But, as we know with increasing technology and advancements, website security is a never-ending process. While TYPO3 itself is secure, avoiding TYPO3 security mistakes requires a little bit of effort from site owners too.
"One single vulnerability is all an attacker needs."
- Window Snyder
We can feel that your TYPO3 website is just like a child to you. You put in a lot of effort, time, and often money to care for it the best way possible, make it user-friendly, and have it run smoothly. In addition to that, you do your very best to keep it from harm.
For that reason, in this micro article, we want to talk about some of the most common TYPO3 security mistakes users make. By learning about them, you avoid committing them yourself. Doing so will make your TYPO3 website much safer.
P.s This guide is especially simplified for non-technical TYPO3 website owners.
Sound good? Then let’s dive right in.
TYPO3 has a great community that’s alert to security issues, and the team at TYPO3 issues updates regularly to fix security threats. But it’s up to us to carry out these updates on our TYPO3 install and patch up any security holes.
The TYPO3 community continuously releases the security checks version with branches eg., TYPO3 9.5.10 You should always update TYPO3’s latest version. Check out the detailed report at https://get.typo3.org/release-notes/10.4.12. Generally, It only contains security patches & changes, so it’s easy to update in matters of 3/4 hours.
It means you need to consider the TYPO3 update version from one LTS (Long Term Support) to another LTS.
In both cases, it’s important to apply the updates as soon as possible. Doing so will ensure any vulnerabilities are patched.
Updating TYPO3 for minor updates is often a smooth process, but with major updates sometimes there can be incompatibility issues that break your website.
Here are some quick resources for TYPO3 Upgrade,
Though TYPO3 backups and security are not interrelated, a backup of a TYPO3 site taken before an attack by malware, ransomware, or by other mediums can save your data (and life!).
Ransomware attacks are performed to make money, and hence these attacks deem your website inaccessible and leave it in a compromised state. Hackers may demand ransom to retrieve your site and give you access, but a proper detailed backup can save you time and money.
- Schedule backups every week and go for a detailed backup on a fortnightly basis.
- Use reliable TYPO3 Backup extensions like Backup Plus TYPO3 Extension.
Many business owners feel that firewalls and anti-virus software give enough protection to their website. Some think that since monetary transactions are not required on their site, there is no need for SSL security. Under this myth, they seem to ignore or forget the significance of the SSL certificate which provides robust 256-bit encryption security to your website.
Hackers can easily compromise any unencrypted sensitive information. This not only puts your visitors at risk of their credentials being stolen, but your site could also be compromised.
Encryption of confidential information (especially important for e-commerce)
- Trust indicator
- A rise in SEO rankings
Once an SSL certificate is installed, it encrypts username and passwords too, which secures your login area, making hacker entry near-impossible. This improves credibility and trustworthiness which are both essential for businesses looking to sell products or generate leads online.
Poorly coded TYPO3 templates and extensions are a security hazard on your TYPO3 website. Not only can they slow down your website, but they can also be incompatible with the TYPO3 version you’re using, or with each other. Moreover, some extensions or templates may be an invitation for malicious software.
Precaution to adopt here is to purchase TYPO3 templates and TYPO3 Extensions only from quality sources. There are many good free TYPO3 templates and TYPO3 extensions available for free in TYPO3 from TYPO3 Extension Repository.
If your choice is for a premium template or extension, look up for them at T3Planet, TYPO3 Marketplace.
- Avoid TYPO3 themes and plugins that haven’t been updated in some time.
- Always get trustworthy templates and extensions from reputable TYPO3 marketplaces and reliable third-party vendors.
- Check the ratings, reviews, and user download count before using any plugins.
- Keep your themes and plugins updated regularly because security patches can fix the bugs and loopholes, making your site more secure.
Just like the TYPO3 core version, your themes and plugins should have regular updates for bug fixes and security patches. It’s your job to test these updates then install them to keep your TYPO3 website safe.
In fact, vulnerable plugins and themes account for 51 percent of all hacked websites. Consequently, you’d do well to keep them up to date in order to minimize security risks.
TYPO3 has many user roles – Administrator, Editor, Author, Contributor, Subscriber, and whatnot. Not all of them need to have the same privileges on your website. When you add users to your site, be careful with the privileges you grant them at the backend. Allow only as much privilege as is necessary for them to fulfill their roles on the website.
Granting unrestricted access to all users can make it easier for hackers to break in.
Editor level access should be granted only to trusted users, and Admin level access can be granted, if at all, very sparingly. Allowing limited privileges to users and forcing them to use strong passwords can control access to the backend to a large extent.
Having unused or inactive extensions and themes are on your website is a major TYPO3 security mistake. One of the primary blunders that most business owners do not realize is the hoarding of new templates, extensions, or user accounts. Of course, you need to keep on adding plugins as per business needs. But once you are done with a particular plugin, do not just deactivate or disable it, go ahead and remove it completely from your TYPO3 site.
Though these idle plugins do not use RAM or bandwidth, they use server space. This affects site performance, resulting in slow speed.
The same goes for themes and user accounts too. Each idle user account is a platform for brute force attacks. It is best that your website is simple and not stuffed with these unused themes and plugins. Hence to minimize the risk effectively, it is best to reduce their number.
- Go through all the plugins and delete all the deactivated ones.
- The same procedure applies to themes too.
- After completing the clean-up process, take a step further and go for a decluttering process.
- Delete unpublished draft posts, unused pages, and other old posts for minimizing the size of your site database.
- Delete all unused tags, categories, and spam comments.
- Go to your media library and delete identical or unattached images.
Be merciless in deleting all idle and unnecessary stuff and keep your site healthy and risk-free.
Not all web hosts are created equal, and choosing one solely on price can end up costing you way more in the long run with TYPO3 security mistakes.
Most shared hosting environments are secure, but some do not properly separate user accounts. If user accounts aren’t properly separated, a single compromised account could take down every website on that shared server.
Your host should be vigilant about applying the latest security patches and following other important hosting security best practices related to server and file security.
This is one of the most common mistakes across the web, and we are not just talking about TYPO3 sites. Strong passwords are the front-line defense against brute-force attacks and compromised user accounts, thus it is one of the most important things to take into consideration when making sure your site is secure.
Passwords like ‘password1234,’ ‘qwerty,’ ‘admin’ are all too common and way too simple. It takes just seconds to brute force or manually guess weak passwords, thus only taking attackers seconds to get into your account.
We highly recommend taking the following measure to stop using weak passwords:
- Create Strong Complex Passwords:
Your passwords should consist of more than 10 characters, with at least one number, one symbol, and one uppercase character.
- Limit the number of users with administration rights:
TYPO3 has different levels of user roles for good reason. Not everyone should be able to do whatever they want. To make your site more secure, it’s a good idea to give everyone just as much permission as they need.
- Install Popular EXT:be_secure_pw:
This extension gives you the possibility to force secure passwords from your BE users. You can set up the password patterns like e.g. capitals, digits, etc. and a minimal length of the password. After activating the extensions, your BE users must fit the patterns and the length of the password to save a new one!
One must enable Email Notification for Login Attempt, the email address defined here will receive notifications, whenever an attempt to login to the Install Tool is made. TYPO3 will also send a warning whenever there are more than three failed backend login attempts (regardless of the user) are detected within one hour.
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = ‘firstname.lastname@example.org’;
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode'] = ‘2’;
Go to Admin Tools > Settings > Configure Installation-Wide Options
TYPO3 core provides a feature to check the security status of your TYPO3 instance.
Go to System > Reports > Status Report > Security
You should keep your eyes on reports and logs generated by TYPO3, In that way, you can figure out security issues eg., Trying to access the TYPO3 backend several times by bots.
Go to System > Log
Thanks to the Marketing Factory guys who did the setup automation TYPO3 code review tool Sonarqube for TER (TYPO3 Extensions Repository).
Check TYPO3 Code Quality
Step 1. Go to TER Sonarcube
Step 2. Search your extension key at the top-right corner
Step 3. You can check the quality of extension with possible bugs, code smells, duplication of code, etc.,
We’re all human and mistakes happen. Sometimes important security decisions are simply overlooked or forgotten about, so it’s always a good idea to revisit your TYPO3 site and check on its current security posture.
We hope that providing you with these 12 TYPO3 security mistakes will encourage you to check on your site and make sure you are following the best practices associated with a secure TYPO3 environment.
If this becomes too much for you to handle, you may need to get help from a professional TYPO3 support team. Feel free to reach out to us and learn how we can handle your security, maintenance, and updates.
And if you have any questions or comments, drop us a line down below.