Aug 28, 2011

How to make your web site insecure

This article describe how you can make your site insecure. If you follow every point here, every junior hacker will be able to break in.

1. Never follow guidelines from the TYPO3 security cookbook

TYPO3 security cookbook contains generic information about securing your web site. Never read or follow it.

2. Do not hire TYPO3 professionals

Do not go for expensive but secure offers from known TYPO3 agencies. They know how to make sites secure. Instead, hire the cheapest and least known freelancer you can find. Preferably find the one, who claims he can create web sites with a dozen of CMSes. It means he does not known any of them well enough but this increases your chances to get insecure web site. This is what you want, isn't it? So, go for it! Be careful though. There are many freelancers out there, who actually create secure web sites. You do not need those. Search for the cheapest, preferably from outside of economically-developed countries. They will make sure your site is insecure. Seek also the fastest one: he will not pay attention to such minor thing as security.

3. Use some ancient TYPO3 version

The older TYPO3 version – the better. TYPO3 never had many vulnerabilities compared to other systems but some bugs were found and fixed in recent versions. So use TYPO3 3.6.5 or 4.0. It is much easier to break in.

Also never update extensions, especially if security vulnerabilities are fixed there.

4. Do not subscribe to TYPO3 security announcements

TYPO3 security announcements inform users when security issues are fixed. Ignore them. If you need an insecure web site, you do not need these announcements.

5. Do not protect directories

Make sure you have directory listing enabled. This will allow anyone to see what you keep in fileadmin/.

6. Do not use salted passwords

Salted passwords (through a TYPO3 system extension) make it much harder to discovere your passwords for hackers. Do not use salted passwords!

7. Make a database dump and put it to your web server (in fileadmin/)

If you enable directory listing and put a dump of your database to fileadmin/, anybody will be able to find it and hack into your computer. If your site has user registration, hackers will be able to get passwords and contact data of all your users. They will be able to use this data to login to other services that you users use.

8. Use FTP to transfer data to your site

FTP is a very insecure protocol. It transmits passwords in clear text. Thus anybody on the network will be able to get your password and login to the site. Makie sure you use FTP from your laptop in hotels, cafe or airport.

9. Make sure files are writable by anyone

Adjust permissions on file so, that anybody can modify files. In some time you will have your files modified, spam links appear on your web sites and PHP shells installed.


This post is a joke. Of course, I do not want anybody to make their web sites insecure. But the information presented here is very typical for sites that suffered a security breach. So see it as a security checklist. If you find anything from the list above on your web site, you are in danger. Go and fix. If you do not know how, contact TYPO3 security team.