
We’re Retiring beuser_iprange
Many years ago, we created our TYPO3 extension beuser_iprange to enhance backend security by allowing logins only from specific IP addresses. Back in 2008, this was a technically solid idea — but today, it's simply no longer state of the art. To be honest, we haven’t used the extension ourselves in quite some time. So, we've decided to discontinue its development.
A look back:
When we released the extension in 2008, the goal was to restrict TYPO3 backend access to specific IPv4 addresses or networks. You could configure allowed IP ranges in the TYPO3 configuration and define different zones for editors and administrators. At the time, internet access was still relatively straightforward, and this approach quickly added an extra layer of security.
Fast forward to today:
Static networks with fixed IPv4 addresses are now rarely assigned or used. Many companies rely on redundant internet connections via multiple (often globally distributed) providers. There’s no longer a single IP range which can be reliably whitelisted. Instead, configurations need to be updated frequently to match changes in corporate networks.
Remote employees (e.g. those working from home) receive dynamic IP addresses depending on their location. Therefore, it's no longer feasible to restrict access based on a fixed IP or range. Technically, corporate VPNs could still allow IP-based restrictions, but in our experience, this is rarely implemented — and even when it is, the same issues as mentioned above apply.
Relying solely on IPv4 address ranges to secure access to a system is simply outdated. With the growing adoption of IPv6, the common use of both protocols in dual-stack environments, and mechanisms like Happy Eyeballs that prioritize the fastest connection, an IPv4-only restriction is no longer effective. It ignores a significant and growing portion of the internet and can create connectivity issues for dual-stack users. A modern security strategy must account for IPv6 to ensure both protection and accessibility.
In short: IP addresses can no longer be considered a reliable way to identify a user group.
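The dual-stack problem described above, as an added example (not code from beuser_iprange or TYPO3): a Python allowlist check in which the same user is admitted over IPv4 but rejected over IPv6 when only IPv4 ranges are configured. The networks and client addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values from documentation ranges (RFC 5737 / RFC 3849).
IPV4_ONLY = ["192.0.2.0/24"]
DUAL_STACK = ["192.0.2.0/24", "2001:db8:1234::/48"]


def parse_networks(cidrs):
    """Parse CIDR strings into network objects; raises ValueError on bad input."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalize(client_ip):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(client_ip, cidrs):
    """True if client_ip falls in any allowed network of the same IP version."""
    try:
        addr = normalize(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(addr.version == net.version and addr in net
               for net in parse_networks(cidrs))


def audit(clients, cidrs):
    """Map each client address to the allow/deny decision for a given list."""
    return {ip: is_allowed(ip, cidrs) for ip in clients}


if __name__ == "__main__":
    # One office, three ways the same user can reach the server.
    clients = ["192.0.2.10", "::ffff:192.0.2.10", "2001:db8:1234:1::10"]
    for name, cidrs in (("IPv4-only", IPV4_ONLY), ("dual-stack", DUAL_STACK)):
        print(name, audit(clients, cidrs))
```

With the IPv4-only list, the user's native IPv6 connection is denied even though it originates from the same office; only the dual-stack list admits all three forms.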
So, how can you protect the TYPO3 backend without our extension?
One purpose of the extension was to prevent unauthorized login attempts. With it in place, brute-force attacks from anonymous internet sources were no longer possible. Since TYPO3 version 11.3, the core includes rate limiting, making brute-force attacks significantly harder — the core now takes care of this. That same version also introduced support for two-factor authentication, allowing you to prevent unauthorized logins and make the backend even more secure.
In a corporate environment, you should consider integrating existing identity providers using OAuth2 or similar systems — and yes, we already have an extension for that… 😉
And if you really want IP-based protection: modern TYPO3 versions allow you to restrict backend access on the web server level. That’s the proper layer for this kind of control and doesn’t add extra load to TYPO3.
By retiring the extension and relying on TYPO3 core features, maintaining your installation becomes simpler — giving us more time to focus on helping our clients move forward.