...
- GZIP support.
- Mcrypt library.
- register_globals disabled.
- magic_quotes disabled.
- allow_url_include disabled.
- Safe mode disabled.
Having GZip support enables the web server to compress web pages, images and scripts before sending them to the browser. This makes navigating the shop faster, and therefore a more agreeable experience.
...
The allow_url_include directive allows any file to be included via the require and include statements, even if it does not come from your web server. This option must be set to Off, because if one application on your web server suffers from an "include vulnerability", users will be able to include any file from any server, and it will be executed on your own server.
PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having the Safe Mode enabled can render your payment modules useless.
In short, it is highly recommended to have the following directives set to the indicated values:
```ini
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
safe_mode = Off
safe_mode_gid = Off
```
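As an added check that is not part of the original guide or of PrestaShop itself, the following script (hypothetical name check_php_config.php) audits the effective PHP configuration against the directives and extensions listed above. It uses only standard PHP functions and treats a directive that this PHP build no longer knows (ini_get() returns false) as disabled.

```php
<?php
// Added example, not PrestaShop code: audit the effective PHP configuration
// against the directives and extensions recommended in this guide.
// Hypothetical file name: check_php_config.php.

// Directives the guide wants Off. Recent PHP releases have removed several of
// them entirely; ini_get() then returns false, which counts as Off.
$mustBeOff = ['register_globals', 'magic_quotes_gpc', 'allow_url_include', 'safe_mode', 'safe_mode_gid'];

// Values PHP accepts as "disabled" for a boolean directive.
function isOff($value): bool
{
    if ($value === false || $value === null) {
        return true; // directive unknown to this PHP build: nothing to enable
    }
    return in_array(strtolower(trim((string) $value)), ['', '0', 'off', 'false', 'no'], true);
}

$problems = [];
foreach ($mustBeOff as $directive) {
    $value = ini_get($directive);
    if (!isOff($value)) {
        $problems[] = sprintf('%s is On (effective value: "%s")', $directive, $value);
    }
}

// Extensions the guide lists: GZip support comes from zlib, Mcrypt from the mcrypt extension.
foreach (['zlib' => 'GZIP support', 'mcrypt' => 'Mcrypt library'] as $ext => $label) {
    if (!extension_loaded($ext)) {
        $problems[] = sprintf('%s missing (extension "%s" not loaded)', $label, $ext);
    }
}

if ($problems === []) {
    echo "PHP configuration matches the recommendations.\n";
    exit(0);
}
echo "Findings:\n";
foreach ($problems as $problem) {
    echo " - $problem\n";
}
exit(1);
```

The CLI and the web server SAPI often read different php.ini files, so run it once through the web server to see the values the shop actually gets, then remove it, since it discloses configuration details.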
MySQL configuration
MySQL often has a default administrator account ("root", "admin"...) which gives access to the content of all databases, no matter who manages them. The administrator has all the rights, and can perform every possible action. You therefore need to safeguard your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password; read http://en.wikipedia.org/wiki/SQL_injection).
...
Secure your back-office
- Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
- Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
- Do not let your browser keep traces of your password (cookie or any other helper).
- Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).
Securing your PHP installation
- See the required and recommended PHP settings, at the beginning of this very guide.
- Always delete the /install folder after having installed or updated PrestaShop.
- Always delete useless files from the production server:
  - all readme_xx.txt files.
  - the CHANGELOG file.
  - the /docs folder.
- Forbid access to your theme's files/templates, using a .htaccess file with the following content:

```
<FilesMatch "\.tpl$">
order deny,allow
deny from all
</FilesMatch>
```
Updates
Your applications' PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website runs.
Fine-tuning & performance
...
- Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
- Do not forget to set $smarty->force_compile to "false" when in production mode, either via the smarty.inc.php file or the back-office.
- Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator (http://eaccelerator.net/). Opcode means "operation code", and refers to the compiled state of the dynamic files, which can be processed faster.
If possible, split your static elements between different domains and sub-domains, in order to get parallel HTTP connections. To put that in place, open the /config/defines.inc.php file and add these lines (adapted to your needs):

```php
if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' ) {
    define( '_THEME_IMG_DIR_', 'http://img2.xxx.com/' );
    define( '_THEME_CSS_DIR_', 'http://css.xxx.com/' );
    define( '_THEME_JS_DIR_', 'http://js.xxx.com/' );
    define( '_THEME_CAT_DIR_', 'http://img1.xxx.com/c/' );
    define( '_THEME_PROD_DIR_', 'http://img1.xxx.com/p/' );
    define( '_THEME_MANU_DIR_', 'http://img1.xxx.com/m/' );
    define( '_PS_IMG_', 'http://img1.xxx.com/' );
    define( '_PS_ADMIN_IMG_', 'http://img1.xxx.com/admin/' );
} else {
    define( '_THEME_IMG_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/img/' );
    define( '_THEME_CSS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/css/' );
    define( '_THEME_JS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/js/' );
    define( '_THEME_CAT_DIR_', __PS_BASE_URI__ . 'img/c/' );
    define( '_THEME_PROD_DIR_', __PS_BASE_URI__ . 'img/p/' );
    define( '_THEME_MANU_DIR_', __PS_BASE_URI__ . 'img/m/' );
    define( '_PS_IMG_', __PS_BASE_URI__ . 'img/' );
    define( '_PS_ADMIN_IMG_', _PS_IMG_ . 'admin/' );
}
```
Other recommendations
Nginx friendly URLs
Most of the server instructions in this page pertain to the Apache web server. But some of you might prefer to rely on the Nginx web server. PrestaShop works well with Nginx, but is not able to generate the correct redirection rules for its Friendly URLs.
...