The Ultimate Prestashop Security Practices and Malware Removal Guide
Prestashop is one of the most popular e-commerce shopping cart platforms on the market, catering mostly to small and medium-sized businesses. It has retained its place among the top players in the global retail e-commerce software market. PrestaShop is known to be quite secure, yet PrestaShop security remains a concern for business owners because it is still targeted by hackers who exploit vulnerabilities. In this Ultimate PrestaShop Security Practices Guide, we aim to give you the basic knowledge needed to enforce security measures in your PrestaShop installation. The guide also includes tips for malware removal.
Basic Prestashop Security Practices
There are several basic steps you can implement to secure your Prestashop store, irrespective of your technical knowledge.
- Use the latest version of Prestashop: Keeping Prestashop updated is of paramount importance, as newer versions regularly address known vulnerabilities, add new features and contain bug fixes and other necessary fixes. While the update process may be cumbersome, not least because your store goes into maintenance mode and generates less traffic in the meantime, it is smarter to spend some time on updates than to deal later with hackers and data theft.
- Set up secondary password protection: It is an intelligent practice to set up a server-side password for your back office folder to further limit access to it. This requires adding a .htpasswd file, which works only on Apache servers and protects the folder and its sub-folders. Here is a detailed tutorial on how to secure the admin folder with HTTP Authentication (.htpasswd & .htaccess).
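The following script, added here as an illustration and not taken from the guide or from PrestaShop, puts HTTP Basic authentication in front of a back-office folder by generating both files. The folder path, user name and password are assumptions; the hash is produced with openssl in the apr1 scheme that Apache's htpasswd tool also uses.

```shell
#!/bin/sh
# Added example (not from the original guide): put HTTP Basic authentication in
# front of a renamed PrestaShop back-office folder using Apache .htaccess/.htpasswd.
# The folder path, user name and password are assumptions for illustration.
set -eu

# protect_admin <admin_dir> <user> <password>
# Writes <admin_dir>/.htpasswd with an Apache-compatible apr1 (MD5) hash, the
# same scheme 'htpasswd -m' produces, and an .htaccess requiring a valid user.
protect_admin() {
    admin_dir=$1; user=$2; password=$3
    htpasswd_file="$admin_dir/.htpasswd"

    # openssl is used so the apache2-utils 'htpasswd' tool is not required.
    hash=$(openssl passwd -apr1 "$password")
    printf '%s:%s\n' "$user" "$hash" > "$htpasswd_file"
    # 644 so the web server process can read it; Apache's stock configuration
    # refuses to serve .ht* files, so it is not downloadable from the web root.
    chmod 644 "$htpasswd_file"

    # AuthUserFile must be an absolute path, or Apache will not find the file.
    abs_htpasswd="$(cd "$admin_dir" && pwd)/.htpasswd"
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "PrestaShop back office"
AuthUserFile $abs_htpasswd
Require valid-user
EOF
}

# has_apr1_entry <admin_dir> <user>: check that the user has an apr1 hash stored.
has_apr1_entry() {
    grep -q "^$2:"'\$apr1\$' "$1/.htpasswd"
}
```

Run it once against the renamed admin folder and then request the back office in a browser: the server must answer with a 401 before PrestaShop's own login page appears.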
- Use strong passwords: It is recommended to use complex passwords mixing letters, numbers and special characters. Another reliable option is a password generator or a passphrase, which is not only easier to remember but also much harder to crack, even if a hacker employs a brute-force or dictionary attack.
- Remove install files that are no longer needed: After installing or updating PrestaShop, make sure you delete default files that serve no purpose, such as the /install folder. Other files that can be removed are README.md, CONTRIBUTING.md and CONTRIBUTORS.md, and the /docs folder along with all its content.
- Block direct access to your templates: Using a .htaccess file, disallow access to your theme's template files. The following directive does that on Apache 2.2 (on Apache 2.4 the same rule is written Require all denied unless mod_access_compat is loaded):
deny from all
- Update server software: It is strongly recommended to always update your server's applications: PHP, MySQL and Apache. An outdated PHP installation, in particular, leaves your server vulnerable.
Intermediate Prestashop Security Practices
The following best practices can help you further secure your store from online fraudsters.
- SSL Encryption: Using an SSL certificate is one of the most common security measures. It encrypts all data passed between the customer's browser and the web server.
- Create Backups: Having a backup is paramount, as in the worst case all your data could be lost. A backup copies all of your website's settings, database and content so that they can be restored later. Either back up your store yourself or let your hosting company do it, as most hosting plans include weekly backup services.
- Using Cookies: Using cookies to store your visitors' information can help you identify fraudsters and stop subsequent malicious attempts. You can enable cookie usage and turn on the option called "Check the IP address on the cookie", which checks whether a visitor's IP address matches the IP recorded in their browser cookie. Bear in mind that visitors whose IP address changes mid-session (mobile networks, some proxies) will fail this check and lose their session.
- Front office security: This is a default PrestaShop feature that can be enabled in the Preferences section. It gives every customer session a unique URL, so that the customer's entered information is protected and cannot be reused from another browser or computer.
- Themes and Plugins: Always be cautious about the source of your installed themes and modules. Install only themes or modules approved and verified by PrestaShop's developers; those downloaded from unreliable sources may introduce malware into your system.
- Security Plugins: Installing a few security plugins can go a long way in improving your Prestashop store's protection. These are:
- Key Manager module – creates a unique key for every product purchased by a customer;
- Anti Fraud for orders module – a plugin which checks for fraudulent orders;
- No CAPTCHA reCAPTCHA module – adds a captcha to your store.
Watertight/Ultimate Prestashop Security Practices
- Change File Permissions: Ensure that you give correct permissions to your Prestashop hosting account's files and directories. The proper permissions are 644 (rw-r--r--) for files and 755 (rwxr-xr-x) for directories.
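An audit-and-fix script for that baseline, added here as an example rather than taken from the guide. It assumes the web server runs as the owner of the files (so 644/755 still lets it write to cache and image directories); the store path and sample tree are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit and fix file/directory
# permissions under a PrestaShop root against the 644/755 baseline above. It
# assumes the web server runs as the file owner, so 644/755 leaves the cache,
# img and upload directories writable by it. Paths below are constructed.
set -eu

# count_bad_perms <root>: number of regular files that are not 644 plus
# directories (the root included) that are not 755. 0 means the tree is clean.
count_bad_perms() {
    files=$(find "$1" -type f ! -perm 644 | wc -l)
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    echo $((files + dirs))
}

# fix_perms <root>: apply the baseline, touching only entries that deviate,
# so a re-run on a clean tree changes nothing.
fix_perms() {
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
}

# make_sample_store <dir>: constructed tree with two deliberate deviations, a
# world-writable settings file and a directory stricter than the baseline.
make_sample_store() {
    umask 022                                # new files 644, new dirs 755
    chmod 755 "$1"                           # mktemp -d creates it as 700
    mkdir -p "$1/config" "$1/img/p" "$1/modules"
    printf '<?php\n' > "$1/config/settings.inc.php"
    printf 'x' > "$1/img/p/1.jpg"
    chmod 666 "$1/config/settings.inc.php"   # too loose: any local user can edit it
    chmod 700 "$1/modules"                   # too strict: deviates from 755
}
```

Run count_bad_perms first and review the deviating paths before calling fix_perms, since a file that is unexpectedly world-writable or executable is itself worth investigating.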
- Disable Dangerous PHP Functions: PHP exposes some functions that a PrestaShop store does not really need and that can pose a security risk. It is therefore advised to disable them by putting the following rule in the php.ini file for your account (disable_functions takes effect only from php.ini or the PHP-FPM pool configuration, not from .htaccess or ini_set()): disable_functions = proc_open,phpinfo,
- Enable Security Tokens: Security tokens are another feature that improves Prestashop's security. Although they are enabled by default, it is highly recommended to keep them so. To verify, go to the Preferences tab of your store's admin panel and ensure that the option Increase Front Office security is set to Yes.
- Secure account details: In Prestashop, you can use ciphering to secure account details. Two ciphering algorithms exist in the back end of your PrestaShop: Rijndael with mcrypt and the custom BlowFish class. To change the algorithm, click on the admin panel's Preferences tab, navigate to the Performance sub-tab, and scroll down to the ciphering section. Note that the mcrypt extension is deprecated as of PHP 7.1 and removed from PHP 7.2, so the Rijndael option is only available on older PHP versions.
Malware Removal Steps
You may have adhered to the above precautions to ensure your PrestaShop's security, yet a malware attack still took place. In such cases, it is advised to immediately implement the following steps.
- Check for infection: First and foremost, check the location and date of the infection. You will need to log in to your FTP account and scan the directories. Malicious attacks usually start from one of the following places:
Once the malware is placed in the above locations, it is highly likely that the attacker has also put a backdoor on your server. Therefore it is essential to check the above folders for the presence of any files other than images or index.php.
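The two checks from this step, written as a script that is an added example and not part of the guide: listing anything in an image or upload folder that is neither an image nor index.php, and listing PHP files modified recently to date the intrusion against your last deployment. Directory and file names are constructed for illustration and are not a statement of where PrestaShop malware is actually found.

```shell
#!/bin/sh
# Added example (not from the original guide): two checks for the "Check for
# infection" step, run over a PrestaShop tree. (1) list anything in an image or
# upload directory that is neither an image nor index.php; (2) list PHP files
# changed in the last N days, to date the intrusion against your last deployment.
# Directory and file names below are constructed for illustration.
set -eu

# unexpected_in_upload_dir <dir>: files that do not belong in an image/upload
# folder. A PHP file here is a typical backdoor indicator, but anything that is
# not an image deserves a look. SVG is deliberately not allow-listed because it
# can embed script.
unexpected_in_upload_dir() {
    find "$1" -type f \
        ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.gif' \
        ! -iname '*.webp' ! -name 'index.php' | sort
}

# php_changed_since <root> <days>: PHP files modified within the last <days>
# days. Core and module files should only change when you deploy, so entries
# you cannot account for point to the time and place of the infection.
php_changed_since() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) -mtime "-$2" | sort
}

# make_sample_tree <dir>: constructed store skeleton with a clean image folder,
# an upload folder holding two stray files, and an old, untouched core file.
make_sample_tree() {
    mkdir -p "$1/img/p" "$1/upload" "$1/classes"
    printf 'GIF89a' > "$1/img/p/1.gif"
    printf '<?php\n' > "$1/img/p/index.php"        # the index.php the guide expects
    printf '%%PDF-' > "$1/upload/invoice.pdf"       # not an image: worth a look
    printf '<?php\n' > "$1/upload/x.php"            # placeholder for a dropped script
    printf '<?php\n' > "$1/classes/Tools.php"
    touch -t 202001010000 "$1/classes/Tools.php"    # unchanged since a 2020 deploy
}
```

Timestamps can be altered by an intruder, so treat the date check as a lead rather than proof and corroborate it against FTP and web server logs.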
- Restore a clean backup: It is good practice to keep regular backups of your server, so that if your website gets hacked you can restore the clean version and apply security patches. If you lack a backup, retrieve one from your hosting provider. Once you've restored a backup, update your theme to the latest version.
- Scan and clean site: If you lack a clean backup, you will need to scan your infected site and clean it of malicious code. Once a hacker has established a backdoor, or several of them (in case one is removed during a manual update), they can use it to regain access to your site. These backdoors can be added as new files on your server or as part of existing PrestaShop core files or modules. Hence, it is paramount to perform a full site scan and take the necessary measures to eliminate all backdoors.
- Alter access data: Before putting the cleaned site back into use, change all credentials on your website:
- MySQL database credentials
- FTP credentials
- hosting panel/cPanel credentials
- SSH credentials
- your back office users' credentials
Like every other store management system, PrestaShop too is vulnerable to various online threats. To thwart an attacker's attempts, it is advisable to follow the above precautions and ensure the safe functioning of your PrestaShop site.
Worried about your Prestashop store’s safety in light of recent online threats? Contact Astra for a comprehensive security scan of your site.