In these times of digital transformation, websites are becoming increasingly important as a medium for information, transactions and presentation. At the same time, legislators have created strict rules for handling personal data in recent years.
Consequently, website outages and hacker attacks entail not only high economic but also legal risks:
Data misuse: The misuse of data by third parties causes reputational damage and can result in very high fines under the General Data Protection Regulation (GDPR).
Server abuse: Websites infected by viruses are often abused for third-party purposes (e.g. search engine spamming, "cryptojacking", DDoS attacks, etc.). This can cause liability damage as well as ranking losses, up to and including blacklisting in search engines.
Data loss/dysfunctionality: As a rule, backups protect against the accidental or intentional loss of data. However, since a virus attack usually only becomes apparent much later, even backups made in the past may no longer provide a remedy. In the worst case, the website has to be completely redeveloped.
In this article we would like to point out measures that minimize the above-mentioned risks.
In the TYPO3 Association a dedicated Security Team is responsible for monitoring and controlling security related issues and problems around TYPO3.
It is definitely recommended to follow the team's releases via its email distribution list and Twitter account (@typo3_security).
There are three types of bulletins ("Security Bulletins"), each published with a unique identifier:
TYPO3-CORE-SA-yyyy-nnn for bulletins concerning the TYPO3 core
TYPO3-EXT-SA-yyyy-nnn for bulletins that apply to TYPO3 extensions
TYPO3-PSA-yyyy-nnn for Public Service Announcements
Here yyyy is the year of release and nnn is a sequential number.
Public Service Announcements
Security-relevant information that does not directly affect the source code of TYPO3 or extensions is published as so-called Public Service Announcements. These include problems with third-party software such as Apache, PHP or MySQL.
Severity is an indicator of the urgency of a vulnerability:
Critical: highest level of urgency, requiring immediate action
High: second-highest level, action needed as soon as possible
Medium: your installation is not necessarily affected; nevertheless, the update should be installed
Low: the installation is only affected under certain, rather unlikely, circumstances. In this case, too, we recommend an update.
Why is it important to always install the latest security update? TYPO3 is an open-source system. By comparing the old and the new version, attackers can very quickly see what changes have been made, and in this way the vulnerability of the old version also becomes visible. Therefore, one of the most important security rules is:
Always keep the system up to date with the latest security patch.
Install the code directly from get.typo3.org. Avoid supposedly simpler third-party installation packages. Compare the hash value of the downloaded file with the one published on the official website.
Only the user under which the web server runs (e.g. "apache") should have read and write permissions. Programmers/administrators should be given appropriate rights via a group assignment. Basically, write permissions are only required for the directories "fileadmin", "typo3conf" and "typo3temp".
The file typo3conf/LocalConfiguration.php is the most important configuration file in TYPO3. It should be neither readable (because it contains the database credentials in plain text) nor writable (because the Install Tool password could be changed and thus an admin account created) by unauthorized persons.
Only selected administrators should have so-called "maintainer rights" to use the Install Tool.
Editors should generally not have FTP/SSH/SCP access to the web server.
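As an added example, not from the article or from TYPO3: a POSIX shell helper that applies the ownership and permission model just described to an existing webroot. The webroot path, the web server user and the developer group are parameters you supply, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: apply the TYPO3 permission model to a webroot.
# Usage: harden_typo3_perms <webroot> <web-server-user> <developer-group>
# (hypothetical helper, not part of TYPO3; run as root on a real server)

# Print the symbolic mode of a path, e.g. "drwxr-x---" (portable across
# GNU and BSD ls, unlike the flags of stat).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

harden_typo3_perms() {
  root=$1; wwwuser=$2; devgroup=$3
  [ -d "$root" ] || { echo "no such webroot: $root" >&2; return 1; }

  # The web server user owns everything; developers/admins get access
  # through the group; "other" gets nothing at all.
  chown -R "$wwwuser:$devgroup" "$root" || return 1

  # Baseline: readable for owner and group, writable only by the owner.
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +

  # Only these three directories need write access (uploads, configuration,
  # caches). The setgid bit keeps newly created files in the developer group.
  for d in fileadmin typo3conf typo3temp; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type d -exec chmod 2770 {} +
    find "$root/$d" -type f -exec chmod 660 {} +
  done

  # LocalConfiguration.php holds the database credentials in plain text:
  # writable by the web server user only (the Install Tool writes it),
  # readable by the admin group, nothing for others.
  cfg="$root/typo3conf/LocalConfiguration.php"
  [ -f "$cfg" ] && chmod 640 "$cfg"
  return 0
}
```

Run it once after deployment and again after every update, since extracted release archives bring their own modes.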
Under the item "Reports" in the TYPO3 backend there is a section "Security", which should be completely set to green.
Server response on static files
This is a common warning that is often displayed after a standard installation. It refers to the possibility of uploading files named like "maliciouscode.html.txt" (or "maliciouscode.svg.txt") with the TYPO3 file manager. Some web servers treat these files as HTML files because the file name contains the string ".html". Since HTML and SVG files can contain malicious code, editors could subvert the system in this way. We describe how to fix this problem in a separate article about server response on static files.
Under "Log", important events in TYPO3 are logged. These include system errors as well as login attempts, editorial actions, file uploads and much more.
This log is therefore an important tool for ongoing system monitoring.
In TYPO3 there are some possibilities to be informed about system changes or other events by mail.
Monitor system settings automatically
You can use the "System Status Update" scheduler task to monitor the system environment automatically. In case of errors/warnings (or, if desired, always) a mail is sent to the address stored in the task definition.
Be notified by mail when any backend user logs in (value 1) or only when an administrator logs in (value 2):
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode'] = 1; // or 2
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '<MAILADRESSE>';
(Both values can be set via the Install Tool.)
Editors can also be notified via their personal settings (see switch "Notify me by email when somebody logs in from my account") when somebody logs in via their account.
Failed login attempts
You can manually track failed login attempts by setting the "Action" filter field to "Login" under "Reports" and specifying the desired time period.
The following are additional measures that further increase the protection of your TYPO3 system:
As of TYPO3 v11, backend users can be required to use multi-factor authentication to access the backend. More info in our article on multifactor authentication with TYPO3.
Anonymize log data
Anonymize the data in the sys_log table using the scheduler (task "Anonymize IP addresses in database tables").
Using HTTP Security Headers
Using HTTP security headers is another way to make your website more secure. These headers instruct browsers, for example, to send requests to the server only via HTTPS ("HTTP Strict Transport Security" response header, HSTS for short), and they help prevent attacks such as cross-site scripting, MIME sniffing and clickjacking, among other things.
You can find a simple solution for setting the HTTP Security Header in our DSGVO article.
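As an added example (not from the article or from TYPO3): a POSIX shell audit that reads raw response headers, for instance piped in from curl -sI, and reports which of the headers mentioned above are missing or weak, so the effect of your server configuration can be verified from the command line. The function names and the sample responses used in the comments are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit the HTTP security headers of a response.
# Usage: curl -sI https://www.example.org/ | check_security_headers
# Prints one finding per line; the return code is the number of findings
# (0 = all expected headers present and sane). Hypothetical helper, not TYPO3 code.

# Print the value of a header (name matched case-insensitively) read from stdin.
header_value() {
  hname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' | awk -v name="$hname" '
    index(tolower($0), name ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

check_security_headers() {
  headers=$(cat)
  findings=0

  # HSTS: must exist, and browsers should be pinned to HTTPS for at least a year.
  hsts=$(printf '%s\n' "$headers" | header_value Strict-Transport-Security)
  if [ -z "$hsts" ]; then
    echo "missing: Strict-Transport-Security"; findings=$((findings + 1))
  else
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
      echo "weak: HSTS max-age is '${max_age:-unset}', expected at least 31536000"
      findings=$((findings + 1))
    fi
  fi

  # Headers against MIME sniffing, clickjacking and script injection.
  # "name=value" requires that exact value; "name=" only requires presence.
  for spec in "X-Content-Type-Options=nosniff" "X-Frame-Options=" \
              "Content-Security-Policy=" "Referrer-Policy="; do
    name=${spec%%=*}; want=${spec#*=}
    got=$(printf '%s\n' "$headers" | header_value "$name")
    if [ -z "$got" ]; then
      echo "missing: $name"; findings=$((findings + 1))
    elif [ -n "$want" ] && [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
      echo "weak: $name is '$got', expected '$want'"; findings=$((findings + 1))
    fi
  done
  return $findings
}
```

The check only inspects response headers, so it cannot tell whether a Content-Security-Policy is actually strict; it confirms the headers are being sent at all after a configuration change.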
Disable "Plain HTML" content element
Table Garbage Collection
Regularly delete the tables sys_log and sys_history via the scheduler task "Table Garbage Collection". If you, like most, use the extension powermail, also delete the tables tx_powermail_domain_model_mail and tx_powermail_domain_model_answer.
An important part of keeping a website running as smoothly as possible is keeping a backup.
Components of a TYPO3 backup
The backup of a TYPO3 installation comprises two components:
1. Files: usually the two directories "fileadmin" and "typo3conf" are decisive.
These are standard directories that can also be located elsewhere in special cases. "typo3conf", for example, can be located outside the webroot for security reasons. "fileadmin" may be named differently, or there may be other directories ("file mounts").
2. Database: TYPO3 needs a database, which of course also has to be backed up.
Backup test
To ensure that backups are complete and can be restored without problems, they should be tested. In practice, it is often a good idea to restore a backup in a second environment and then use it as a test environment for tasks that should not be performed directly in the live system (such as security updates, template changes, etc.).
Keep in mind that backups may contain personal data as defined by the GDPR and take appropriate protection measures, such as encryption and password protection.
Since potential functional errors, data loss, and/or corrupt code are detected late in most cases, backups should be available over a longer period of time, not just from the previous day.
We recommend the following backup intervals:
Make a daily backup
Keep a backup of the last 7 days
Keep a backup of the last month
Keep a backup of the last half year
Keep a backup of the last 12 months
Do you need support for the secure operation of your TYPO3 installation(s)? As a TYPO3 agency with certified developers, we are happy to support you and offer professional TYPO3 support. We look forward to hearing from you.