Installing & Securing PrestaShop – A Step-by-Step Guide
PrestaShop is a powerful, open-source e-commerce platform that empowers countless online stores globally. Its intuitive interface and extensive feature set make it a popular choice for entrepreneurs looking to establish a robust online presence. However, the very nature of e-commerce, involving sensitive customer data and financial transactions, makes security paramount. Neglecting security can lead to devastating consequences, including data breaches, financial losses, and irreparable damage to your brand’s reputation.
This comprehensive guide provides a detailed, step-by-step approach to installing PrestaShop and implementing essential security measures. By following these instructions, you’ll create a secure and reliable platform ready to handle real-world transactions and protect your customers’ information. Installing & Securing PrestaShop is crucial for long-term success.
By the end of this guide, you’ll have a PrestaShop store installed and ready-to-use securely for handling real orders.
Server Requirements
Before diving into the installation process, it’s crucial to ensure your web server meets PrestaShop’s minimum requirements. These requirements guarantee optimal performance and compatibility.
- System: Unix, Linux or Windows.
- Web Server: Apache 2.2 or later, or Nginx 1.0 or later.
- PHP: 7.2 or later (ideally 7.4 or 8.0 for security and performance).
- MySQL: 5.6 or later, or MariaDB.
- Memory: At least 128MB of RAM (256MB or more recommended).
- Disk Space: At least 10GB.
Additionally, some PrestaShop modules may have higher technical requirements. Check module documentation for specifics.
Meeting these requirements ensures your store runs smoothly without technical issues.
First, let’s get the PrestaShop files on your server:
- Download the latest PrestaShop package from the official PrestaShop website.
- Upload the downloaded ZIP file to your web server, typically to the public_html or www directory.
- Extract the contents of the ZIP file.
$ chmod 755 -R /var/www/html/prestashop
This covers downloading and placing PrestaShop files for installation.
Database Setup
PrestaShop relies on a MySQL or MariaDB database to store all store-related data, including product information, customer details, and order history.
Set up a new database and user specifically for PrestaShop:
- Access your MySQL or MariaDB server using a client like phpMyAdmin or the command line.
- Create a new database for PrestaShop.
CREATE DATABASE prestashop;
- Create a new user with specific privileges for accessing the database.
CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'DBp4ssw0rd';
- Grant the user all necessary privileges on the PrestaShop database.
GRANT ALL PRIVILEGES ON prestashop.* TO 'prestashopuser'@'localhost';
This preps a database that PrestaShop will use.
Make note of the database name, user credentials, and other details like hostname – as they will be required during PrestaShop installation.
With files downloaded and database ready, let’s proceed with the actual PrestaShop installation.
PrestaShop Installation
The PrestaShop installer takes you step-by-step through the quick installation process:
- Open your web browser and navigate to the directory where you extracted the PrestaShop files (e.g., http://yourdomain.com/prestashop).
- The PrestaShop installer will automatically launch. Follow the on-screen instructions, selecting your preferred language, agreeing to the license terms, and verifying system compatibility.
- Enter the database connection details (database name, username, password, and hostname) that you created in the previous step.
- Configure your store settings, including store name, country, and default language.
- Create an administrator account by providing your email address and a strong password.
- The installer will then proceed to install PrestaShop, creating the necessary database tables and configuring the core files.
- Once the installation is complete, you’ll be prompted to remove the "install" folder for security reasons.
With the setup completed, let’s access the admin panel for first-time tasks.
Admin Account Setup
Once installed, access the PrestaShop admin panel:
http://yourdomain.com/prestashop/admin786elw8k
Enter credentials created during installation.
Then, proceed with admin account configuration:
- Log in to the PrestaShop admin panel using the administrator credentials you created during installation.
- Navigate to the "Administration" section and configure your store’s general settings, including store name, address, contact information, and default currency.
- Configure shipping and payment methods according to your business needs.
- Add products to your catalog, providing detailed descriptions, images, and pricing information.
- Customize the look and feel of your store by selecting a theme and configuring design elements.
You now have access to the PrestaShop Dashboard.
Before launching your live store, the next step is properly securing your PrestaShop installation.
Securing PrestaShop for Production Use
Out of the box, PrestaShop works well but is not ready for immediate public access.
Certain security measures need to be taken for a production site handling real user data and transactions.
Here are key tips to secure your PrestaShop store:
Disable Demo Mode
If enabled, disable Demo Mode under Advanced Parameters:
Go to: Preferences > General > Enable Shop Demo Mode
Set to: No
Demo mode is meant for module testing purposes and bypasses normal security checks. Keep it disabled on a live site.
Set Admin Folder
The default admin folder admin786elw8k is publicly guessable.
Change it to a random difficult-to-guess sequence:
Go to: Preferences > General > Set Admin Folder
Example: ab5dz931tz
This obscures access to your admin panel.
Remove Install Folder
Delete the install folder from your server:
/var/www/html/prestashop/install
This removes remnants from the installation process, preventing malicious use.
Disable Friendly Error Pages
In production mode, disable friendly error pages meant for development:
Go to: Preferences > General > Disable Friendly Error
Set Error Reporting to: No
Display Errors to: No
This prevents exposing sensitive error messages to public users.
Use HTTPS
Configure PrestaShop for HTTPS access only:
- Obtain an SSL certificate for your domain.
- Configure your web server to use HTTPS.
- Enable SSL in PrestaShop’s back office (Preferences > General).
Enforcing HTTPS ensures login forms and payment data are encrypted in transit, protecting them from interception.
Update PHP Version
Use PHP 7.4+ which still has security support:
PHP 7.2 will reach End of Life in Nov 2023
Upgrade to a supported PHP version like 7.4 or 8.0
Latest PHP versions have critical security fixes and improved performance.
Strong Admin Password
Ensure you set a very strong password for the admin account.
14+ random characters containing upper/lowercase letters, numbers and symbols.
Weak admin passwords are targeted in automated credential stuffing attacks.
Use Captchas
Enable and use captchas in areas prone to automated attacks:
- Install a captcha module from the PrestaShop Addons marketplace.
- Configure the module to protect login forms, registration pages, and contact forms.
Captchas block automated bots making fake login attempts, spam contact forms etc.
Update Regularly
Keep PrestaShop and installed modules updated:
Go to: Advanced Parameters > Modules > Modules & Services
Check and install available upgrades
Updates contain vital security fixes and improvements.
Proper File Permissions
Use the principle of least privilege for file permissions:
Example safe permissions:
Folders: 755
Files: 644
Unsafe: 777 (full access for all)
This minimizes impact if a file is somehow compromised.
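As an added example (not part of the original guide), the following Python script audits a PrestaShop tree against the 755/644 baseline above and can apply it; the sample tree it builds under a temp directory is constructed for the demonstration, and the file names in it are placeholders rather than the project's real layout.

```python
import os
import stat
import tempfile

# Baseline from the guide: 755 for folders, 644 for files.
DIR_MODE = 0o755
FILE_MODE = 0o644


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Return (path, octal_mode) for every entry under root that deviates
    from the 755/644 baseline. Symlinks are skipped (their own mode is
    meaningless); world-writable entries (0o777) are the ones to fix first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and _mode(path) != DIR_MODE:
                findings.append((path, oct(_mode(path))))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and _mode(path) != FILE_MODE:
                findings.append((path, oct(_mode(path))))
    return findings


def apply_baseline(root):
    """chmod every deviating entry to the baseline; returns how many changed."""
    changed = 0
    for path, _ in audit_permissions(root):
        os.chmod(path, DIR_MODE if os.path.isdir(path) else FILE_MODE)
        changed += 1
    return changed


def build_sample_tree():
    """Constructed sample tree (placeholder names, not a real shop): a
    world-writable upload folder and config file, plus entries already
    at the baseline."""
    root = tempfile.mkdtemp(prefix="prestashop-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "upload"))
    for rel in ("config/settings.php", "index.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    os.chmod(os.path.join(root, "config"), DIR_MODE)
    os.chmod(os.path.join(root, "index.php"), FILE_MODE)
    os.chmod(os.path.join(root, "upload"), 0o777)
    os.chmod(os.path.join(root, "config", "settings.php"), 0o777)
    return root
```

Run audit_permissions on the real document root first and review the list before calling apply_baseline, since a few writable cache or upload directories may legitimately need different modes.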
Other Security Tips
- Regularly back up your PrestaShop database and files.
- Monitor your server logs for suspicious activity.
- Use a web application firewall (WAF) to protect against common web attacks.
- Disable or remove unused modules.
- Educate yourself and your staff about common security threats and best practices.
Be vigilant and follow security best practices for threat prevention. Installing & Securing PrestaShop demands continuous attention.
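To make the "monitor your server logs" tip concrete, here is an added Python example (not from the original guide) that reads Apache-style access log lines and flags clients that POST into the admin folder at a rate a human would not reach. The log lines are constructed for the demonstration, the admin folder is the page's example name, and the AdminLogin/AdminProducts controller names in the sample are assumptions; detection keys only on POST requests under the admin path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): six rapid POSTs to the admin
# login from one client, two spaced-out POSTs from a legitimate admin session
# and an ordinary storefront GET. IPs are from documentation ranges.
ADMIN_PATH = "/prestashop/admin786elw8k/"
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{30 + i:02d} +0000] "POST {ADMIN_PATH}'
     f'index.php?controller=AdminLogin HTTP/1.1" 200 1043 "-" "python-requests/2.31"'
     for i in range(6)]
    + [f'198.51.100.4 - - [10/Oct/2023:13:40:00 +0000] "POST {ADMIN_PATH}'
       f'index.php?controller=AdminLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       f'198.51.100.4 - - [10/Oct/2023:13:52:00 +0000] "POST {ADMIN_PATH}'
       f'index.php?controller=AdminProducts HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /prestashop/index.php'
       '?controller=product&id_product=12 HTTP/1.1" 200 8820 "-" "Mozilla/5.0"']
)


def flag_bruteforce(log_text, admin_path, threshold=5, window_seconds=60):
    """Return the IPs that POSTed into the admin folder at least `threshold`
    times inside any `window_seconds` span; normal admin use stays below it."""
    window = timedelta(seconds=window_seconds)
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(admin_path):
            continue
        stamps[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = []
    for ip, times in stamps.items():
        times.sort()
        # sliding window: is the (threshold-1)th later request within `window`?
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)
```

Feed the real access log and your own admin path to flag_bruteforce, and pair the result with the captcha and strong-password measures above rather than relying on detection alone.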
Alternative Security Solutions
While the above steps provide a solid foundation for PrestaShop security, let’s explore two alternative approaches to enhance your store’s protection:
1. Content Security Policy (CSP) Implementation:
CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. It essentially tells the browser which sources of content (scripts, stylesheets, images, etc.) are allowed to be loaded. By defining a strict CSP, you can prevent the browser from executing malicious code injected by attackers.
Explanation:
CSP works by adding an HTTP header or a <meta> tag in your HTML file that defines a whitelist of sources from which the browser is allowed to load resources. Any resource loaded from a source not on the whitelist will be blocked by the browser.
Code Example (adding CSP via .htaccess):
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self';"
</IfModule>
Explanation of the CSP directives in the example:
- default-src 'self': This directive sets the default policy for loading resources. It allows resources to be loaded only from the same origin (your domain).
- script-src 'self' 'unsafe-inline' https://trusted-cdn.com: This allows JavaScript to be loaded from the same origin and from https://trusted-cdn.com. The 'unsafe-inline' keyword allows inline JavaScript, but it's generally recommended to avoid inline scripts for better security.
- style-src 'self' 'unsafe-inline' https://fonts.googleapis.com: This allows CSS to be loaded from the same origin and from https://fonts.googleapis.com. The 'unsafe-inline' keyword allows inline styles; as with JavaScript, avoid inline styles where possible.
- img-src 'self' data: (data URIs): This allows images to be loaded from the same origin and from data URIs (inline images).
- font-src 'self' https://fonts.gstatic.com: This allows fonts to be loaded from the same origin and from https://fonts.gstatic.com.
- frame-ancestors 'self': This directive specifies the valid parents that may embed a <frame>, <iframe>, <object>, <embed> or <applet>. Setting this to 'self' means that your site can only be framed by pages on the same origin.
2. Using a Web Application Firewall (WAF):
A WAF acts as a shield between your PrestaShop store and the internet, analyzing incoming traffic and blocking malicious requests before they reach your server. It can protect against various attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks.
Explanation:
WAFs work by inspecting HTTP traffic and applying a set of rules to identify and block malicious patterns. These rules can be based on signatures of known attacks, behavioral analysis, or custom policies.
Implementation:
There are several options for implementing a WAF:
- Cloud-based WAF: Services like Cloudflare, Sucuri, and Akamai offer cloud-based WAF solutions that are easy to set up and manage. They typically involve changing your DNS records to route traffic through their servers.
- Hardware-based WAF: These are physical appliances that you install on your network. They offer high performance and granular control but are more complex to manage.
- Software-based WAF: These are software packages that you install on your web server. They are more flexible than hardware-based WAFs but can impact server performance.
Example (using Cloudflare WAF):
- Sign up for a Cloudflare account.
- Add your website to Cloudflare.
- Change your DNS records to point to Cloudflare’s nameservers.
- Configure Cloudflare’s WAF settings, such as security level, firewall rules, and bot protection.
Cloudflare will then automatically protect your PrestaShop store against various threats. These alternative security solutions offer further defense for your PrestaShop store.
Conclusion
There you have it – a comprehensive guide to getting PrestaShop installed securely from start to finish. Installing & Securing PrestaShop requires attention to detail.
Following these key steps allows you to:
- Successfully install PrestaShop on your web server.
- Configure a secure database connection.
- Harden your PrestaShop installation against common security threats.
- Implement alternative security measures for enhanced protection.
You can now proceed with customizing your online store, adding products, setting up payments and fulfilment integrations.
Execute proper security measures as outlined here for threat prevention throughout your e-commerce journey.
This establishes a robust foundation for the success and security of your PrestaShop business!