Quick Guide to Harden TYPO3 Security

History says TYPO3 is one of the most secure OpenSource CMS. But, security is a never-ending task, In this article, I want to introduce Helmut’s popular “TYPO3 Secure Web” package to more secure your TYPO3 site.

Quick Guide to Harden TYPO3 Security

History says TYPO3 is one of the most secure OpenSource CMS. But, security is a never-ending task, In this article, I want to introduce Helmut’s popular “TYPO3 Secure Web” package to more secure your TYPO3 site.

We as a whole see that it is so essential to maintain the TYPO3 Security of your site. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing continuously.

Fortunately, TYPO3 has better built-in firewall security because the core architecture of TYPO3 is robust. But, TYPO3 security never-ends. The TYPO3 community is always serious about security and performance, and always develops something which improves security.

“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.
- Richard Clarke”

TYPO3 - Most Secure OpenSource CMS

According to the report of Sucuri.net TYPO3 is the world's least hacked OpenSource CMS.

Why TYPO3 Security Matters?

Here is the statistics report which shows why website security is so important.

A hacked TYPO3 site can make genuine harm to your business income and notoriety. Hackers can take client data, passwords, introduce noxious programs, sell information, and can even multiply malware to their clients. 

Most noticeably awful, you may wind up paying ransomware to hackers just to recover access to your very own website.

What’s the Ideal TYPO3 Code Structure?

A normal composer based installation contains only a “public” folder. Imagine below the TYPO3 architecture of “private” and “public” folders to add the TYPO3 security level.


that only contains assets like css/js/images etc., for the web public users.


that contains typo3 core sysext, typo3conf ext, etc.,


that contains cache, log, session, etc.,


that contains CMS as well as extension’s vendors.

Applause to Helmut Hummel

Sounds fascinating right? We serve gratitude to Helmut for his 10+ long years of contribution and commitment to the TYPO3 Community - particularly on TYPO3 security. 

I would love to present his extraordinary TYPO3 secure web bundle https://github.com/helhum/typo3-secure-web 

It's an ideal opportunity to acknowledge and state our "much appreciation for Helmut" by staying in contact and being associated with him at:

IMHO: Someday, we wish typo3-secure-web package gets included within the TYPO3 core!

Did you know?
TYPO3.org project has been secured with this package typo3-secure-web :)

Step-by-step Guide to TYPO3 Secure Web

Pre-requisite and Dependencies




^8.7.10 || ^9.5.2 || ^10.4


^1.4 || ^2.0 || ^3.0



Care to the Conflict










Let’s get ready to implement a TYPO3 secure web package to your composer based TYPO3 installation, Our technical team develops TYPO3 projects with best practices of Docker, DDEV, Composer as below.

Step 1: Create a project folder


mkdir my-typo3-site
cd my-typo3-site


Step 2: Configure PHP version


ddev config --project-type php --php-version 7.2


Step 3: Download latest version through Composer


ddev composer create typo3/cms-base-distribution ^10 --no-interaction
ddev config --project-type typo3
ddev start


Step 4: Run TYPO3 Installation Wizard


touch public/FIRST_INSTALL


Step 5: At composer.json, Setup private and public folders


"extra": {
    "typo3/cms": {
    "root-dir": "private",
    "web-dir": "public"


Step 6: Secure your TYPO3 with folders structure private and public


ddev composer require helhum/typo3-secure-web


When you have effectively installed TYPO3-secure-web bundle, it will organize entire files and folders architecture at your server as follows: 

  • This bundle will at that point set up the web server document root inside the public folder and TYPO3 inside the private folder. 
  • The private folder will look familiar and will contain typo3, typo3conf, fileadmin, typo3temp, uploaded folders
  • The public folder will just have the entry scripts and connections to fileadmin, typo3temp/assets and, Resources/Public of all installed (framework) extensions.

Access to Private

"private" folder will highlight the code of TYPO3 core and extensions. No web public user will have the option to get to your TYPO3 code. 

Root design of private folder 

Access to Public

"public" folder will highlight the web server record root, and just contains asset documents. At every folder, you will have the option to see just /Resources/Public/folder which will symlink to a specific private/Resources/Public/folder. 

The architecture of public/typo3temp

Architecture of TYPO3 extension only contains /Resources/Public/ eg., EXT:news  /public/typo3conf/ext/news

The architecture of the TYPO3 core only contains /Resources/Public/ eg., EXT:backend /public/typo3/sysext/backend/


  • In spite of the fact that the TYPO3 is made robust and secure, Let's keep it safer through the extraordinary typo3-secure-web composer package. 
  • Remember to say "thanks and Donate to Helmut" for his extraordinary endeavors to the TYPO3 people community. 

Are you encountering any issues during setup? Please feel free to connect with us for support. Do you know any other tips and tricks to secure TYPO3? We would love to receive your feedback in the comment box below.

Inspiring People To Secure!

Would you prefer a Ready-made template(s) or a Custom one for TYPO3?

  • FreeTYPO3 security audit & report
  • 35+Team of TYPO3 developers
  • 13+ Published free & premium TYPO3 templates
  • 13+Years of TYPO3 experience
  • 3Package plans are available for the TYPO3 security
TYPO3 Security Gig
TYPO3 Security Gig

Post a Comment

Captcha Code Can't read the image? Click here to refresh
  • user
    Lutz Veith 2020-09-04 at 2:18 pm
    Great Article Sanjay. Thanks for sharing tips and Helhum's security architecture. One of the easiest ways to test security things like this is to clone to a staging or dev environment, run your updates, verify everything is good. And then run it on production.