Attention

TYPO3 v10 has reached end-of-life as of April 30th 2023 and is no longer being maintained. Use the version switcher on the top left of this page to select documentation for a supported version of TYPO3.

Need more time before upgrading? You can purchase Extended Long Term Support (ELTS) for TYPO3 v10 here: TYPO3 ELTS.

Introduction

Security is taken very seriously by the core developers of TYPO3 projects and especially by the members of the official TYPO3 Security Team. It is also in the interest of system administrators, website owners, editors and everybody who is responsible for a TYPO3 site, to protect the site and its content against various threats. This chapter describes some typical risks and advises on how to protect a TYPO3 site in order to ensure it is and stays secure and stable.

This guide also explains how the TYPO3 Security Team deals with incidents, how security bulletins and security updates are published and how system administrators should react when their system has been compromised.

It is important to understand that security is not a condition – security is a process with ongoing tasks and regular reviews are essential.

Reporting a security issue

If you would like to report a security issue in a TYPO3 extension or the TYPO3 core system, please report it to the TYPO3 Security Team. Please refrain from making anything public before an official fix is released. Read more about the process of incident handling by the TYPO3 Security Team in the next chapter.

Target audience

This chapter is intended for all users of TYPO3, from editors to system administrators, from TYPO3 integrators to software developers. The Security Guide is an essential lecture for everyone who works with TYPO3 and who is responsible for a publicly accessible TYPO3 site in particular.