Table of Contents | ||||||
---|---|---|---|---|---|---|
|
System Administrator Guide
...
Once this is done, you will be ready to install PrestaShop, using our Getting Started guide: http://doc.prestashop.com/display/PS15/Getting+Started .
PHP configuration
Manipulating php.ini
...
In short, it is imperative to have the following directives set to the indicated values:
Code Block | ||
---|---|---|
| ||
extension = php_mysql.dll
extension = php_gd2.dll
allow_url_fopen = On
|
...
The magic_quotes
directive automatically escapes (or "adds antislashes", see http://php.net/manual/en/function.addslashes.php ) to all special character sequences (', ", \, NULL) for all environment variables (GET, POST, COOKIE, SERVER...). This option must be set to OFF because it will addslash each variable even if it does not need to be addslashed. Moreover, some Web applications overlook this option, so some variables could be addslashed twice, resulting in corrupted data.
...
In short, it is highly recommended to have the following directives set to the indicated values:
Code Block | ||
---|---|---|
| ||
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
|
...
MySQL often has an administrator account as default ("root", "admin"...), which gives access to all of the databases' content, no matter who the database is managed by. The administrator has all the rights, and can do every possible action. You therefore need to safekeep your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password, read http://en.wikipedia.org/wiki/SQL_injection).
Warning |
---|
If you just installed MySQL, do add a password for the root account, who has no password as default. |
...
Thus, if you have access to a master MySQL account that can create other users, here's how you could do it using the command line:
Code Block | ||
---|---|---|
| ||
mysql -u USERNAME -p PASSWORD
|
You could also use the following SQL query:
Code Block | ||
---|---|---|
| ||
mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';
|
...
We need to allow this user to use the 'prestashop' database, and configure his rights at the same time. Here is a template for the SQL query to do that:
Code Block | ||
---|---|---|
| ||
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
> ON 'prestashop'.* TO 'new_user'@'localhost';
mysql> FLUSH PRIVILEGES;
|
...
In order to better protect your PrestaShop install, we need to establish a basic authentication on the admin directory.
One of the aims of the .htaccess
file is to protect your folders and all its sub-folders (read http://en.wikipedia.org/wiki/Htaccess). It only works on Apache servers, and a few others. Make sure your web server is Apache before creating a .htaccess
file.
To achieve basic authentication on your admin folder, we need to add a .htaccess
file in that folder (for instance, /var/www/prestashop/admin
):
Code Block | ||
---|---|---|
| ||
AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes
|
...
Here is a sample content for the .prestashop_admin
file, with a login and a password:
Code Block | ||
---|---|---|
| ||
login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/
|
This file contains logins and hashed password who are allowed to access to the folder.
To hash password, you can follow this link: use .htpasswd file generation.generator: http://aspirine.org/htpasswd_en.html.
It is strongly recommended to put this file into a directory that is inaccessible to your web applications, so before the /openbase_dir
folder. It prevents .htpasswd
file injection, in case one of yours web applications is vulnerable.
It is also possible to perform IP and domain restrictions using your .htaccess
file:
Code Block | ||
---|---|---|
| ||
Order Allow, Deny
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1
|
However, you should not put this kind of directive:
Code Block | ||
---|---|---|
| ||
<LIMIT GET POST>
Require valid-user
</LIMIT>
|
...
- Secure your back-office
- Rename your
/admin
folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letter and number, such as "my4dm1n". - Protect your admin folder with the
.htaccess
and.htpasswd
files, or ask your web host to do it for you. - Do not let your browser keep traces of your password (cookie or any other helper).
- Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as PCToolsSymantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).
- Rename your
- Securing your PHP installation
- See the required and recommended PHP settings, at the beginning of this very guide.
- Always delete the
/install
folder after having installed or updated PrestaShop - Always delete useless files from production server:
- all
readme_xx.txt
files. - the
CHANGELOG
file. - the
/docs
folder.
- all
Forbid access to your theme's files/templates, using a
.htaccess
file with the following content:Code Block html language htmlnone <FilesMatch "\.tpl$"> order deny,allow deny from all </FilesMatch>
...
- Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
- Do not forget to put the
$smarty->force_compile
to "false" when in production mode, either via thesmarty.inc.php
file or the back-office. - Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator (http://eaccelerator.net/). Opcode means "operation code", and defines the compiled state of the dynamic files, which can processed faster.
If possible, split your static elements betweens different domains and sub-domains, in order to get parallel HTTP connexions. To put that in place, open the
/config/defines.inc.php
file and add these lines (adapted to your needs):Code Block html language htmlphp if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' ) { define( '_THEME_IMG_DIR_', 'http://img2.xxx.com/' ); define( '_THEME_CSS_DIR_', 'http://css.xxx.com/' ); define( '_THEME_JS_DIR_', 'http://js.xxx.com/' ); define( '_THEME_CAT_DIR_', 'http://img1.xxx.com/c/' ); define( '_THEME_PROD_DIR_', 'http://img1.xxx.com/p/' ); define( '_THEME_MANU_DIR_', 'http://img1.xxx.com/m/' ); define( '_PS_IMG_', 'http://img1.xxx.com/' ); define( '_PS_ADMIN_IMG_', 'http://img1.xxx.com/admin/' ); } else { define( '_THEME_IMG_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/img/' ); define( '_THEME_CSS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/css/' ); define( '_THEME_JS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/js/' ); define( '_THEME_CAT_DIR_', __PS_BASE_URI__ . 'img/c/' ); define( '_THEME_PROD_DIR_', __PS_BASE_URI__ . 'img/p/' ); define( '_THEME_MANU_DIR_', __PS_BASE_URI__ . 'img/m/' ); define( '_PS_IMG_', __PS_BASE_URI__ . 'img/' ); define( '_PS_ADMIN_IMG_', _PS_IMG_.'admin/' ); }
...
/admin
: contains all the PrestaShop files pertaining to the back-office. When accessing this folder with your browser, you will be asked to provide proper identification, for security reasons. Important: you should make sure to protect that folder with a.htaccess
or.htpasswd
file!/cache
: contains temporary folders that are generated and re-used in order to alleviate the server's load./classes
: contains all the files pertaining to PrestaShop's object model. Each file represents (and contains) a PHP class, and its methods/properties./config
: contains all of PrestaShop's configuration files. Unless asked to, you should never edit them, as they are directly handled by PrestaShop's installer and back-office./controllers
: contains all the files pertaining to PrestaShop controllers – as in Model-View-Controller (or MVC), the software architecture used by PrestaShop. Each file controls a specific part of PrestaShop./css
: contains all CSS files that are not attached to themes – hence, these are mostly used by the PrestaShop back-office./docs
: contains some documentation. Note: it should be deleted in a production environment./download
: contains your digital products, which can be downloaded: PDFs, MP3s, etc./img
: contains all of PrestaShop's default images, icons and picture files – that, those that do not belong to the theme. This is where you can find the pictures for product categories (/c
sub-folder, those for the products (/p
sub-folder) and those for the back-office itself (/admin
sub-folder}})./install
: contains all the files related to PrestaShop's installer. You will be required to delete it after installation, in order to increase security./js
: contains all JavaScript files that are not attached to themes. Most of them belong to the back-office. This is also where you will find the jQuery framework./localization
: contains all of PrestaShop's localization files – that is, files that contain local information, such as currency, language, tax rules and tax rules groups, states and the various units in use in the chosen country (i.e., volume in liter, weight in kilograms, etc.)./log
: contains the log files generated by PrestaShop at various stages, for instance during the installation process./mails
: contains all HTML and text files related to e-mails sent by PrestaShop. Each language has its specific folder, where you can manually edit their content if you wish./modules
: contains all of PrestaShop's modules, each in its own folder. If you wish to definitely remove a module, first uninstall it from the back-office, then only can you delete its folder./override
: this is a special folder that appeared with PrestaShop 1.4. By using PrestaShop's regular folder/filename convention, it is possible to create files that override PrestaShop's default classes or controllers. This enables you to change PrestaShop core behavior without touching to the original files, keeping them safe for the next update./pdf
: contains all the template files (.tpl
) pertaining to the PDF file generation (invoice, delivery slips, etc.). Change these files in orde to change the look of the PDF files that PrestaShop generates./themes
: contains all the currently-installed themes, each in its own folder./tools
: contains external tools that were integrated into PrestaShop. For instance, this were you'll find Smarty (template/theme engine), FPDF (PDF file generator), Swift (mail sender), PEAR XML Parser (PHP tool)./translations
: contains a sub-folder for each available language. However, if you wish to change the translation, you must do so using the PrestaShop internal tool, and not edit them directly in this folder./upload
: contains the files that would be uploaded by clients for customizable products (for instance, a picture that a client wants printed on a mug)./webservice
: contains files that enable third-party applications to access PrestaShop through its API.
...