Versions Compared

...

The recommendations below are sorted by order of importance:

  1. Secure your back office
    1. Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
    2. Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser keep traces of your password (cookie or any other helper).
    4. Pick a complex password by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as Symantec's (http://www.pctools.com/guides/password/) or GRC's (https://www.grc.com/passwords.htm).

      Tip

      Safer than a password: you can use a passphrase. Not only is a passphrase easier to remember, but it is also much harder to crack, even when the attacker is using automated tools (brute-force or dictionary attacks).

      A passphrase only needs to be long and easy to remember for you. Any popular saying should do ("Don’t Throw the Baby Out with the Bathwater"), but an absurd phrase will have even less risk of being discovered by a hacker. For instance, "Many reckless drivers confuse tractor with record sleeves".

      There are some good passphrase generators online, which help you get a unique phrase for you only. For instance: http://passphra.se/ or http://www.fourmilab.ch/javascrypt/pass_phrase.html.

      PrestaShop's passwords are not limited in either number of characters or types of characters.

  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this very guide.
  3. Always delete the /install folder after having installed or updated PrestaShop
  4. Always delete useless files from production server:
    1. All readme_xx.txt files.
    2. The CHANGELOG file.
    3. The /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:

    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>

...

This section will help you better understand the configuration variables that are not handled through the back office, but directly in configuration files.

...

You can also enable the code profiling tool, which displays a lot of information at the bottom of every page: change the define('_PS_DEBUG_PROFILING_', false); line to true, then open any front office or back office page. At the bottom of it, you will find a summary of the page loading performance. Note that you should really disable your store while doing this, so that visitors cannot see this information.

...

  • $smarty->caching = false; Smarty's cache system must be disabled, because it is not compatible with PrestaShop.
  • IMPORTANT: in production mode, $smarty->force_compile must be set to "false", as it will give a 30% improvement on page load time. On the other hand, when editing a .tpl file, you will have to delete the content of the /tools/smarty/compile folder (except index.php) in order to see the changes live. Note that this setting can also be done in the back office, in the "Advanced parameters" > "Performance" page, in the "Smarty" section.
  • $smarty->compile_check should be left to "false".
  • $smarty->debugging gives you access to Smarty's debugging information when your pages are displayed.
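As an added example (not part of the PrestaShop guide or its code), a small Python audit that checks an install tree against the checklist above (renamed admin folder, deleted /install, /docs, CHANGELOG and readme files, .tpl rule in .htaccess) and the production values of the configuration variables just described. The config file path config/settings.inc.php and the constructed sample trees are assumptions made for the example.

```python
import re, tempfile
from pathlib import Path

# Production values the guide expects for the settings kept in PHP config files.
EXPECTED = {"_PS_DEBUG_PROFILING_": "false", "caching": "false",
            "force_compile": "false", "compile_check": "false"}
TPL_RULE = re.compile(r'<FilesMatch\s+"\\\.tpl\$">')  # the .htaccess rule above

def php_setting(source, name):
    """Literal assigned by define('NAME', x) or $smarty->name = x; (None if absent)."""
    m = (re.search(r"define\(\s*'%s'\s*,\s*(\w+)\s*\)" % re.escape(name), source)
         or re.search(r"\$smarty->%s\s*=\s*(\w+)\s*;" % re.escape(name), source))
    return m.group(1).lower() if m else None

def audit(root, php_config="config/settings.inc.php"):  # config path is an assumption
    """Return the checklist items that fail under root (empty list = all pass)."""
    root, findings = Path(root), []
    if (root / "admin").is_dir():
        findings.append("admin folder still named /admin: rename it")
    leftovers = ["install", "docs", "CHANGELOG"] + [f.name for f in root.glob("readme_*.txt")]
    for name in sorted(leftovers):
        if (root / name).exists():
            findings.append(f"{name} still on the server: delete it")
    ht = root / ".htaccess"
    if not (ht.is_file() and TPL_RULE.search(ht.read_text())):
        findings.append(".htaccess has no FilesMatch rule denying *.tpl")
    src = (root / php_config).read_text() if (root / php_config).is_file() else ""
    for name, want in EXPECTED.items():
        got = php_setting(src, name)
        if got != want:
            findings.append(f"{name} is {got}, expected {want}")
    return findings

def build_sample(hardened):
    """Write a constructed install tree (not a real shop) to a temp dir; return its path."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "config" / "settings.inc.php"
    cfg.parent.mkdir()
    if hardened:
        (root / "my4dm1n").mkdir()
        (root / ".htaccess").write_text('<FilesMatch "\\.tpl$">\norder deny,allow\ndeny from all\n</FilesMatch>\n')
        cfg.write_text("define('_PS_DEBUG_PROFILING_', false);\n$smarty->caching = false;\n"
                       "$smarty->force_compile = false;\n$smarty->compile_check = false;\n")
    else:
        for d in ("admin", "install", "docs"):
            (root / d).mkdir()
        (root / "CHANGELOG").touch()
        (root / "readme_en.txt").touch()
        cfg.write_text("define('_PS_DEBUG_PROFILING_', true);\n$smarty->force_compile = true;\n")
    return root
```

Running audit() against a real install root prints nothing useful on its own; iterate over the returned list and fix each item before going to production.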

...