TYPO3 v9.3.0 released

Categories: Development Created by Michael Schams
Packed with a lot of changes and improvements for editors, integrators and developers, TYPO3 version 9.3 is here, and we are more than happy to announce its release today.

The outstanding aspects of the 4th sprint release are SEO features "out of the box", new options to make it easy to comply with GDPR and added support for stronger password hashing functions, which hardens security even more.

Make Search Engines Happy

Search engines such as Google, Bing, Yahoo! and others are still the starting point for many users on their search for specific information on the Internet. These search engines require websites whose content they can visit, scan and index. The "indexing process" is basically the association of words and other definable tokens to a domain name. Websites that support search engines in this process are called search engine friendly or search engine optimized (SEO).

TYPO3 has always had the reputation of being search engine friendly, mainly because it has been easy to configure basic techniques such as structured page content (typically heading tags <h1> to <h6> as a top-down hierarchy). Other options to make a website easy to scan for search engines are speaking URLs, meta data and redirects to instruct search engines to update their index. More sophisticated techniques can be achieved by installing extensions developed by the TYPO3 community from the TYPO3 Extension Repository (TER).

However, good-practice SEO should not depend on third-party extensions, according to Richard Haeser. He started an initiative earlier this year at the TYPO3 User Experience Week (T3UXW18) to enhance the TYPO3 core with modern SEO features. Richard teamed up with Joost de Valk and Riny van Tiggelen and together they formed an expert group, who have been working hard on various aspects of this topic.

The first results of their amazing efforts can be seen in TYPO3 version 9.3, which introduces a new system extension called "SEO". Meta tags that are relevant for SEO and set in the page properties are rendered in the frontend by default, with no additional configuration required. Behind the scenes, a new Meta Tag API manages this in a modern and fast way. More obvious for integrators and editors alike is a new tab "SEO" in the page properties in the backend. It is possible to instruct search engines to index a page or follow links on that page, add Open Graph data to a page or add information especially for Twitter. The Open Graph protocol is supported by all modern social networks such as Facebook or LinkedIn.

The SEO initiative has more features up its sleeve and the TYPO3 core will likely receive further improvements before the LTS version (Long Term Support) is launched later this year.

General Data Protection Regulation

If you work in the IT industry or followed the news over the last few weeks, you surely came across GDPR. The General Data Protection Regulation came into effect on 25 May 2018 and has implications for almost every aspect of web development, including the design and planning phase, as well as ongoing operation. GDPR aims to give users more power over protection, transparency and control of their personal data, whilst imposing strict rules on hosting and data processing.

As a leading enterprise content management system, TYPO3 features various measures to allow administrators and integrators to achieve full GDPR compliance. Based on the GDPR Initiative, led by Georg Ringer, a number of settings can be configured in TYPO3 version 9.3 that control whether user data is stored, what kind of data, and for how long (data retention time). A new scheduler task can be activated to anonymize IP addresses of users/visitors in several database tables after a certain period of time.

The privacy of users visiting your TYPO3 site is also improved by using YouTube’s "no-cookie domain" by default, instead of "youtube.com" when embedding videos.

The TYPO3 GmbH has published a number of interesting articles by various authors about GDPR. We suggest having a look at their blog posts if you need further information about this topic.

Hardening the Security

We constantly review TYPO3 to determine effective actions to improve security and to remove features that are no longer state of the art and may weaken the security of the system. As a logical consequence, almost every TYPO3 release contains improvements in this area and TYPO3 has earned its reputation of being one of the most secure content management systems on the market. TYPO3 version 9.3 is no different.

Inactive frontend and backend users can now be removed from the database. This follows the principle of data minimisation: data (including user profiles) that does not exist cannot be compromised in case of a security breach.

TYPO3 has supported salted passwords for more than a decade now! Back then, MD5 hashed passwords were not unusual and many other systems even stored passwords in plain text. The support of clear-text passwords for backend users was already dropped with the release of TYPO3 version 6.2 in 2014. Salted passwords have been the standard in TYPO3, and the era of plain-text passwords now ends with TYPO3 version 9.3, even for frontend users. Clear-text passwords are an absurdity today and as a result, they are no longer possible in TYPO3 at all.

The system extension "Salted Passwords" takes care of the passwords of frontend and backend users in TYPO3. This extension now supports the PHP Password Hashing API, which introduces the Argon2 hashing algorithm. Integrators can now choose between several password hashing methods in the configuration (Extension Manager), including "Standard PHP password hashing (argon2i)" amongst others. Password hashes of existing users are automatically updated as required, as soon as users log in.
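The upgrade-on-login behaviour described above can be sketched with the PHP Password Hashing API. This is an added example, not TYPO3 core code: the functions `targetAlgorithm()` and `login()`, the in-memory `$users` store and the MD5-crypt legacy hash are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// argon2i needs PHP 7.2+ built with Argon2 support; fall back to PHP's default otherwise.
function targetAlgorithm()
{
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_DEFAULT;
}

// Verify a login against the (hypothetical) user store and upgrade the stored
// hash when it was not produced by the currently configured algorithm.
function login(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    // Unknown users are checked against a dummy hash so the response time
    // does not reveal whether the account exists.
    $dummy = $dummy ?? password_hash('constructed-dummy-value', targetAlgorithm());
    $known = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // The plain-text password is only available at login, so this is the one
    // moment an outdated hash can be replaced without asking the user to act.
    if (password_needs_rehash($stored, targetAlgorithm())) {
        $users[$username] = password_hash($password, targetAlgorithm());
    }
    return true;
}

// Constructed sample data: one account still stored as salted MD5-crypt ($1$).
$users = ['editor' => crypt('correct horse', '$1$constrct$')];

// A failed login must leave the legacy hash untouched.
var_dump(login($users, 'editor', 'wrong guess'));
var_dump(strpos($users['editor'], '$1$') === 0);

// A successful login verifies against the legacy hash, then replaces it.
var_dump(login($users, 'editor', 'correct horse'));
echo password_get_info($users['editor'])['algoName'], "\n";

// The upgraded hash still verifies on the next login.
var_dump(login($users, 'editor', 'correct horse'));
```

Accounts that never log in again keep their old hash, which is one reason removing inactive users complements this mechanism.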

Database Table Creation Simplified

TYPO3 database tables usually contain "management" and "business" fields. Management fields are used to manage and organize the records, for example "uid", "pid", "sorting" as well as start and stop date/time, the hidden and deleted flag, etc. Business fields are required for the specific purpose of the table, for example to store a name, an email address, a location or a title.

Extension developers define an "ext_tables.sql" file and the Table Configuration Array (TCA), which in combination instruct TYPO3 which database tables and fields should be created.

The database schema analyzer became much smarter in TYPO3 version 9.3. It now creates most of the management fields automatically, by reading the TCA definition. Therefore, developers do not need to add most of the general fields to the SQL file anymore. Their focus can and should be on the business logic. A complete list of auto-generated columns can be found in the ChangeLog.


TYPO3 can be installed in various ways: for example, the traditional way by using the source package at get.typo3.org, or the modern way by setting up a project using composer, to name just two. Further details can be found in the corresponding release notes at https://get.typo3.org/version/9.

What's Next

To learn more about the new features, changes and improvements of TYPO3 version 9.3, have a look at the TYPO3 What’s New Slides or the detailed technical change log.

The next release on our road to the LTS version of TYPO3 v9 will be version 9.4, currently scheduled to be released in September 2018. This will be the last release including new features for v9. You can find the release agenda in the TYPO3 Roadmap.

Until then, we would like to encourage you to check out TYPO3 version 9.3, embrace the new features and improvements, share your thoughts and report issues. There are also some exciting development initiatives, where you can get involved to shape the future of TYPO3.