How To Secure Your TYPO3 Sites From Hack Attempts?
Although TYPO3 being a self secured CMS, let’s try to make your TYPO3 sites more secure. How about increasing security by disabling access TYPO3 code by securing core files and folders? Yeah, that’s one of the main reason to write this blog.
Table of content
According to a survey, TYPO3 is one of the most secure Open Source CMS - it is a proud feeling to be involved and working with such a great community who did their best for the security concerns.
But yeah, as you know with increasing advancements security is a never-stopping thing, so Let’s try to make your TYPO3 sites more secure.
At last TYPO3 Code Sprint India, We have deeply explored the security topic from Thomas Loffler - Thanks a lot!
And yes, we have already started to implement high-security features to our customer’s projects. We are happy to share it hereby with you too.
TYPO3 is the most secure OpenSource CMS
TYPO3 is a well-designed CMS with different security-levels and layers in the core framework. And that’s the main reason why it’s extremely difficult or impossible to hack TYPO3 sites in comparison to other CMS and Framework :)
Facts and figures of security issues
Ideal Secure Server Architecture
Although TYPO3 being a self secured CMS, it would be better to provide more security at server-level.
How about increasing security by disabling access (to web users) the TYPO3 code by securing core files and folders? Yeah, that’s one of the main reason to write this blog.
The hackers or public users will not be able to have access to TYPO3 core and extensions files. Because, we are going to set everything to “private”, and the “public” folder will only contain assets.
Imagine below security-level server architecture as your TYPO3 setup.
| Folder | Description |
|---|---|
| public | which only contains assets like css/js/images etc., for the web public users. |
| private | which contains typo3 core sysext, typo3conf ext, etc., |
| var | which contains cache, log, session, etc., |
| vendor | which contains CMS as well as extension’s vendors. |
Thanks to Helmut Hummel
Sounds interesting right? Big thanks to Helmut for his 10+ years of dedication and contribution to the TYPO3 community - especially on TYPO3 security. I would like to introduce his great TYPO3 secure web package https://github.com/helhum/typo3-secure-web
It’s time to appreciate and say your “thanks-giving to Helmut” by keeping in touch and being connected with him at:
- Twitter: https://twitter.com/helhum
- Github: https://github.com/helhum
- Blogs: https://insight.helhum.io/
We wish typo3-secure-web package gets included within TYPO3 core!
Did you know?
TYPO3.org project has been secured with this package typo3-secure-web :)
TYPO3 system requirement and conflict
Here, I would like to guide step-by-steps to install and configure typo3-secure-web composer package. First, let’s check what are the dependencies and conflict with this package.
Pre-requisite and Dependencies
| Folder | Description |
|---|---|
| typo3/cms-core | ^8.7.8 || ^9.5.5 |
| typo3/cms-composer-installers | ^1.4 || ^2.0 |
| helhum/typo3-composer-setup | ^0.5.4 |
Care to the Conflict
| Folder | Description |
|---|---|
| helhum/typo3-composer-setup | <0.5.4 |
| typo3/cms | <8.7.10 |
| typo3/cms-core | <8.7.10 |
Step-by-step guide to install and configure TYPO3 securely
Our team is setting up TYPO3 with industries best standards and approach using Docker/DDEV and Composer for our customer’s projects. Let’s secure your TYPO3 sites by following steps.
Step 1: Create a project folder
mkdir my-typo3-site
cd my-typo3-siteStep 2: Configure PHP version
ddev config --project-type php --php-version 7.2Step 3: Download latest version through Composer
ddev composer create typo3/cms-base-distribution ^9 --no-interaction
ddev config --project-type typo3
ddev startStep 4: Run TYPO3 Installation Wizard
touch public/FIRST_INSTALL
Step 5: At composer.json, Setup private and public folders
"extra": {
"typo3/cms": {
"root-dir": "private",
"web-dir": "public"
}
}Step 6: Secure your TYPO3 with folders structure private and public
ddev composer require helhum/typo3-secure-webOnce you have successfully installed TYPO3-secure-web package, it will organize whole folders and files architecture at your server as follows:
Access to Private
“private” folder will point to the code of TYPO3 core and extensions. No web public user will be able to access your TYPO3 code.
Root architecture of private folder
Access to Public
“public” folder will point as web server document root, and only contains assets files. At each folder, you will able to see only /Resources/Public/ folder which will symlink to a particular private /Resources/Public/ folder.
Root architecture of public folder
The architecture of public/typo3temp
Architecture of TYPO3 extension only contains /Resources/Public/ eg., EXT:news /public/typo3conf/ext/news
The architecture of the TYPO3 core only contains /Resources/Public/ eg., EXT:backend /public/typo3/sysext/backend/
Conclusion
- Although the TYPO3 is secured, Let’s keep it more secure through great typo3-secure-web composer package.
- Don’t forget to say “Thanks to Helmut” for his great efforts to the TYPO3 community.
- Are you experiencing any issues during setup? Please feel free to connect with us for support.
- Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.
Inspiring People To Secure!
Comments and Responses
Be the First to Comment