...

You can now install PrestaShop safely.

Setting up basic authentication (.htaccess)

To better protect your PrestaShop installation, set up HTTP basic authentication on the admin directory.

One of the purposes of a .htaccess file is to protect a folder and all of its sub-folders (see http://en.wikipedia.org/wiki/Htaccess). It only works on Apache and a few other web servers, so make sure your web server is Apache before creating a .htaccess file. Apache must also be configured to read .htaccess files in that directory (the AllowOverride directive); otherwise the file has no effect and the folder stays unprotected.

To set up basic authentication on your admin folder, add a .htaccess file to that folder (for instance, /var/www/prestashop/admin):

AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes

Explanation:

  • AuthUserFile: Gives the path to the file containing the allowed users and their hashed passwords. .prestashop_admin is a plain text file.
  • AuthName: Defines the message shown in the authentication prompt (the "realm").
  • AuthType: Defines the authentication type. Basic sends the credentials base64-encoded, not encrypted, so it should only be used over HTTPS.
  • Require: Requires users to log in in order to access the content. valid-user allows any user listed in the password file to log in.
  • Options: Defines the folder's options. -Indexes disables the automatic directory listing that would otherwise be generated when no index file is present.

Here is a sample content for the .prestashop_admin file, with a login and a password:

login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/

This file lists the logins and hashed passwords of the users allowed to access the folder.
To hash a password, you can use a .htpasswd file generator: http://aspirine.org/htpasswd_en.html.
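As an added example (not part of the PrestaShop documentation), the script below shows what such a password file actually contains: it re-implements in Python the APR1-MD5 algorithm behind the $apr1$ entries above, parses a .htpasswd-style file, verifies a password against an entry with a constant-time comparison, and creates a new entry with a random salt. The two sample lines are the ones shown above; the login3 entry, the function names and the test password are this example's own.

```python
import hashlib
import secrets

# Alphabet used by the APR1 encoding (same as crypt(3)'s itoa64)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

# The two sample entries from the page above (login1 / login2)
SAMPLE_HTPASSWD = """\
login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/
"""


def apr1_md5(password: str, salt: str) -> str:
    """Compute an Apache APR1-MD5 hash in the "$apr1$salt$hash" format
    produced by 'htpasswd -m' (the format of the sample file)."""
    pw = password.encode("utf-8")
    sp = salt.encode("ascii")[:8]          # APR1 salts are at most 8 characters

    # MD5(pw + "$apr1$" + salt), then fold in len(pw) bytes of MD5(pw + salt + pw)
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds mixing password, salt and the previous digest
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sp)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    def to64(value: int, count: int) -> bytes:
        out = bytearray()
        for _ in range(count):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
        return bytes(out)

    f = final
    encoded = (
        to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + to64(f[11], 2)
    )
    return (MAGIC + sp + b"$" + encoded).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Map login -> stored hash; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, _, stored = line.partition(":")
        users[login] = stored
    return users


def verify_password(stored: str, password: str) -> bool:
    """Check a password against a "$apr1$salt$hash" entry (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                       # other htpasswd formats are not handled here
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)


def make_entry(login: str, password: str) -> str:
    """Build a new htpasswd line with a random 8-character salt."""
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    return f"{login}:{apr1_md5(password, salt)}"


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print("known logins:", ", ".join(users))
    entry = make_entry("login3", "example-only-passphrase")   # constructed test credential
    print("new entry:", entry)
    print("verifies:", verify_password(entry.split(":", 1)[1], "example-only-passphrase"))
```

Generating the hash locally, with this script or with the htpasswd tool shipped with Apache (htpasswd -m produces the same $apr1$ format), avoids sending the admin password to a third-party web site. APR1-MD5 is iterated but still fast to compute; recent Apache versions can also produce bcrypt entries (htpasswd -B), which are slower to brute-force. Whatever the format, keep the file readable only by the web server user.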

It is strongly recommended to put this file in a directory that your web applications cannot reach, i.e. outside the document root and outside any open_basedir path. This prevents an attacker from injecting or replacing the .htpasswd file if one of your web applications is vulnerable.

It is also possible to restrict access by IP address or domain name using your .htaccess file:

Order Deny,Allow
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1

However, you should not use this kind of directive, because <Limit> applies the requirement only to the listed HTTP methods and leaves every other method unauthenticated:

<LIMIT GET POST>
Require valid-user
</LIMIT>
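The two snippets above are easy to get subtly wrong, so here is an added example (this editor's code, not PrestaShop's) that models how Apache evaluates them. The HostAccess class reproduces the Order / Deny from / Allow from rules of Apache 2.2 (mod_access_compat in 2.4): with "Deny from all" plus Allow lines, only Order Deny,Allow lets the listed hosts in, while the reverse order denies everyone, and a space inside the argument ("Allow, Deny") is rejected outright. The auth_required function shows why <Limit GET POST> is a bad idea: any other method is served without authentication. Client addresses and host names are constructed samples; the host name is assumed to be already resolved and verified, as Apache does with a double reverse lookup.

```python
import ipaddress
from typing import Dict, List, Optional


class HostAccess:
    """Models how Apache 2.2 (mod_access_compat in 2.4) evaluates
    'Order' together with 'Deny from' and 'Allow from' patterns."""

    def __init__(self, order: str, deny: List[str], allow: List[str]) -> None:
        # Apache takes exactly one argument here: "Allow, Deny" (with a space)
        # is two arguments and is rejected at startup.
        if order.lower() not in ("deny,allow", "allow,deny"):
            raise ValueError(f"invalid Order directive: {order!r}")
        self.order = order.lower()
        self.deny = deny
        self.allow = allow

    @staticmethod
    def _matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
        p = pattern.lower()
        if p == "all":
            return True
        addr = ipaddress.ip_address(ip)
        if "/" in p:                                   # CIDR or netmask form
            return addr in ipaddress.ip_network(p, strict=False)
        if p.startswith("."):                          # domain suffix, e.g. .myprestashop.com
            return hostname is not None and hostname.lower().endswith(p)
        try:                                           # full IPv4/IPv6 address
            return addr == ipaddress.ip_address(p)
        except ValueError:
            pass
        if p.replace(".", "").isdigit():               # partial IPv4, e.g. "10.1"
            return (ip + ".").startswith(p.rstrip(".") + ".")
        return hostname is not None and hostname.lower() == p   # exact host name

    def allowed(self, ip: str, hostname: Optional[str] = None) -> bool:
        denied = any(self._matches(p, ip, hostname) for p in self.deny)
        permitted = any(self._matches(p, ip, hostname) for p in self.allow)
        if self.order == "deny,allow":
            # Deny is evaluated first, Allow last; unmatched clients are allowed
            return permitted or not denied
        # allow,deny: Allow first, Deny last; unmatched clients are denied
        return permitted and not denied


def auth_required(limit_methods: Optional[List[str]], method: str) -> bool:
    """Does 'Require valid-user' apply to this request?  None models the
    directive written directly in .htaccess (it then covers every method);
    a list models the same directive wrapped in <Limit ...>."""
    if limit_methods is None:
        return True
    m = "GET" if method.upper() == "HEAD" else method.upper()   # <Limit GET> also covers HEAD
    return m in {x.upper() for x in limit_methods}


def demo() -> Dict[str, bool]:
    patterns = dict(deny=["all"], allow=[".myprestashop.com", "127.0.0.1"])
    wrong = HostAccess("Allow,Deny", **patterns)
    right = HostAccess("Deny,Allow", **patterns)
    # Constructed client samples: loopback, a stranger, a host in the shop's domain
    return {
        "allow_deny_localhost": wrong.allowed("127.0.0.1"),                       # False: Deny from all wins
        "deny_allow_localhost": right.allowed("127.0.0.1"),                       # True
        "deny_allow_stranger": right.allowed("203.0.113.7", "host.example.net"),  # False
        "deny_allow_shop_host": right.allowed("203.0.113.8", "office.myprestashop.com"),  # True
        "limit_get_post_delete": auth_required(["GET", "POST"], "DELETE"),        # False: no login asked
        "limit_get_post_head": auth_required(["GET", "POST"], "HEAD"),            # True
        "unlimited_delete": auth_required(None, "DELETE"),                        # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Note that domain-suffix patterns only work when Apache can reverse-resolve the client address (HostnameLookups), which adds a DNS lookup to every request; IP-based patterns are cheaper and harder to spoof.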

Making your PrestaShop install more secure

The recommendations below are sorted by order of importance:

  1. Secure your back office
    1. Rename your /admin folder after the PrestaShop installation. This is a must: you cannot access your PrestaShop administration until you have made that change. Pick a truly unique name, ideally a mix of letters and numbers, such as "my4dm1n".
    2. Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser store your password (cookies or any other helper).
    4. Pick a complex password, mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).

      Tip

      Safer than a password: you can use a passphrase. Not only is a passphrase easier to remember, it is also much harder to crack, even when the attacker is using automated tools (brute-force or dictionary attacks).

      A passphrase only needs to be long and easy for you to remember. Any popular saying should do ("Don’t Throw the Baby Out with the Bathwater"), but an absurd phrase is even less likely to be guessed by an attacker. For instance, "Many reckless drivers confuse tractor with record sleeves".

      There are some good passphrase generators online, which help you get a phrase that is unique to you. For instance: http://passphra.se/ or http://www.fourmilab.ch/javascrypt/pass_phrase.html.

      PrestaShop's passwords are not limited in either number of characters or types of characters.

  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this very guide.
  3. Always delete the /install folder after installing or updating PrestaShop.
  4. Always delete unnecessary files from the production server:
    1. All readme_xx.txt files.
    2. The CHANGELOG file.
    3. The /docs folder.
  5. Forbid access to your theme's template files, using a .htaccess file with the following content:

    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
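As an added example that is not part of the PrestaShop documentation, the script below turns steps 1.1, 3, 4 and 5 of this checklist into a repeatable audit: it reports a leftover /install, /docs, CHANGELOG or readme_xx.txt, an admin folder that was never renamed, and a web-root .htaccess that lacks the .tpl FilesMatch rule. To stay runnable offline it builds two constructed directory trees in a temporary folder (a fresh install and a hardened one) rather than reading a real shop; the file layout, the .htaccess location at the web root and the "my4dm1n" folder name are this example's assumptions.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Leftovers the checklist says to remove from a production server
LEFTOVER_PATHS = ("install", "docs", "CHANGELOG")
README_RE = re.compile(r"^readme_[a-z]{2}\.txt$", re.IGNORECASE)
# The FilesMatch rule from the checklist, as it appears in .htaccess
TPL_RULE_RE = re.compile(r'<FilesMatch\s+"\\\.tpl\$">', re.IGNORECASE)


def audit_install(root: str) -> List[str]:
    """Return the checklist items still open for the PrestaShop tree at root."""
    findings = []
    for name in LEFTOVER_PATHS:
        if os.path.exists(os.path.join(root, name)):
            findings.append(f"delete leftover '{name}'")
    for name in sorted(os.listdir(root)):
        if README_RE.match(name):
            findings.append(f"delete leftover '{name}'")
    if os.path.isdir(os.path.join(root, "admin")):
        findings.append("rename the 'admin' folder")
    try:
        with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
            if not TPL_RULE_RE.search(fh.read()):
                findings.append(".htaccess does not deny access to *.tpl files")
    except FileNotFoundError:
        findings.append("no .htaccess at the web root")
    return findings


def build_sample(root: str, hardened: bool) -> str:
    """Create a constructed, PrestaShop-shaped directory tree for the demo
    (not a real installation)."""
    os.makedirs(root, exist_ok=True)
    if hardened:
        os.makedirs(os.path.join(root, "my4dm1n"))   # admin folder renamed as the page suggests
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write('<FilesMatch "\\.tpl$">\norder deny,allow\ndeny from all\n</FilesMatch>\n')
    else:
        for name in ("admin", "install", "docs"):
            os.makedirs(os.path.join(root, name))
        for name in ("CHANGELOG", "readme_en.txt", "readme_fr.txt"):
            open(os.path.join(root, name), "w", encoding="utf-8").close()
    return root


def demo() -> Tuple[List[str], List[str]]:
    """Audit a fresh (unhardened) tree and a hardened one built in a temp dir."""
    base = tempfile.mkdtemp(prefix="ps_audit_")
    fresh = build_sample(os.path.join(base, "fresh"), hardened=False)
    hardened = build_sample(os.path.join(base, "hardened"), hardened=True)
    return audit_install(fresh), audit_install(hardened)


if __name__ == "__main__":
    fresh_findings, hardened_findings = demo()
    print("fresh install:", *fresh_findings, sep="\n  ")
    print("hardened install:", hardened_findings or "nothing to report")
```

To audit a real shop, call audit_install with the path of its web root; an empty list means every item on this part of the checklist has been done.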
    

Updates

Your applications' PHP code is the only vulnerable path into your server. It is therefore strongly recommended to always keep your server's software up to date: PHP, MySQL, Apache and any other application your website runs on.

Security

Read this dedicated page, full of easy-to-apply advice.

Fine-tuning & performances

...