Quick Tips for TYPO3 Security
How do you check your website's TYPO3 security?
TYPO3 website security is imperative these days, and ignoring it is costly in time, money and resources. With TYPO3, however, many of the most common security checks can be done with a single TYPO3 extension.
Security Check, found as security_check in the TYPO3 extension repository, runs from the TYPO3 backend and checks about 40 of the most common TYPO3 security concerns. Besides a report of potential lapses and guidance on how to fix them, there are a couple of tools for finding unnecessary and insecure files.
When TYPO3's Security Check is combined with the principles and steps outlined in the TYPO3 Security Cookbook, downloadable below, a TYPO3 website's security is quite solid from the server side.
So... What Does Security Check, Check?
Per the security_check manual, the following points are checked. Sample results at right.
- Php Ini Check
  - Test if the Setting open_basedir is set
  - Is the PHP Setting "error_log" set?
  - Is the PHP Setting "register_globals" off?
  - Is the PHP Setting "display_errors" off?
  - Is the PHP Setting "magic_quotes_gpc" off?
- Database Check
  - Test the access to mysql config Database
  - Test the Host Restrictions of the Mysql User
  - Test the Mysql User passwords
- localconf
  - Is the encryptionkey set?
  - Are the Filerights on creation of new Files too high?
  - Are the Filerights on creation of new Folder too high?
  - Is the Installtool Password changed?
  - Is the Option lockSSL active?
  - Is the Security level the highest?
  - Is a Warning E-Mail Address inserted?
  - Is the Session Timeout too high?
  - Is the SQL-Debug Feature disabled?
  - Is the Display of Errors disabled?
  - Is the Option to install global Extension disabled?
  - Is the Flag "disable_exec_function" activated?
  - Is the Option to edit of Extensions disabled?
- Backend Access
  - Is the access to Typo3 Backend protected?
  - Is the access to Typo3 Install Tool protected?
- Files Check
  - Are there Backup Files on the Server?
  - Are there CVS Files on the Server?
  - Are there Files without Extension on the Server?
  - Are there Readme Files on the Server?
  - Are there Subversion Files on the Server?
- Typo3
  - Is the standard Password used?
  - Checks if insecure Extensions loaded.
  - Is Typo3 up to Date?
- External Tools
  - Search PHP-Info Outputs.
- File rights
  - Checks the Rights of Folders.
  - Checks the Rights of Files.
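The Files Check categories listed above can also be audited from the command line against a copy of the webroot. The script below is an added example, not code from security_check or from Acqal; the suffix list, the version-control directory names and the sample tree are assumptions, since the manual excerpt names only the categories.

```python
import os
import tempfile

# Assumed patterns: the manual excerpt names the categories, not the file names.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", "~")
VCS_DIRS = {"CVS": "cvs", ".svn": "subversion"}


def classify(name):
    """Return the Files Check category for a file name, or None if clean."""
    lower = name.lower()
    if lower.endswith(BACKUP_SUFFIXES):
        return "backup"
    if lower.startswith("readme"):
        return "readme"
    if "." not in name:  # dotfiles such as .htaccess are not flagged
        return "no_extension"
    return None


def audit(webroot):
    """Walk webroot and return {category: sorted relative paths}."""
    findings = {}

    def record(category, dirpath, name):
        rel = os.path.relpath(os.path.join(dirpath, name), webroot)
        findings.setdefault(category, []).append(rel.replace(os.sep, "/"))

    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if d in VCS_DIRS:
                record(VCS_DIRS[d], dirpath, d)
                dirnames.remove(d)  # report the metadata dir once, do not descend
        for f in filenames:
            category = classify(f)
            if category:
                record(category, dirpath, f)
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_tree(root):
    """Constructed sample webroot, not taken from a real TYPO3 install."""
    for rel in ("index.php", "typo3conf/localconf.php", "typo3conf/localconf.php.bak",
                "dump.sql", "README.txt", "fileadmin/notes", "fileadmin/.svn/entries",
                "typo3conf/ext/demo/CVS/Root", ".htaccess"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
```

Call `audit()` with the path to the document root; each finding is a candidate for removal or for moving outside the web-served directory.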
User Input TYPO3 Security Suggestions
While Security Check and the TYPO3 Security Cookbook help with server-side concerns, the following TYPO3 extensions check incoming data. In turn, they help protect the website from spamming, cross-site scripting (XSS) and SQL injection attacks.
- Anti-spam - wt_spamshield & captcha
- Bad request dropping - timtab_badbehavior
- Parameter checking - wt_doorman
Acqal Corporation is an approved TYPO3 agency with over 40 years of Internet experience. Acqal offers you TYPO3 support, TYPO3 templates and TYPO3 training and tutorials.
© 2009 Acqal Corporation. All Rights Reserved.

