kostas34 Posted July 22, 2011
Come on guys... let's make our PrestaShop shops safe... post in this topic your security tips, proposals, ways...

indus Posted July 24, 2011
Important question. I am no expert but I'll post my tips:
1. Folder permissions 755 is a good start, but my .htaccess is 644 so no execute on that file.
2. Use a reliable host to host your website. You don't want someone to compromise your SQL databases.
3. Use SSL (I use the free one from StartSSL) and it works the same as any other certificate. This is good to secure login and order pages.
4. Do not give out your FTP passwords to anyone. If you gave it to someone who is helping you out, change it later anyway.
5. Use the security fix given in the themes > sticky section for third party themes, but I think that is only for older PS versions.
..........

guest* Posted July 26, 2011
Besides tips from indus I suggest:
1) As hacker attacks come from known bad bots, I suggest integrating tools like project honeypot or bot-trap (only for the German community) into your page. Known bad bots are banned from your site. Both are big communities, and known bad behaviours will be included in their ban-scripts at once and banned from your site.
2) Maintain your software up-to-date.

indus Posted July 26, 2011
> Besides tips from indus I suggest:
> 1) As hacker attacks come from known bad bots, I suggest integrating tools like project honeypot or bot-trap (only for the German community) into your page. Known bad bots are banned from your site. Both are big communities, and known bad behaviours will be included in their ban-scripts at once and banned from your site.
> 2) Maintain your software up-to-date.

Also, recently someone from these forums pointed out a security problem with my site where anyone can view directories in my server root by specifying the URL. So I have added an option 'Options -Indexes' to my .htaccess file, which now gives a forbidden access error for any folders on my site. So if anyone types a URL, for example www.example.com/modules/modulename, it will give a forbidden error. I really recommend this to everyone. That line restricts indexing of your site. I think this can also be done from cPanel easily.

Bewitching Posted July 29, 2011
I just want to note: the following page titled "Instal PrestaShop" still has the old CHMOD 777 listed as the preferred file permissions. It NEEDS to be updated like YESTERDAY!! Link: PrestaShop Install Guide. I almost ruined a new install by following that old info. Good thing my sanity prevailed! LOL

bsmooth Posted July 29, 2011
Add this to your .htaccess files:

Options -Indexes
<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>
ErrorDocument 403 /index.php

People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php.

LouisF Posted August 3, 2011
> Add this to your .htaccess files:
> Options -Indexes
> <Files "*.tpl">
> Order Allow,Deny
> Deny from All
> </Files>
> ErrorDocument 403 /index.php
> People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php.

This was a great post, thank you!

aivars Posted August 6, 2011
> Options -Indexes
> <Files "*.tpl">
> Order Allow,Deny
> Deny from All
> </Files>
> ErrorDocument 403 /index.php

Do I have to add this code in the BO .htaccess file generation page's Specific configuration form, or directly in my .htaccess file? Asking because in my .htaccess file there is this text:

# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE

Just to make sure I don't do something stupid!!! And if I do it in the back office, shall I unselect Optimization and Friendly URL? "This will erase your old .htaccess file!" is the text under the generation button???
This is a great topic, thank you!

bsmooth Posted August 15, 2011
Yes, you can paste the code snippet into the .htaccess file via Tools > Generators > Htaccess file generation.
While we are on the topic of security, does anyone know how to port bad-behavior as a module to use with PrestaShop?
http://bad-behavior.ioerror.us/documentation/installation/
http://bad-behavior.ioerror.us/documentation/porting-guide/

Matt O'Gara Posted August 15, 2011
> Yes, you can paste the code snippet into the .htaccess file via Tools > Generators > Htaccess file generation.
> While we are on the topic of security, does anyone know how to port bad-behavior as a module to use with PrestaShop?
> http://bad-behavior.ioerror.us/documentation/installation/
> http://bad-behavior.ioerror.us/documentation/porting-guide/

I just followed these instructions (pasted the code snippet into Tools > Generators > Htaccess file generation) and now I get a 500 Internal Server Error. How do I fix this please?

aivars Posted August 15, 2011
I did paste the code in the back office. It works, but I now have in the BO home page, inside the "a good beginning" window, a Browser cache & compression warning (showing yellow instead of green). It's not affecting my shop at present, hopefully. Any tips on how to get rid of the cache warning?
I wish I could help you with the 500 errors but I am a novice in PrestaShop. Are you on an Apache web server? There is a warning: this tool (Htaccess file generation) can ONLY be used if you are hosted by an Apache web server. Please ask your webhost.

Matt O'Gara Posted August 15, 2011
> Options -Indexes
> <Files "*.tpl">
> Order Allow,Deny
> Deny from All
> </Files>
> ErrorDocument 403 /index.php
> Do I have to add this code in the BO .htaccess file generation page's Specific configuration form, or directly in my .htaccess file? Asking because in my .htaccess file there is this text:
> # .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
> # WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE
> Just to make sure I don't do something stupid!!! And if I do it in the back office, shall I unselect Optimization and Friendly URL? "This will erase your old .htaccess file!" is the text under the generation button???
> This is a great topic, thank you!

Hi aivars
Did you manage to get this working? I followed the advice and pasted the code into the .htaccess generator and now I get an Internal Server Error... Did you have any luck?

bsmooth Posted August 15, 2011
Matt,
The code shouldn't do anything weird to your shop configuration. Try comparing your old .htaccess file to the new .htaccess code with the appended code. If all else fails, remove the code snippet.

aivars Posted August 15, 2011
I managed to get the idea to work by copying the suggested .htaccess code in Tools > Generators > Htaccess file generation. I had no server errors of any kind at all. I can't help you, sorry, no expertise.

Paul C Posted August 16, 2011
Try entering each of the three sections one by one. You get an "Internal Server Error" for invalid configuration commands in .htaccess; one of them is causing the issue.
Paul

indus Posted August 16, 2011
> > Options -Indexes
> > <Files "*.tpl">
> > Order Allow,Deny
> > Deny from All
> > </Files>
> > ErrorDocument 403 /index.php
> > Do I have to add this code in the BO .htaccess file generation page's Specific configuration form, or directly in my .htaccess file? Asking because in my .htaccess file there is this text:
> > # .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
> > # WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE
> > Just to make sure I don't do something stupid!!! And if I do it in the back office, shall I unselect Optimization and Friendly URL? "This will erase your old .htaccess file!" is the text under the generation button???
> > This is a great topic, thank you!
> Hi aivars
> Did you manage to get this working? I followed the advice and pasted the code into the .htaccess generator and now I get an Internal Server Error... Did you have any luck?

I too had this problem when I used that code, not sure why. Everyone seems to recommend it. But when I used it I got an internal server error. Maybe I used it in the wrong path. Right now I only use the Options -Indexes line. That is working well.
Edit: OK, I placed it now in .htaccess and it's working OK. I think I had placed it outside my root folder's .htaccess file previously.

indus Posted August 19, 2011
I would like to add one very important tip. My FTP connections to the server are encrypted for security reasons. In fact my host does not allow insecure connections to the server.
indus

gkontos Posted August 25, 2011
I usually run the following within the PrestaShop directory:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

This will chmod all the files to 644 and directories to 755.
Then, instead of allowing everyone to modify the files necessary for PrestaShop to work, I chown them to apache:

chown www:www config
chown www:www tools/smarty/compile
chown www:www tools/smarty/cache
chown www:www tools/smarty_v2/compile
chown www:www tools/smarty_v2/cache
chown www:www sitemap.xml
chown www:www log
chown -R www:www img
chown -R www:www mails
chown -R www:www modules
chown -R www:www themes/prestashop/lang
chown -R www:www themes/prestashop/cache
chown -R www:www translations
chown -R www:www upload
chown -R www:www download

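An added example for this thread, not PrestaShop's own code and not from gkontos's post: a POSIX sh script that audits a shop tree against the 644/755 policy above (flagging anything still world-writable from the old chmod 777 advice), applies the same find/chmod commands, and hands the writable paths from the post to the web server user. The script name, the --fix flag and the function names are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not PrestaShop's own code): audit a shop tree
# against the 644/755 policy from the post above, apply it with the same
# find/chmod commands, and hand the writable paths from the post to the web
# server user. chown needs root, so it is a separate function: run it only
# where your host lets you (on shared hosting you usually cannot).

# audit_perms ROOT -> prints a summary and returns 1 if anything is off-policy
audit_perms() {
    root=$1
    # Files whose mode is not exactly rw-r--r-- (0644)
    files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
    # Directories whose mode is not exactly rwxr-xr-x (0755), ROOT included
    dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    # Anything with the world-write bit (0002): what an old chmod 777 leaves
    # behind, and what lets any other account on a shared host edit the shop
    ww=$(find "$root" -perm -002 | wc -l | tr -d ' ')
    echo "files not 644: $files, dirs not 755: $dirs, world-writable: $ww"
    find "$root" -perm -002 -print
    [ "$files" -eq 0 ] && [ "$dirs" -eq 0 ] && [ "$ww" -eq 0 ]
}

# fix_perms ROOT -> the two commands from the post, applied to every entry
fix_perms() {
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# fix_owner ROOT USER -> the chown list from the post; USER is the account the
# web server runs as (gkontos uses www, Debian hosts often use www-data)
fix_owner() {
    root=$1; user=$2
    for p in config tools/smarty/compile tools/smarty/cache tools/smarty_v2/compile \
             tools/smarty_v2/cache sitemap.xml log; do
        [ -e "$root/$p" ] && chown "$user:$user" "$root/$p"
    done
    for p in img mails modules themes/prestashop/lang themes/prestashop/cache \
             translations upload download; do
        [ -e "$root/$p" ] && chown -R "$user:$user" "$root/$p"
    done
}

# Usage: sh perms.sh /path/to/shop [--fix]   (perms.sh is an assumed name)
if [ $# -ge 1 ]; then
    [ "${2:-}" = "--fix" ] && fix_perms "$1"
    audit_perms "$1"
fi
```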
arialblack14 Posted March 13, 2012
Sorry for bumping this old thread, but I found it useful and I would appreciate any new info on this.

kiran.chenna Posted July 7, 2012
Hi friends, you can redirect anyone who wants to access your ".tpl" files using a simple redirect method in the .htaccess file. Just copy, paste and edit the code below in your .htaccess file if it exists; otherwise you can create a new .htaccess file.

RewriteEngine on
# this activates the rewrite engine in the Apache server
RewriteRule ^([A-Za-z0-9/-]+)\.tpl$ http://www.yoursite.com/index.php [L]
# this is the condition to redirect the URL; just change your site URL at yoursite.com

Now if anyone wants to access your ".tpl" files, it automatically redirects them to the index.php page. If you want to block those IP addresses you can block them using some more advanced code. I hope it will help you people to protect your site a little bit.

CrS27 Posted September 3, 2012
Thanks for the great tip!!! I'll try it.

vynx Posted October 13, 2012
Additional:

<FilesMatch "\.(inc|tpl|h|iHTML|sql|ini|conf|class|bin|spd|themes|modules|exe|asa)$">
deny from all
</FilesMatch>

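An added example, not from vynx's post and not PrestaShop code: a POSIX sh dry run of the two deny rules in this thread (bsmooth's <Files "*.tpl"> block and the FilesMatch pattern above) against a local copy of the shop tree, so you can see per extension what the rules would block and what Apache would still serve. The function names are my own; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not PrestaShop code): a local dry run of the .htaccess deny
# rules posted in this thread. Apache tests <Files "*.tpl"> and the FilesMatch
# regex against the file name only, so the same test with a shell glob and
# grep -E tells you what the rules cover before you rely on them.
DENY_RE='\.(inc|tpl|h|iHTML|sql|ini|conf|class|bin|spd|themes|modules|exe|asa)$'

# denied_by_rules PATH -> exit 0 if a request for PATH would be blocked
denied_by_rules() {
    name=$(basename "$1")
    case "$name" in
        *.tpl) return 0 ;;                       # <Files "*.tpl"> rule
    esac
    printf '%s\n' "$name" | grep -Eq "$DENY_RE"  # FilesMatch rule
}

# extension_report ROOT -> a count per extension, tagged "denied" or "served".
# Anything tagged served that is not meant for browsers (a .zip or .sql.gz
# backup, for instance: the pattern anchors on .sql, so .sql.gz slips past)
# needs its own rule or should not sit in the web root at all.
# Files without a dot in their name are skipped.
extension_report() {
    find "$1" -type f -name '*.*' | while read -r f; do
        if denied_by_rules "$f"; then tag=denied; else tag=served; fi
        printf '%s .%s\n' "$tag" "${f##*.}"
    done | sort | uniq -c
}

# Usage: sh denycheck.sh /path/to/shop   (denycheck.sh is an assumed name)
if [ $# -ge 1 ]; then
    extension_report "$1"
fi
```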
BoKr Posted December 4, 2012
I didn't get an earlier post about

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

because it was related to changing the owner to Apache... Well, since I have only a rented host, so to speak, Hetzner, I am wondering what the situation is with security if I cannot change the owner. All my folders are 755 and files 644 as far as I know. I found this thread since I was looking for info about the proper settings. What I found in most PS setup guides and in the forum is that certain folders need 755. But what about the rest, as in my case?

RCP90 Posted April 29, 2013
dh42 posted a blog post of his with some nice points: http://blog.dh42.com/best-e-commerce-security/

RCP90 Posted April 29, 2013 (edited)
> Add this to your .htaccess files:
> Options -Indexes
> <Files "*.tpl">
> Order Allow,Deny
> Deny from All
> </Files>
> ErrorDocument 403 /index.php
> People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php.

And this is simply pasted in the .htaccess file exactly as it is there, yes? Also, is this still relevant, given the date of the post?
Edited April 29, 2013 by RCP90

guest* Posted May 27, 2013
Use "geotargeting" and block all countries to which you aren't selling (but please do not block the US, from where the major SERPs are coming/sending their bots).

medred Posted June 20, 2013
What is your opinion about a firewall on FTP (there are a few that support PrestaShop) to protect PHP and block bad bots? Does anyone use that method to protect PrestaShop? Many people say that one of the best methods to be secure is to update PrestaShop and modules. That makes me think how hard it can be to keep a premium theme with all the modules updated.