Ingrid_bw.png
Astra saved my website from the dreaded Japanese SEO hack. Have used Astra for my website's security ever since & super happy to see dozens of attacks being stopped & the support I've received Ingrid Kjelling
Owner, IK Photography

The Ultimate Prestashop Security Practices and Malware Removal Guide

This Prestashop security guide will help you to protect your Prestashop website from hackers & how you can fix your hacked store website.

The Ultimate Prestashop Security Practices and Malware Removal Guide

Prestashop is one of the most popular e-commerce shopping cart software in the market, mostly catering to small and medium-sized businesses. It has retained its place as among the top players in the global Retail E-commerce Software market. PrestaShop is known to be quite secure yet, Prestashop Security remains a concern for business owners as it’s still targetted by hackers who exploit vulnerabilities. In this Ultimate PrestaShop Security Practices Guide, we aim to educate you with basic knowledge about enforcing security steps in your Prestashop installation. This PrestaShop Security Practices Guide also includes tips for malware removal.

Basic Prestashop Security Practices

There are several basic steps you can implement to secure their Prestashop, irrespective of your technical knowledge.

  1. Use the latest version of Prestashop: Keeping an updated Prestashop is of paramount importance as newer versions regularly tackle impending vulnerabilities, add new features, contain bugfixes and other necessary fixes. While the update process may be cumbersome, not to forget that your store goes into maintenance mode and generates lesser traffic, it is smart to spend some time on updates than deal later with hackers and data theft.
  2. Set up secondary password protection: It is an intelligent practice to set up a server-side password for your back office folder to further limit the access to it.  This would require adding the extensions: .htaccess and a .htpasswd file, which works on only Apache servers and would essentially protect your folders and respective sub-folders. Here is a detailed tutorial on how to secure admin folder with HTTP Authentication (.htpasswd & .htaccess).
  3. Use strong passwords: It is recommended to use complex passwords by mixing letter numbers and special characters. Another reliable option is using a password generator or a passphrase, which is not only easier to remember, but also much harder to crack, even if a hacker employs a brute force attack or dictionary attack
  4. Remove no longer useful install files: After installing or updating PrestaShop, make sure you delete useless default files like the /install folder. Some other files which can be rendered useless are the README.md file, the CONTRIBUTING.md and CONTRIBUTORS.md files, and the /docs folder along with all its content.
  5. Block direct access to your templates: Using a using a .htaccess file, disallow access to your theme’s files/templates. The following code snippet can be used to do that:
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
  6. Update server software: It is strongly recommended to always update your server’s applications: PHP, MySQL, Apache. That’s because a non-updated PHP code makes your server vulnerable.

Intermediate Prestashop Security Practices

Following best practices can help you further secure your store from online fraudsters

  1.  SSL Encryption: Using an SSL certificate is one of the most common security measures. An SSL certificate encrypts all data passed to and fro from customer to web server.
  2. Create Backups: Having a backup is paramount as in worst case scenario all your data could be lost. A Backup copies all of your website settings, database, and content which can be restored later. It is recommended to either backup your store or let your hosting company do it as most hosting plans include weekly backup services.
  3. Using Cookies: Using cookies to store your visitor’s information can help you nab fraudsters and stop consequent malicious attempts. You can enable cookie usage and turn on the option called “Check the IP address on the cookie.”, which checks whether IP of visitors matches its browser cookie IP.
  4. Front office security: This is Prestashop’s default feature which can be enabled in the Preferences section. This provides every customer session a unique URL to secure the customer’s added information and refrain it from use in another browser or computer
  5. Themes and Plugins: Always be cautious about the source of your installed theme/plugin. Download without hesitation the themes or plugins approved and verified by platform developers. Those downloaded from unreliable sources may induce malware into your system.
  6. Security Plugins: Installing a few security plugins can go a long way in improving your Prestashop store protection. These are
  • Key Manager module – Creates a unique key for every product that was purchased by a customer;
  • Anti Fraud for orders module – A plugin which checks for fraudulent ordering
  • No CAPTCHA reCAPTCHA module – Adds captcha to your store.

WaterTight/Ultimate Prestashop Security Practices

  1. Change File Permissions: Ensure that you give correct permissions to your Prestashop hosting account’s files and directories. The proper permissions for files are 644 (rw-r—r–) and for directories are 755 (rwxr-xr-x).
  2. Disable Dangerous PHP Functions: Your Prestashop installation harbors some PHP files which are not really needed and can pose as a security risk. Thus, it’s advised to disable them by putting the following rule in the php.ini file for your account: disable_functions = proc_open,phpinfo,
    show_source,system,shell_exec,
    passthru,exec,popen
  3. Enable Security Tokens: Security tokens is another feature which improved Prestashop’s security. Although it is enabled by default, it is highly recommended to keep so. To enable security tokens, go to the Preferences tab of your store’s admin panel and ensure that the option Increase Front Office security is set to Yes.
  4. Secure account details: In Prestashop, one can use ciphering to secure account details. Two different ciphering algorithms exist in the backend of your Prestashop: Rijndael with mcrypt and the custom BlowFish class. To alter the algorithm, click on the admin panel’s Preferences tab, navigate to Performance sub-tab, and scroll down to the section.

Malware Removal Steps

You may have adhered to the above precautions to ensure your Prestashop Security, yet a malware attack took place. In such cases, it advised to immediately implement the following steps

  1. Check for infection: First and foremost check for the location and date of infection. You’d need to login to your ftp and scan the directories. Malicious attacks usually start from one of the following places:
  • modules/homepageadvertise/slides
  • modules/homepageadvertis2/slides
  • modules/productpageadverts/slides
  • modules/columnadverts/slides
  • modules/simpleslideshow/slides
  1. Once the malware is placed the above locations, it is highly likely that the attacker could put a backdoor on your server. Therefore it is essential to check the above folders for the presence of any other files than images or index.php.

  2. Restore clean backup: It is a good practice to keep regular backups of your server, in case your website gets hacked you’ll be able to restore the hack-free version and apply security patches. In case you are lacking a backup, retrieve one from your hosting provider. Once you’ve restored a backup, update your theme to the latest version.
  3. Scan and clean site: In case you lack a clean backup, you’ll need to scan your infected site and clean it from malicious code. Once a hacker has established a backdoor or multiple backdoors (in case one is removed during the manual update), he can use it regain access to your site. These backdoors can be added as new files in your server or as part of existing core files of Prestashop or modules. Hence, it is paramount to perform a full site scan and take necessary measures to eliminate all backdoors.
  4. Alter access data: Before moving forward with a clean site, change all passwords on your website.
    • MySQL database access data
    • ftp data
    • hosting panel/cpanel access data
    • ssh access data
    • your back office users access data

Like every other store management system, Prestashop too is vulnerable to various online threats. To thwart an attacker’s attempt, it advisable to follow the abovementioned basic precautions and ensure a safe functioning of your Prestashop site.

Worried about your Prestashop store’s safety in light of recent online threats? Contact Astra for a comprehensive security scan of your site.

Prestashop Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

PrestaShop Malware Scanner & Backdoor Removal Addon

The page contain details about our OpenCart malware scanner & how can you use it to clean your website

Ingrid_bw.png
Astra saved my website from the dreaded Japanese SEO hack. Have used Astra for my website's security ever since & super happy to see dozens of attacks being stopped & the support I've received Ingrid Kjelling
Owner, IK Photography

PrestaShop Malware Scanner

Accurate, fast & machine learning powered PrestaShop malware scanner now at your finger tips. Astra’s PrestaShop scanner detects all malware, backdoors & core file changes on your website without effecting speed of your website in any way

Super Fast

Astra’s malware scanner optimizes itself with each scan making subsequent scans visibly faster making malware scanning a 5 minute affair for you

Ever Evolving

Our malware scanner is powered by machine learning which intelligently detects early signs of malware & flags them for you

Intuitive Reports

Malware, backdoors & core file changes are beautifully visualized telling the exact instances of malware within your code making everything super simple for you

Astra's PrestaShop Malware Scanner

Unveil all Malware & Backdoors

One-Click Start from Dashboard

Now scan your PrestaShop store by just a click of button, anytime as per your convenience 

Detects Hidden Malware & Backdoors

Our Malware scanner is highly tailored for all  PrestaShop versions & detects the hidden, encrypted malware 

Beyond Malware Signature Matching

Our malware scanner is deeply coupled with our firewall, security audit & community security offerings helping us stay on top of the security world & bringing in that intelligence to malware scanner 

Community Powered

Astra’s community powered  PrestaShop malware scanner brings collective intelligence of thousands of website to your website’s security, helping you stay a step ahead of hackers 

Resource Optimized

Unlike other malware scanners, Astra’s malware scanner would never slow your website. Our intelligent scanning technology helps us scan faster than other scanners without slowing down your website 

Astra's Rock Solid Security For PrestaShop Store

Web Aplication Firewall

Astra’s Web Application Firewall is highly tailored for PrestaShop store and stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+types of threats in real time

Manual Malware Cleanup

Apart from automated scan, our engineers perform in-depth malware cleanup of your website & assure it remains secure throughout the year, no questions asked

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website

FAQs - PrestShop Malware Scanner

Our Malware scanner can be installed as a PrestaShop module. You can download the plugin from Astra dashboard after the sign-up.

Our PrestaShop malware scanner which will give you a well detailed report of all malware & backdoors. Then you need to go to the file path & delete the malicious code or file.

Yes, with malware scanner you get access to Astra firewall which stops all malware attacks in real time.

Hosting malware scanners are not tailored as per CMS & they scan only limited files of your website. You need a scanner that is tailored for your CMS & updates periodically with the hacks

Still have a question? Read more FAQ’s or feel free to contact us

Astra is amazing!!! I bought Astra after having used malcare and webarx religiously. I run a digital marketing agency so having web security is extremely important. First I had malcare do a manual cleaning of my site cause they had said there were some malicious code in my site. They send me the email when they complete it and my site is in the clear…so I think. I immediately installed Astra about an hour later on my main site (no client sites yet). Astra did it’s initial scan and came back with 9 malicious codes installed!

I am thoroughly amazed and impressed by Astra and its abilities let alone the support response time. The report isn’t generalized in any way, it’s extremely specific and detailed about your specific site. This is a must in my opinion if you have any type of website. The security it gives me in knowing that I have a capable company like Astra watching over my site and if something goes wrong they are there to rid the problem. Astra is a major relief and weight of security off my shoulders.

Ferdinand Mehlinger

owner of Bluoo Digital & Laptop Lyfestyle

Astra's OpenCart Malware Scanner

Disclose all Malware & Backdoors

Top Brands Using Astra Security

What Our Customers Have to Say

Continue reading

Prestashop Security Audit & VAPT

This contains all details of tests, pricing & sample PrestaShop Security Audit report.

Ingrid_bw.png
Astra saved my website from the dreaded Japanese SEO hack. Have used Astra for my website's security ever since & super happy to see dozens of attacks being stopped & the support I've received Ingrid Kjelling
Owner, IK Photography

Astra Uncovers Security Vulnerabilities in your PrestaShop Store - PrestaShop Security Audit

The PrestaShop security audit focuses on evaluating the vulnerabilities in your store by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the Prestashop store for any weaknesses, technical flaws, or vulnerabilities.

Comes with 150+ security tests followed by tests tailored to your tech stack & needs.

  • Detailed Code Analysis
  • Business Logic Testing
  • Dedicated Engineer
  • Prevent Credit Card Hack

Our team that has helped to secure

Adobe
Blackberry
Yahoo
Microsoft
AT&T
Buffer App

Super Secure My Business

PrestaShop Security Audit - Features

Vulnerability Assessment and Penetration Testing

Exhaustive VAPT for your Prestashop store is performed that would identify security loopholes in the Web Application which could potentially allow a malicious user to gain access to the system or perform malicious operations.

Static & Dynamic Code Analysis

Astra’s Web Application Security Testing is based on the OWASP Testing Methodologies and the OWASP Testing Framework. We perform over 150+ ‘active’ tests that have been classified on the basis of type of vulnerabilities found.

Business Logic Testing

It is the core logic of your Prestashop store. Here we check Price Manipulation, Getting More Discounts, Privilege Escalation, Bypass Security Restrictions, Access to Unauthorized Information. You can read more about it here.

Payment Handling & Integration

Checkout Portals and Payment Gateways are thoroughly checked for credit card hacks, formjacking, price manipulation vulnerabilities and more. Such vulnerabilities in a web application’s payment flow directly affects the business. 

Server Infrastructure Testing & DevOps

Securing the perimeter becomes the initial step here. The key activities would involve Auditing Existing Configurations, Ensuring Encryption & Safe Data Storage, Optimizing DevOps Processes & suggesting best practices.

Network Devices Configuration Audit​​

An assessment of the device patch level, the logging & auditing implementation, authentication mechanisms. Audit based on device configuration, administrative and authentication services, network filtering, protocol analysis.

Testing for Known CVEs

While Prestashop security audit we test for common vulnerabilities and exposures. This will ensure that your store is protected from all known vulnerabilities that were exploited in the past

Assistance in Patching Security Vulnerabilities

Our engineers will share a detailed report with step by step POC (screenshots/videos) and detailed fix information with code/config examples that will help your developer to patch vulnerabilities. 

Dashboard for Vulnerability Reporting​​

Vulnerabilities are reported on our intuitive dashboard where your developers can interact directly with our security engineers. Also, you can request for a re-scan to ensure that the vulnerability is patched.

Top Security Issues Tested - PrestaShop Security Audit

  • Configuration and Deployment Misconfiguration

    Tests HTTP Methods, HTTP Strict Transport Security, Network/Infrastructure Configuration, Application Platform configuration

  • Application or Framework Specific Vulnerabilities

    We test for all possible major causes of Prestashop hacks such as SQLi, XSS, RCE, CSRF, LFI, RFI etc.

  • Broken or Improper Authentication

    Tests for Weak & Guessable passwords, Test for lack of appropriate session Timeouts, User Enumeration, use of default credentials, Account Lockout Policy, Session ID randomness etc.

  • Identifying Technical & Business Logic Vulnerabilities

    We test for OWASP Top 10, WASC Top Threats, etc. and our Testing methodology is based on OWASP Testing Guide v4.

  • Over 150+ Active Security Tests

    Testing for Input Validation issues, SSL issues, Authorization/Authentication issues, security best practices etc.

Astra Pricing For PrestaShop Security Audit

CMS Scan

A comprehensive security audit for your website built with Magento, OpenCart, WordPress and other CMSs. We perform 80+ active tests with the right mix of automated & manual testing.

Be safe from critical issues like CC theft, Malware, Known Exploits, Security Misconfigurations, Vulnerable Plugins & more.

  • Cloud Dashboard
  • Steps to Fix
  • Amazing Support
Flat fee of
$499
/scan

Business Logic Scan

An in-depth VAPT (Vulnerability Assessment & Penetration Testing) for custom built web-apps or CMSs with custom development. We perform 120+ active tests specific to your tech stack.

We pinpoint Business Logic Errors, Payment Gateway flaws, Price Manipulation Vulnerabilities, Customer Data Theft & more.

  • Security Manager
  • Cloud Dashboard
  • Steps to Fix
Starts from
$999
/scan
Contact Us

Astra's Rock Solid Security For PrestaShop

Web Aplication Firewall

Our Web Application Firewall is highly tailored for Prestashop & stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+types of threats in real time.

On-Demand Malware Cleanup

Astra’s on demand malware scanner is super fast. It detects all malware & backdoors in your Prestashop store. You can run scan as per your convenience.

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website.

Top Brands Using Astra Security

What Our Customers Have to Say

Frequently Asked Questions

Yes, a security audit is an in-depth exercise that requires hours of effort of human & technology resources. That’s why an upfront payment is expected.

Definitely, once you’ve fixed the vulnerabilities you can request a scan simply by clicking a button on your dashboard. Following which, our engineers are notified and they plan a re-scan. If you are a business plan customer, you get a re-scan every month. If you’ve opted for a security audit separately then one re-scan is available to you.

Not at all, the security audit and VAPT are agnostic of the technology stack and work well on all websites.

You start seeing vulnerabilities reported by us from the day testing is started. You can ask for support in fixing the vulnerabilities for 30-days, starting from the day our engineers finish testing. During these 30 days, our engineers will be available to work with you or your developers and assist them in fixing bugs via the comment system of our dashboard. At any point, if the engineers feel that there is a need for a chat, they’ll be happy to talk to you over a chat too.

Yes, for sure. We assist your developers in fixing the vulnerabilities reported. Your developer can comment under each vulnerability if they have any questions regarding the fixation process.

Definitely, we test mobile apps too. You can learn more about them here.

Still have a question? Read more FAQ's or drop us a message in the chat box

Super Secure My Business

Continue reading