Around 20% of attacks on PrestaShop stores involve stolen credentials and sensitive information about the store. A large share of these attacks revolve around the login page of your PrestaShop store.
We have seen attackers taking a cue from error messages, prolonged idle authentications, ill-managed passwords, etc. to get access to a store. Attacks on the admin page are particularly harsh and cause deeper consequences. Why? We will talk about that later in the post. For now, it can be agreed that PrestaShop login security is the need of the hour, and it is time we actually implemented it.
In this post, I am going to share with you 7 simple ways to lock down your login pages. Stay with me till the end.
Before we get to that, let’s briefly look into why PrestaShop login security is so important.
Why do you need PrestaShop login security?
The admin panel is the most crucial resource of any e-commerce website. You can think of it as a pilot’s cabin. The admin panel lets you manage, look over, and steer your e-commerce store in the direction you wish. It helps you keep track of your web pages, user registration, and website optimization, among many other things.
In recent years, PrestaShop has suffered many admin panel hacks. Weak PrestaShop login security could give hackers easy access to your store’s backend. After exploiting your overlooked PrestaShop login security, hackers could harm your website and business in several ways. They can:
- Create new admin accounts.
- Modify the admin dashboard.
- Disable security plugins to allow for other kinds of attacks.
- Escalate the privileges of multiple users.
- Deface the website.
- Manipulate products.
- Manipulate prices.
- Inject skimmers and malverts (malicious ads).
and much more.
Instances of a hacked PrestaShop admin panel are many. But the following cases give a rough idea of how troubling it can be for a store owner like you.
How to enhance PrestaShop login security?
Now that we know the consequences, it is time to take a step back and assess our PrestaShop login security. Have you taken any security measures to secure your login pages? If not, this list of PrestaShop login security measures will give you a better insight into the matter.
Follow these guidelines to enhance the admin security of your PrestaShop website.
1. Rename Admin Folder
Deleting the install folder and renaming the admin folder is security through obscurity, but it is still worth doing. Both folders are present in your root installation by default, and keeping them that way is a security risk. It is not hard for attackers to guess the URL /admin. The same goes for the install folder.
By renaming the admin folder you deter hackers from locating it by brute-forcing directory names or simply by guessing.
To rename the admin folder:
- Go to the cPanel file manager.
- Select the admin folder.
- Click on the Rename icon.
- Pick a unique name and click on the Rename button to save the change.
To delete the install folder:
- Go to the cPanel file manager.
- Select the install folder.
- Click on the Delete icon.
2. Password Protect Your Admin Folder
As we discussed above, the default admin URL is public knowledge, which makes it even more crucial to secure it. After you have renamed the folder, also password protect it. Here are the steps to set up basic authentication for the admin folder:
- Create a .htaccess file and a .htpasswd file, or generate both files with a PrestaShop htaccess generator.
- Place the .htaccess file in the renamed admin folder, for example /var/www/prestashop/admin123456.
- For additional security, put the .htpasswd file in a directory that your web server cannot serve (outside the web root) and reference it from the .htaccess file, so that a misconfiguration can never expose the credential file.
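The .htaccess that implements this, as an added example rather than output of the generator the post mentions; the folder name admin123456 follows the post's example path, and the .htpasswd location is an assumption:

```apache
# /var/www/prestashop/admin123456/.htaccess  (admin folder name follows the post's example)
AuthType Basic
AuthName "PrestaShop back office"
# The credential file lives outside the document root (assumed path), so the
# web server can never serve it even if a rule that blocks .ht* files is lost.
AuthUserFile /etc/apache2/prestashop.htpasswd
Require valid-user
```

Create the credential file with `htpasswd -B -c /etc/apache2/prestashop.htpasswd shopadmin` (the -B flag stores a bcrypt hash rather than the weak default).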
3. Use Strong Passwords Overall
Weak and stolen passwords account for 81% of data breaches, according to a Verizon report. Hence, it is important to use strong passwords. A password should combine uppercase and lowercase letters, digits, and special characters. You can use a password generator, such as those from Symantec or GRC, or follow secure password creation guidelines.
4. Multi-Factor Authentication
Multi-factor authentication provides added PrestaShop login security against brute force attacks. With multi-factor authentication, the user has to go through additional steps to log into the admin account, which makes it more difficult to gain illegitimate access to it. A Google Authenticator add-on secures the login process of your back office folder.
5. Use CAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and that is exactly what it does: it ensures that your website is interacting with a human and not a bot. Use a CAPTCHA on your store’s admin login and password reset pages. The PrestaShop community has developed several security add-ons that activate CAPTCHA protection on your website. Here is a list of the best available CAPTCHA modules for PrestaShop login security.
6. Block Direct Access to Templates
Third-party modules and templates could act as gateways for fraudsters. Therefore, use only secure and trustworthy modules, update all add-ons regularly, and keep the number of modules as low as possible, because each new module adds a potential gateway for attackers. You can disallow direct access to your theme’s template (.tpl) files with a .htaccess file containing the following (the dot is escaped so that only files whose extension is .tpl are matched):
<FilesMatch "\.tpl$">
    Order deny,allow
    Deny from all
</FilesMatch>
On Apache 2.4 without mod_access_compat, the Order and Deny directives are not available; use Require all denied inside the FilesMatch block instead.
7. Use a Firewall
A firewall is the first line of defense for an e-commerce website. The Astra Firewall filters out bad bots and illegitimate traffic, naturally cutting down brute-force attacks.
Moreover, security solutions like Astra let you keep tabs on your store’s login activity, which again is very helpful in ensuring top-notch PrestaShop login security.
Not only this, Astra automatically blocks all login attempts from identified malicious IPs to keep your PrestaShop store secure. Even for IPs that are not blacklisted, only a limited number of attempts is allowed.
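The attempt-limiting logic described above, as an added example (not Astra's code or the post's own): it scans Apache combined-format access log lines for submissions of the PrestaShop back-office login form and reports source IPs that exceed a threshold within a sliding window. The admin folder name admin123456 follows the post's example path, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_DIR = "admin123456"  # assumed name of the renamed back-office folder
# Apache combined log: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_POST = f'"POST /{ADMIN_DIR}/index.php?controller=AdminLogin HTTP/1.1"'

# Constructed sample: 203.0.113.7 submits the login form six times in 15 s;
# 198.51.100.2 loads the form once and logs in once (302 redirect on success).
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] {LOGIN_POST} 200 512"
     for s in range(0, 18, 3)]
    + [f'198.51.100.2 - - [10/Mar/2024:10:00:05 +0000] "GET /{ADMIN_DIR}/index.php?controller=AdminLogin HTTP/1.1" 200 4096',
       f"198.51.100.2 - - [10/Mar/2024:10:00:20 +0000] {LOGIN_POST} 302 0"])

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"]

def is_login_post(method, path):
    # A failed back-office login still answers HTTP 200 with an error message,
    # so the status code is no signal; count every submission of the login form.
    return (method == "POST" and path.startswith(f"/{ADMIN_DIR}/")
            and "controller=AdminLogin" in path)

def find_bruteforcers(log_text, max_attempts=5, window_seconds=300):
    """Map each source IP to its peak number of login POSTs within any window
    of `window_seconds`; only IPs whose peak exceeds `max_attempts` are returned."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_login_post(rec[2], rec[3]):
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            flagged[ip] = peak
    return flagged
```

Feed it your real access log and the flagged IPs are the ones to rate-limit or block at the firewall; the same per-IP counter is what a login lockout module would keep on the application side.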
Security is now more important than ever. With the number of cyberattacks against PrestaShop rising, it is only prudent to start securing your Store today.
Implement the PrestaShop login security measures mentioned above and lock down your PrestaShop store from prying eyes.
While we encourage every store owner to make security a habit in their e-commerce business, shoving security into an already packed schedule often does more harm than good. You may think you are secure when in truth you are not.
For this reason, I recommend getting automated security tools that protect your store 24/7.