---
title: "How To Secure Your TYPO3 Sites From Hack Attempts?"
url: "https://nitsantech.de/en/blog/how-to-secure-your-typo3-sites-from-hack-attempts"
description: "Protect your TYPO3 website from hackers with these important security tips, learn how!"
image: "https://nitsantech.de/fileadmin/_processed_/f/b/csm_How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts_7c0d659343.jpg"
author: Sanjay Chauhan - TYPO3 Technopreneur
date: 2019-10-04
modified: 2025-10-04
lastUpdated: 2026-02-26
keywords:
  - CMS security
  - Hacking
  - protection
  - website
  - ssl
  - GDPR . TYPO3
  - TYPO3 CMS
  - TYPO3 Security
  - TYPO3 Tips
categories:
  - Security
---

# How To Secure Your TYPO3 Sites From Hack Attempts?


 01 Aug 2019


 [Sven Thelemann](https://nitsantech.de/en/blog/author/sven-thelemann)


Although TYPO3 is a self-secured CMS, let’s try to make your TYPO3 sites more secure. How about increasing security by blocking web access to TYPO3 code, securing the core files and folders? That’s one of the main reasons for writing this blog.

 ![How To Secure Your TYPO3 Sites From Hack Attempts?](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/Blog-Redesign.jpg)


According to a survey, TYPO3 is one of the most secure open-source CMS platforms. It’s a proud feeling to work with a community so dedicated to security, something every [**TYPO3 Agency**](https://nitsantech.de/en/typo3-agency) values and implements in its projects.

But as you know, security is never finished as technology advances, so let’s try to [make your TYPO3 sites more secure](https://nitsantech.de/en/blog/typo3-security).

At the last [TYPO3 Code Sprint](https://nitsantech.de/en/blog/typo3-code-sprint-india-2019), we explored the security topic in depth with the help of [Thomas Loffler](https://twitter.com/spooner_web). Thanks a lot!

And yes, we have already started implementing high-security features in our customers’ projects. We are happy to share them with you here too.

  ![TYPO3 Security](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security.png "TYPO3 Security")

TYPO3 is a well-designed CMS with different security levels and layers in the core framework. That’s the main reason why it’s extremely difficult or impossible to hack TYPO3 sites in comparison to other CMSs and frameworks :)

  ![TYPO3 security facts and figures](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_Facts_figures.png "TYPO3 security facts and figures")

Although TYPO3 is a self-secured CMS, it is better to add more security at the server level.

How about increasing security by denying web users access to the TYPO3 code, securing the core files and folders? That’s one of the main reasons for writing this blog.

Hackers and public users will not be able to access the TYPO3 core and extension files, because we are going to set everything to “private”; the “public” folder will contain only assets.

Imagine the security-level server architecture below as your TYPO3 setup.

  ![TYPO3_security_Server_Architecture](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_Server_Architecture.png "TYPO3_security_Server_Architecture")

| Folder | Description |
|---|---|
| public | Contains only assets such as CSS, JS and images for public web users. |
| private | Contains the TYPO3 core sysext, typo3conf ext, etc. |
| var | Contains cache, log, session, etc. |
| vendor | Contains the vendor packages of the CMS and of extensions. |

  ![Helmut Hummel](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/typo3_security_helmut.png "Helmut Hummel")

Sounds interesting, right? Big thanks to Helmut for his 10+ years of dedication and contribution to the TYPO3 community, especially on TYPO3 security. I would like to introduce his great TYPO3 secure web package: <https://github.com/helhum/typo3-secure-web>

It’s time to show your appreciation and say thanks to Helmut by staying connected with him at:

- Twitter: <https://twitter.com/helhum>
- Github: <https://github.com/helhum>
- Blogs: <https://insight.helhum.io/>

We hope the [typo3-secure-web](https://github.com/helhum/typo3-secure-web) package gets included in the TYPO3 core!

### Did you know?

The [TYPO3.org](https://typo3.org/) project has been secured with this typo3-secure-web package :)

Here, I would like to guide you step by step through installing and configuring the typo3-secure-web Composer package. First, let’s check the dependencies and conflicts of this package.

### Prerequisites and Dependencies

| Package | Version constraint |
|---|---|
| typo3/cms-core | ^8.7.8 \|\| ^9.5.5 |
| typo3/cms-composer-installers | ^1.4 \|\| ^2.0 |
| helhum/typo3-composer-setup | ^0.5.4 |

### Watch Out for Conflicts

| Package | Conflicting versions |
|---|---|
| helhum/typo3-composer-setup | <0.5.4 |
| typo3/cms | <8.7.10 |
| typo3/cms-core | <8.7.10 |

Our team sets up [TYPO3](https://nitsantech.de/en/blog/typo3) for our customers’ projects using the industry’s best standards and approach, with Docker/DDEV and Composer. Let’s secure your [**TYPO3 websites**](https://nitsantech.de/en/blog/typo3-website) with the following steps.

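```none
# Create and enter the project directory
mkdir my-typo3-site
cd my-typo3-site
```

```none
# Configure DDEV as a generic PHP project running PHP 7.2
ddev config --project-type php --php-version 7.2
```

```none
# Install the TYPO3 v9 base distribution, switch the project type to typo3 and start the containers
ddev composer create typo3/cms-base-distribution ^9 --no-interaction
ddev config --project-type typo3
ddev start
```

```none
# Create the FIRST_INSTALL flag file so the TYPO3 installation wizard can run
touch public/FIRST_INSTALL
```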

  ![TYPO3 Security installation](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_Installation_Wizard.png "TYPO3 Security installation")

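In `composer.json`, set `root-dir` to `private` and `web-dir` to `public`:

```none
"extra": {
    "typo3/cms": {
        "root-dir": "private",
        "web-dir": "public"
    }
}
```

```none
# Install the typo3-secure-web package
ddev composer require helhum/typo3-secure-web
```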

Once you have successfully installed the typo3-secure-web package, it will organize the folder and file architecture on your server as follows:

### Access to Private

The “private” folder contains the code of the TYPO3 core and extensions. No public web user will be able to access your TYPO3 code.

**Root architecture of private folder**

  ![TYPO3_security_Access_To_Private](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_Access_To_Private.png "TYPO3_security_Access_To_Private")

### Access to Public

The “public” folder serves as the web server document root and contains only asset files. In each folder, you will see only a /Resources/Public/ folder, which is a symlink to the corresponding private /Resources/Public/ folder.

**Root architecture of public folder**

  ![TYPO3_security_Access_to_Public](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_Access_to_Public.png "TYPO3_security_Access_to_Public")

**The architecture of public/typo3temp**

  ![TYPO3_security_public_typo3temp](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_public_typo3temp.png "TYPO3_security_public_typo3temp")

**The architecture of a TYPO3 extension, which contains only /Resources/Public/, e.g. EXT:news at /public/typo3conf/ext/news**

  ![TYPO3_security_Resources](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_resources.png "TYPO3_security_Resources")

**The architecture of the TYPO3 core, which contains only /Resources/Public/, e.g. EXT:backend at /public/typo3/sysext/backend/**

  ![TYPO3_security_backend_Resources](https://nitsantech.de/fileadmin/ns_theme_ns2019/blog/live/How_To_Secure_Your_TYPO3_Sites_From_Hack_Attempts/TYPO3_security_backend_Resources.png "TYPO3_security_backend_Resources")
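One way to verify the layout described above after installation, as an added example that is not part of the original post or of typo3-secure-web: the function `audit_public_exts` (a hypothetical name) checks that every extension directory under the document root contains nothing but a `Resources/Public` symlink resolving into `private/`. It assumes the `public` and `private` folder names from the `composer.json` settings above.

```bash
#!/usr/bin/env bash
# Added example, not part of typo3-secure-web: audit the public/private split.
# Assumes the article's layout: ROOT/public is the document root, ROOT/private
# holds the code, and each public extension directory contains only a
# Resources/Public symlink pointing into ROOT/private.

# audit_public_exts ROOT
# Prints one finding per line; returns 0 when clean, 1 when anything is exposed.
audit_public_exts() {
    local root ext link extra entry target bad=0
    root=$(cd -P "$1" && pwd) || return 2
    for ext in "$root"/public/typo3conf/ext/*/ "$root"/public/typo3/sysext/*/; do
        [ -d "$ext" ] || continue      # glob matched nothing
        ext=${ext%/}
        link=$ext/Resources/Public

        # 1. Anything besides Resources/ and Resources/Public is exposed code.
        extra=$(find "$ext" -mindepth 1 -path "$link" -prune -o \
                     ! -path "$ext/Resources" -print)
        if [ -n "$extra" ]; then
            printf '%s\n' "$extra" | while IFS= read -r entry; do
                echo "UNEXPECTED ${entry#"$root"/}"
            done
            bad=1
        fi

        # 2. Resources/Public must be a symlink, not a copied directory.
        if [ ! -L "$link" ]; then
            echo "NOT_SYMLINK ${link#"$root"/}"
            bad=1
            continue
        fi

        # 3. The symlink must resolve to a directory below ROOT/private.
        target=$(cd -P "$link" 2>/dev/null && pwd) || target=
        case $target in
            "$root"/private/*) ;;
            *) echo "BAD_TARGET ${link#"$root"/} -> ${target:-unresolvable}"
               bad=1 ;;
        esac
    done
    return "$bad"
}
```

Call it with the project root as its only argument, for example from a deploy hook, and treat a non-zero status as a failed deployment.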

- Although TYPO3 is secure, let’s make it more secure with the great typo3-secure-web Composer package.
- Don’t forget to say “Thanks to [Helmut](https://twitter.com/helhum)” for his great efforts for the TYPO3 community.
- Are you experiencing any issues during setup? Please feel free to contact us for support.
- Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.

**Inspiring People To Secure!**
