TYPO3 has enterprise security processes and extension ecosystem. Hardening focuses on advisory-driven patching, backend access control, and extension governance.
Key controls covered in this guide:
- Backend access restricted to trusted IPs ($GLOBALS['TYPO3_CONF_VARS']['BE']['IPmaskList'])
- Backend locked to a single domain (lockToDomain setting)
- LocalConfiguration.php and PackageStates.php permissions (640)
- PHP runtime hardening (disable_functions, open_basedir)

File and directory permissions:
# Set directory permissions
find /var/www/typo3-site -type d -exec chmod 755 {} \;
# Set file permissions
find /var/www/typo3-site -type f -exec chmod 644 {} \;
# Secure config directory
chmod 750 /var/www/typo3-site/config
chmod 640 /var/www/typo3-site/config/LocalConfiguration.php
chmod 640 /var/www/typo3-site/config/AdditionalConfiguration.php
# Set ownership
sudo chown -R www-data:www-data /var/www/typo3-site
The Install Tool (/typo3/install/) has full system access. Protect it:
Apache (.htaccess):
<If "%{REQUEST_URI} =~ m#^/typo3/install/#">
Require ip 192.168.1.0/24
</If>
Nginx:
location ~* /typo3/install/ {
allow 192.168.1.0/24;
deny all;
}
The Install Tool password is stored as a password hash (never plaintext) in AdditionalConfiguration.php:
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '$argon2i...';
Backend security settings (configure in the Install Tool or in AdditionalConfiguration.php):
// Session timeout (seconds)
$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout'] = 7200;
// Lock backend to domain
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockToDomain'] = 'typo3.example.com';
// Require MFA for administrators (0 = off, 1 = all users, 2 = admins, 3 = system maintainers)
$GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa'] = 2;
// Login security level
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] = 'normal';
// Allowed backend IPs (comma-separated; CIDR ranges or wildcards such as 192.168.1.*)
$GLOBALS['TYPO3_CONF_VARS']['BE']['IPmaskList'] = '192.168.1.0/24,10.0.0.0/8';
Block PHP execution in the upload area so an uploaded script is never run. Apache (.htaccess in fileadmin/):
<Files "*.php">
Require all denied
</Files>
Nginx (place this before the generic \.php$ handler location; nginx uses the first matching regex location):
location ~* ^/fileadmin/.*\.php$ {
deny all;
}
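As an added example (my own script, not TYPO3 project code or the guide's own commands), here is a shell audit that checks a document root against the permission scheme above and lists PHP files sitting under fileadmin/, the content the Apache and nginx deny rules are meant to neutralise. It assumes the layout used in this guide (config/ holding LocalConfiguration.php and AdditionalConfiguration.php, fileadmin/ for uploads); the function names and the fixture tree are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added audit script; not part of TYPO3 or of the guide's own commands.
# Assumed layout (an assumption, not from the page): <root>/config/ holds
# LocalConfiguration.php and AdditionalConfiguration.php, and <root>/fileadmin/
# is the editor upload area. Function names are mine.

# Print one finding per line: anything that departs from the permission scheme
# above, plus any PHP-like file in fileadmin/ (what the web-server deny rules
# exist to neutralise). '*.php*' also catches .php5/.php7-style names and the
# extra pattern catches .phtml, which the guide's own rules do not cover.
typo3_audit() {
  root=$1
  find "$root" -type d ! -path "$root/config" ! -perm 755    | sed 's/^/DIR-MODE    /'
  find "$root/config" -maxdepth 0 -type d ! -perm 750        | sed 's/^/CONFIG-DIR  /'
  find "$root" -type f ! -path "$root/config/*" ! -perm 644   | sed 's/^/FILE-MODE   /'
  find "$root/config" -type f ! -perm 640                     | sed 's/^/CONFIG-FILE /'
  if [ -d "$root/fileadmin" ]; then
    find "$root/fileadmin" -type f \( -iname '*.php*' -o -iname '*.phtml' \) | sed 's/^/UPLOAD-PHP  /'
  fi
}

# Number of findings (0 means the tree matches the scheme and has no PHP uploads).
typo3_audit_count() {
  typo3_audit "$1" | wc -l | tr -d ' '
}

# Apply the guide's permission scheme (the same chmod commands, rooted at $1).
typo3_remediate() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 750 "$root/config"
  chmod 640 "$root/config"/*.php
}

# Constructed fixture: a miniature site tree with three deliberate problems
# (world-writable upload dir, group-writable LocalConfiguration.php, and a PHP
# file dropped into fileadmin/). Prints the root path.
typo3_audit_fixture() {
  tmp=$(mktemp -d)
  root=$tmp/site
  mkdir -p "$root/config" "$root/fileadmin/user_upload" "$root/typo3"
  printf '<?php\n' > "$root/config/LocalConfiguration.php"
  printf '<?php\n' > "$root/config/AdditionalConfiguration.php"
  printf '<?php\n' > "$root/index.php"
  printf 'pdf\n'   > "$root/fileadmin/user_upload/brochure.pdf"
  printf '<?php\n' > "$root/fileadmin/user_upload/uploaded.php"
  typo3_remediate "$root"                            # start from a compliant tree
  chmod 777 "$root/fileadmin/user_upload"            # problem 1: world-writable dir
  chmod 664 "$root/config/LocalConfiguration.php"    # problem 2: config file too open
  # problem 3 is uploaded.php itself; its mode (644) is fine, its location is not
  echo "$root"
}

# Stand-alone run: audit the fixture, apply the permission fix, audit again.
site=$(typo3_audit_fixture)
echo "before remediation: $(typo3_audit_count "$site") finding(s)"
typo3_audit "$site"
typo3_remediate "$site"
echo "after remediation:  $(typo3_audit_count "$site") finding(s)"
typo3_audit "$site"
rm -rf "$(dirname "$site")"
```

Run as-is the script builds and audits its own fixture; for a real tree call typo3_audit /var/www/typo3-site. The second audit still reports the PHP file under fileadmin/: correcting modes does not stop the PHP handler from executing an uploaded script, which is why the web-server deny rules above are needed in addition to the chmod scheme, and why it is worth extending their patterns beyond plain .php when the handler also serves .phtml or .php5-style names.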