Jump to content

lets make our prestashop shops safe


kostas34
 Share

Recommended Posts

Important question,

 

Iam no expert but ill post my tips:

 

1.Folder permissions 755 is a good start,but my hta access is 644 so no execute on that file.

2.Use a reliable host to host your website.you dont want someone to compromise your sql databases.

3.Use SSL (i use the free one from startSSL ) and it works the same as any other certificate.This is good to secure login and order pages.

4.Do not give out your ftp passwords to anyone.If you gave it to someone who is helping you out, change it later anyway.

5.Use security fix given in the themes>sticky section for third party themes

but i think taht is only for older ps versions.

..........

Share this post


Link to post
Share on other sites

Besides tips from indus I suggest:

 

1) As hacker attacks comes from known bad bots I suggest to integrate tools like project honeypot or bot-trap (only for german community) into your page. Known bad bots where banned from your site. Both big communities and known bad behaviours will included in their ban-scripts at once and banned from your site.

2) maintain your software up-to-date.

  • Like 1

Share this post


Link to post
Share on other sites

Besides tips from indus I suggest:

 

1) As hacker attacks comes from known bad bots I suggest to integrate tools like project honeypot or bot-trap (only for german community) into your page. Known bad bots where banned from your site. Both big communities and known bad behaviours will included in their ban-scripts at once and banned from your site.

2) maintain your software up-to-date.

 

 

Also , recently someone from these forums pointed out security problem with my site where anyone can view directories in my server root by specifying the url.

So i have added an option 'Options -Indexes' to my htaaccess file which now gives a forbidden access error to any folders on my site.So if anyone types a url for example www.example.com/modules/modulename it will give forbidden error.

I really recommend this to everyone.That line restricts indexing of your site.I think this can also be done from cpanel easily.

  • Like 1

Share this post


Link to post
Share on other sites

Add this to your .htaccess files

 

Options All -Indexes

<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

ErrorDocument 403 /index.php

 

People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php

  • Like 4

Share this post


Link to post
Share on other sites

Add this to your .htaccess files

 

Options All -Indexes

<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

ErrorDocument 403 /index.php

 

People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php

 

This was a great post, thank you!

Share this post


Link to post
Share on other sites

Options All -Indexes

 

<Files "*.tpl">

Order Allow,Deny

Deny from All

</Files>

 

ErrorDocument 403 /index.php

 

Do I have to add this code in BO .htaccess file generation - Specific configuration form or directly in my .htacess file.

asking becouse in my htacess file there is text - # .htaccess automaticaly generated by PrestaShop e-commerce open-source solution

# WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE

 

just to make sure I don't do something stupid!!!

and if I do it in back office - shell I unselect Optimization and Friendly URL.

This will erase your old .htaccess file! - text under generation button???

 

This is a great topic, thank you!

Share this post


Link to post
Share on other sites

  • 2 weeks later...

Yes, you can paste the code snippet into htaccess file via Tools > Generators > Htaccess file generation.

 

While we are on the topic of security, does anyone know how to port bad-behavior as a module to use with prestashop?

 

http://bad-behavior.ioerror.us/documentation/installation/

 

http://bad-behavior.ioerror.us/documentation/porting-guide/

 

I just followed these instructions (pasted the code snippit into Tools > Generators > Htaccess file generation and now I get a 500 Internal Server error. How do I fix this please?

Share this post


Link to post
Share on other sites

I did paste code in back office. It works, but I now have in BO home page inside the “ a good beginning” window - Browser cache & compression warning (showing yellow instead of green). It’s not affecting my shop at the present, hopefully.

Any tips how to get rid of cache warning?

 

I wish to help you with 500 errors but I am novice in Prestashop.

Are you having Apache web server?

There is Warning: this tool (Htaccess file generation) can ONLY be used if you are hosted by an Apache web server. Please ask your webhost.

Share this post


Link to post
Share on other sites

Options All -Indexes

 

<Files "*.tpl">

Order Allow,Deny

Deny from All

</Files>

 

ErrorDocument 403 /index.php

 

Do I have to add this code in BO .htaccess file generation - Specific configuration form or directly in my .htacess file.

asking becouse in my htacess file there is text - # .htaccess automaticaly generated by PrestaShop e-commerce open-source solution

# WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE

 

just to make sure I don't do something stupid!!!

and if I do it in back office - shell I unselect Optimization and Friendly URL.

This will erase your old .htaccess file! - text under generation button???

 

This is a great topic, thank you!

 

Hi aivars

Did you manage to get this working as I followed the advice and pasted the code into the .Htaccess generator and now I get an Internal Server Error... :( Did you have any luck?

Share this post


Link to post
Share on other sites

Matt,

 

The code shouldn't do anything weird to your shop configuration. Try comparing your old htaccess file to the new htaccess code with the appended code.

 

If all else fails, remove the code snippet.

Share this post


Link to post
Share on other sites

I managed idea to work by copying suggested .htacess code in Tools > Generators > Htaccess file generation. I had no any kind of server errors at all. I can’t help you – sorry - no expertise.

Share this post


Link to post
Share on other sites

Options All -Indexes

 

<Files "*.tpl">

Order Allow,Deny

Deny from All

</Files>

 

ErrorDocument 403 /index.php

 

Do I have to add this code in BO .htaccess file generation - Specific configuration form or directly in my .htacess file.

asking becouse in my htacess file there is text - # .htaccess automaticaly generated by PrestaShop e-commerce open-source solution

# WARNING: PLEASE DO NOT MODIFY THIS FILE MANUALLY. IF NECESSARY, ADD YOUR SPECIFIC CONFIGURATION WITH THE HTACCESS GENERATOR IN BACK OFFICE

 

just to make sure I don't do something stupid!!!

and if I do it in back office - shell I unselect Optimization and Friendly URL.

This will erase your old .htaccess file! - text under generation button???

 

This is a great topic, thank you!

 

Hi aivars

Did you manage to get this working as I followed the advice and pasted the code into the .Htaccess generator and now I get an Internal Server Error... :( Did you have any luck?

 

 

I too had this problem when i used that code, not sure why.Everyone seems to recommend it.But when i used it i got internal server error.

Maybe i used it in the wrong path.Right now i only use the options - Indexes line.That is working good.

 

Edit:Ok i placed it now in htaccess and its working ok.I think i had placed it outside my root folder's htaacess file previously.

Share this post


Link to post
Share on other sites

I would like to add one very important tip.

 

My ftp connections to the server are encrypted for security reasons.In fact my host does not allow unsecure connections to the server.

 

 

 

 

indus

Share this post


Link to post
Share on other sites

I usually run the following within the prestashop directory:

 

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

 

This will chmod all the files to 644 and directories to 755

 

Then instead of allowing everyone to modify the files necessary for prestashop to work I chown them to apache:

 

chown www:www config
chown www:www tools/smarty/compile
chown  www:www tools/smarty/cache
chown  www:www tools/smarty_v2/compile
chown  www:www tools/smarty_v2/cache
chown  www:www sitemap.xml
chown  www:www log
chown -R www:www img
chown -R www:www mails
chown -R www:www modules
chown -R www:www themes/prestashop/lang
chown -R www:www themes/prestashop/cache
chown -R www:www translations
chown -R www:www upload
chown -R www:www download

  • Like 2

Share this post


Link to post
Share on other sites

  • 6 months later...
  • 3 months later...

hi friends you can redirect anyone who wants to access your ".tpl" file using a simple redirecting method in .htaccess file.

 

just copy, paste and edit the code below in your .htaccess file if it exists other wise you can create a new .htaccess file

 

 

RewriteEngine on #its activates rewrite engine in apache server

RewriteRule ^([A-Za-z0-9/-]+).tpl$ http://www.yoursite.com/index.php [L] #this is the condition to redirect url

 

 

just change your site url at yoursite.com.

 

now if any one want to access your ".tpl" file its automatically redirects them to index.php page

 

if you want to block those ip address you can block them using some advance code.

 

i hope it will help you people to protect your site little bit.

  • Like 1

Share this post


Link to post
Share on other sites

  • 1 month later...
  • 1 month later...
  • 1 month later...

I didn't get an earlier post about

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

 

Cause it was related to change owner to Apache...

 

Well, since I have only a rented host so to speak, Hetzner, I am wondering what is the case about security if I cannot change the owner.

All my folders are 755 and files 644 as fasr as I know. I found this thread since I was looking for info about the proper settings. What I found in most PS setup guides and in the forum is that certain folders need 755. But what is with rest as in my case?

Share this post


Link to post
Share on other sites

  • 4 months later...

Add this to your .htaccess files

 

Options All -Indexes

<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

ErrorDocument 403 /index.php

 

People will get a 403 if they are browsing your directories or TPL files. Instead of showing them access denied, they are redirected to your homepage index.php

 

 

And this is simply pasted in the htaccess file exactly as it is there yes, also is this still relevant due to the date of the post.

Edited by RCP90 (see edit history)

Share this post


Link to post
Share on other sites

  • 4 weeks later...
  • 4 weeks later...

What is your opinion about a firewall on ftp (there are a few that support prestashop) to protect php and block bad bots; Does anyone use that method to protect prestashop;

Many people say that one of the best methods to be secured is to update prestashop and modules. That makes me think how hard can be to keep a premium theme with all the modules updated.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More