...
You can now install PrestaShop safely.
Setting up basic authentication (.htaccess)
To better protect your PrestaShop installation, we need to set up basic authentication on the admin directory.
One purpose of a .htaccess file is to protect a folder and all of its sub-folders (read http://en.wikipedia.org/wiki/Htaccess). It only works on Apache servers, and on a few other servers that understand Apache's configuration format. Make sure your web server is Apache before creating a .htaccess file.
To set up basic authentication on your admin folder, add a .htaccess file in that folder (for instance, /var/www/prestashop/admin) with the following content:

AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes

Explanation:
- AuthUserFile: the path to the file containing the allowed users and their hashed passwords. .prestashop_admin is a plain text file.
- AuthName: the message shown in the authentication prompt.
- AuthType: the authentication type.
- Require: requires users to log in in order to access the content. valid-user lets any user listed in the password file log in and access the folder.
- Options: the folder's options. -Indexes disables the automatic directory listing that Apache would otherwise generate when no index file is available.
Here is a sample content for the .prestashop_admin file, with two logins and their hashed passwords:

login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/

This file contains the logins and hashed passwords of the users allowed to access the folder.
To hash a password, you can use a .htpasswd file generator, such as http://aspirine.org/htpasswd_en.html.
It is strongly recommended to put this file in a directory that is inaccessible to your web applications, i.e. above the /openbase_dir folder. This prevents .htpasswd file injection in case one of your web applications is vulnerable.
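As an added example (not part of the PrestaShop documentation), here is a small Python audit of a .htpasswd file: it parses the user:hash lines, names the hashing scheme from the prefix of the password field, and lists the users whose entries should be regenerated. The $apr1$ prefix in the sample above is Apache's MD5-based scheme; Apache's own htpasswd tool, run locally with -B, produces bcrypt entries without sending the password to a third-party web form. The scheme names, the acceptable flag and the function names are this example's own conventions, and the third sample entry is a constructed placeholder of the right shape, not a real bcrypt hash.

```python
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    user: str
    scheme: str
    acceptable: bool


def classify_hash(field: str) -> Tuple[str, bool]:
    """Name the scheme of one .htpasswd password field and say whether it is
    acceptable for a new deployment (this example's own judgement)."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", True        # htpasswd -B: salted and deliberately slow
    if field.startswith("$apr1$"):
        return "apr1-md5", False     # Apache MD5 variant, as in the sample above;
                                     # much cheaper to brute-force than bcrypt
    if field.startswith("{SHA}"):
        return "sha1", False         # unsalted SHA-1 (htpasswd -s)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt", False        # traditional crypt(3): only 8 password chars count
    return "plaintext-or-unknown", False


def audit_htpasswd(text: str) -> List[Entry]:
    """Parse 'user:hash' lines, rejecting malformed lines and duplicate users."""
    entries: List[Entry] = []
    seen = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {n}: expected 'user:hash'")
        user, field = line.split(":", 1)
        if not user or user in seen:
            raise ValueError(f"line {n}: empty or duplicate user {user!r}")
        seen.add(user)
        scheme, ok = classify_hash(field)
        entries.append(Entry(user, scheme, ok))
    return entries


def users_to_rehash(text: str) -> List[str]:
    """Users whose entries should be regenerated with a stronger scheme."""
    return [e.user for e in audit_htpasswd(text) if not e.acceptable]


# Constructed sample: the two entries from the page plus one bcrypt-shaped entry.
# The bcrypt string is a placeholder of the right length, not a real hash.
SAMPLE = """\
login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/
login3:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

if __name__ == "__main__":
    for e in audit_htpasswd(SAMPLE):
        print(f"{e.user:8} {e.scheme:22} {'ok' if e.acceptable else 'rehash'}")
```

Run it against your real password file (read the file and pass its text to users_to_rehash) after moving the file outside the web tree; any user it lists can be re-added with htpasswd -B, which overwrites that user's line in place.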
It is also possible to restrict access by IP address and domain name using your .htaccess file:

# Deny everyone by default, then allow only the listed hosts (Apache 2.2 syntax;
# Apache 2.4 expresses the same with "Require ip" / "Require host").
# The two keywords of Order are separated by a comma with no space. With
# "Order Allow,Deny" the "Deny from all" line would reject every client,
# Allow entries included, so a whitelist needs "Order Deny,Allow".
Order Deny,Allow
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1

However, do not wrap the Require directive in a <Limit> block like this one: <Limit> applies only to the HTTP methods it lists, so a request using any other method would reach the folder without authenticating.

<LIMIT GET POST>
Require valid-user
</LIMIT>

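The points raised for the admin .htaccess and the two snippets above (Require kept outside any <Limit> block, an Order directive that is both spelled and ordered correctly, the password file kept out of the web root, Options -Indexes present) can be checked mechanically. The following Python linter is an added example, not part of the PrestaShop documentation; its function name, finding texts and the optional docroot parameter are its own. The sample inputs are constructed from the page's directives plus a deliberately wrong whitelist (Order Allow, Deny combined with Deny from all), so the output shows what each pitfall looks like when caught.

```python
import os
import re
from typing import List, Optional


def lint_htaccess(text: str, docroot: Optional[str] = None) -> List[str]:
    """Return findings for the .htaccess pitfalls discussed above.

    An empty list means none of the checked pitfalls was found, not that the
    file is otherwise correct. docroot is the web root the password file must
    stay out of; when omitted that check is skipped.
    """
    findings: List[str] = []
    docroot = os.path.abspath(docroot) if docroot else None
    directives = [d.strip() for d in text.splitlines()]
    directives = [d for d in directives if d and not d.startswith("#")]
    lower = [d.lower() for d in directives]

    # Pitfall 1: Require inside <Limit GET POST>. Only the listed methods are
    # authenticated; a request using any other method skips the check.
    depth = 0
    for d in lower:
        if d.startswith("<limit "):
            depth += 1
        elif d.startswith("</limit"):
            depth -= 1
        elif depth > 0 and d.startswith("require"):
            findings.append("Require is inside <Limit>: methods not listed there bypass "
                            "authentication; put Require at the top level instead")

    # Pitfall 2: Order syntax (no whitespace between the keywords) and the
    # Order/Deny/Allow combination that denies everybody.
    order = next((d for d in lower if d.startswith("order")), None)
    if order is not None:
        strict = re.fullmatch(r"order\s+(allow|deny),(allow|deny)", order)
        loose = re.fullmatch(r"order\s+(allow|deny)\s*,\s*(allow|deny)", order)
        if strict is None:
            findings.append(f"malformed Order directive {order!r}: Apache expects "
                            "'Allow,Deny' or 'Deny,Allow' with no whitespace between them")
        if loose is not None:
            deny_all = any(d.startswith("deny from all") for d in lower)
            has_allow = any(d.startswith("allow from") for d in lower)
            if loose.groups() == ("allow", "deny") and deny_all and has_allow:
                findings.append("Order Allow,Deny with 'Deny from all' denies every client, "
                                "Allow entries included; a whitelist needs 'Order Deny,Allow'")

    # Pitfall 3: the password file must live outside the document root.
    for d in directives:
        if d.lower().startswith("authuserfile"):
            path = os.path.abspath(d.split(None, 1)[1].strip('"'))
            if docroot and os.path.commonpath([path, docroot]) == docroot:
                findings.append(f"AuthUserFile {path} is under the document root {docroot}; "
                                "move it outside the web tree")

    # Pitfall 4: directory listing still enabled.
    if not any(d.startswith("options") and "-indexes" in d.split() for d in lower):
        findings.append("no 'Options -Indexes': a folder without an index file would be listed")
    return findings


# Constructed samples: the admin .htaccess from this page, a wrong whitelist
# (stray space after the comma, and Allow,Deny combined with Deny from all),
# and the <Limit> snippet the page warns against.
ADMIN_HTACCESS = """\
AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes
"""
WRONG_WHITELIST = """\
Order Allow, Deny
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1
"""
LIMIT_SNIPPET = """\
<LIMIT GET POST>
Require valid-user
</LIMIT>
"""

if __name__ == "__main__":
    for name, body in [("admin", ADMIN_HTACCESS), ("whitelist", WRONG_WHITELIST),
                       ("limit", LIMIT_SNIPPET)]:
        print(name, lint_htaccess(body, "/var/www/prestashop") or ["no findings"])
```

The linter only sees the one file it is given, so a Require placed in a parent directory's configuration or in httpd.conf is out of its scope; it is a quick check on the snippets you are about to deploy, not a substitute for testing the protected URL with each HTTP method.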
Making your PrestaShop installation more secure
The recommendations below are sorted in order of importance:
- Secure your back office
  - Rename your /admin folder after the PrestaShop installation. This is a must: you actually cannot access your PrestaShop administration until you have made that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
  - Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
  - Do not let your browser keep traces of your password (cookie or any other helper).
  - Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).
    Tip: Safer than a password: you can use a passphrase. Not only is a passphrase easier to remember, but it is also much harder to crack, even when the hacker is using automatic tools (brute force attack or dictionary attack).
    A passphrase only needs to be long and easy for you to remember. Any popular saying should do ("Don’t Throw the Baby Out with the Bathwater"), but an absurd phrase has even less risk of being discovered by a hacker. For instance, "Many reckless drivers confuse tractor with record sleeves".
    There are some good passphrase generators online, which help you get a unique phrase for you only. For instance: http://passphra.se/ or http://www.fourmilab.ch/javascrypt/pass_phrase.html.
  - PrestaShop's passwords are not limited in either number of characters or types of characters.
- Securing your PHP installation
  - See the required and recommended PHP settings, at the beginning of this guide.
  - Always delete the /install folder after having installed or updated PrestaShop.
  - Always delete useless files from the production server:
    - All readme_xx.txt files.
    - The CHANGELOG file.
    - The /docs folder.
  - Forbid access to your theme's files/templates, using a .htaccess file with the following content:
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
Updates
Your applications' PHP code is the most exposed path into your server. It is therefore strongly recommended to always keep your server's applications up to date: PHP, MySQL, Apache and any other application on which your website runs.
Security
Read this dedicated page, full of easy-to-apply advice.
Fine-tuning & performance
...