...

Much of the advice in this guide requires you to edit the php.ini file, found in your server's PHP install folder (not in PrestaShop's folder).

Not all hosts will allow you to edit or even access this file, so contact your host if you cannot access it.

...

The DOM extension enables PHP to parse XML documents. PrestaShop uses it for various features, such as the Store Locator. It is also used by some modules, as well as by the pear_xml_parser library.

The allow_url_fopen directive enables modules to access remote files, which is an essential part of the payment process, among other things. It is therefore imperative to have it set to ON.

...

The Mcrypt extension provides PHP with a cryptography layer, which enables the use of more hashing and encryption algorithms.

The register_globals directive, when enabled, turns all request variables (GET, POST, COOKIE, SERVER...) into global PHP variables. Using an uninitialised variable then becomes unsafe, because a user could easily set its value through a GET parameter, for example. It is therefore imperative to set register_globals to OFF.
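As an added check (example code, not from the guide): a POSIX shell script that reads a php.ini and reports whether allow_url_fopen and register_globals carry the values required above. It assumes a php.ini in the usual "name = value" form.

```shell
#!/bin/sh
# Added example, not part of the PrestaShop guide: read a php.ini and check the
# two directives the guide insists on (allow_url_fopen On, register_globals Off).
# Usage: check_prestashop_ini /path/to/php.ini ; exit status = number of problems.
# Extensions such as DOM and Mcrypt are not visible in php.ini alone; confirm
# them with "php -m" on the server.

# Effective value of a directive: the last uncommented "name = value" line wins,
# as in PHP itself. Surrounding quotes are dropped and the value is lower-cased.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([A-Za-z0-9]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Map PHP's boolean spellings (On/True/Yes/1, Off/False/No/0/None) to on/off.
ini_bool() {
    case "$1" in
        on|true|yes|1)       echo on ;;
        off|false|no|0|none) echo off ;;
        *)                   echo "$1" ;;
    esac
}

# check_bool FILE DIRECTIVE EXPECTED DEFAULT: a directive absent from the file
# takes PHP's built-in DEFAULT (register_globals no longer exists from PHP 5.4 on).
check_bool() {
    raw=$(ini_get "$1" "$2")
    if [ -z "$raw" ]; then
        actual=$(ini_bool "$4"); note=" (not set, PHP default)"
    else
        actual=$(ini_bool "$raw"); note=""
    fi
    if [ "$actual" = "$3" ]; then
        echo "OK    $2 = $actual$note"; return 0
    fi
    echo "FAIL  $2 = $actual$note, expected $3"; return 1
}

check_prestashop_ini() {
    problems=0
    check_bool "$1" allow_url_fopen  on  on  || problems=$((problems + 1))
    check_bool "$1" register_globals off off || problems=$((problems + 1))
    return "$problems"
}
```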

...

This file contains the logins and hashed passwords of the users who are allowed to access the folder.
To hash a password, you can use a .htpasswd file generator: http://aspirine.org/htpasswd_en.html.

...

  1. Secure your back-office
    1. Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
    2. Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser keep traces of your password (cookie or any other helper).
    4. Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).

      Tip

      Safer than a password: you can use a passphrase. Not only is a passphrase easier to remember, but it is also much harder to crack, even when the hacker is using automatic tools (brute force attack or dictionary attack).

      A passphrase only needs to be long and easy to remember for you. Any popular saying should do ("Don’t Throw the Baby Out with the Bathwater"), but an absurd phrase will have even less risk of being discovered by a hacker. For instance, "Many reckless drivers confuse tractor with record sleeves".

      There are some good passphrase generators online, which help you get a unique phrase for you only. For instance: http://passphra.se/ or http://www.fourmilab.ch/javascrypt/pass_phrase.html.

      PrestaShop's passwords are not limited in either number of characters or types of characters.

  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this very guide.
  3. Always delete the /install folder after having installed or updated PrestaShop
  4. Always delete useless files from the production server:
    1. All readme_xx.txt files.
    2. The CHANGELOG file.
    3. The /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:

    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
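An added audit script (example code, not part of the guide) that checks a document root for the items in steps 1, 3 and 4 above: leftover /install, /docs, CHANGELOG and readme files, a back-office folder still named /admin, and whether the renamed folder carries .htaccess and .htpasswd with hashed entries. The renamed folder's name is passed as a parameter, since it is chosen by the shop owner.

```shell
#!/bin/sh
# Added example, not part of the PrestaShop guide: audit a PrestaShop document
# root for the leftovers the guide says to delete and for the back-office
# protections it asks for.
# Usage: audit_prestashop_root /var/www/shop my4dm1n ; exit status = findings.
audit_prestashop_root() {
    root="$1"; admin="$root/$2"; findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Files and folders that must not survive on a production server
    [ -e "$root/install" ]   && flag "/install folder still present"
    [ -e "$root/docs" ]      && flag "/docs folder still present"
    [ -e "$root/CHANGELOG" ] && flag "CHANGELOG file still present"
    for f in "$root"/readme_*.txt; do
        [ -e "$f" ] && flag "$(basename "$f") still present"
    done

    # The default /admin name must be changed after installation
    [ -d "$root/admin" ] && flag "back-office folder still has the default name /admin"

    # The renamed back-office folder needs both .htaccess and .htpasswd, and
    # every .htpasswd entry should use a recognised hash (apr1, bcrypt or SHA)
    # rather than a clear-text or legacy crypt() password.
    if [ ! -d "$admin" ]; then
        flag "back-office folder $2 not found under $root"
    else
        [ -f "$admin/.htaccess" ] || flag "$2/.htaccess missing"
        if [ ! -f "$admin/.htpasswd" ]; then
            flag "$2/.htpasswd missing"
        elif grep -Ev '^(#|$)' "$admin/.htpasswd" \
                | grep -Evq '^[^:]+:(\$apr1\$|\$2[aby]\$|\{SHA\})'; then
            flag "$2/.htpasswd has entries with a clear-text or unrecognised hash"
        fi
    fi
    return "$findings"
}
```

Entries can also be created locally with Apache's htpasswd tool (htpasswd -nB username prints a bcrypt entry), which avoids typing the back-office password into a third-party web form.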

...

Among other constant values, this file contains the location for all files and folders. If you need these changed, do not forget to keep the original at hand, in case you wish to go back to the original path.

smarty.config.inc.php file

  • $smarty->caching = false;: Smarty's cache system must be disabled because it is not compatible with PrestaShop.
  • IMPORTANT: in production mode, $smarty->force_compile must be set to "false", as it will give a 30% improvement on page load time. On the other hand, when editing a .tpl file, you will have to delete the content of the /tools/smarty/compile folder (except index.php) in order to see the changes live. Note that this setting can also be changed in the back-office, in the "Advanced parameters" > "Performance" page, in the "Smarty" section.
  • $smarty->compile_check should be left to "false".
  • $smarty->debugging gives you access to Smarty's debugging information when your pages are displayed.

...

Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. Opcode means "operation code", and defines the compiled state of the dynamic files, which can then be processed faster.
PrestaShop is compatible with eAccelerator (http://eaccelerator.net/) as well as the new OPcache feature from PHP 5.5.0: http://www.php.net/manual/en/intro.opcache.php.

Improving MySQL performance

...

If possible, split your static elements between different domains and sub-domains, in order to get parallel HTTP connections. To put that in place, open the /config/defines.inc.php file and add these lines (adapted to your needs):

...

Here are the directives you should put in your nginx.conf file in order to make friendly URLs work:

...

If your installation of PrestaShop is using the multistore mode, you need to add a few lines for each store. For instance, if one of your stores is called "high-tech":

location /PRESTASHOP_FOLDER/high-tech/ {
  rewrite ^/PRESTASHOP_FOLDER/high-tech/(.*)$ /PRESTASHOP_FOLDER/$1 last;
  try_files $uri $uri/ /PRESTASHOP_FOLDER/index.php?$args;
}

...

  • /admin: contains all the PrestaShop files pertaining to the back-office. When accessing this folder with your browser, you will be asked to provide proper identification, for security reasons. Important: you should make sure to protect that folder with .htaccess and .htpasswd files!
  • /cache: contains temporary folders that are generated and re-used in order to alleviate the server's load.
  • /classes: contains all the files pertaining to PrestaShop's object model. Each file represents (and contains) a PHP class, and its methods/properties.
  • /config: contains all of PrestaShop's configuration files. Unless asked to, you should never edit them, as they are directly handled by PrestaShop's installer and back-office.
  • /controllers: contains all the files pertaining to PrestaShop controllers – as in Model-View-Controller (or MVC), the software architecture used by PrestaShop. Each file controls a specific part of PrestaShop.
  • /css: contains all CSS files that are not attached to themes – hence, these are mostly used by the PrestaShop back-office.
  • /docs: contains some documentation. Note: it should be deleted in a production environment.
  • /download: contains your digital products, which can be downloaded: PDFs, MP3s, etc.
  • /img: contains all of PrestaShop's default images, icons and picture files – that is, those that do not belong to the theme. This is where you can find the pictures for product categories (/c sub-folder), those for the products (/p sub-folder) and those for the back-office itself (/admin sub-folder).
  • /install: contains all the files related to PrestaShop's installer. You will be required to delete it after installation, in order to increase security.
  • /js: contains all JavaScript files that are not attached to themes. Most of them belong to the back-office. This is also where you will find the jQuery framework.
  • /localization: contains all of PrestaShop's localization files – that is, files that contain local information, such as currency, language, tax rules and tax rules groups, states and the various units in use in the chosen country (i.e., volume in liter, weight in kilograms, etc.).
  • /log: contains the log files generated by PrestaShop at various stages, for instance during the installation process.
  • /mails: contains all HTML and text files related to e-mails sent by PrestaShop. Each language has its specific folder, where you can manually edit their content if you wish.
  • /modules: contains all of PrestaShop's modules, each in its own folder. If you wish to remove a module permanently, first uninstall it from the back-office; only then can you delete its folder.
  • /override: this is a special folder that appeared with PrestaShop 1.4. By using PrestaShop's regular folder/filename convention, it is possible to create files that override PrestaShop's default classes or controllers. This enables you to change PrestaShop's core behavior without touching the original files, keeping them safe for the next update.
  • /pdf: contains all the template files (.tpl) pertaining to the PDF file generation (invoice, delivery slips, etc.). Change these files in order to change the look of the PDF files that PrestaShop generates.
  • /themes: contains all the currently-installed themes, each in its own folder.
  • /tools: contains external tools that were integrated into PrestaShop. For instance, this is where you'll find Smarty (template/theme engine), FPDF (PDF file generator), Swift (mail sender) and PEAR XML Parser (PHP tool).
  • /translations: contains a sub-folder for each available language. However, if you wish to change the translation, you must do so using the PrestaShop internal tool, and not edit them directly in this folder.
  • /upload: contains the files that would be uploaded by clients for customizable products (for instance, a picture that a client wants printed on a mug).
  • /webservice: contains files that enable third-party applications to access PrestaShop through its API.

...

  1. Put your shop in maintenance mode, so as to not lose new customers or orders while moving the data.
    Go to your back-office, and under the "Preferences" menu, open the "Maintenance" page and set the "Enable shop" option to "No".
  2. Move your files:
    1. Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
    2. Transfer your files to your new host: connect to the FTP server for your new host, and upload, as is, all the files and folders that you just downloaded to your local hard-drive.
  3. Move your data:
    1. Make a backup of your database (a "dump"): connect to phpMyAdmin, click on the "Export" tab, select the database of your PrestaShop installation, and click the "Go" button. Save the downloaded file on your hard-drive. If phpMyAdmin times out before it is able to export all your data, contact your host.
    2. Transfer the SQL dump to the new database: connect to the new server's phpMyAdmin, click on the "Import" tab, click the "Browse..." button, find the SQL file you just downloaded, and click the "Go" button to upload it. If phpMyAdmin times out before it is able to import all your data, contact your new host.
  4. Configure your shop:
    1. On the new server, open the /config/settings.inc.php file and update the settings for the new database server (with your own settings instead of the examples here):
      • define('_DB_SERVER_', 'sql.domainname.com');
      • define('_DB_NAME_', 'prestashop');
      • define('_DB_USER_', 'PS-user');
      • define('_DB_PASSWD_', 'djsf15');
      • define('_DB_PREFIX_', 'ps_');
    2. (1.4 and earlier) In that same file, update the Base URI setting ('/' being the server root):
      • define('__PS_BASE_URI__', '/prestashop/');
    3. Log in to your back-office, go to the "Preferences" menu, select the "SEO & URLs" page, and in the "Set shop URL" section change the domain name to your new domain. Do the same for the SSL domain.
      In effect, this will update the "ps_shop_url" SQL table (as well as the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table, for retrocompatibility reasons).
  5. Connect to your new FTP server and delete everything except the index.php files in the following folders:
    • /cache/smarty/cache
    • /cache/smarty/compile
  6. Go to your back-office, and in the "Maintenance" preference page, set the "Enable shop" option back to "Yes".

You should be good to go! Check that all the links are functioning, that all your products, images, modules and themes are still there, and try to create a new account and place an order so as to make sure your shop is working as expected.

...

  1. Put your shop in maintenance mode, so as to not lose new customers or orders while moving the data.
    Go to your back-office, and under the "Preferences" menu, open the "Maintenance" page and set the "Enable shop" option to "No".
  2. Move your files
    1. Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
    2. Transfer your files to your new host: connect to the FTP server for your new host, and upload, as is, all the files and folders that you just downloaded to your local hard-drive.
  3. Configuration
    1. On the new server, open the /config/settings.inc.php file and update the settings for the new database server (with your own settings instead of the examples here):
      • define('_DB_SERVER_', 'sql.domainname.com');
      • define('_DB_NAME_', 'prestashop');
      • define('_DB_USER_', 'PS-user');
      • define('_DB_PASSWD_', 'djsf15');
      • define('_DB_PREFIX_', 'ps_');
    2. (1.4 and earlier) In that same file, update the Base URI setting ('/' being the server root):
      • define('__PS_BASE_URI__', '/prestashop/');
    3. Log in to your back-office, go to the "Preferences" menu, select the "SEO & URLs" page, and in the "Set shop URL" section change the domain name to your new domain. Do the same for the SSL domain.
      In effect, this will update the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table.
    4. In your back-office, go to the "Tools" tab, "Generators" sub-tab, and regenerate both the .htaccess and robots.txt files.
  4. Connect to your new FTP server and delete everything except the index.php files in the following folders:
    • /tools/smarty/cache
    • /tools/smarty/compile
    • /tools/smarty_v2/cache
    • /tools/smarty_v2/compile
  5. Go to your back-office, and in the "Maintenance" preference page, set the "Enable shop" option back to "Yes".

You should be good to go! Check that all the links are functioning, that all your products, images, modules and themes are still there, and try to create a new account and place an order so as to make sure your shop is working as expected.