Server- and environment-level security
In addition to TYPO3-specific hardening, system administrators are also responsible for maintaining a secure hosting environment, PHP configuration, and monitoring systems. This section highlights complementary actions to strengthen the overall security posture.
Keep the hosting environment minimal and secure
Administrators should maintain a minimal, secure server setup. Each service (web, mail, database, DNS, etc.) is a potential attack vector. A compromise in one component can endanger the entire environment, including TYPO3.
Best practices:
- Disable unnecessary services
- Keep all system software up to date, including PHP, the web server, database, and other services
- Isolate systems where possible
A slim, well-maintained environment improves both performance and security.
If in-house server administration is not feasible, consider using a reputable managed hosting provider that specializes in TYPO3 or PHP applications.
Use secure PHP settings
TYPO3 runs on PHP, so secure PHP configuration is critical. Useful options include:
- open_basedir: to restrict the directories PHP may access
- disable_functions: to disable risky PHP functions
If you rely on external services and don't have curl support, you may need to enable allow_url_fopen.
Be aware that blocking outbound traffic (e.g. via firewall) can prevent TYPO3 from retrieving extension updates or translation files.
Monitor failed backend logins
Failed backend logins and other security-related events are logged using the TYPO3 logging framework.
Admins can configure a dedicated log file for authentication messages and use external tools like fail2ban to respond to suspicious activity.
Example configuration:
    <?php
    use Psr\Log\LogLevel;
    use TYPO3\CMS\Core\Core\Environment;
    use TYPO3\CMS\Core\Log\Writer\FileWriter;

    // Other settings

    // Write all authentication log records (INFO and above) to a dedicated file
    $GLOBALS['TYPO3_CONF_VARS']['LOG']['TYPO3']['CMS']['Core']['Authentication']['writerConfiguration'] = [
        LogLevel::INFO => [
            FileWriter::class => [
                'logFile' => Environment::getVarPath() . '/log/typo3_auth.log',
            ],
        ],
    ];
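As an added illustration (not code from the TYPO3 documentation or project), the following Python script applies the same sliding-window rule that fail2ban's maxretry/findtime pair expresses to lines from a file such as the typo3_auth.log configured above. The line layout follows the FileWriter pattern (RFC 2822 date, level, request id, component, message), but the failed-login message wording and the sample lines are constructed assumptions that must be adapted to the real output of your TYPO3 version.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta
from email.utils import parsedate_to_datetime

# A TYPO3 FileWriter line: '<RFC 2822 date> [LEVEL] request="..." component="...": <message>'
LINE_RE = re.compile(r'^(?P<ts>.+?) \[(?P<level>[A-Z]+)\] request="[^"]*" component="[^"]*": (?P<msg>.*)$')
# Failed-login wording is an assumption for this example; adapt it to your TYPO3 version's output.
FAIL_RE = re.compile(r"Login-attempt from (?P<ip>[0-9a-fA-F.:]+), .*password not accepted")

def parse_line(line):
    """Return (timestamp, client_ip) for a failed backend login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fail = FAIL_RE.search(m.group("msg"))
    if not fail:
        return None
    return parsedate_to_datetime(m.group("ts")), fail.group("ip")

def offending_ips(lines, max_attempts=5, window=timedelta(minutes=10)):
    """IPs that reach max_attempts failures inside a sliding window (fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # other events (successful logins, unrelated components)
        ts, ip = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()          # age out failures older than the window
        if len(hits) >= max_attempts:
            flagged.add(ip)
    return flagged

# Constructed sample lines (not real log output): a burst from 203.0.113.5, two isolated failures from 198.51.100.7
COMPONENT = 'component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication"'
SAMPLE_LOG = [
    f'Mon, 01 Jan 2024 10:00:00 +0000 [INFO] request="r0" {COMPONENT}: User admin logged in from 198.51.100.7',
] + [
    f'Mon, 01 Jan 2024 10:0{i}:00 +0000 [WARNING] request="r{i}" {COMPONENT}: '
    f"Login-attempt from 203.0.113.5, username 'admin', password not accepted!"
    for i in range(1, 6)
] + [
    f'Mon, 01 Jan 2024 {hhmm} +0000 [WARNING] request="r9" {COMPONENT}: '
    f"Login-attempt from 198.51.100.7, username 'editor', password not accepted!"
    for hhmm in ("10:06:00", "10:30:00")
]
```

Running offending_ips(SAMPLE_LOG) flags only 203.0.113.5; the two failures from 198.51.100.7 are 24 minutes apart and never accumulate inside the 10-minute window.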
Protect against clickjacking
Clickjacking tricks users into clicking hidden UI elements via transparent layers or iframes. TYPO3 protects its backend by sending the HTTP header X-Frame-Options, which blocks embedding backend pages in external domains (see RFC 7034).
To extend protection to the frontend, configure the web server:
Explanation of header values:
- SAMEORIGIN: Allow frames from the same origin only
- DENY: Block all framing
- ALLOW-FROM [uri]: Allow framing from a specific origin (less supported)