How To Secure Your TYPO3 Sites From Hack Attempts?

Although TYPO3 is a secure CMS by itself, let’s try to make your TYPO3 sites more secure. How about increasing security by blocking web access to the TYPO3 code, securing the core files and folders? That’s one of the main reasons for writing this blog post.


According to a survey, TYPO3 is one of the most secure open source CMSs. It is a proud feeling to be involved and working with such a great community, which has done its best on security concerns.

But as you know, with increasing advancements security is a never-ending task, so let’s try to make your TYPO3 sites more secure.

At the last TYPO3 Code Sprint India, we explored the security topic in depth with Thomas Loffler. Thanks a lot!

And yes, we have already started to implement high-security features in our customers’ projects. We are happy to share them here with you too.

TYPO3 is the most secure OpenSource CMS

TYPO3 is a well-designed CMS with different security levels and layers in the core framework. That’s the main reason why it’s extremely difficult or impossible to hack TYPO3 sites in comparison to other CMSs and frameworks :)

Facts and figures of security issues

Ideal Secure Server Architecture

Although TYPO3 is a secure CMS by itself, it is better to add more security at the server level.

How about increasing security by blocking web users' access to the TYPO3 code, securing the core files and folders? That’s one of the main reasons for writing this blog post.

Hackers and public users will not be able to access the TYPO3 core and extension files, because we are going to set everything to “private”, and the “public” folder will contain only assets.

Imagine the following security-level server architecture as your TYPO3 setup.

Folder     Description
public     Contains only assets such as CSS, JS and images, for public web users.
private    Contains the TYPO3 core sysext, typo3conf ext, etc.
var        Contains cache, log, session, etc.
vendor     Contains the vendor packages of the CMS as well as of the extensions.

Thanks to Helmut Hummel

Sounds interesting, right? Big thanks to Helmut for his 10+ years of dedication and contribution to the TYPO3 community, especially on TYPO3 security. I would like to introduce his great TYPO3 secure web package.

It’s time to appreciate and say your “thanks-giving to Helmut” by keeping in touch and being connected with him at:

We wish the typo3-secure-web package gets included in the TYPO3 core!

Did you know? project has been secured with this package typo3-secure-web :)

TYPO3 system requirement and conflict

Here, I would like to guide you step by step through installing and configuring the typo3-secure-web Composer package. First, let’s check the dependencies and conflicts of this package.

Pre-requisite and Dependencies

Package                         Version constraint
typo3/cms-core                  ^8.7.8 || ^9.5.5
typo3/cms-composer-installers   ^1.4 || ^2.0
helhum/typo3-composer-setup     ^0.5.4

Watch Out for Conflicts

Package                       Conflicting versions
helhum/typo3-composer-setup   <0.5.4
typo3/cms                     <8.7.10
typo3/cms-core                <8.7.10

Step-by-step guide to install and configure TYPO3 securely

Our team sets up TYPO3 for our customers’ projects with the industry’s best standards and approach, using Docker/DDEV and Composer. Let’s secure your TYPO3 sites with the following steps.

Step 1: Create a project folder

mkdir my-typo3-site
cd my-typo3-site

Step 2: Configure PHP version

ddev config --project-type php --php-version 7.2

Step 3: Download latest version through Composer

ddev composer create typo3/cms-base-distribution ^9 --no-interaction
ddev config --project-type typo3
ddev start

Step 4: Run TYPO3 Installation Wizard

touch public/FIRST_INSTALL

Step 5: In composer.json, set up the private and public folders

"extra": {
    "typo3/cms": {
        "root-dir": "private",
        "web-dir": "public"
    }
}

Step 6: Secure your TYPO3 with the private and public folder structure

ddev composer require helhum/typo3-secure-web

Once you have successfully installed the typo3-secure-web package, it will organize the whole folder and file architecture on your server as follows:

Access to Private

The “private” folder holds the code of the TYPO3 core and extensions. No public web user will be able to access your TYPO3 code.

Root architecture of private folder

Access to Public

The “public” folder serves as the web server document root and contains only asset files. In each folder, you will see only a /Resources/Public/ folder, which is a symlink to the corresponding private /Resources/Public/ folder.

Root architecture of public folder

The architecture of public/typo3temp

The architecture of a TYPO3 extension contains only /Resources/Public/, e.g., EXT:news at /public/typo3conf/ext/news

The architecture of the TYPO3 core contains only /Resources/Public/, e.g., EXT:backend at /public/typo3/sysext/backend/
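
To check that a deployed document root really has the shape described above, the following script audits it. It is an added example, not part of typo3-secure-web or of the original post; the allowlist of PHP entry points and the list of file patterns are assumptions to adapt to your own setup.

```sh
#!/bin/sh
# Added example (not part of typo3-secure-web): audit the document root of a
# project laid out as the post describes. Paths with newlines are not handled.
# Assumption: these PHP entry points are the only code allowed in public/.
ALLOWED_PHP="index.php typo3/index.php typo3/install.php"

# Every symlink under public/ must resolve to a Resources/Public directory
# inside private/; anything else exposes more than assets.
check_symlinks() {
    find "$1/public" -type l | while IFS= read -r link; do
        target=$(cd "$link" 2>/dev/null && pwd -P) || target="unresolvable"
        rel=${link#"$1"/public/}
        case "$target" in
            "$1"/private/*/Resources/Public) ;;
            *) echo "BAD_SYMLINK $rel -> $target" ;;
        esac
    done
}

# No code, configuration or dumps may sit in public/ as regular files.
# find does not follow symlinks, so linked asset folders are not scanned here.
check_files() {
    find "$1/public" -type f \( -name '*.php' -o -name '*.yaml' -o -name '*.sql' \
        -o -name '*.typoscript' -o -name 'composer.*' \) | while IFS= read -r file; do
        rel=${file#"$1"/public/}
        case " $ALLOWED_PHP " in
            *" $rel "*) ;;
            *) echo "EXPOSED_FILE $rel" ;;
        esac
    done
}

# Prints one finding per line. Returns 0 when clean, 1 on findings, 2 on bad root.
audit_public() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    [ -d "$root/public" ] && [ -d "$root/private" ] || return 2
    findings=$(check_symlinks "$root"; check_files "$root")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run `audit_public /path/to/my-typo3-site` after each deployment; a non-zero return means something other than assets is reachable from the document root.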


  • Although TYPO3 is secure, let’s make it even more secure with the great typo3-secure-web Composer package.

  • Don’t forget to say “Thanks to Helmut” for his great efforts for the TYPO3 community.

  • Are you experiencing any issues during setup? Please feel free to connect with us for support.

  • Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.

Inspiring People To Secure!

Posts by Nitin Chauhan
