Table of contents
Table of Contents | ||
---|---|---|
|
...
System Administrator Guide
...
Many of the advices in this guide require you to edit the php.ini
file, found in your server's PHP install folder (not in PrestaShop's folder).
Not all host hosts will allow you to edit or even access this file, so contact your host if you cannot access it.
...
In short, it is imperative to have the following directives set to the indicated values:
Code Block | ||||
---|---|---|---|---|
| ||||
extension = php_mysql.dll
extension = php_gd2.dll
allow_url_fopen = On
|
...
The Mcrypt provides PHP with a hardened security layer, enable which enables the use of more hashing and cryptography algorithm.
...
In short, it is highly recommended to have the following directives set to the indicated values:
Code Block | ||||
---|---|---|---|---|
| ||||
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
|
...
Thus, if you have access to a master MySQL account that can create other users, here's how you could do it using the command line:
Code Block | ||||
---|---|---|---|---|
| ||||
mysql -u USERNAME -p PASSWORD
|
You could also use the following SQL query:
Code Block | ||||
---|---|---|---|---|
| ||||
mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';
|
...
We need to allow this user to use the 'prestashop' database, and configure his rights at the same time. Here is a template for the SQL query to do that:
Code Block | ||||
---|---|---|---|---|
| ||||
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
> ON 'prestashop'.* TO 'new_user'@'localhost';
mysql> FLUSH PRIVILEGES;
|
...
To achieve basic authentication on your admin folder, we need to add a .htaccess
file in that folder (for instance, /var/www/prestashop/admin
):
Code Block | ||||
---|---|---|---|---|
| ||||
AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes
|
...
Here is a sample content for the .prestashop_admin
file, with a login and a password:
Code Block | ||||
---|---|---|---|---|
| ||||
login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/
|
...
It is also possible to perform IP and domain restrictions using your .htaccess
file:
Code Block | ||||
---|---|---|---|---|
| ||||
Order Allow, Deny
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1
|
However, you should not put this kind of directive:
Code Block | ||||
---|---|---|---|---|
| ||||
<LIMIT GET POST>
Require valid-user
</LIMIT>
|
...
- Secure your back-office
- Rename your
/admin
folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letter and number, such as "my4dm1n". - Protect your admin folder with the
.htaccess
and.htpasswd
files, or ask your web host to do it for you. - Do not let your browser keep traces of your password (cookie or any other helper).
- Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as PCTools's or GRC's.
- Rename your
- Securing your PHP installation
- See the required and recommended PHP settings, at the beginning of this very guide.
- Always delete the
/install
folder after having installed or updated PrestaShop - Always delete useless files from production server:
- all
readme_xx.txt
files. - the
CHANGELOG
file. - the
/docs
folder.
- all
Forbid access to your theme's files/templates, using a
.htaccess
file with the following content:Code Block html html <FilesMatch "\.tpl$"> order deny,allow deny from all </FilesMatch>
...
- Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
- Do not forget to put the
$smarty->force_compile
to "false" when in production mode, either via thesmarty.inc.php
file or the back-office. - Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator. Opcode means "operation code", and defines the compiled state of the dynamic files, which can be processed faster.
If possible, split your static elements betweens different domains and sub-domains, in order to get parallel HTTP connexions. To put that in place, open the
/config/defines.inc.php
file and add these lines (adapted to your needs):Code Block html html if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' ) { define( '_THEME_IMG_DIR_', 'http://img2.xxx.com/' ); define( '_THEME_CSS_DIR_', 'http://css.xxx.com/' ); define( '_THEME_JS_DIR_', 'http://js.xxx.com/' ); define( '_THEME_CAT_DIR_', 'http://img1.xxx.com/c/' ); define( '_THEME_PROD_DIR_', 'http://img1.xxx.com/p/' ); define( '_THEME_MANU_DIR_', 'http://img1.xxx.com/m/' ); define( '_PS_IMG_', 'http://img1.xxx.com/' ); define( '_PS_ADMIN_IMG_', 'http://img1.xxx.com/admin/' ); } else { define( '_THEME_IMG_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/img/' ); define( '_THEME_CSS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/css/' ); define( '_THEME_JS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/js/' ); define( '_THEME_CAT_DIR_', __PS_BASE_URI__ . 'img/c/' ); define( '_THEME_PROD_DIR_', __PS_BASE_URI__ . 'img/p/' ); define( '_THEME_MANU_DIR_', __PS_BASE_URI__ . 'img/m/' ); define( '_PS_IMG_', __PS_BASE_URI__ . 'img/' ); define( '_PS_ADMIN_IMG_', _PS_IMG_.'admin/' ); }
...
PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having the Safe Mode on enabled can render your payment modules useless.
Updates
Your applicationsapplication's PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website runs.
...
- Put your shop in maintenance mode, so as to not lose new customers or orders while moving the data.
Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "No". - Move your files
- Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
- Transfer your files to your new host: Connect to the FTP server for your new host, and copy all the files and folders that you just downloaded to your local hard-drive, as is.
- Move your data
- Make a backup of you database (a "dump"): connect to phpMyAdmin, click on the "Export" tab, select the database of your PrestaShop installation, and click the "Go" button. Save the downloaded file on your hard-drive. If phpMyAdmin times out before it is able to export all your data, contact your host.
- Transfer the SQL dump to the new database: connect to the new server's phpMyAdmin, click on the "Import" tab, click the "Browse..." button, find the SQL file you just downloaded, and click the "Go" button to upload it. If phpMyAdmin times out before it is able to import all your data, contact your new host.
- Configuration
- On the new server, open the
/config/settings.inc.php
file and update the settings for the new database server (with your own settings instead of the examples here):define('_DB_SERVER_', 'sql.domainname.com');
define('_DB_NAME_', 'prestashop');
define('_DB_USER_', 'PS-user');
define('_DB_PASSWD_', 'djsf15');
define('_DB_PREFIX_', 'ps_');
- (1.4 and earlier) In that same file, update the Base URI setting ('/' being the server root):
define('__PS_BASE_URI__', '/prestashop/');
- Log in to your Back Office, go to the "Preferences" tab, select the "SEO & URLs" sub-tab, and change the domain name to your new domain. Do the same for the SSL domain.
In effect, this will update the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table. - In your back-office, go to the "Tools" tab, "Generators" sub-tab, and regenerate both the
.htaccess
androbots.txt
files.
- On the new server, open the
- Connect to your new FTP server and delete everything except the
index.php
files in the following folders:/tools/smarty/cache
/tools/smarty/compile
/tools/smarty_v2/cache
/tools/smarty_v2/compile
- Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "Yes".
...
- Put your shop in maintenance mode, so as to not lose new customers or orders will moving the data.
Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "No". - Move your files
- Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
- Transfer your files to your new host: Connect to the FTP server for your new host, and copy all the files and folders that you just downloaded to your local hard-drive, as is.
- Configuration
- On the new server, open the
/config/settings.inc.php
file and update the settings for the new database server (with your own settings instead of the examples here):define('_DB_SERVER_', 'sql.domainname.com');
define('_DB_NAME_', 'prestashop');
define('_DB_USER_', 'PS-user');
define('_DB_PASSWD_', 'djsf15');
define('_DB_PREFIX_', 'ps_');
- (1.4 and earlier) In that same file, update the Base URI setting ('
/
' being the server root):define('__PS_BASE_URI__', '/prestashop/');
- Log in to your Back Office, go to the "Preferences" tab, select the "SEO & URLs" sub-tab, and change the domain name to your new domain. Do the same for the SSL domain.
In effect, this will update the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table. - In your back-office, go to the "Tools" tab, "Generators" sub-tab, and regenerate both the
.htaccess
androbots.txt
files.
- On the new server, open the
- Connect to your new FTP server and delete everything except the index.php files in the following folders:
/tools/smarty/cache
/tools/smarty/compile
/tools/smarty_v2/cache
/tools/smarty_v2/compile
- Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "Yes".
...