TYPO3 website security is an imperative these days and ignoring it is quite costly in terms of time, money and resources. However, with TYPO3, many of the most common security checks are easily done with a single TYPO3 extension.
Security Check, found as security_check in the TYPO3 extension repository, runs from the TYPO3 backend and checks about 40 of the most common TYPO3 security concerns. Besides a report of potential lapses and guidance on how to fix them, there are a couple of tools for finding unnecessary and insecure files.
When TYPO3's Security Check is combined with the principles and steps outlined in the TYPO3 Security Cookbook, downloadable below, a TYPO3 website's security is quite solid on the server side.
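The "tools for finding unnecessary and insecure files" mentioned above boil down to walking the document root and flagging anything a production server should not serve. The script below is an added example written for this page, not code from the security_check extension; the name patterns (backup suffixes, CVS and .svn directories, readme files, files without an extension, phpinfo-style scripts) are assumptions modelled on the checklist wording, and the sample directory tree it builds under the system temp directory is constructed so the script runs stand-alone.

```php
<?php
// Added example (not the security_check extension's code): report leftover files
// below a TYPO3 document root. Patterns are assumptions based on the checklist.

declare(strict_types=1);

/**
 * Returns a list of [relative path, reason] pairs for suspicious entries below $docRoot.
 */
function findLeftoverFiles(string $docRoot): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $relative = substr($path, strlen(rtrim($docRoot, '/')) + 1);
        $name = $info->getFilename();

        if ($info->isDir()) {
            // Version-control metadata often exposes full source and history.
            if ($name === 'CVS') {
                $findings[] = [$relative, 'CVS metadata directory'];
            } elseif ($name === '.svn') {
                $findings[] = [$relative, 'Subversion metadata directory'];
            }
            continue;
        }
        if (preg_match('/(\.bak|\.old|\.orig|~)$/i', $name)) {
            // Editors and admins leave copies that the web server serves as plain text.
            $findings[] = [$relative, 'backup file'];
        } elseif (preg_match('/^readme(\.|$)/i', $name)) {
            $findings[] = [$relative, 'readme file (reveals versions and layout)'];
        } elseif (strpos($name, '.') === false) {
            // No extension means no PHP handler: the raw content is served as-is.
            $findings[] = [$relative, 'file without extension'];
        } elseif (preg_match('/^(phpinfo|info)\.php$/i', $name)) {
            $findings[] = [$relative, 'possible phpinfo() output'];
        }
    }
    return $findings;
}

// Constructed sample tree in the temp directory so the script runs stand-alone.
$root = sys_get_temp_dir() . '/typo3-audit-' . uniqid();
foreach (['fileadmin', 'typo3conf/CVS', 'typo3conf/ext/demo/.svn'] as $dir) {
    mkdir("$root/$dir", 0755, true);
}
file_put_contents("$root/typo3conf/localconf.php", "<?php\n");
file_put_contents("$root/typo3conf/localconf.php.bak", "<?php\n");
file_put_contents("$root/fileadmin/README.txt", "notes\n");
file_put_contents("$root/fileadmin/LICENSE", "text\n");
file_put_contents("$root/phpinfo.php", "<?php phpinfo();\n");

foreach (findLeftoverFiles($root) as [$file, $reason]) {
    printf("%-40s %s\n", $file, $reason);
}
```

To audit a real installation, replace the constructed `$root` with the web server's document root and run the script with the same user the web server uses, so that the permissions it sees match what the server can actually read. A leftover localconf.php.bak is the classic case: the web server serves .bak files as text, so the database credentials inside become readable to anyone who guesses the name.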
So… What Does Security Check, Check?
Per the security_check manual, the following points are checked. Sample results are shown in the main image.
- PHP ini check
  - Is the PHP setting open_basedir set?
  - Is the PHP setting “error_log” set?
  - Is the PHP setting “register_globals” off?
  - Is the PHP setting “display_errors” off?
  - Is the PHP setting “magic_quotes_gpc” off?
- Database check
  - Tests whether the TYPO3 database user can access the mysql configuration database
  - Tests the host restrictions of the MySQL user
  - Tests the MySQL user passwords
- localconf
  - Is the encryptionKey set?
  - Are the file rights on creation of new files minimal?
  - Are the file rights on creation of new folders minimal?
  - Is the Install Tool password changed?
  - Is the option lockSSL active?
  - Is the security level the highest?
  - Is a warning e-mail address inserted?
  - Is the session timeout too high?
  - Is the SQL debug feature disabled?
  - Is the display of errors disabled?
  - Is the option to install global extensions disabled?
  - Is the flag “disable_exec_function” activated?
  - Is the option to edit extensions disabled?
- Backend access
  - Is access to the TYPO3 backend protected?
  - Is access to the TYPO3 Install Tool protected?
- Files check
  - Are there backup files on the server?
  - Are there CVS files on the server?
  - Are there files without an extension on the server?
  - Are there readme files on the server?
  - Are there Subversion files on the server?
- TYPO3
  - Is the standard password used?
  - Checks whether insecure extensions are loaded.
  - Is TYPO3 up to date?
- External tools
  - Searches for PHP-Info outputs.
- File rights
  - Checks the rights of folders.
  - Checks the rights of files.
[Images: Security Check Results; TYPO3 Security Cookbook Localconf Suggestions]
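The PHP ini and localconf sections of the checklist are all questions about configuration values, which is why the extension can answer them from the backend. The script below is an added example written for this page, not the security_check extension's own code: it re-implements a handful of those questions as plain functions against the running PHP configuration and a $TYPO3_CONF_VARS-style array. The mapping from the checklist wording to the TYPO3 4.x configuration keys (SYS.encryptionKey, BE.installToolPassword, BE.lockSSL, BE.fileCreateMask and so on), the thresholds used, and the sample configuration at the bottom are this example's assumptions.

```php
<?php
// Added example, not the security_check extension's own code: a few of its
// "PHP ini" and "localconf" tests re-implemented as plain functions. The mapping
// from the checklist wording to TYPO3 4.x $TYPO3_CONF_VARS keys, and the
// thresholds used, are this example's assumptions.

declare(strict_types=1);

/** True when a PHP ini setting is enabled. Removed settings (ini_get() === false) count as off. */
function iniIsOn(string $name): bool
{
    $value = strtolower((string) ini_get($name));
    return in_array($value, ['1', 'on', 'true', 'yes', 'stdout'], true);
}

/** Checks the running PHP configuration; returns human-readable findings. */
function auditPhpIni(): array
{
    $findings = [];
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set: PHP may read files outside the web root';
    }
    if ((string) ini_get('error_log') === '') {
        $findings[] = 'error_log is empty: PHP errors are not written to a log file';
    }
    if (iniIsOn('display_errors')) {
        $findings[] = 'display_errors is on: paths and SQL fragments may be shown to visitors';
    }
    // Both were removed in PHP 5.4, so on a current PHP they always pass.
    foreach (['register_globals', 'magic_quotes_gpc'] as $legacy) {
        if (iniIsOn($legacy)) {
            $findings[] = "$legacy is on";
        }
    }
    return $findings;
}

/** Audits a $TYPO3_CONF_VARS-style array as written by typo3conf/localconf.php. */
function auditLocalconf(array $conf): array
{
    $findings = [];
    $sys = $conf['SYS'] ?? [];
    $be  = $conf['BE']  ?? [];
    $ext = $conf['EXT'] ?? [];

    if (strlen((string) ($sys['encryptionKey'] ?? '')) < 32) {   // length threshold assumed
        $findings[] = 'SYS.encryptionKey is empty or short';
    }
    // The Install Tool password is stored as an md5 hash; compare against the shipped default.
    if (($be['installToolPassword'] ?? '') === md5('joh316')) {
        $findings[] = 'BE.installToolPassword is still the default';
    }
    if (empty($be['lockSSL'])) {
        $findings[] = 'BE.lockSSL is off: backend logins can travel in clear text';
    }
    if (trim((string) ($be['warning_email_addr'] ?? '')) === '') {
        $findings[] = 'BE.warning_email_addr is empty: failed-login warnings go nowhere';
    }
    if ((int) ($be['sessionTimeout'] ?? 3600) > 8 * 3600) {      // 8 h threshold assumed
        $findings[] = 'BE.sessionTimeout exceeds 8 hours';
    }
    if (!empty($sys['sqlDebug'])) {
        $findings[] = 'SYS.sqlDebug is on: failed queries are printed to the page';
    }
    if ((int) ($sys['displayErrors'] ?? 0) > 0) {
        $findings[] = 'SYS.displayErrors is on';
    }
    if (!empty($ext['allowGlobalInstall'])) {
        $findings[] = 'EXT.allowGlobalInstall is on: extensions can be written into typo3/ext/';
    }
    if (empty($be['disable_exec_function'])) {
        $findings[] = 'BE.disable_exec_function is off';
    }
    if (empty($ext['noEdit'])) {
        $findings[] = 'EXT.noEdit is off: extension source can be edited from the backend';
    }
    // Creation masks: anything that grants write access to group or others is flagged.
    foreach (['fileCreateMask' => '0644', 'folderCreateMask' => '0755'] as $key => $default) {
        $mask = octdec((string) ($be[$key] ?? $default));
        if ($mask & 0022) {
            $findings[] = "BE.$key grants write access to group or others";
        }
    }
    return $findings;
}

// Constructed sample resembling an untouched localconf.php, so the script runs stand-alone.
$TYPO3_CONF_VARS = [
    'SYS' => ['encryptionKey' => '', 'sqlDebug' => '1', 'displayErrors' => '1'],
    'BE'  => ['installToolPassword' => md5('joh316'), 'lockSSL' => '0', 'sessionTimeout' => '86400',
              'fileCreateMask' => '0666', 'folderCreateMask' => '0777', 'warning_email_addr' => ''],
    'EXT' => ['allowGlobalInstall' => '1', 'noEdit' => '0'],
];
foreach (array_merge(auditPhpIni(), auditLocalconf($TYPO3_CONF_VARS)) as $finding) {
    echo "- $finding\n";
}
```

Run it with the php.ini the web server actually loads (for example `php -c /path/to/web/php.ini audit.php`), because the CLI binary usually has its own configuration and would report open_basedir and display_errors differently from the web SAPI. To check a real site, replace the constructed array with the one produced by including typo3conf/localconf.php.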
User Input TYPO3 Security Suggestions
While Security Check and the TYPO3 Security Cookbook help with server-side concerns, the following TYPO3 extensions check incoming data. In turn, they help protect the website from spamming, cross-site scripting (XSS) and SQL injection attacks.
- Anti-spam - wt_spamshield & captcha
- Bad request dropping - timtab_badbehavior
- Parameter checking - wt_doorman
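Parameter checking, as listed above, comes down to an allowlist: every request parameter the site expects gets a name and a pattern, and anything else is dropped before the application sees it. The script below is an added example written for this page, not wt_doorman's code; the parameter names are TYPO3's standard frontend parameters (id, type, L, no_cache, cHash), while the patterns and the constructed request are this example's assumptions.

```php
<?php
// Added example (not wt_doorman's code): a request-parameter allowlist. Each expected
// TYPO3 frontend parameter has a pattern; unknown names and values that fail their
// pattern are dropped. The rule set is an assumption for illustration.

declare(strict_types=1);

// \A and \z anchor the whole value, so a trailing newline cannot slip past the check.
const ALLOWED_PARAMS = [
    'id'       => '/\A[0-9]{1,10}\z/',    // page uid
    'type'     => '/\A[0-9]{1,5}\z/',     // page type
    'L'        => '/\A[0-9]{1,3}\z/',     // language uid
    'no_cache' => '/\A[01]\z/',
    'cHash'    => '/\A[0-9a-f]{32}\z/',   // md5 hex digest
];

/**
 * Returns [accepted parameters, rejected parameter names].
 * Only scalar values are accepted; array parameters (tx_* plugin namespaces) are rejected
 * here, and a real deployment would add per-plugin rules for them instead.
 */
function filterParameters(array $input, array $rules = ALLOWED_PARAMS): array
{
    $accepted = [];
    $rejected = [];
    foreach ($input as $name => $value) {
        if (!is_string($value) || !isset($rules[$name]) || !preg_match($rules[$name], $value)) {
            $rejected[] = (string) $name;
            continue;
        }
        $accepted[$name] = $value;
    }
    return [$accepted, $rejected];
}

// Constructed request: two valid values, two values of the wrong shape, one unknown name.
$request = [
    'id'    => '42',
    'L'     => '1',
    'type'  => '0<script>',
    'cHash' => "' OR 1=1",
    'debug' => '1',
];
[$accepted, $rejected] = filterParameters($request);
echo 'accepted: ' . json_encode($accepted) . "\n";
echo 'rejected: ' . implode(', ', $rejected) . "\n";
```

The point of the allowlist is that it never tries to recognise attacks: it only recognises the handful of shapes the site legitimately uses, so an XSS or SQL injection payload fails for the same reason a typo does. Rejected names are worth logging, since a burst of them from one client is a useful signal for detection.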
Related Links
- security_check extension
- security_check manual
- Security in TYPO3
- TYPO3 Security Cookbook
Originally published Oct 12, 2009. Revised.