In this blog post, you will learn how you can increase the security of your Contao installation by taking simple measures and thus protect Contao even better from unwanted access and hacker attacks.

Always install Contao separately from other systems

Security starts with the installation of Contao. Use a separate (sub)domain, directory structure and database (with its own database user) for each Contao installation. Under no circumstances should you install third party software such as WordPress, Joomla! or Matomo inside the Contao directory structure or in the same database. Ideally, each Contao installation gets its own hosting account. This isolates the systems from each other, so an attacker who compromises one of them does not automatically gain access to all the others.

Use SSH, FTPS or SFTP instead of FTP

Do not use an unencrypted FTP connection to transfer files to the server: with FTP, username and password are transmitted in clear text! Always use an encrypted connection such as SSH, FTPS or SFTP. If you have SSH access, use SSH keys instead of passwords and, once the key login works, disable password authentication on the server.

Encrypted transmission via HTTPS

HTTPS is the standard today and you should always use it. Most hosting providers offer free certificates, for example from Let's Encrypt. Enable HTTPS from the development phase onwards, so that login data and session cookies are never sent in plain text, not even on a staging site.

Proper use of passwords

This topic is enormously important and at the same time nothing new. Be honest with yourself: do you actually follow the recommendations? Repetition can't hurt, so here are the most important points when dealing with passwords and other credentials.

Use long passwords

A strong password is one that cannot be guessed by people who know you, by bots or by a brute force attack. Contrary to what you unfortunately still read in many recommendations, a good password does not consist of as many special characters as possible, but is one thing above all: long.
Mathematically this is quite logical. Ideally, an attacker does not know which characters you used and therefore has to try every possibility anyway. The number of guesses grows exponentially with the length: every additional character multiplies the number of combinations by the size of the alphabet, whereas a bigger alphabet only adds a little per character. The number of possible combinations of 6 characters is therefore tiny compared to the number of possible combinations of 30 characters.

Modern GPU clusters and supercomputers can try many billions of combinations per second. So, for the record: the longer your password, the better.

Opinions differ about the best minimum length for a password. Sometimes you read 8, sometimes 12, others say 30. This depends on many factors, and of course not every attacker has a supercomputer in their basement. A general hint, though: currently the maximum password length in Contao is limited to 4096 bytes, so depending on the characters used you can use really, really long passwords. 100 characters? Perhaps a bit exaggerated, but absolutely no problem. Of course you cannot remember such a password; more on that in a moment.
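
To put numbers on the argument above, here is an added example (my code, not part of the original post or of Contao) that computes the entropy and the exhaustive-search time for a few constructed password policies. The guess rate of ten billion per second is an assumption standing in for the "several billion combinations per second" mentioned above; adjust it to your own threat model.

```python
import math

# Assumed attacker speed, not from the post: ten billion guesses per second.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Alphabet sizes for the constructed policies compared below.
LOWERCASE = 26
ALNUM = 62            # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95  # every printable character on a US keyboard


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Years an attacker at `rate` guesses per second needs to try every combination."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def compare_policies() -> list:
    """Return (label, bits, years) rows for a set of constructed password policies."""
    policies = [
        ("6 chars, all printable ASCII", 6, PRINTABLE_ASCII),
        ("8 chars, all printable ASCII", 8, PRINTABLE_ASCII),
        ("12 chars, letters and digits", 12, ALNUM),
        ("30 chars, lowercase only", 30, LOWERCASE),
    ]
    return [(label, round(entropy_bits(n, a), 1), years_to_exhaust(n, a))
            for label, n, a in policies]


if __name__ == "__main__":
    for label, bits, years in compare_policies():
        print(f"{label:32s} {bits:6.1f} bits  {years:.3g} years")
```

Six printable-ASCII characters give about 39 bits and fall in roughly a minute at the assumed rate; thirty lowercase letters give about 141 bits, which is out of reach of any search. Note that this only holds for randomly generated passwords, which is why the post recommends a generator or password manager below.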

Of course, you can still combine the recommendation of long passwords with the recommendation to use upper and lower case letters, numbers and special characters (e.g. # & ? * !). Furthermore, a password should not appear in any dictionary and should not be related to people close to you or to personal data. Simple sequences of numbers or letters, or a series of adjacent keys on the keyboard, are an equally poor choice.

To create strong and secure passwords, you can use one of the many free password generators or a password manager. More on this later.

To enforce password policies in Contao, you can use the contao-password-validation extension by terminal42.

Use different passwords per installation

For convenience, it is tempting to use the same password for multiple Contao installations. Unfortunately, this also means that an attacker who has the credentials to one installation can easily gain access to all other installations. Instead, you should set a unique and secure password for each installation.

Using a password manager

If you heed the previous advice, you end up with numerous passwords that you cannot remember. The solution is a password manager. It creates and stores strong passwords for you, so you do not have to memorize each one. Modern password managers also offer automatic login to websites and apps, which makes logging in faster and simpler. You only need to remember one strong master password and can still be sure that your credentials are protected. Depending on the password manager, you can also share access data within a team. Well-known tools include Enpass, Bitwarden, KeePass, 1Password and LastPass.

Enable two-factor authentication

Since Contao 4.6, you can protect your back end login with two-factor authentication (2FA). After entering your password, you must confirm the login with an additional, time-based one-time code (TOTP). This code is generated by an app on your smartphone such as Authy, Google Authenticator or FreeOTP, or by many password managers, which can generate 2FA codes as well. Two-factor authentication is an excellent way to drastically increase the protection of your Contao installation: a stolen or guessed password alone is no longer enough to log in.

2FA can even be enforced for all back end users. To do this, edit the config.yml file as follows:

# config/config.yml
contao:
    security:
        two_factor:
            enforce_backend: true

Then clear the application cache. 2FA is now mandatory for all back end users; anyone who has not set it up yet is prompted to do so at their next login.

You can enable 2FA for your trakked account as well.

As few admins as needed

Keep the number of administrators as low as possible. The more people have administrator access to the Contao back end, the more accounts an attacker can target and the higher the risk that a compromise goes unnoticed. If you do not absolutely need multiple administrators, reduce the number to a minimum.

Instead of admins, create user groups with limited rights and assign editors to those groups.

Always set an expiration date for temporary users and regularly delete inactive ones.

Protect Contao install tool

Since Contao Manager 1.6 and Contao 4.9, database migrations can be performed directly through the Contao Manager, so the install tool login is no longer needed and it is recommended to lock it. The fastest and easiest way is to open the Contao Manager and click the button "Lock Install Tool" under "Maintenance". Alternatively, create an empty file named install_lock in the var/ directory via SFTP or the console.

Another option is protection via .htaccess: restrict access to the install tool path (/contao/install) to specific IP addresses, or require an additional username and password.

Starting with Contao 5, the install tool no longer exists, so this measure is only relevant for Contao 4.

Rename Contao Manager

You can easily rename the contao-manager.phar.php file in your web root to a name of your choice. This makes it harder for strangers and automated scanners to find the Contao Manager login. It is obscurity rather than real protection, so it does not replace a strong password, but it costs nothing. A short name such as cm.phar.php also saves you typing in the browser ;-)

To make sure the Contao Manager can still be opened from the back end after the renaming, add the following entry to config.yml and then clear the application cache once, either via the Contao Manager ("System Maintenance" > "Refresh Prod. Cache") or via the console.

# config/config.yml
contao_manager:
    manager_path: cm.phar.php

Once you have renamed the Contao Manager, you can customize the path in trakked.

Change Contao back end URL

Since Contao 4.13, the path of the back end (and thus of the login page) can be customized. To do this, make the following adjustment in config.yml:

# config/config.yml
contao:
    backend:
        route_prefix: '/admin'

Before you take this measure, however, it is far more important that you enable 2FA. "Hiding" the back end mainly increases perceived security: it keeps away automated scanners that probe the default /contao/login path, but anyone who discovers the new path faces exactly the same login form.

When changing the Contao back end URL, keep in mind that not all extensions can handle a changed route prefix yet.

Regular Contao updates

As with any other software, regular updates are essential to fix bugs in Contao and close security vulnerabilities. Contao currently consists of more than 180 packages, so vulnerabilities can occur not only in the Contao core packages but in any of the dependencies. For this reason, install updates regularly and update all packages, even if no vulnerability is currently known for Contao itself.

trakked monitors your Contao installations for you and you will be informed immediately by email if a security vulnerability occurs in one of the more than 180 packages. In addition, updates can be installed much faster and easier with trakked.

Use latest PHP version

Besides the Contao updates, a current PHP version is also important and should be kept up to date. Hosting providers usually apply PHP patch releases automatically; a change to a newer minor or major version of PHP, however, must always be made manually. A PHP version that has reached end of life no longer receives security fixes at all, so do not put the switch off.

Here, trakked can support you too. trakked monitors the PHP version for you and records the history of the different versions. If the used PHP version is outdated, you will be notified.

Summary

If you want to secure your Contao installation, there are some simple measures you can take. Whether you implement all of them is up to you. The most important are regular updates, secure passwords and 2FA, and always installing Contao separately from other systems.

If you have any further suggestions, additions or tips, please leave us a comment.
