RCP90 Posted April 30, 2013

Hiii,

I am totally new to Prestashop and so far am enjoying the challenge of learning about its features and what it offers. My main concern with getting the configuration of Prestashop correct and stable is security. I have been reading a lot on the forum about this and also in the official Prestashop guide.

We currently have a website with over 50k products, the ecommerce software is custom to our trade and the backend is managed by a 3rd party who own the custom software. I designed the front end but there is only so much control I have before they want to charge us (which is very frustrating, as everything we want I can code myself, but only they have access). So we are thinking of running a smaller more specialized store alongside the current site, so as well as the front end and bo I will be running the back end as well, so I need to get it right. Ultimately we will have total control of the site without restriction.

It would be nice if there was a security checklist, ranging from good server configuration practices to how to ensure Prestashop is as secure as can be. It would also be nice if this was in plain English. I am not asking to be spoon fed, but let's not assume everyone here has the same level of technical knowledge and experience. It would be nice to see a sticky in this sub forum with a simple checklist of good practices.

What do you think?

nienha Posted May 8, 2013

+1

Centio Posted January 5, 2014

I'm fairly new to Prestashop as well and have got the same question. So far this is what I have done:

- Limit access to BO to only certain IPs. If working from one location (= 1 IP) then make sure you have at least one other IP, just in case you lose access from your primary site
- Use SSL where possible
- Use strong passwords for all employees. LastPass is an amazing tool in letting users use strong passwords
- Restrict access to your shop for only those countries you actually need to have access
- I did not install my shop in the root but in a sub, i.e. /myshop/ . Makes guessing a little harder
- Random name for the backoffice URL
- File security as follows:

    cd /home/d0001/public_html/myshop
    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 755 {} \;
    chown apache:apache cache
    chown apache:apache config
    chown apache:apache tools/smarty/compile
    chown apache:apache tools/smarty/cache
    chown apache:apache tools/smarty_v2/compile
    chown apache:apache tools/smarty_v2/cache
    chown apache:apache sitemap.xml
    chown apache:apache log
    chown -R apache:apache img
    chown -R apache:apache mails
    chown -R apache:apache modules
    chown -R apache:apache themes/prestashop/lang
    chown -R apache:apache themes/prestashop/cache
    chown -R apache:apache translations
    chown -R apache:apache upload
    chown -R apache:apache download
    cd ..
    chown apache:apache myshop

- Remove as many default products, references to prestashop etc. as possible. From a security perspective, the less someone knows about the underlying technique, the harder it is to find weaknesses.
- Remove the password from the account creation email a user receives.

I would like to hear from others what they have done so far.
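A read-only check for drift from the 644/755 baseline set in the post above, added here as an example and not part of the original post. The function names and the sample tree (built in a temporary directory) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shop tree against the 644 (files) / 755 (directories)
# baseline. It only reports deviations; it never changes modes or ownership.

# audit_shop_perms SHOP_ROOT
# Prints one line per deviation. Returns 0 if clean, 1 on drift, 2 on bad input.
audit_shop_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Regular files whose mode is not exactly 644 (for example 666 or 755).
    files=$(find "$root" -type f ! -perm 644 -print | sed 's/^/file-not-644: /')
    # Directories whose mode is not exactly 755 (for example 777).
    dirs=$(find "$root" -type d ! -perm 755 -print | sed 's/^/dir-not-755: /')

    findings=$(printf '%s\n%s\n' "$files" "$dirs" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree: constructed sample data, not a real shop.
# Applies the baseline, then loosens two entries to simulate drift.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/config" "$d/upload" "$d/img"
    : > "$d/index.php"
    : > "$d/config/example.php"
    : > "$d/upload/invoice.pdf"
    find "$d" -type f -exec chmod 644 {} \;
    find "$d" -type d -exec chmod 755 {} \;
    chmod 777 "$d/upload"               # drift: world-writable directory
    chmod 666 "$d/upload/invoice.pdf"   # drift: world-writable file
    echo "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
audit_shop_perms "$sample" || echo "drift found under $sample"
rm -rf "$sample"
```

Pointing `audit_shop_perms` at the real shop directory after a module install or upgrade shows whether anything has loosened the modes since the baseline was applied.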