Security best practices for your PrestaShop store
Security of your online store is of vital importance as customers are providing their private information, credit card details, addresses, phone numbers, etc. So it is better to be locked and loaded.
You'll Learn About:
- Platform version
- SSL Certificate
- Usernames and passwords
- Admin username
- Use .htaccess file
- Backups
- Cookies usage
- Front office security
- Plugins and themes
- Security plugins
1. Platform version
Always use the latest stable version of the platform. One of the main reasons why developers release new versions is to improve security of the engine (accounts, transactions, etc). So, once a new version has been released, check what has been added or modified in the update changelog (a list where you can see all updates in the release). Almost every update has security improvements.
2. SSL Certificate
SSL Certificate encrypts the data which is passed from customer to web server and back. It is one of the most common security measures, and each shop has to have it. Some people who are purchasing online even check whether the store has SSL enabled.
3. Admin password
Admin password has to be long and complex. However, do not overdo it, otherwise you will have to restore it any time you log into the admin panel. Remember to use upper and lowercase, numbers, symbols. Don’t use obvious passwords like birthday date, the word “password,” qwerty, etc.
4. Usernames and passwords
When you create a web store, you will create passwords and usernames on multiple levels - FTP, hosting cPanel, platform, database. Do not use the same passwords and usernames. Create a separate username and password for each one.
In case you cannot come up with a complicated password, use passcodes generators like:
- Strong Password Generator
- Secure Password Generator
- Password Generator by Norton
5. Use .htaccess file
.htaccess file is a file for Apache web servers that controls access to the directory/folder it is located in and all its subdirectories.
With the help of .htaccess, you can set up a few security measures:
- lock access to the admin panel (whitelist the IPs that can have access to the store back end)
- lock template files, so that they cannot be accessed
The .htaccess file can be used in many different ways. However, it is recommended not to mess with it unless you are experienced enough or have a developer to help you.
6. Backups
Backup basically makes a copy of your website settings, database and content. It saves the copy in case your website goes down or is hacked, or something else bad happens and you need to restore it.
It’s similar to writing an email in webmail: no matter what happens to your computer, the draft is saved every few minutes. You can’t tell for sure that your website will not crash, thus it is better to be prepared to enable a quick recovery. And that's when backups will come in handy.
You can back up your store on your own or leave it to your hosting company. Most hosting plans include weekly backup service, but you can order additional and more frequent backups.
7. Cookies usage
Use cookies to store information about your customers and visitors. You can enable or disable cookies usage; just log into your admin panel, go to Administration > Preferences. Here you can turn on the option called “Check the IP address on the cookie.” This way the store will check whether IP of visitors matches its browser cookie IP. This helps to detect fraudsters and stop undesirable attempts to log into the admin area.
But you also need to warn visitors that you use cookies to store their info. There are modules which can help you with this type of notification:
- Cookies Warning module
- EU Cookie Law Compliance
- Free EU Cookie Law Module
8. Front office security
This is a PrestaShop default feature that can be enabled in Preferences > General. “Increase Front Office security” - set it to "yes". This way each customer’s session gets a unique URL, so that information that the customer has added is secured and cannot be used in another browser/computer.
9. Plugins and themes
Always be mindful of what you’re adding to your store. If a plugin or a theme is approved and verified by platform developers, then you can download and install it without any concerns. Note that all themes and modules at PrestaShop Addons are approved, so you can use them safely. But make sure that templates and plugins you are downloading are secure and are not infected with some malware.
10. Security plugins
There are multiple plugins that will help you to improve your PrestaShop store protection, here are some of them:
- Protect My Shop addon - complex security package with protection from different types of hacker attacks;
- Login protector module - this plugin will let you lock access to your front office. Only users with password will be able to login;
- Key Manager module - creates a unique key for every product that was purchased by a customer;
- Anti Fraud for orders module - this plugin checks whether the order was placed by a fraudster or not;
- No CAPTCHA reCAPTCHA module - adds captcha to your store;
- Block Bots module - will help you to ban specific IP, country or user.
Check more security modules at Security & Access - PrestaShop Modules and some PrestaShop themes at TemplateMonster.
Do not forget that your web store is still a store that you have to protect from fraudsters, hackers, thieves, and a variety of accidents. That is why you need to set up proper security measures and use additional resources like plugins and platforms to improve security.
Have better tips on how to protect PrestaShop? Tell us below!
Simon Morgan
Simon is a TemplateMonster sales operator who helps small businesses and startups by day and passionately rocking on the stage with his bass guitar by night. Simon is a truly creative spirit and idea generator who can draw almost everything he imagines.