From /typo3 to /admin: A Guide to Securing Your TYPO3 v13 Backend

Welcome to your inside look at one of TYPO3 v13's most intriguing security enhancements: the ability to customize the backend entry point. Gone are the days of being tied to the default domain.com/typo3 path! Now, you can easily reassign it to something more private, like domain.com/admin, or even to a custom subdomain such as backend.domain.com. In this blog post, we'll explore how to configure this feature, discuss potential pitfalls, and share best practices for keeping your TYPO3 instance secure.

  1. Enhanced Security Through Obscurity 

    By changing the default path, you add an extra hurdle for unauthorized users or bots that look for “/typo3” in a brute-force or automated scan. Although this is not a bulletproof solution by itself, it adds an additional layer of obscurity.

  2. Flexibility & Branding 

    Whether you’re managing multiple environments or simply prefer a more cohesive brand experience, customizing the path or subdomain can help unify the way you and your team access TYPO3.

  3. Streamlined Setup in TYPO3 v13 

    TYPO3 v13 simplifies the entry point configuration. The separate “typo3/” directory is no longer strictly required, making it much more straightforward to move or rename the backend entry point without complicated rearrangements.

  • Elimination of Dedicated URI 
    Previously, TYPO3 needed separate entry points (/typo3/ for the backend and / for the frontend). Now, all HTTP requests share one consolidated entry point.
  • Removal of “typo3/” Directory 
    There’s no longer a mandatory typo3/ directory within your installation. This simplifies the file structure and reduces overhead when creating or migrating projects.
  • Configurable Backend URI 
    A major highlight! You can customize the backend URI, finally realizing a longstanding request from the TYPO3 community. By default, /typo3/ still works, but you now have full control over naming and location.
  • Adjustments for System Administrators 
    Because of these consolidated entry points, you might need to tweak your web server configuration (e.g., .htaccess in Apache or server block settings in Nginx) to ensure everything routes correctly.

Step 1. Open Your TYPO3 Configuration 
Locate your config/system/settings.php or config/system/additional.php file. You'll adjust the $GLOBALS['TYPO3_CONF_VARS'] array here.

Step 2. Set the entryPoint Value 
Using a custom path (e.g. /admin)

$GLOBALS['TYPO3_CONF_VARS']['BE']['entryPoint'] = '/admin';
// Now, you’d visit example.com/admin to access the backend.

Using a distinct (sub)domain

$GLOBALS['TYPO3_CONF_VARS']['BE']['entryPoint'] = 'https://backend.example.com';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'] = '.example.com';

// Then, you’d simply access backend.example.com/ to log in.

Step 3. Check Web Server Settings 
Update your server rules to ensure requests to your new path or subdomain resolve properly and pass through TYPO3’s routing.

Below are simplified examples for Apache and Nginx. Your actual configuration may vary based on your hosting environment, so treat these as starting points.

Apache (.htaccess) 
If you’re using .htaccess, ensure that your rewrite rules reflect the new entry point. A minimal example:

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Route the custom admin path (with or without a trailing slash, e.g. /admin
  # and /admin/login) to the index script. Anchoring on "/admin(/|$)" avoids
  # also catching unrelated paths such as /administration.
  RewriteCond %{REQUEST_URI} ^/admin(/|$)
  RewriteRule ^admin(/.*)?$ index.php [L,QSA]

  # Default rewriting for everything else (frontend)
  RewriteCond %{REQUEST_URI} !^/admin(/|$)
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php [L,QSA]
</IfModule>

Nginx (server block) 
Within your server block, you can define a location for your custom admin path:

server {
    listen 80;
    server_name example.com;

    # Custom backend entry point (/admin without a trailing slash is handled
    # by the "location /" block below, which routes to the same index script)
    location /admin/ {
        try_files $uri /index.php$is_args$args;
    }

    # Frontend
    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Refuse requests for PHP files that do not exist on disk
        try_files $uri =404;
        # Your existing PHP-FPM configuration; adjust the socket path to your
        # PHP version (TYPO3 v13 requires PHP 8.2 or newer)
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Note: If you use a distinct subdomain (like backend.example.com), you’d create a dedicated server block for that domain rather than a sub-path.

  • Cookie Domain 
    When using a separate subdomain, set $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'] to ensure proper session handling across subdomains.
  • Access Restrictions 
    Consider IP whitelisting or password protection (e.g., Basic Auth) if your project demands stricter access control.
  • Stay Updated 
    Keep your TYPO3 installation up to date. Security patches often address vulnerabilities that attackers might exploit.
  • Hide Your Admin URL 
    Don’t publicly share or expose your new backend path. While security through obscurity isn’t your only shield, it’s an additional layer that can discourage casual intrusions.
  • Monitor Logs 
    Regularly check your server logs to see if anyone is repeatedly attempting to access the old /typo3/ route. If you spot suspicious activity, consider restricting or blocking these IPs.
  • Hardcoding the Old Path 
    Some custom extensions or user scripts might still reference /typo3/. Make sure to review and update these references.
  • Forgetting to Update .htaccess or Nginx Config 
    Failing to reflect changes in server configuration might result in a broken backend. Double-check your rewrite rules or server blocks.
  • SSL Certificate Setup 
    If you’re using a separate domain or subdomain, ensure your SSL certificate covers it. Otherwise, you risk broken HTTPS connections or insecure setups.
  • Cache & Cookies 
    If you find yourself mysteriously logged out or experiencing session issues, confirm that your cookie settings and domain configurations are aligned with your new backend path.
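To make the "Monitor Logs" advice concrete, here is an added example (not part of the original post) that scans Apache/Nginx combined-format access log lines for requests to the retired /typo3 path and flags client IPs that keep probing it. The log lines are constructed samples; the threshold of 3 is an assumption you would tune to your traffic.

```python
# Added example: detect probing of the old /typo3 backend path in access logs.
import re
from collections import Counter

# Combined log format: ip - user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The old default backend path, exact or as a prefix (/typo3, /typo3/, /typo3/login)
OLD_BACKEND = re.compile(r'^/typo3(?:/|$)')

def parse_line(line: str):
    # Return (ip, path, status) or None if the line is not in combined format
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))

def old_backend_hits(lines):
    """Count requests per client IP whose path targets the retired /typo3 route."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        # Drop the query string before matching so /typo3/index.php?login also counts
        if OLD_BACKEND.match(path.split('?', 1)[0]):
            hits[ip] += 1
    return hits

def flag_repeat_offenders(hits, threshold=3):
    """Return (ip, count) pairs at or above the threshold, most active first."""
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /typo3/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /typo3/login HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "POST /typo3/index.php?login HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2025:10:01:00 +0000] "GET /typo3conf/ HTTP/1.1" 404 153 "-" "curl/8.4"
198.51.100.9 - - [10/Jan/2025:10:01:05 +0000] "GET /typo3 HTTP/1.1" 404 153 "-" "curl/8.4"
192.0.2.5 - - [10/Jan/2025:10:02:00 +0000] "GET /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, n in flag_repeat_offenders(old_backend_hits(SAMPLE_LOG.splitlines())):
        print(f'{ip}: {n} requests to the old /typo3 path')
```

Feed it your real access log with `old_backend_hits(open(path))` and review the flagged IPs before deciding on any blocking; legitimate bookmarks to the old path will also show up once or twice.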

Customizing the backend entry point in TYPO3 v13 is a straightforward yet highly effective approach to enhance your site’s security. Whether you choose a new path like /admin or opt for a subdomain like backend.example.com, this added flexibility can help you reduce unwanted attention from bots while retaining full control of your backend’s accessibility. Just remember to keep a close eye on your server configurations, cookies, and any references that might point to the old /typo3/ path. With the right precautions in place, you’ll enjoy a cleaner, more secure TYPO3 experience.

Enjoy tweaking and tinkering with this new feature in TYPO3 v13! As always, practice good security habits—update regularly, monitor logs, and keep your configurations tidy.

Happy TYPO3-ing!
