Quick Guide to Harden TYPO3 Security

Quick Guide to Harden TYPO3 Security

History says TYPO3 is one of the most secure OpenSource CMS. But, security is a never-ending task, In this article, I want to introduce Helmut’s popular “TYPO3 Secure Web” package to more secure your TYPO3 site.

We as a whole see that it is so essential to maintain the TYPO3 Security of your site. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing continuously.

Fortunately, TYPO3 has better built-in firewall security because the core architecture of TYPO3 is robust. But, TYPO3 security never-ends. The TYPO3 community is always serious about security and performance, and always develops something which improves security.

“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.
- Richard Clarke”

TYPO3 - Most Secure OpenSource CMS

According to the report of Sucuri.net TYPO3 is the world's least hacked OpenSource CMS.

Why TYPO3 Security Matters?

Here is the statistics report which shows why website security is so important.

Source
A hacked TYPO3 site can make genuine harm to your business income and notoriety. Hackers can take client data, passwords, introduce noxious programs, sell information, and can even multiply malware to their clients. 

Most noticeably awful, you may wind up paying ransomware to hackers just to recover access to your very own website.

What’s the Ideal TYPO3 Code Structure?

A normal composer based installation contains only a “public” folder. Imagine below the TYPO3 architecture of “private” and “public” folders to add the TYPO3 security level.

public

that only contains assets like css/js/images etc., for the web public users.

private

that contains typo3 core sysext, typo3conf ext, etc.,

var

that contains cache, log, session, etc.,

vendor

that contains CMS as well as extension’s vendors.

Applause to Helmut Hummel

Sounds fascinating right? We serve gratitude to Helmut for his 10+ long years of contribution and commitment to the TYPO3 Community - particularly on TYPO3 security. 

I would love to present his extraordinary TYPO3 secure web bundle https://github.com/helhum/typo3-secure-web 

It's an ideal opportunity to acknowledge and state our "much appreciation for Helmut" by staying in contact and being associated with him at:

IMHO: Someday, we wish typo3-secure-web package gets included within the TYPO3 core!

Did you know?
TYPO3.org project has been secured with this package typo3-secure-web :)

Step-by-step Guide to TYPO3 Secure Web

Pre-requisite and Dependencies

Package

Description

typo3/cms-core

^8.7.10 || ^9.5.2 || ^10.4

typo3/cms-composer-installers

^1.4 || ^2.0 || ^3.0

helhum/typo3-composer-setup

^0.5.4


Care to the Conflict

Package

Description

helhum/typo3-composer-setup

<0.5.4

typo3/cms

<8.7.10

typo3/cms-core

<8.7.10

 

Let’s get ready to implement a TYPO3 secure web package to your composer based TYPO3 installation, Our technical team develops TYPO3 projects with best practices of Docker, DDEV, Composer as below.

Step 1: Create a project folder

 

mkdir my-typo3-site
cd my-typo3-site

 

Step 2: Configure PHP version

 

ddev config --project-type php --php-version 7.2

 

Step 3: Download latest version through Composer

 

ddev composer create typo3/cms-base-distribution ^10 --no-interaction
ddev config --project-type typo3
ddev start

 

Step 4: Run TYPO3 Installation Wizard

 

touch public/FIRST_INSTALL

 

Step 5: At composer.json, Setup private and public folders

 

"extra": {
    "typo3/cms": {
    "root-dir": "private",
    "web-dir": "public"
    }
}

 

Step 6: Secure your TYPO3 with folders structure private and public

 

ddev composer require helhum/typo3-secure-web

 

When you have effectively installed TYPO3-secure-web bundle, it will organize entire files and folders architecture at your server as follows: 

  • This bundle will at that point set up the web server document root inside the public folder and TYPO3 inside the private folder. 
  • The private folder will look familiar and will contain typo3, typo3conf, fileadmin, typo3temp, uploaded folders
  • The public folder will just have the entry scripts and connections to fileadmin, typo3temp/assets and, Resources/Public of all installed (framework) extensions.

Access to Private

"private" folder will highlight the code of TYPO3 core and extensions. No web public user will have the option to get to your TYPO3 code. 

Root design of private folder 

Access to Public

"public" folder will highlight the web server record root, and just contains asset documents. At every folder, you will have the option to see just /Resources/Public/folder which will symlink to a specific private/Resources/Public/folder. 

The architecture of public/typo3temp

Architecture of TYPO3 extension only contains /Resources/Public/ eg., EXT:news  /public/typo3conf/ext/news

The architecture of the TYPO3 core only contains /Resources/Public/ eg., EXT:backend /public/typo3/sysext/backend/

Conclusion

  • In spite of the fact that the TYPO3 is made robust and secure, Let's keep it safer through the extraordinary typo3-secure-web composer package. 
  • Remember to say "thanks and Donate to Helmut" for his extraordinary endeavors to the TYPO3 people community. 

Are you encountering any issues during setup? Please feel free to connect with us for support. Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.

Inspiring People To Secure!

Post Comment

Your email address will not be published. Required fields are marked *

×

Name is required!

Enter valid name

Valid email is required!

Enter valid email address

Comment is required!

Google Captcha Is Required!

Comments :

  • Lutz Veith September 4, 2020 At 2:18 pm
    Great Article Sanjay. Thanks for sharing tips and Helhum's security architecture. One of the easiest ways to test security things like this is to clone to a staging or dev environment, run your updates, verify everything is good. And then run it on production.

Everything About TYPO3 Backend Access, User Roles & Permissions

If you’re not the only person running your TYPO3 website, you’ve probably needed to think about TYPO3 user roles. TYPO3 comes with…

TYPO3 Backend Login Setup Guide

Are you looking for TYPO3 Backend login integration and configuration? This blog will help you implement the TYPO3 backend login…

40+ Steps to Improve Your TYPO3 Security

30 Steps to Improve Your TYPO3 Security

It feels proud that our very own TYPO3 CMS is one of the world’s most secure OpenSource CMS! But, as we know with increasing…

Stay up to date with our recent TYPO3 Blogs, news, & updates