Guidelines for System Administrators

General Rules

1. Subscribe to the "TYPO3 Announce" mailing list at https://lists.typo3.org, so that you are informed about TYPO3 security bulletins and TYPO3 updates.

2. React as soon as possible and update the relevant components of the site(s) when new vulnerabilities become public (e.g. security issues published in the mailing list).

3. Use different passwords for the Install Tool and the backend login. Follow the guidelines for secure passwords in this document.

4. If you are administrating several TYPO3 installations, use different passwords for all logins and components for every installation.

5. Never use the same password for a TYPO3 installation and any other service such as FTP, SSH, etc.

6. Change the username and password of the "admin" account after the installation of TYPO3 immediately.

7. If you are also responsible for the setup and configuration of TYPO3, follow the steps for TYPO3 integrators carefully, documented in the next chapter.

Further topics

Please see the chapters below for further security related topics of interest for administrators:

• Role Definition
• Integrity of TYPO3 Packages
• File/directory permissions
• Restrict access to files on a server-level
• Disable directory indexing
• File extension handling
• Content security policy
• Database access
• Encrypted Client/server Communication
• Other Services
• Further Actions