Inside TYPO3

< 3.10. Security in TYPO3  Table Of Content 3.10.3. Recommendations >

3.10.2. Additional security measures you can take:

  1. Add a .htaccess file to the typo3/ source code directory. This will "webserver protect" the backend interface. Backend users will have to type in two passwords: First the general webserver password, then the user-specific TYPO3 password.
    The authenticated web-server user is not used by TYPO3 in any way. It just adds another gate in the authorization process.
    Notice: This solution will not work if you are using file resources (such as images) from extensions in your frontend! That might be the case if your site uses frontend plugins from extensions installed as "system" or "global". If an image is referenced on the site it will trigger an authorization box to pop up! The solution could be to install the extension as "local" (in typo3conf/ext/) where the directory is not password protected.

  2. Add IP-filtering (see TYPO3_CONF_VARS[BE][IPmaskList]) - this enables you to lock out any backend users which are not coming from a certain IP number range.

  3. Add lockToDomain in be_users/be_groups records (makes sure that users are logging in only from certain URL's - maybe some secret admin-url you make?)

  4. Change name of the "typo3/" backend directory (makes it harder to guess the administration URL).

  5. Set the TYPO3_CONF_VARS[BE][warning_mode] and TYPO3_CONF_VARS[BE][warning_email_addr] - that will inform you of logins and failed attempts in general.

  6. Use https for all backend activity. That will make sure that your passwords and data communication with the server are truely encrypted. TYPO3_CONF_VARS[BE][lockSSL]=1 will force users to use https.

To top


Valid XHTML 1.0!