TYPO3 Security

Protect your TYPO3 installation against attacks. Best practices, configuration tips and security extensions for maximum protection.

12 essential TYPO3 security tips

Implement these measures to make your TYPO3 site more secure immediately

1. Keep TYPO3 up-to-date
   Update regularly to the latest version. The TYPO3 Security Team releases security updates monthly.

2. Use strong passwords
   Minimum 16 characters for admin accounts. Use a password manager. Enforce this via a password policy.

3. Secure the Install Tool
   Set a strong Install Tool password and restrict access with an IP whitelist. Remove /INSTALL.md.

4. Configure trusted hosts
   Set trustedHostsPattern so that TYPO3 only responds to your own domain names. This prevents host header attacks.

5. Use HTTPS everywhere
   Force HTTPS for the entire site, and especially for the backend. Configure HSTS headers. Free certificates are available via Let's Encrypt.

6. Restrict backend access
   Block /typo3 via .htaccess for all IPs except your office, or require VPN access.

7. Disable file upload for editors
   Restrict which file types can be uploaded. Block .php and .html in fileadmin. Use fileDenyPattern.

8. Hide the TYPO3 version
   Remove the X-TYPO3-Parsetime header and the generator meta tag, so attackers cannot read off the version and look up version-specific exploits.

9. Implement a Content Security Policy
   CSP headers protect against XSS attacks. Configure them via .htaccess or the nginx config.

10. Make daily backups
    Automatic backups of database and files. Test that a restore actually works. Store backups offsite.

11. Monitor security bulletins
    Follow the TYPO3 Security Advisories via typo3.org/security. Patch critical issues immediately.

12. Use two-factor authentication
    Install a 2FA extension for the backend. Even with a leaked password, nobody can log in without the second factor.

Security configuration in TYPO3

Important settings for a secure TYPO3 installation

LocalConfiguration.php

Secure your installation via these configuration options:

// Keys to merge into the array returned by LocalConfiguration.php
// ('jouwdomein\.nl' is a placeholder: substitute your own domain)

// Trusted hosts pattern. TYPO3 wraps the pattern in ^...$ and matches it
// case-insensitively against the Host header, so this value accepts exactly
// "jouwdomein.nl" and nothing else; use '(www\.)?jouwdomein\.nl' to allow www too.
'SYS' => [
  'trustedHostsPattern' => 'jouwdomein\.nl',
],

// Disable the deprecation log (keeps the log from filling up; not a hardening measure by itself)
'LOG' => [
  'TYPO3' => [
    'CMS' => [
      'deprecations' => [
        'writerConfiguration' => [
          \TYPO3\CMS\Core\Log\LogLevel::NOTICE => [],
        ],
      ],
    ],
  ],
],
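As an added example (not the page's own configuration), here is a fuller set of keys for the same array, collecting the settings behind tips 3, 4, 5, 7 and 12 above. It is shown as a complete return statement only so that it is valid PHP; in practice you merge these keys into your existing LocalConfiguration.php (the DB block and the rest stay). The domain, the pattern and the Install Tool hash are placeholders; the keys are TYPO3 core options, with the version notes in the comments (loginRateLimit* from TYPO3 11.3, requireMfa from 11.1, cookieSecure under SYS from v10), so check them against the Install Tool of the version you run.

```php
<?php
// Added example, not the page's own configuration: keys for the array returned by
// LocalConfiguration.php (TYPO3 v11/v12). All values are placeholders to replace.
return [
    'SYS' => [
        // Tip 4: TYPO3 wraps the pattern in ^...$ and matches case-insensitively, so only
        // "jouwdomein.nl" and "www.jouwdomein.nl" pass; "jouwdomein.nl.evil.example" does not.
        'trustedHostsPattern' => '(www\.)?jouwdomein\.nl',
        // 1 = session cookies carry the Secure flag and never travel over plain HTTP
        // (0 = always send, 2 = Secure only when the request itself came in over HTTPS).
        'cookieSecure' => 1,
    ],
    'BE' => [
        // Tip 5: the backend is only reachable over HTTPS.
        'lockSSL' => true,
        // Tip 7: TYPO3's default deny pattern, spelled out so it is visible. It rejects
        // PHP-family extensions, also as double extensions ("x.php.jpg"), plus .pl and
        // .htaccess. Extend it if you need to; never loosen it.
        'fileDenyPattern' => '\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$',
        // Brute force protection built into TYPO3 11.3+: after 5 failed backend logins
        // from one IP within 15 minutes, further attempts from that IP are refused.
        'loginRateLimit' => 5,
        'loginRateLimitInterval' => '15 minutes',
        // Tip 12: built-in multi-factor authentication (TYPO3 11.1+). As I recall the
        // values: 1 = required for all users, 2 = admins only, 3 = non-admins only;
        // verify the meaning in your version's Install Tool before relying on it.
        'requireMfa' => 2,
        // Tip 3: the Install Tool password is stored as a hash that the Install Tool
        // generates for you; never write a plain-text password here.
        'installToolPassword' => '<hash generated by the Install Tool>',
    ],
];
```

After changing trustedHostsPattern, request the site once with a Host header that is not yours (for example from curl with `-H 'Host: other.example'`): TYPO3 should refuse it, which confirms the pattern is in force.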

.htaccess security

Add these rules to your .htaccess for extra security:

# Block access to sensitive files
# (?i) makes the match case-insensitive, so "dump.SQL" is blocked as well as "dump.sql"
<FilesMatch "(?i)\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)$">
  Require all denied
</FilesMatch>

# Security headers (need mod_headers; the IfModule guard avoids a server error where it is missing)
<IfModule mod_headers.c>
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-Content-Type-Options "nosniff"
  # Legacy header: current browsers ignore it; rely on a Content Security Policy against XSS
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

File permissions

Correct file permissions are crucial for security:

  • Directories: 755 (rwxr-xr-x)
  • Files: 644 (rw-r--r--)
  • Never use 777!
  • LocalConfiguration.php: 660

Extension security

Pay attention to these points with extensions:

  • Only install extensions from TER
  • Check last update date
  • Read reviews and security advisories
  • Remove unused extensions

Recommended security extensions

These TYPO3 extensions strengthen your security

typo3/cms-core

TYPO3 core already contains many security features. Always keep up-to-date for latest patches.

  • Password policies
  • CSRF protection
  • XSS filtering
  • SQL injection prevention

totp (2FA)

Two-factor authentication for the backend. Use an authenticator app such as Google Authenticator or Authy.

  • TOTP based (RFC 6238)
  • Can be enabled per user
  • Backup codes
  • Free and open source

secureweb

Extra security headers and configuration options for enterprise installations.

  • Content Security Policy
  • Security headers
  • Cookie security
  • HTTPS enforcement

Common attacks

What TYPO3 sites need to be protected against

SQL Injection

Attackers try to manipulate database queries via input fields.

Protection: TYPO3 uses prepared statements. Always use Extbase query builders, never raw SQL.
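The difference between the two approaches, as an added example that is not part of the page: the same lookup written with string concatenation and with the core QueryBuilder. It assumes it runs inside a TYPO3 v12 request where the ConnectionPool is available (on TYPO3 11, `execute()` takes the place of `executeQuery()`); the table and the function names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: the same query written unsafely and safely.
// Assumes a TYPO3 v12 context (ConnectionPool available); function names are mine.

use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * UNSAFE: the form value becomes part of the SQL text. A value containing a single
 * quote ends the string literal early and the rest is parsed as SQL.
 */
function findContentUnsafe(string $headerFromForm): array
{
    $connection = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getConnectionForTable('tt_content');
    $sql = "SELECT uid, header FROM tt_content WHERE header = '" . $headerFromForm . "'";
    return $connection->executeQuery($sql)->fetchAllAssociative();
}

/**
 * SAFE: QueryBuilder with named parameters. The values are sent to the database
 * separately from the SQL text, so they can never be interpreted as SQL. The
 * PARAM_INT hint also rejects a non-numeric page id before the query runs.
 */
function findContentSafe(string $headerFromForm, int $pid): array
{
    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tt_content');
    return $queryBuilder
        ->select('uid', 'header')
        ->from('tt_content')
        ->where(
            $queryBuilder->expr()->eq(
                'pid',
                $queryBuilder->createNamedParameter($pid, Connection::PARAM_INT)
            ),
            $queryBuilder->expr()->eq(
                'header',
                $queryBuilder->createNamedParameter($headerFromForm)
            )
        )
        ->executeQuery()
        ->fetchAllAssociative();
}
```

Note that the QueryBuilder obtained from `getQueryBuilderForTable()` also applies TYPO3's default restrictions (deleted and hidden records are filtered out), which the raw query above silently skips; that is a second reason to prefer it over hand-built SQL.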

Cross-Site Scripting (XSS)

Injecting malicious JavaScript code into pages to attack users.

Protection: Use Fluid's escaping. Never output user input directly in HTML without htmlspecialchars().
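What "Fluid's escaping" actually does, and where it is not enough, as an added example in plain PHP that is not part of the page: Fluid escapes `{variable}` output with htmlspecialchars(), which is correct for HTML text and attributes but not for a value placed inside a `<script>` block. The function names and the sample values below are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: output escaping chosen per HTML context.
// Runs with plain PHP 8; $untrustedName and $untrustedOptions are constructed samples.

/** HTML text and attribute context: the equivalent of Fluid's default {variable} escaping. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES also escapes the single quote, so single-quoted attributes stay closed;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Inline-script context: htmlspecialchars() is the wrong tool here. */
function escapeForInlineScript(mixed $value): string
{
    // JSON with the HEX flags encodes <, >, &, ' and " as \uXXXX escapes, so the value
    // can neither close the <script> element nor break out of the JS string literal.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Renders a fragment with the value in three places, each escaped for its own context. */
function renderProfile(string $untrustedName, array $untrustedOptions): string
{
    $html  = '<h1>' . escapeHtml($untrustedName) . "</h1>\n";
    $html .= '<input name="display" value=\'' . escapeHtml($untrustedName) . "'>\n";
    $html .= '<script>var profileOptions = ' . escapeForInlineScript($untrustedOptions) . ";</script>\n";
    return $html;
}

// Constructed input containing the characters that matter in each context.
$untrustedName = "O'Neil <b>&</b> \"Co\"";
$untrustedOptions = ['theme' => "dark' + '</script>"];
echo renderProfile($untrustedName, $untrustedOptions);
```

The rule this illustrates: escape at output time, for the context the value lands in, never on input. In a Fluid template the first two cases are handled by plain `{name}`; disabling it with `f:format.raw` on editor-supplied data is the mistake this section warns about.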

Brute Force attacks

Automated attempts to log in with different passwords.

Protection: Implement rate limiting, IP blocking after X attempts, use 2FA.
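How "IP blocking after X attempts" works in code, as an added example that is not part of the page: a sliding-window limiter keyed by client IP, with the defaults TYPO3's own built-in backend limiter uses (5 failures per 15 minutes, from TYPO3 11.3 on). The class is mine and keeps its state in memory for the demonstration; a real deployment stores the attempts in the database or a shared cache so that all web workers see them. The IP addresses and timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: a sliding-window login rate limiter per client IP.
// In-memory state for demonstration only; store attempts centrally in production.

final class LoginRateLimiter
{
    /** @var array<string, int[]> timestamps of failed attempts, per IP */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900
    ) {
    }

    /** Call before checking credentials; a blocked IP never reaches the password check. */
    public function isBlocked(string $ip, int $now): bool
    {
        $this->prune($ip, $now);
        return count($this->failures[$ip] ?? []) >= $this->maxAttempts;
    }

    public function recordFailure(string $ip, int $now): void
    {
        $this->prune($ip, $now);
        $this->failures[$ip][] = $now;
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }

    /** Drops failures older than the window, so the block lifts by itself. */
    private function prune(string $ip, int $now): void
    {
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip] ?? [],
            static fn (int $t): bool => $t > $cutoff
        ));
    }
}

// Constructed scenario: five failures within one minute from one client.
$limiter = new LoginRateLimiter();
$t0 = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    $limiter->recordFailure('203.0.113.7', $t0 + $i * 10);
}
var_dump($limiter->isBlocked('203.0.113.7', $t0 + 60));   // sixth try inside the window
var_dump($limiter->isBlocked('203.0.113.7', $t0 + 960));  // same client after the window
var_dump($limiter->isBlocked('198.51.100.2', $t0 + 60));  // unrelated client
```

Two caveats a limiter keyed only by IP has: many users behind one NAT share a counter, and an attacker with many addresses spreads attempts across them. Counting per account as well as per IP, and exempting your office range (TYPO3 offers loginRateLimitIpExcludeList for this), covers both; 2FA, as the section says, removes the payoff of a guessed password altogether.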

File Upload exploits

Uploading malicious files (.php scripts) via forms.

Protection: Configure fileDenyPattern, validate MIME types, store uploads outside webroot.
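The two checks named in this section, as an added example in plain PHP that is not part of the page: a name check with TYPO3's default fileDenyPattern (the regex as I know it from the core defaults; compare it with the one your version ships) and a content check on the real MIME type. The function names and the sample file names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: the name check behind fileDenyPattern and a
// content check on the MIME type. The pattern is TYPO3's default as I know it.

const FILE_DENY_PATTERN = '\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$';

/** True if the file name is acceptable for an upload into fileadmin. */
function isFileNameAllowed(string $fileName): bool
{
    // Case-insensitive like TYPO3, so "Shell.PHTML" is caught too. The (\..*)? group
    // extends the match over double extensions such as "x.php.jpg", which some servers
    // would still hand to the PHP interpreter.
    return preg_match('/' . FILE_DENY_PATTERN . '/i', $fileName) !== 1;
}

/** Second, independent check: the bytes must be an allowed image type, whatever the name says. */
function isAllowedImage(string $path): bool
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime !== false && in_array($mime, $allowed, true);
}

// Constructed names covering a plain, a double and an upper-case dangerous extension,
// a dotfile, and two legitimate uploads.
$samples = ['shell.php', 'shell.php.jpg', 'Shell.PHTML', '.htaccess', 'photo.jpg', 'report.pdf'];
foreach ($samples as $name) {
    printf("%-16s %s\n", $name, isFileNameAllowed($name) ? 'allowed' : 'denied');
}
```

Both checks are filters on what gets stored; the third measure in the section, keeping uploads outside the webroot (or in a directory where the web server has script execution disabled), is what limits the damage when a filter is wrong, so use all three together rather than relying on the name check alone.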

Hosting with security features

Choose hosting with firewall, malware scanning and daily backups for extra protection.