...

  • GZIP support.
  • Mcrypt library.
  • register_globals disabled.
  • magic_quotes disabled.
  • allow_url_include disabled.
  • Safe mode disabled.

Having GZip support enables the web server to compress web pages, images and scripts before sending them to the browser. This makes navigating the shop faster, and therefore a more pleasant experience.

...

The allow_url_include directive allows the require and include statements to load any file, even one that does not come from your own web server. It must be set to Off: if any application on your web server suffers from an include vulnerability, users will be able to include a file from any server, and that file will be executed on your own server.

PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having Safe Mode enabled can render your payment modules useless.

In short, it is highly recommended to have the following directives set to the indicated values:

Code Block
languagenone
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
safe_mode = Off
safe_mode_gid = Off
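
As an added example (not part of this guide), the following POSIX shell script checks a php.ini file for these five directives and reports any that is not explicitly Off. The directive names and values are the guide's; the script, its sample-file layout and the constructed php.ini fragment it demonstrates on are mine.

```shell
#!/bin/sh
# Added example, not part of the PrestaShop guide: audit a php.ini file
# against the five directive values recommended above. A directive that
# is missing is reported too, so that the administrator sets it explicitly
# rather than relying on the PHP build's default.

# The directives the guide wants Off.
DIRECTIVES="register_globals magic_quotes_gpc allow_url_include safe_mode safe_mode_gid"

# ini_value FILE NAME: print "=<value>" for the last uncommented assignment
# of NAME (the last one wins, as in PHP); print nothing if NAME is not set.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/=\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_php_ini FILE: print one OK/FAIL/WARN line per directive and return
# 0 only when every directive is explicitly Off.
check_php_ini() {
    file=$1
    status=0
    for name in $DIRECTIVES; do
        raw=$(ini_value "$file" "$name")
        if [ -z "$raw" ]; then
            echo "WARN  $name is not set (add '$name = Off')"
            status=1
            continue
        fi
        # drop the "=" marker and any surrounding double quotes
        value=$(printf '%s' "${raw#=}" | sed 's/^"\(.*\)"$/\1/')
        # php.ini accepts several spellings of "off"
        case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
            off|0|false|no|none|"") echo "OK    $name = $value" ;;
            *) echo "FAIL  $name = $value (expected Off)"; status=1 ;;
        esac
    done
    return $status
}

# Demo on a constructed php.ini fragment (not a real server's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; constructed sample: two weak settings, one directive commented out
register_globals = On
magic_quotes_gpc = Off
allow_url_include = 1 ; should be Off
safe_mode = Off
; safe_mode_gid = On
EOF
check_php_ini "$SAMPLE" || echo "php.ini needs attention before going live"
rm -f "$SAMPLE"
```

To check a live server, source the script and call check_php_ini on the file reported by `php --ini`; the script only reads the file, so it is safe to run on a production host. Note that it inspects php.ini alone: a value overridden in a per-directory .htaccess or .user.ini file will not be seen.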

MySQL configuration

MySQL usually ships with a default administrator account ("root", "admin"...) that has access to the content of every database, whoever manages it. This account has all rights and can perform any action. You therefore need to protect your databases, so that your web applications do not fall victim to SQL injection (which can happen when a user succeeds in obtaining the admin password; read http://en.wikipedia.org/wiki/SQL_injection).

...

  1. Secure your back-office
    1. Rename your /admin folder after the PrestaShop installation. This is a must: you actually cannot access your PrestaShop administration until you have made that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
    2. Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser keep traces of your password (cookie or any other helper).
    4. Pick a complex password by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).
  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this very guide.
  3. Always delete the /install folder after having installed or updated PrestaShop
  4. Always delete useless files from production server:
    1. all readme_xx.txt files.
    2. the CHANGELOG file.
    3. the /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:

    Code Block
    languagenone
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
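
As an added example (not part of this guide), the following POSIX shell script walks a PrestaShop document root and reports the leftovers and gaps named in the checklist above. The paths it looks for (/admin, /install, readme_xx.txt, CHANGELOG, /docs, the .tpl rule) are the guide's; two assumptions are mine: the renamed admin folder is passed as the second argument, and the .htaccess that denies .tpl files lives in themes/. The sample tree it runs on is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the PrestaShop guide: audit a PrestaShop
# document root for the leftovers and gaps named in the checklist above.
# Assumptions (mine, not the guide's): the renamed admin folder is passed
# as the second argument, and the .tpl-denying .htaccess lives in themes/.
# One line is printed per finding; the return value is the number of findings.

audit_prestashop() {
    root=$1
    admin=$2
    findings=0

    # 1.1 the admin folder must not keep its default name
    if [ -d "$root/admin" ]; then
        echo "FINDING: $root/admin still uses the default name; rename it"
        findings=$((findings + 1))
    fi

    # 1.2 the renamed admin folder needs .htaccess and .htpasswd protection
    for f in .htaccess .htpasswd; do
        if [ ! -f "$root/$admin/$f" ]; then
            echo "FINDING: $root/$admin/$f is missing"
            findings=$((findings + 1))
        fi
    done

    # 3. /install must be deleted after every install or upgrade
    if [ -d "$root/install" ]; then
        echo "FINDING: $root/install is still present"
        findings=$((findings + 1))
    fi

    # 4. useless files on a production server
    for f in "$root"/readme_*.txt "$root/CHANGELOG"; do
        if [ -f "$f" ]; then
            echo "FINDING: $f should be deleted"
            findings=$((findings + 1))
        fi
    done
    if [ -d "$root/docs" ]; then
        echo "FINDING: $root/docs should be deleted"
        findings=$((findings + 1))
    fi

    # 5. theme templates must be denied through a FilesMatch rule on .tpl
    if ! grep -qsF '.tpl$' "$root/themes/.htaccess"; then
        echo "FINDING: $root/themes/.htaccess does not deny .tpl files"
        findings=$((findings + 1))
    fi

    return $findings
}

# Demo on a constructed tree in a temporary directory (not a real shop).
shop=$(mktemp -d)
mkdir -p "$shop/admin" "$shop/install" "$shop/docs" "$shop/themes" "$shop/my4dm1n"
: > "$shop/readme_en.txt"
: > "$shop/CHANGELOG"
audit_prestashop "$shop" my4dm1n || echo "$? finding(s) on the fresh install"
# Apply the checklist, then re-run: a clean tree returns 0.
rm -rf "$shop/admin" "$shop/install" "$shop/docs" "$shop/readme_en.txt" "$shop/CHANGELOG"
: > "$shop/my4dm1n/.htaccess"
: > "$shop/my4dm1n/.htpasswd"
printf '<FilesMatch "\\.tpl$">\norder deny,allow\ndeny from all\n</FilesMatch>\n' > "$shop/themes/.htaccess"
audit_prestashop "$shop" my4dm1n && echo "clean"
rm -rf "$shop"
```

Pointed at a real shop (`audit_prestashop /var/www/shop my4dm1n`, paths being placeholders) it only reads the tree, so it can be re-run after every upgrade, which is when /install and the readme files tend to come back.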
    

Updates

Your applications' PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website runs.

Fine-tuning & performances

...

  • Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
  • Do not forget to set $smarty->force_compile to false when in production mode, either via the smarty.inc.php file or the back-office.
  • Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator (http://eaccelerator.net/). Opcode means "operation code", and refers to the compiled state of the dynamic files, which can be processed faster.
  • If possible, split your static elements between different domains and sub-domains, in order to get parallel HTTP connections. To put that in place, open the /config/defines.inc.php file and add these lines (adapted to your needs):

    Code Block
    languagephp
    // Visitors (any client other than the local machine) fetch static assets
    // from dedicated domains, so the browser opens parallel connections.
    if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' )
    {
      define( '_THEME_IMG_DIR_',   'http://img2.xxx.com/'       );
      define( '_THEME_CSS_DIR_',   'http://css.xxx.com/'        );
      define( '_THEME_JS_DIR_',    'http://js.xxx.com/'         );
      define( '_THEME_CAT_DIR_',   'http://img1.xxx.com/c/'     );
      define( '_THEME_PROD_DIR_',  'http://img1.xxx.com/p/'     );
      define( '_THEME_MANU_DIR_',  'http://img1.xxx.com/m/'     );
      define( '_PS_IMG_',          'http://img1.xxx.com/'       );
      define( '_PS_ADMIN_IMG_',    'http://img1.xxx.com/admin/' );
    } else {
      // Local requests keep the default paths on this server.
      define( '_THEME_IMG_DIR_',   _THEMES_DIR_ . _THEME_NAME_ . '/img/' );
      define( '_THEME_CSS_DIR_',   _THEMES_DIR_ . _THEME_NAME_ . '/css/' );
      define( '_THEME_JS_DIR_',    _THEMES_DIR_ . _THEME_NAME_ . '/js/'  );
      define( '_THEME_CAT_DIR_',   __PS_BASE_URI__ . 'img/c/'            );
      define( '_THEME_PROD_DIR_',  __PS_BASE_URI__ . 'img/p/'            );
      define( '_THEME_MANU_DIR_',  __PS_BASE_URI__ . 'img/m/'            );
      define( '_PS_IMG_',          __PS_BASE_URI__ . 'img/'              );
      define( '_PS_ADMIN_IMG_',    _PS_IMG_ . 'admin/'                   );
    }


Other recommendations


Nginx friendly URLs

Most of the server instructions on this page pertain to the Apache web server, but some of you might prefer to rely on the Nginx web server. PrestaShop works well with Nginx, but is not able to generate the correct redirection rules for its Friendly URLs.

...