New TYPO3 Security Guide
December 06, 2011
Author: François Suter and Michael Schams
The TYPO3 community is very pleased to release a brand new Security Guide, targeted at administrators, integrators and editors. This Guide not only covers technical aspects of protecting a TYPO3 installation, but also general strategies and a peek into the workings of the Security Team. It also offers guidelines on how to handle a compromised web site.
TYPO3 is one of the most famous Open Source Content Management Systems and powers upwards of 500,000 web sites. Associations, organizations and companies of various size - including quite a few blue chips - manage their online presence using TYPO3.
The importance of a web site security often becomes apparent only after it has been compromised and more than just defaced. Attackers may implant malicious code like backdoors and Trojan horses, as well as steal business-critical data. According to Helmut Hummel, TYPO3 Security Team leader, the number of attacks on web sites has significantly risen in 2011. The TYPO3 Security Team was founded in 2004 and is - among other tasks - the contact point for all security issues in the TYPO3 source code or extensions.
A successful attack on a web site can be blamed on many sources, more often than not on inappropriate configurations or usage of badly-coded extensions. The new TYPO3 Security Guide - which replaces the outdated "Security Cookbook" - aims to help reduce the occurrence of such issues. This document was put together in collaboration between the Documentation Team and the Security Team, under the project leadership of Michael Schams. It explains the typical threats a web site may face and how to address them in a TYPO3 installation. Beyond the technical issues, the Guide also offers general strategies and more pointed advice to the various target audiences on how to care for security in their daily work. Further chapters cover the workings of the Security Team, the release process of the Security Bulletins and what to do when a web site has been compromised.
The TYPO3 Security Guide is targeted at system administrators, TYPO3 integrators and editors. Says Michael Schams "Security is not a state that you can reach and stop worrying about. It is an ongoing process of constant improvement. The measures described in the Security Guide can help reach a minimal level of security and raise awareness among all stakeholders of a web site. We hope it will help all interested parties in finding possible holes in their security setup and thus improve their processes."
The TYPO3 Security Guide - like all the other official documentation - is published under the Open Content License and can be downloaded freely.