Edit History

MathiasReker


New major version

 
 
Price: Only 69,99 EURO (Free support included)
 
 

Cheap doesn't always mean bad. I spent more than a year on this project and I want to help as many store owners as possible. You get all the security features that you need in this module and I update the module on a regular basis.

PrestaShop on its own is very secure. It's among the most secure content management systems available. That said, PrestaShop advises you to set file and folder permissions on your own, and to secure your back end with another layer of security from your web server itself. This part is not covered by PrestaShop. I added those functions to the module, so you can do it without any coding knowledge. I added all the functions that you need to follow best practice. Trust me - this module will save you months of work.

I did not add settings that are obviously already covered by PrestaShop core with another technique, but where having more layers is good practice, I added those extra layers of security. You can, for instance, enable Two-Factor Authentication and set up an e-mail alert in case of brute force attacks.

Example of a great feature: You can enable e-mail notifications for file changes. You choose the time interval for the check, which runs as a cron job. You will then get an e-mail if there were any file changes since the last check.

In case you get malware, spyware etc., or you mess something up yourself, you will get an e-mail with the paths to the files that were changed. That way you know exactly where to check!

Here is what you get with Security Pro (not all configurations are listed; check the screenshots for additional information):

Brute force protection:

  •     Enable/Disable "Brute force protection for back office"
  •     Enable/Disable "E-mail notification in case of fail attempts to login"
  •     Enable/Disable "E-mail notification in case of successfully login"
  •     Enable/Disable "Log"


Two-factor authentication

  •     Enable/Disable "Two-factor authentication" (for back office)


Second login

  •     Enable/Disable "Second login" (from your webserver itself)


Secure front office

  •     Enable/Disable "Click-jack protection"
  •     Enable/Disable "XSS protection"
  •     Enable/Disable "Disable content sniffing"
  •     Enable/Disable "Force secure connection with HSTS"
  •     Enable/Disable "Expect CT"
  •     Enable/Disable "Referrer policy"


Anti-SPAM

  •     Enable/Disable "Prevent fake accounts / Block bots"
  •     Enable/Disable "Contact form"
  •     Enable/Disable "Block TOR IPv4 and IPv6 addresses"
  •     Enable/Disable "Block custom list of IP addresses" (The module can handle IPv4, IPv6 addresses, as well as IP ranges, in CIDR formats like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*)
  •     Enable/Disable "Block custom list of user agents"


Anti-virus

  •     Enable/Disable "Malware scanner"
  •     Enable/Disable "filechanges scanner"
  •     Enable/Disable "Log"
  •     Enable/Disable "Block file uploads" (for back office)


Firewall (WAF)

  •     Enable/Disable "Anti-flood / Anti DDoS protection"
  •     Enable/Disable "Bot check"
  •     Enable/Disable "Anti-SQL injection"
  •     Enable/Disable "Anti-XXS injection"
  •     Enable/Disable "Anti-SHELL injection"
  •     Enable/Disable "Anti-HTML injection"
  •     Enable/Disable "Anti-XST injection"
  •     Enable/Disable "Block too long HTTP requests"
  •     Enable/Disable "Block user agents with too long names"
  •     Enable/Disable "Block old HTTP protocols"
  •     Enable/Disable "Block file-upload" (front office)
  •     Enable/Disable "Log"


Protect content

  •     Enable/Disable "Disable right click"
  •     Enable/Disable "Disable right click on images only"
  •     Enable/Disable "Disable drag and drop"
  •     Enable/Disable "Disable copy"
  •     Enable/Disable "Disable cut"
  •     Enable/Disable "Disable paste"
  •     Enable/Disable "Disable text selection"


Automatic backups

  •     Enable/Disable "Backup database to local"
  •     Enable/Disable "Backup database to Dropbox"
  •     Enable/Disable "Backup files to local"
  •     Enable/Disable "Backup files to Dropbox"


Admin directory

  •     Change name of admin directory in a few clicks.


Password generator

  •     Strong password generator for MySQL database, FTP, hosting panel/cPanel, SSH access and back office.


Scripts

  •     Fix insecure permissions vulnerability
  •     Fix directory traversal vulnerability


Analyze system for all known vulnerabilities

  •     CVE-2020-5293
  •     CVE-2020-5288
  •     CVE-2020-5287
  •     CVE-2020-5286
  •     CVE-2020-5285
  •     CVE-2020-5279
  •     CVE-2020-5278
  •     CVE-2020-5276
  •     CVE-2020-5272
  •     CVE-2020-5271
  •     CVE-2020-5270
  •     CVE-2020-5269
  •     CVE-2020-5265
  •     CVE-2020-5264
  •     CVE-2020-5250
  •     CVE-2019-13461
  •     CVE-2019-11876
  •     CVE-2018-8823
  •     CVE-2018-8824
  •     CVE-2018-7491
  •     CVE-2018-19355
  •     CVE-2018-19124
  •     CVE-2018-19125
  •     CVE-2018-19126
  •     CVE-2018-13784
  •     CVE-2017-9841
  •     CVE-2015-1175


Analyze your server for insecure settings

  •     session.use_cookies
  •     session.use_only_cookies
  •     session.cookie_httponly
  •     session.hash_function
  •     session.use_trans_sid
  •     session.cookie_secure
  •     session.use_strict_mode
  •     session.cookie_lifetime
  •     session.lazy_write
  •     session.sid_length
  •     session.gc_divisor
  •     session.sid_bits_per_character
  •     allow_url_fopen
  •     allow_url_include
  •     display_errors
  •     log_errors
  •     error_reporting
  •     display_startup_errors
  •     expose_php
  •     register_globals
  •     register_argc_argv
  •     short_open_tag
  •     xdebug.default_enable
  •     xdebug.remote_enable
  •     file_uploads
  •     upload_max_filesize
  •     post_max_size
  •     max_input_vars
  •     max_input_time
  •     memory_limit
  •     max_execution_time
  •     default_charset


Analyze your PrestaShop configuration for insecure settings

  •     PHP version (7.2.19)
  •     SSL enabled
  •     SSL Enabled everywhere
  •     PrestaShop token
  •     Mod Security
  •     PrestaShop admin directory name
  •     Database table prefix
  •     PrestaShop debug mode


Analyze SSL

  •     Analyze your SSL certificate
  •     Scan your website for mixed content


Recommendation
The module does not use overrides and none of the core-files are modified, so you are completely safe against conflicts between other modules.

Works on all major server software (Apache, Nginx, LiteSpeed, etc.).
Works on PrestaShop 1.6.1.x, 1.7.x.x and on thirty bees 1.x.x.
Works on PHP 5.6.x, 7.0.x, 7.1.x and 7.2.x.

Everything is very well tested. No known bugs exist and the module is battle tested! The module is already in production on many stores.

The code quality is high and it follows PrestaShop's guidelines.

The code is optimized for performance and security.

If you want to see a demo of the module, or if you have questions please contact me. Contact link: https://addons.prestashop.com/en/contact-us?id_product=44413


MathiasReker

 
 
Price: Only 59,99 EURO (Free support included)
 
 
PrestaShop on its own is very secure. It is among the most secure content management systems available. That said, PrestaShop advises you to set file and folder permissions on your own, and to secure your back end with .htpasswd. This part is not covered by PrestaShop. I added those functions to the module, so you can do it without any coding knowledge.
 
I did not add settings that are obviously already covered by PrestaShop core with another technique, but that said, where having more layers is good practice, I added those extra layers of security.
 
Example of a great feature: You can enable e-mail notifications for file changes. You choose the time interval for the check, which runs as a cron job. You will get an e-mail if there were any file changes since the last check.
So in case you get malware, spyware etc., or you mess something up yourself, you will get an e-mail with the paths to the files that changed. So you know exactly where to check!
 
Here are just some of the other features you will have with this module (check the screenshots for more information):
 
  • Brute force protection
  • Prevent unauthorized access to your back end
  • Click-jack protection
  • XSS protection
  • Disable content sniffing
  • Force secure connection with HSTS
  • Expect CT
  • Referrer policy
  • Cookie secure flag
  • Cookie HttpOnly flag
  • Block specific files
  • Block bad user-agents / bots
  • Block custom list of IPs
  • Add missing index.php files
  • Fix insecure permissions
  • E-mail notification in case of file changes
  • E-mail notification in case of malicious code (malware scan)
  • Disable right click
  • Disable drag and drop
  • Disable copy
  • Disable cut
  • Disable paste
  • Disable text selection
  • Fix insecure admin directory name
  • Check system for vulnerabilities

MathiasReker

 
 
Price: Only 59,99 EURO
 
Support: Free
 
 
MathiasReker

 
 
Price: Only 59,99 EURO
 
 