Security guidelines for system administrators

  1. Follow the TYPO3 Security Advisories. Subscribe to the advisories via mailing list or RSS feed.
  2. Update the TYPO3 Core or any affected third-party extensions as soon as possible after security fixes are released.
  3. Use individual account names. Do not share accounts. For example, administrator and system maintainer account names should be something like john.doe. Do not use general usernames like "admin".
  4. Use different passwords for the Install Tool and your personal backend login. Do not reuse passwords across multiple TYPO3 installations.
  5. Follow the guidelines for secure passwords in this document. Implement secure password policies.
  6. Never use the same password for a TYPO3 installation and other services such as FTP, SSH, etc.
  7. If you are responsible for the setup and configuration of TYPO3, carefully follow the Guidelines for TYPO3 integrators, which are documented in the next chapter.

Please refer to the chapters below for security-related topics of interest to administrators: