured CMS on its own, it is better to add more security at the server level.

How about increasing security by preventing web users from accessing the TYPO3 code at all, by securing the core files and folders? That is one of the main reasons for writing this blog.

Attackers and public users will no longer have access to the TYPO3 core and extension files, because everything will be placed in "private" and the "public" folder will only contain assets.

Imagine the server architecture below as your TYPO3 setup.


Folder     Description
public     Only contains assets such as CSS/JS/images etc. for public web users.
private    Contains the TYPO3 core (typo3/sysext), typo3conf/ext, etc.
var        Contains cache, log, session files, etc.
vendor     Contains the CMS as well as the extensions' vendor packages.

Thanks to Helmut Hummel


Sounds interesting, right? Big thanks to Helmut for his 10+ years of dedication and contribution to the TYPO3 community, especially on TYPO3 security. I would like to introduce his great TYPO3 secure web package: https://github.com/helhum/typo3-secure-web

It's time to show your appreciation and say thanks to Helmut by keeping in touch and connecting with him at:

We hope the typo3-secure-web package gets included in the TYPO3 core!

Did you know?

The TYPO3.org project has been secured with the typo3-secure-web package :)

TYPO3 system requirements and conflicts

Here I would like to guide you step by step through installing and configuring the typo3-secure-web Composer package. First, let's check the dependencies of, and conflicts with, this package.

Prerequisites and dependencies

Package                          Version
typo3/cms-core                   ^8.7.8 || ^9.5.5
typo3/cms-composer-installers    ^1.4 || ^2.0
helhum/typo3-composer-setup      ^0.5.4

Conflicts to watch out for

Package                          Version
helhum/typo3-composer-setup      <0.5.4
typo3/cms                        <8.7.10
typo3/cms-core                   <8.7.10

Step-by-step guide to install and configure TYPO3 securely

Our team sets up TYPO3 for our customers' projects following industry best practices, using Docker/DDEV and Composer. Let's secure your TYPO3 site with the following steps.

Step 1: Create a project folder

mkdir my-typo3-site
cd my-typo3-site

Step 2: Configure PHP version

ddev config --project-type php --php-version 7.2

Step 3: Download the latest version through Composer

ddev composer create typo3/cms-base-distribution ^9 --no-interaction
ddev config --project-type typo3
ddev start

Step 4: Run TYPO3 Installation Wizard

touch public/FIRST_INSTALL


Step 5: In composer.json, set up the private and public folders

"extra": {
    "typo3/cms": {
        "root-dir": "private",
        "web-dir": "public"
    }
}

Step 6: Secure your TYPO3 with the private and public folder structure

ddev composer require helhum/typo3-secure-web

Once you have successfully installed the typo3-secure-web package, it will organize the whole folder and file structure on your server as follows:

Access to private

The "private" folder holds the code of the TYPO3 core and extensions. No public web user will be able to access your TYPO3 code.

Root structure of the private folder


Access to public

The "public" folder is the web server's document root and contains only asset files. In each folder you will see only a /Resources/Public/ folder, which is a symlink to the corresponding /Resources/Public/ folder under private.

Root structure of the public folder


The structure of public/typo3temp


The structure of a TYPO3 extension in the document root contains only /Resources/Public/, e.g. EXT:news at /public/typo3conf/ext/news


The structure of the TYPO3 core in the document root contains only /Resources/Public/, e.g. EXT:backend at /public/typo3/sysext/backend/
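To verify that the layout produced in Step 6 really keeps code out of the document root, here is an added audit script (not part of typo3-secure-web or this post's own setup): it fails if any PHP file other than the two entry scripts is reachable under public/, or if any symlink in public/ resolves to something other than a Resources/Public folder below private/. It assumes a POSIX shell with GNU or BusyBox readlink -f; the sample extension "news", paths and file names are constructed for the demo.

```shell
# Added audit helper (not part of typo3-secure-web): checks that a project laid out
# as in Step 6 exposes only asset symlinks and the two PHP entry scripts. The sample
# extension "news", paths and file names below are constructed for this demo.
# audit_public_root <project-dir>: prints each offending path, returns 1 if any.
audit_public_root() {
    pub="$1/public"
    priv=$(readlink -f "$1/private")
    rc=0
    # 1. The only PHP the web server may execute are the two entry points.
    stray=$(find "$pub" -type f -name '*.php' \
                 ! -path "$pub/index.php" ! -path "$pub/typo3/index.php")
    if [ -n "$stray" ]; then
        printf 'PHP reachable outside the entry points:\n%s\n' "$stray"
        rc=1
    fi
    # 2. Every symlink in the docroot must resolve to a Resources/Public folder
    #    below private/, so only assets are reachable through the web server.
    while IFS= read -r link; do
        [ -n "$link" ] || continue
        target=$(readlink -f "$link" 2>/dev/null || true)
        case "$target" in
            "$priv"/*/Resources/Public) ;;
            *) printf 'symlink %s -> %s leaves the asset tree\n' "$link" "$target"; rc=1 ;;
        esac
    done <<EOF
$(find "$pub" -type l)
EOF
    return $rc
}

# make_sample_layout good|bad: builds a constructed project tree in a temp dir and
# prints its path; "bad" adds a stray PHP file and a symlink to a whole extension.
make_sample_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/private/typo3conf/ext/news/Resources/Public" \
             "$root/private/typo3conf/ext/news/Classes" \
             "$root/private/typo3/sysext/backend/Resources/Public" \
             "$root/public/typo3conf/ext/news/Resources" \
             "$root/public/typo3/sysext/backend/Resources" "$root/public/typo3temp/assets"
    : > "$root/private/typo3conf/ext/news/Classes/NewsController.php"   # stays private
    : > "$root/public/index.php"
    : > "$root/public/typo3/index.php"
    ln -s "$root/private/typo3conf/ext/news/Resources/Public" "$root/public/typo3conf/ext/news/Resources/Public"
    ln -s "$root/private/typo3/sysext/backend/Resources/Public" "$root/public/typo3/sysext/backend/Resources/Public"
    if [ "$1" = bad ]; then
        : > "$root/public/typo3conf/stray.php"
        ln -s "$root/private/typo3conf/ext/news" "$root/public/typo3conf/ext/news-src"
    fi
    printf '%s\n' "$root"
}
```

Run `audit_public_root /path/to/my-typo3-site` against a real project after Step 6; a non-zero exit means something besides assets and the entry scripts is web-reachable.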


Conclusion

  • Although TYPO3 is secure, let's make it even more secure with the great typo3-secure-web Composer package.

  • Don’t forget to say “Thanks to Helmut” for his great efforts to the TYPO3 community.

  • Are you experiencing any issues during setup? Please feel free to connect with us for support.

  • Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.

Inspiring People To Secure!

Sanjay Chauhan - TYPO3 Technopreneur

A young technology enthusiast and entrepreneur. At 24, he co-founded NITSAN, a TYPO3 agency in Bhavnagar, India. He is the sought-after marketing face of NITSAN and is credited with managing customer-service teams, collaborating with agencies and clients, executing projects, and more. A tech guy in every sense of the word, Sanjay is the real TYPO3 guru at NITSAN.
