Worried about security!


jamesb92

Just built my brand new and first PrestaShop, but what do I need to do to make sure the site is safe? Are there any certain settings I need to apply? Please help.

Avoid having world writable files & directories. The manual suggests that some of them should be, but this is only necessary if you are hosting your e-shop with a provider that doesn't allow you to modify proper ownership.

The webserver needs access to the /modules directory, so you assign a 777 permission. This is a potential security risk. Anything that has been compromised on that server, somebody else's bot for example, can modify this directory.

 

Try to harden any 3rd party modules, templates you might be using.

 

Always inspect your logs for traffic and match denied with permitted.

 

Use a web application firewall as a first line of defense against known attacks.

 

Regards,

George


Use a good host, with good security, this might mean spending more on hosting.

Purchase an SSL certificate to protect customer information (your host should be able to sort this).

Make sure permissions are set correctly over the whole site.

Be aware of third party modules and themes (I once found a theme that was monitoring which sites were using them).

 

If someone wants to hack your site for some reason, they will find a way of doing it regardless of how much protection you have, just look at the major sites that have been compromised this last year.....Sony and Steam


Are these permissions generally set by default?

 

I am with uksecurewebhosting w/ SSL

Not necessarily. As a good rule of thumb, keep 644 for files and 755 for folders.

 

The problem is that some directories require write access by the webserver. This can be accomplished in two ways:

 

1) Make those folders world writable

2) Make those folders writable by the user apache runs as.

 

The first option means that anyone who has access to the webserver can modify your files.

 

The second option means that only the apache user can do that. This is better than the first, but if apache gets compromised somehow then you will be in trouble.

 

For those reasons it is very important to host our e-shop in a host that takes security seriously.

That means a host that is performing regular OS patching and software updates.

A host that doesn't allow insecure servers like IRC, Proxies and Bots to operate.

We choose SFTP instead of FTP.

 

Nothing is hack proof but it is in our hands to make their life a bit more difficult and be proactive!

 

Cheers,

George


Honestly, PrestaShop has done a really stand-up job with security and this software. My previous software was osCommerce and then I used CRE Loaded. I had all sorts of issues. I really had to stay on top of it.

 

Honestly, the main issue I see for people is issues on your personal computer. There is a virus out there that will open up your FTP and add an iframe and code to every index.xxx page on your site.

 

People figuring out where your /admin folder is. You might want to rename it every once in a while. CRE Loaded had a bug where you could type some stuff into the URL and view the whole admin of a site ;(

 

I've been around the block and I really feel this is good software to use. But as hackers go, where there is a will there is a way. Will my store get hacked some day? Probably. Will I do what I can to keep it from happening? Yes.

 

 

So here are some other things you can do if you're paranoid.

Password protect your admin folder with .htaccess.

I also only allow 2 IP addresses to have access to my admin section through .htaccess. I just remove it when there is someone I want to have access.

 

Apache can be set up so that any time someone tries to log in and fails after so many attempts they will be banned. You can also get it set to email you on failed login attempts. This is to protect your cPanel.


  • 1 year later...

GKONTOS is correct when he states: As a good rule of thumb, keep 644 for files and 755 for folders.

Unfortunately quite some settings have to be changed for setup purposes.

I used to work with Magento; I had a clear list of the exceptions to be maintained, like the var/cache and var/session directories as well as a directory for uploading, and even a set of SSH chmod commands to do the complete job.

I have looked around but cannot seem to find a list like this for Prestashop.

What exceptions are to be maintained for optimal security?

TIA


These dirs are all set to writing enabled (777) at installation time; should they be reset to 775 after install?
  • ~/config/
  • ~/cache/
  • ~/log/
  • ~/img/
  • ~/mails/
  • ~/modules/
  • ~/themes/default/lang/
  • ~/themes/default/pdf/lang/
  • ~/themes/default/cache/
  • ~/translations/
  • ~/upload/
  • ~/download/
  • ~/sitemap.xml

Edited by hugosnel
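One way to act on the 644/755 rule of thumb from earlier in the thread and on the list of install-time writable paths above, as an added example that is not from any poster: apply the baseline to the whole shop, then give only the listed paths group write (775/664) with the group set to the web server's account, so nothing needs to stay 777, and finish with a check that no world-writable entry remains. SHOP_ROOT and WEB_GROUP are assumed values to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the thread): harden a PrestaShop document root.
# Assumptions: SHOP_ROOT is the install path, WEB_GROUP is the group the
# web server runs as (e.g. www-data); both are placeholders to adjust.
SHOP_ROOT="${SHOP_ROOT:-/var/www/prestashop}"
WEB_GROUP="${WEB_GROUP:-www-data}"

# Paths the thread lists as 777 after installation, relative to the root.
WRITABLE_DIRS="config cache log img mails modules themes/default/lang \
themes/default/pdf/lang themes/default/cache translations upload download"
WRITABLE_FILES="sitemap.xml"

harden_permissions() {
  root="$1"; group="$2"
  # Baseline for everything: 755 directories, 644 files, no world write.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Only the install-time writable paths get group write, with the group
  # set to the web server's account instead of opening them to everyone.
  for d in $WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    chgrp -R "$group" "$root/$d"
    find "$root/$d" -type d -exec chmod 775 {} +
    find "$root/$d" -type f -exec chmod 664 {} +
  done
  for f in $WRITABLE_FILES; do
    [ -f "$root/$f" ] || continue
    chgrp "$group" "$root/$f" && chmod 664 "$root/$f"
  done
}

# Verification: number of entries still writable by "other"; expect 0.
count_world_writable() {
  find "$1" -perm -o+w | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
  harden_permissions "$SHOP_ROOT" "$WEB_GROUP"
  echo "world-writable entries left: $(count_world_writable "$SHOP_ROOT")"
fi
```

Run it as the account that owns the shop files; if your host does not let you change group ownership, the chgrp calls fail and that is exactly the case where the thread says world-writable directories become unavoidable.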

  • 2 months later...

Hi all, great topic! I've been burned before by hackers on a Joomla site I have and it was terrible: porn links everywhere and pirate code all over the place. It was such a small site too; don't know why anyone would be interested in hacking it :((( It all made me sick to my stomach as I did not have a backup.

 

With PrestaShop, can I assume that if I...

 

1) have a complete local backup of my shop on my computer and elsewhere (external HD).

2) have database backed up on web server.

 

... then if I am hacked I can just replace the hacked shop files (all of them if I can't locate only the compromised code) and all will be well again?

 

Also, if my site is compromised, is my database also in trouble?

 

I pay extra to host with Rochen (www.rochen.co.uk) and when my Joomla site was hacked they said it was probably due to either someone guessing my password or entering via a PHP script, and it had nothing to do with their servers :(((

 

I REALLY do not want to be hacked since I've spent soooo many hours on my sites.

 

thanks,

jer...


You should make backups of your data frequently. Moreover, I think that your webhosting provider should do it for you.

Anyway, I think that PrestaShop is a very safe store without "breakpoints". Joomla is a very unsafe script, so you were hacked not by hackers but by automatic robots / crawlers etc.
