About this document

Security is taken very seriously by the core developers of TYPO3 projects and especially by the members of the official TYPO3 Security Team. It is also in the interest of system administrators, website owners, editors and everybody who is responsible for a TYPO3 site to protect the site and its content against various threats. This document describes some typical risks and advises on how to protect a TYPO3 site in order to ensure it is and stays secure and stable.

The term “TYPO3” as used in this document refers to the TYPO3 family, including TYPO3 CMS and TYPO3 Neos. This version of the document focuses on TYPO3 CMS. However, much of the information also applies to TYPO3 Neos, and some of the general advice is also relevant for other content management websites. If it is not clear from the context which specific project (TYPO3 CMS or TYPO3 Neos) the word “TYPO3” in this document refers to, please assume TYPO3 CMS.

This guide also explains how the TYPO3 Security Team deals with incidents, how security bulletins and security updates are published and how system administrators should react when their system has been compromised.

It replaced the “TYPO3 Security Cookbook” published in 2006. It is not a simple checklist but a comprehensive guide on how to ensure and maintain the security of a TYPO3 instance.

It is important to understand that security is not a condition – security is a process with ongoing tasks, and regular reviews are essential.