- Always install Contao separately from other systems
- Use SSH, FTPS or SFTP instead of FTP
- Encrypted transmission via HTTPS
- Proper use of passwords
- Enable two-factor authentication
- As few admins as needed
- Protect Contao install tool
- Rename Contao Manager
- Change Contao back end URL
- Regular Contao updates
- Use latest PHP version
Always install Contao separately from other systems
Security starts with the installation of Contao. Make sure that you use a separate (sub)domain, directory structure and database for each Contao installation. Under no circumstances should you install third party software like WordPress, Joomla! or Matomo inside the Contao directory structure or the same database. It is best to install each Contao installation on a separate hosting account. This way, the systems are isolated from each other and an attacker who gains access to one of the systems cannot access all of them.
Use SSH, FTPS or SFTP instead of FTP
To transfer files to the server, you should not use an unsecured FTP connection. With FTP, username and password are transferred in clear text! Always use a secure connection like SSH, FTPS or SFTP. If you use SSH access, you can increase security by using SSH keys instead of passwords.
Encrypted transmission via HTTPS
HTTPS transmission is standard nowadays and you should always use it. Most hosting providers offer free certificates for this, such as those issued by Let's Encrypt. It is recommended that you enable HTTPS already in the development phase.
Proper use of passwords
This topic is enormously important and at the same time nothing new. Be honest with yourself, do you actually follow the recommendations? Repetition can't hurt, so here are the most important points when dealing with passwords and other credentials.
Use long passwords
A strong password is one that cannot be guessed by anyone close to you, nor cracked by bots or by a brute force attack. Therefore, it is important that you follow certain criteria when choosing a good password. A good password - contrary to what you unfortunately still read in many recommendations - does not consist of as many special characters as possible, but is one thing above all: long.
If you think about it more carefully, this is actually mathematically quite logical. Ideally, an attacker does not know which special characters you have used and therefore has to try out all possibilities anyway. However, the number of possible combinations of 6 characters is much smaller than the number of possible combinations of 30 characters.
Modern supercomputers can try several billion combinations per second. So, for the record: the longer your password, the better.
Of course, we can still combine the recommendation of long passwords with the recommendation to use both upper and lower case letters, numbers and special characters (e.g. # & ? * ! ?). Furthermore, it should not be found in any dictionary and should not be related to people close to you or personal data. Similarly, simple strings of numbers or letters or a series of adjacent keys on the keyboard are a poor choice.
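To put numbers on the argument above, here is an added Python example (not from the original article) that computes the keyspace, the entropy in bits and the worst-case time for an exhaustive search for the 6-character and 30-character cases in the text; the guess rate of 10 billion per second is an assumption standing in for "several billion".

```python
import math

# Assumed attacker rate: the text says "several billion combinations per
# second", so 10 billion guesses per second is used here (an assumption).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search has to try."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Same quantity on a log scale: each extra character adds log2(charset) bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at the assumed guess rate."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def equivalent_length(charset_size: int, length: int, other_charset: int) -> int:
    """How many characters from a smaller alphabet give at least the same keyspace."""
    return math.ceil(entropy_bits(charset_size, length) / math.log2(other_charset))


def comparison_table() -> list:
    """The two cases from the text (6 printable characters vs. 30 letters) plus a
    typical policy-style password, as (label, bits, years) rows."""
    cases = [
        ("6 chars, all 95 printable ASCII", 95, 6),
        ("8 chars, upper/lower/digits/symbols", 95, 8),
        ("30 chars, lowercase letters only", 26, 30),
    ]
    return [(label, round(entropy_bits(c, n), 1), years_to_exhaust(c, n))
            for label, c, n in cases]


if __name__ == "__main__":
    for label, bits, years in comparison_table():
        print(f"{label:38s} {bits:6.1f} bits  {years:.3g} years")
```

Six printable characters fall in about a minute at this rate, while thirty lowercase letters need on the order of 10^24 years; nine lowercase letters already match the keyspace of six printable ones.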
To create strong and secure passwords, you can use one of the many free password generators or a password manager. More on this later.
To enforce password policies in Contao, you can use the contao-password-validation extension by terminal42.
Use different passwords per installation
For convenience, it is tempting to use the same password for multiple Contao installations. Unfortunately, this also means that an attacker who has the credentials to one installation can easily gain access to all other installations. Instead, you should set a unique and secure password for each installation.
Using a password manager
If you heed the previous advice, then you have numerous passwords that you can't remember. The solution is a password manager. It allows you to create and store strong passwords, so you don't have to memorize every password. In addition, modern password managers offer automatic login to websites and apps, which speeds up and simplifies the login process. In the future, you'll only need to remember one strong master password, and you can still be sure that your credentials are protected. In addition, depending on the password manager, you can share the access data in a team. Well-known tools include Enpass, Bitwarden, KeePass, 1Password and LastPass.
Enable two-factor authentication
You can enable 2FA for your trakked account as well.
As few admins as needed
The number of administrators should be kept as low as possible. The more people have access to the Contao back end, the higher the risk that an attacker can get into the system unnoticed. If you do not necessarily need multiple administrators, reduce the number to a minimum.
Instead of admins, you should create user groups with limited rights.
It is best to always set an expiration date for temporary users and regularly delete inactive users.
Protect Contao install tool
Starting with Contao 5, the Contao install tool disappears, a fleeting memory of the good old days.
Rename Contao Manager
You can easily rename contao-manager.phar.php to a name of your choice. This makes it harder for unknown people to find the login to the Contao Manager. You can rename the Contao Manager to cm.phar.php, for example. This saves you additional typing work in the browser ;-)
To make sure that the Contao Manager can still be opened from the back end after the renaming, make the following entry in config.yml and then clear the application cache once via the Contao Manager ("System Maintenance" > "Refresh Prod. Cache") or via the console.

```yaml
# config/config.yml
contao_manager:
    manager_path: cm.phar.php
```
Once you have renamed the Contao Manager, you can customize the path in trakked.
Change Contao back end URL
Since Contao 4.13, the path to the back end login can be customized. To do this, make the following adjustment in config.yml:

```yaml
# config/config.yml
contao:
    backend:
        route_prefix: '/admin'
```
Before you implement this measure, however, it is much more important that you enable 2FA. "Hiding" the back end only increases the perceived security.
When changing the Contao back end URL, you have to keep in mind that not all extensions can handle it yet.
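The two config.yml measures in this section and the previous one are easy to leave half done (manager renamed but manager_path not set, or the prefix still at its default), so here is an added Python audit script, not part of Contao, trakked or the article, that checks a project directory for both. The public/ and web/ document-root names and the /contao stock prefix are assumed values, and the sample project it builds is constructed only to exercise the check.

```python
import re
import tempfile
from pathlib import Path

DEFAULT_MANAGER = "contao-manager.phar.php"   # stock file name of the Contao Manager
DEFAULT_PREFIX = "/contao"                    # stock back end route prefix (assumed)
DOC_ROOTS = ("public", "web")                 # Contao 5 / Contao 4 document roots (assumed)


def _setting(config: str, key: str):
    # Read a scalar such as manager_path or route_prefix out of config.yml text.
    m = re.search(rf"^\s*{key}:\s*['\"]?([^'\"\s]+)", config, re.M)
    return m.group(1) if m else None


def audit_contao_paths(project_dir: str) -> list:
    """Return a list of findings; an empty list means both measures are in effect."""
    project = Path(project_dir)
    doc_root = next((project / d for d in DOC_ROOTS if (project / d).is_dir()), None)
    if doc_root is None:
        return ["no public/ or web/ directory found"]
    cfg_file = project / "config" / "config.yml"
    config = cfg_file.read_text() if cfg_file.exists() else ""
    findings = []
    if (doc_root / DEFAULT_MANAGER).exists():
        findings.append(f"Contao Manager still reachable as {DEFAULT_MANAGER}")
    # Renamed, but config.yml does not tell Contao the new name (back end link breaks).
    manager_path = _setting(config, "manager_path")
    if manager_path is None:
        if not (doc_root / DEFAULT_MANAGER).exists() and list(doc_root.glob("*.phar.php")):
            findings.append("manager renamed but contao_manager.manager_path is not set")
    elif not (doc_root / manager_path).exists():
        findings.append(f"manager_path '{manager_path}' does not exist in {doc_root.name}/")
    # The back end is still served under the stock prefix.
    prefix = _setting(config, "route_prefix")
    if prefix is None or prefix == DEFAULT_PREFIX:
        findings.append(f"back end still served under default prefix {DEFAULT_PREFIX}")
    return findings


def build_sample_project(renamed: bool, configured: bool) -> str:
    # Constructed sample project tree in a temp dir, only to exercise the audit.
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "config").mkdir()
    (root / "public" / ("cm.phar.php" if renamed else DEFAULT_MANAGER)).write_text("<?php")
    if configured:
        (root / "config" / "config.yml").write_text("contao_manager:\n  manager_path: cm.phar.php\n"
                                                    "contao:\n  backend:\n    route_prefix: '/admin'\n")
    return str(root)
```

Run audit_contao_paths() against the real project root; the config parsing is a plain regex, so it reports on whatever manager_path and route_prefix values appear in config.yml rather than evaluating the full YAML.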
Regular Contao updates
As with any other software, regular updates are essential for Contao to fix bugs and close security vulnerabilities. Contao currently consists of more than 180 packages. This means that security vulnerabilities can occur not only in the Contao core packages, but also in all other dependent packages. For this reason, you should regularly install updates and update all packages, even if there is currently no known vulnerability for Contao itself.
trakked monitors your Contao installations for you and you will be informed immediately by email if a security vulnerability occurs in one of the more than 180 packages. In addition, updates can be installed much faster and easier with trakked.
Use latest PHP version
Besides Contao updates, running a current PHP version is also important, and PHP should be updated regularly. Usually, hosting providers update the PHP version automatically. However, a change to a newer minor or major version of PHP must always be done manually.
Here, trakked can support you too. trakked monitors the PHP version for you and records the history of the different versions. If the used PHP version is outdated, you will be notified.
If you want to secure your Contao installation, there are some simple measures you can take. Whether you implement all of them is up to you. The most important are regular updates, secure passwords and 2FA, and always installing Contao separately from other systems.
If you have any further suggestions, additions or tips, please leave us a comment.