
How to Securely Migrate Your TYPO3 Website to WordPress

Your TYPO3 database holds the user accounts, form submissions, and FAL file records of everyone who has ever interacted with your site. Whoever you give your credentials to for the migration has access to everything.

What Is Actually Inside a TYPO3 Database

TYPO3 is disproportionately used in environments that handle sensitive data: universities, government portals, healthcare organizations, nonprofit membership platforms, and enterprise intranets. That pattern is not coincidental. The granular TYPO3 ACL system makes it well suited for multi-department sites where different users need different levels of access to different content. But it also means the data in a typical TYPO3 database is more sensitive than average.

A standard TYPO3 installation stores backend user accounts (with email addresses, hashed passwords, and login history), frontend user accounts (members, registrants, customers), all form submission data from EXT:form or third-party form extensions, file metadata from the File Abstraction Layer (FAL) including document access logs, and any structured data stored in extension-specific tables. Government and institutional sites often also have legally protected data under national privacy laws, GDPR, or sector-specific frameworks.

All of that lives in the same MySQL database that you would hand to a freelancer or migration tool to run your migration.
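An added example, not part of the original article or of gConverter's tooling: one way to inventory a TYPO3 SQL dump before handing it over, listing the tables that hold personal data. The core table names are TYPO3's own; the sample dump, the tx_example_* tables and the column-name heuristic are assumptions constructed for illustration.

```python
import re

# TYPO3 core tables that hold account, session or audit data.
CORE_PERSONAL = {"be_users", "fe_users", "be_sessions", "fe_sessions", "sys_log", "sys_history"}
# Column-name hints for personal data: a heuristic assumed for this example, not a complete list.
PII_HINT = re.compile(r"mail|passw|name|phone|address|birth|iban", re.I)
CREATE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*ENGINE", re.S | re.I)
COLUMN_RE = re.compile(r"^\s*`(\w+)`\s+\w+", re.M)  # column lines only, not KEY lines

# Constructed schema excerpt in mysqldump style; the tx_example_* tables are hypothetical.
SAMPLE_DUMP = """
CREATE TABLE `be_users` (
  `uid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL DEFAULT '',
  `password` varchar(100) NOT NULL DEFAULT '',
  `email` varchar(255) NOT NULL DEFAULT '',
  `lastlogin` int(10) unsigned NOT NULL DEFAULT 0,
  PRIMARY KEY (`uid`)
) ENGINE=InnoDB;
CREATE TABLE `tx_example_application` (
  `uid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `applicant_email` varchar(255) NOT NULL DEFAULT '',
  `date_of_birth` date DEFAULT NULL,
  `iban` varchar(34) NOT NULL DEFAULT '',
  PRIMARY KEY (`uid`)
) ENGINE=InnoDB;
CREATE TABLE `tx_example_category` (
  `uid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `title` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`uid`)
) ENGINE=InnoDB;
"""

def inventory(dump_sql):
    """Return {table: {"reason", "columns"}} for tables likely to hold personal data."""
    report = {}
    for table, body in CREATE_RE.findall(dump_sql):
        hits = [c for c in COLUMN_RE.findall(body) if PII_HINT.search(c)]
        if table in CORE_PERSONAL:
            report[table] = {"reason": "core account/session/log table", "columns": hits}
        elif hits:
            kind = "extension table" if table.startswith("tx_") else "other table"
            report[table] = {"reason": kind + " with personal-data columns", "columns": hits}
    return report

if __name__ == "__main__":
    for table, info in inventory(SAMPLE_DUMP).items():
        print(f"{table}: {info['reason']} -> {', '.join(info['columns'])}")
```

Run it over a schema-only export (mysqldump --no-data) so the inventory itself never touches row data; the resulting list is what the DPA and the deletion confirmation need to cover.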

[Figure: What your database looks like to a migration provider with no data handling policy.]

What Has Actually Gone Wrong in Data Migrations

The following incidents are documented and cited. They did not happen to theoretical organizations. They are real cases that establish the baseline for what goes wrong when data moves without proper security governance.

“A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.”

Keepnet Labs breach, documented by Caylent security research

Ten minutes. No malicious intent. A single operational shortcut by a contractor during a routine data transfer. The result was one of the largest data exposures on record. The lesson is not that contractors are untrustworthy. It is that without a formal, documented security process, any data transfer creates an exposure window that may not be visible until it is too late.

“The malicious clone of the Salesforce Data Loader tool is a textbook example of how trust in familiar-looking software can be weaponized to access sensitive credentials. Even with legitimate tools, a poorly scoped OAuth setup or unsecured endpoint can leave the door wide open.”

Conemis security research, August 2025

“Customer credit card data intercepted during a cloud migration, personally identifiable information exposed due to misconfigured permissions in the new database. These are not hypothetical scenarios. They result in regulatory fines, lawsuits, and destroy customer trust.”

Monte Carlo Data, September 2025

For TYPO3 specifically, the credential exposure window is broader than most CMS migrations. A TYPO3 admin login gives access to the backend, all content, all file assets, and all user records. Database credentials expose the entire data schema including extension-specific tables that may contain information the site owner does not immediately recognize as sensitive. SSH or FTP credentials expose the entire server. A migration provider who holds all three simultaneously has complete access to everything your organization has built on that server.

The Freelancer and Cheap Service Problem

[Figure: The freelancer who migrated your TYPO3 site last month: still has the database dump, no legal obligation to delete it.]

A search for “TYPO3 to WordPress migration” on any freelancer marketplace returns dozens of results at prices between $100 and $500. Some of those people are technically skilled. Almost none of them have a formal data handling framework. Here is the specific gap between what you need and what you get.

  • No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data on your behalf. Without one, your organization is in violation regardless of what the freelancer does or does not do. The DPA defines what is processed, why, how, and for how long. Most freelancers have never heard of it.
  • No formal credential policy. Your TYPO3 admin login, database credentials, and FTP/SSH access are typically sent by email. They sit in the freelancer’s inbox, possibly on an unencrypted machine, for as long as they retain their email archive. There is no deletion commitment and no audit trail.
  • No encryption requirement. Your database export travels via whatever method the freelancer chooses: FTP, unencrypted email attachment, Dropbox, WeTransfer. None of those are GDPR-compliant channels for personal data transfer.
  • No data retention policy. After the job, your database backup stays wherever the freelancer last put it until they choose to delete it. There is no timeline, no secure deletion method, and no notification to you when deletion happens.
  • No breach notification obligation. If the freelancer’s laptop is stolen, their cloud storage is compromised, or their email is hacked, they have no contractual obligation to tell you. Your users’ data could be circulating without your knowledge.
  • No professional liability. If the migration corrupts your data, exposes your users, or triggers a regulatory investigation, a marketplace freelancer has no insurance and no legal exposure in most jurisdictions. Your organization absorbs the full cost.
  • TYPO3-specific technical gaps. Most freelancers who advertise TYPO3 migrations rely on third-party scripts or manual methods that handle standard content elements but routinely fail on FAL-linked media, extension-specific data tables, TypoScript-generated pages, and complex permission structures. The result is a “done” migration that is missing significant portions of the site with no audit trail to tell you what went wrong.

Why Automated Migration Tools Do Not Solve This

Tools marketed for TYPO3 to WordPress migrations introduce a different but equally serious set of risks. Understanding how they work explains why.

Most automated migration tools require you to install a connector plugin or export script on your source TYPO3 installation. That script extracts your content, user data, and file metadata and transmits it to the tool’s servers for processing. Your data moves through third-party infrastructure you have never audited, have no contractual data protection relationship with, and cannot verify is compliant with GDPR or any other applicable law.

Beyond the security gap, these tools consistently fail on the structural complexity of TYPO3 content. TypoScript-rendered pages have no direct equivalent in the WordPress post model and require manual mapping. Content elements (text, text with image, accordion, tab sections, custom extension output) need explicit translation to WordPress Gutenberg blocks or ACF-powered structures. The File Abstraction Layer stores file metadata separately from the physical files, and both must be migrated correctly or file references break. Extension-specific tables (custom content types built on EXT:news, EXT:femanager, custom extensions) are typically ignored entirely.

GDPR exposure compounds this. If your TYPO3 site has EU users and you use an automated tool without a signed DPA with that tool’s provider, you are processing personal data outside a lawful data sharing framework. GDPR fines start at 2% of annual global turnover or €10 million, whichever is higher. For universities, government bodies, and healthcare organizations, the regulatory exposure from an undocumented data transfer can dwarf the cost of the migration itself.

How gConverter Does It

[Figure: How gConverter starts every TYPO3 migration: legal framework before data access.]

gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8), which means we operate under a documented legal framework for every piece of personal data we handle. Here is exactly what that framework looks like.

Step 1: Legal documentation before credentials

Before you share a single credential, you receive a Data Processing Agreement for review and signature. For clients requiring additional assurance, a Non-Disclosure Agreement is also executed. No data access of any kind is granted until both documents are in place and countersigned. The DPA is a legally binding contract that defines what we process, the lawful basis for processing, data retention limits, and our liability in the event of a breach.

Step 2: Secure credential handling

Your TYPO3 admin credentials, database credentials, and FTP/SSH access are transmitted via an encrypted channel, never by plain email. They are immediately stored in an AES-256 encrypted vault with access restricted to the single assigned engineer. Credentials are deleted from all systems within 24 hours of job completion with written confirmation provided to you.

Step 3: Isolated, encrypted staging

Your database is exported and transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, Germany, keeping all data inside the European Economic Area throughout the migration. For standard clients, processing occurs on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never processed on shared hosting and never stored alongside other customers’ data.

Step 4: Logged migration on staging

Every database query and file access during the migration is logged. The migration is completed entirely on staging and presented to you for review and approval before anything changes on your production site. The staging environment is firewalled and not publicly accessible.

Step 5: Verified delivery and secure deletion

After your approval and go-live, credentials are revoked and deleted immediately. All customer data on our systems is permanently deleted within 30 days using secure overwrite deletion. You receive written confirmation. Pending user deletion requests received during the migration window are honoured before final delivery.

Step 6: Breach response protocol

We notify you within 72 hours of becoming aware of any security incident affecting your data (GDPR Article 33), and we assist you in notifying your supervisory authority if required. We maintain an internal breach register and a tested incident response plan. All staff sign binding confidentiality agreements and receive data security training. Only the assigned engineer can access your data, and no team member may copy, share, or retain it.

Read the complete documentation: GDPR and Data Protection at gConverter →

Questions to Ask Any TYPO3 Migration Provider

Whether you are evaluating gConverter or anyone else, these questions will tell you whether the provider has built a real data protection process or is improvising.

  1. Will you sign a Data Processing Agreement before accessing any data? A “yes” followed by an actual DPA document is the minimum. Anything else means they are not GDPR-compliant and you face legal exposure.
  2. How are credentials transmitted? Acceptable: encrypted channel, password manager share, or secure vault. Not acceptable: email, Slack, WhatsApp, or any plain-text channel.
  3. Where exactly is my data processed and stored during migration? You need a real answer: specific server location, encryption method, and who has access. Not “on our servers.”
  4. When and how will my data be deleted after completion? You need a timeline (days, not “eventually”) and a deletion method (secure overwrite, not trash).
  5. Does your process cover TYPO3-specific content? Ask specifically about FAL-linked media, EXT:news or similar extension content, TypoScript-rendered pages, and custom extension tables. If they cannot answer specifically, they have not done it properly before.
  6. Do you carry professional liability insurance? Without it, you have no financial recourse if a security incident or data loss occurs during the migration.
  7. What is your breach notification procedure? If they do not have a documented one, they have no obligation to tell you if your data is compromised.

Technical Quality Matters Too

Security is the foundation. But the technical depth of the migration determines whether you end the process with a fully functional WordPress site or a partial import that requires months of manual repair. A complete TYPO3 to WordPress migration by gConverter covers all content types and pages, FAL-linked media imported to the WordPress Media Library with alt text and metadata, custom content element types converted to ACF-powered Gutenberg blocks, taxonomies and terms reconstructed with full hierarchy, frontend users migrated with role mapping, SEO titles and meta descriptions carried across to Yoast SEO, 301 redirects for every URL that changes, navigation menus rebuilt programmatically, and a custom WordPress theme that matches your source design exactly.

For the full picture of why organizations are choosing to leave TYPO3, including market share data and real user feedback: Why Organizations Are Migrating From TYPO3 to WordPress →

To discuss your specific site and get a migration quote: TYPO3 to WordPress migration at gConverter →

What Our Clients Say

The security framework matters. So does delivering on the technical side.

“Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.”

Anna P., Wilmington NC – verified on Customer Lobby, January 2026

“Extremely professional and efficient, we had very good contact, the work was done in due time.”

Timoti F., Berlin DC – verified on Customer Lobby, February 2024

[Figure: The outcome when security and technical quality are both handled right: a clean handover you can trust.]

The Bottom Line

A TYPO3 migration gives a third party access to your server credentials, your database, your user records, and your file assets. The organizations that use TYPO3 disproportionately handle sensitive data. The gap between what a properly governed data transfer looks like and what most freelancers and tools provide is not small.

gConverter is US-registered and EU GDPR-compliant, with a documented six-step security process, signed legal agreements before any data access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and a 30-day data deletion commitment. Hundreds of migrations completed. Zero data incidents.

Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems. That is what a secure TYPO3 to WordPress migration looks like.
