General rules

  1. Subscribe to the “TYPO3 Announce” mailing list at http://lists.typo3.org , so that you are informed about TYPO3 security bulletins and TYPO3 updates.
  2. React as soon as possible and update the relevant components of the site(s) when new vulnerabilities become public (e.g. security issues published in the mailing list).
  3. Use different passwords for the Install Tool and the backend login. Follow the guidelines for secure passwords in this document.
  4. If you are administrating several TYPO3 installations, use different passwords for all logins and components for every installation.
  5. Never use the same password for a TYPO3 installation and any other service such as FTP, SSH, etc.
  6. Change the username and password of the “admin” account after the installation of TYPO3 immediately.
  7. If you are also responsible for the setup and configuration of TYPO3, follow the steps for TYPO3 integrators carefully, documented in the next chapter.