Child pages
  • System Administrator Guide

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of contents

Table of Contents
maxLevel3

...

System Administrator Guide

...

Many of the advices in this guide require you to edit the php.ini file, found in your server's PHP install folder (not in PrestaShop's folder).

Not all host hosts will allow you to edit or even access this file, so contact your host if you cannot access it.

...

In short, it is imperative to have the following directives set to the indicated values:

Code Block
html
html

extension = php_mysql.dll
extension = php_gd2.dll
allow_url_fopen = On

...

The Mcrypt provides PHP with a hardened security layer, enable which enables the use of more hashing and cryptography algorithm.

...

In short, it is highly recommended to have the following directives set to the indicated values:

Code Block
html
html

register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off

...

MySQL often has an administrator account as default ("root", "admin"...), which gives access to all of the databases' content, no matter who the database is managed by. The administrator has all the rights, and can do every possible actionsaction. You therefore need to safekeep your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password).

...

Thus, if you have access to a master MySQL account that can create other users, here's how you could do it using the command line:

Code Block
html
html

mysql -u USERNAME -p PASSWORD

You could also use the following SQL query:

Code Block
html
html

mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';

...

We need to allow this user to use the 'prestashop' database, and configure his rights at the same time. Here is a template for the SQL query to do that:

Code Block
html
html

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
     > ON 'prestashop'.* TO 'new_user'@'localhost';
mysql> FLUSH PRIVILEGES;

...

In order to better protect your PrestaShop install, we need to establish a basic authentication on the admin directory.

One of the aim aims of the .htaccess file is to protect your folders and all its sub-folders. It only works on Apache servers, and a few others. Make sure your web server is Apache before creating a .htaccess file.

To achieve basic authentication on your admin folder, we need to add a .htaccess file in that folder (for instance, /var/www/prestashop/admin):

Code Block
html
html

AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes

...

Here is a sample content for the .prestashop_admin file, with a login and a password:

Code Block
html
html

login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/

...

It is also possible to perform IP and domain restrictions using your .htaccess file:

Code Block
html
html

Order Allow, Deny
Deny from all
Allow from .myprestashop.com
Allow from 127.0.0.1

However, you should not put this kind of directive:

Code Block
html
html

<LIMIT GET POST>
Require valid-user
</LIMIT>

...

  1. Secure your back-office
    1. Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letter and number, such as "my4dm1n".
    2. Protect your admin folder with a the .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser keep trace traces of your password (cookie or any other helper).
    4. Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as PCTools's or GRC's.
  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this very guide.
  3. Always delete the /install folder after having installed or updated PrestaShop
  4. Always delete useless files from production server:
    1. all readme_xx.txt files.
    2. the CHANGELOG file.
    3. the /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:

    Code Block
    html
    html
    
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
    

...

  • config.inc.php: core configuration file for PrestaShop.
  • defines.inc.php: contains all of PrestaShop constant values. Previously defined in settings.inc.php.
  • settings.inc.php: contains the access information to the database, as well as the PrestaShop version number.
  • smarty.config.inc.php: contains all configuration settings pertaining to Smarty, the template/theme engine used by PrestaShop.

...

  • Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
  • Do not forget to put the $smarty->force_compile to "false" when in production mode, either via the smarty.inc.php file or the back-office.
  • Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator. Opcode means "operation code", and defines the compiled state of the dynamic files, which can be processed faster.
  • If possible, split your static elements betweens different domains and sub-domains, in order to get parallel HTTP connexions. To put that in place, open the /config/defines.inc.phpfile and add these lines (adapted to your needs):

    Code Block
    html
    html
    
    if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' )
    {
      define( '_THEME_IMG_DIR_',   'http://img2.xxx.com/'       );
      define( '_THEME_CSS_DIR_',   'http://css.xxx.com/'        );
      define( '_THEME_JS_DIR_',    'http://js.xxx.com/'         );
      define( '_THEME_CAT_DIR_',   'http://img1.xxx.com/c/'     );
      define( '_THEME_PROD_DIR_',  'http://img1.xxx.com/p/'     ); 
      define( '_THEME_MANU_DIR_',  'http://img1.xxx.com/m/'     ); 
      define( '_PS_IMG_',          'http://img1.xxx.com/'       ); 
      define( '_PS_ADMIN_IMG_',    'http://img1.xxx.com/admin/' ); 
    } else { 
      define( '_THEME_IMG_DIR_',   _THEMES_DIR_ . _THEME_NAME_ . '/img/' ); 
      define( '_THEME_CSS_DIR_',   _THEMES_DIR_ . _THEME_NAME_ . '/css/' ); 
      define( '_THEME_JS_DIR_',    _THEMES_DIR_ . _THEME_NAME_ . '/js/'  ); 
      define( '_THEME_CAT_DIR_',   __PS_BASE_URI__ . 'img/c/'            ); 
      define( '_THEME_PROD_DIR_',  __PS_BASE_URI__ . 'img/p/'            ); 
      define( '_THEME_MANU_DIR_',  __PS_BASE_URI__ . 'img/m/'            ); 
      define( '_PS_IMG_',          __PS_BASE_URI__ . 'img/'              ); 
      define( '_PS_ADMIN_IMG_',    _PS_IMG_.'admin/'                     ); 
    }
    

...

PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having the Safe Mode on enabled can render your payment modules useless.

Updates

Your applicationsapplication's PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website runs.

...

  • /admin: contains all the PrestaShop files pertaining to the back-office. When accessing this folder with your folderbrowser, you will be ask asked to provided provide proper identification, for security reasons. Important: you should make sure to protect that folder with a .htaccess or .htpasswd file!
  • /cache: contains temporary folders that are generated and re-used in order to alleviate the server's load.
  • /classes: contains all the files pertaining to PrestaShop's object model. Each file represents (and contains) a PHP class, and its methods/properties.
  • /config: contains all of PrestaShop's configuration files. Unless asked to, you should never edit them, as they are directly handled by PrestaShop's installer and back-office.
  • /controllers: contains all the files pertaining to PrestaShop controllers – as in Model-View-Controller (or MVC), the software architecture used by PrestaShop. Each file controls a specific part of PrestaShop.
  • /css: contains all CSS files that are not attached to themes – hence, these are mostly used by the PrestaShop back-office.
  • /docs: contains some documentation. Note: it should be deleted in a production environment.
  • /download: contains your digital products, which can be downloaded: PDFs, MP3s, etc.
  • /img: contains all of PrestaShop's default images, icons and picture files – that, those that do not belong to the theme. This is were where you can find the pictures for product categories (/c sub-folder, those for the products (/p sub-folder) and those for the back-office itself (/admin sub-folder}}.
  • /install: contains all the files related to PrestaShop's installer. You will be required to deleted delete it after installation, in order to increase security.
  • /js: contains all JavaScript files that are not attached to themes. Most of them belong to the back-office. This is also where you will find the jQuery framework.
  • /localization: contains all of PrestaShop's localization files – that is, files that contain local information, such as currency, language, tax rules and tax rules groups, states and the various units in use in the chosen country (i.e., volume in liter, weight in kilograms, etc.).
  • /log: contains the log files generated by PrestaShop at various stages, for instance during the installation process.
  • /mails: contains all HTML and text files related to e-mails sent by PrestaShop. Each language has its specific folder, where you can manually edit their content if you wish.
  • /modules: contains all of PrestaShop's modules, each in its own folder. If you wish to definitely remove a module, first uninstall it from the back-office, then only can you delete its folder.
  • /override: this is a special that appeared with PrestaShop 1.4. By using PrestaShop's regular folder/filename convention, it is possible to create files that override PrestaShop's default classes or controllers. This enables you to change PrestaShop core behavior without touching to the original files, keeping them safe for the next update.
  • /themes: contains all the currently-installed themes, each in its own folder.
  • /tools: contains external tools that were integrated into PrestaShop. For instance, this were you'll find Smarty (template/theme engine), FPDF (PDF file generator), Swift (mail sender), PEAR XML Parser (PHP tool).
  • /translations: contains a sub-folder for each available language. However, if you wish to change the translation, you must do so using the PrestaShop internal tool, and not edit them directly in this folder.
  • /upload: contains the files that would be uploaded by clients for customizable products (for instance, a picture that a client wants printed on a mug).
  • /webservice: contains files that enable third-party applications to access PrestaShop through its API.

Moving PrestaShop

A PrestaShop installation does seldom remain at the same physical place. There are many reasons why you would need to move your PrestaShop files and data around:

  • Moving your shop from your local computer to your online server.
  • Moving your shop from a test sub-domain to the main domain.
  • Moving your shop from one server to another.
  • Moving your shop from one domain name to another.

In all of these circumstances, you must be careful to properly move both all of your files (including the custom images, your themes, the modules you bought...) and all your data (which is contained in your MySQL database).

Moving PrestaShop to a New Server

Here are the main steps when changing servers, or copying from your local hard-drive to your online server:

  1. Put your shop in maintenance mode, so as to not lose new customers or orders while moving the data.
    Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "No".
  2. Move your files
    1. Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
    2. Transfer your files to your new host: Connect to the FTP server for your new host, and copy all the files and folders that you just downloaded to your local hard-drive, as is.
  3. Move your data
    1. Make a backup of you database (a "dump"): connect to phpMyAdmin, click on the "Export" tab, select the database of your PrestaShop installation, and click the "Go" button. Save the downloaded file on your hard-drive. If phpMyAdmin times out before it is able to export all your data, contact your host.
    2. Transfer the SQL dump to the new database: connect to the new server's phpMyAdmin, click on the "Import" tab, click the "Browse..." button, find the SQL file you just downloaded, and click the "Go" button to upload it. If phpMyAdmin times out before it is able to import all your data, contact your new host.
  4. Configuration
    1. On the new server, open the /config/settings.inc.phpfile and update the settings for the new database server (with your own settings instead of the examples here):
      • define('_DB_SERVER_', 'sql.domainname.com');
      • define('_DB_NAME_', 'prestashop');
      • define('_DB_USER_', 'PS-user');
      • define('_DB_PASSWD_', 'djsf15');
      • define('_DB_PREFIX_', 'ps_');
    2. (1.4 and earlier) In that same file, update the Base URI setting ('/' being the server root):
      • define('__PS_BASE_URI__', '/prestashop/');
    3. Log in to your Back Office, go to the "Preferences" tab, select the "SEO & URLs" sub-tab, and change the domain name to your new domain. Do the same for the SSL domain.
      In effect, this will update the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table.
    4. In your back-office, go to the "Tools" tab, "Generators" sub-tab, and regenerate both the .htaccess and robots.txt files.
  5. Connect to your new FTP server and delete everything except the index.phpfiles in the following folders:
    • /tools/smarty/cache
    • /tools/smarty/compile
    • /tools/smarty_v2/cache
    • /tools/smarty_v2/compile
  6. Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "Yes".

You should be good to go! Check that all the links are functioning, that all your products, images, modules and themes are still there, and try to create a new account and place an order so as to make sure your shop is working as expected.

Moving PrestaShop to a New Domain

Here are the main steps when moving PrestaShop to a new domain within the same server. These are mostly a simpler version of the above steps – we do not touch the data, which stays on the same MySQL server.

  1. Put your shop in maintenance mode, so as to not lose new customers or orders will moving the data.
    Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "No".
  2. Move your files
    1. Make a backup of all the files: connect to your FTP server, and copy all the files and folders to your local hard-drive.
    2. Transfer your files to your new host: Connect to the FTP server for your new host, and copy all the files and folders that you just downloaded to your local hard-drive, as is.
  3. Configuration
    1. On the new server, open the /config/settings.inc.phpfile and update the settings for the new database server (with your own settings instead of the examples here):
      • define('_DB_SERVER_', 'sql.domainname.com');
      • define('_DB_NAME_', 'prestashop');
      • define('_DB_USER_', 'PS-user');
      • define('_DB_PASSWD_', 'djsf15');
      • define('_DB_PREFIX_', 'ps_');
    2. (1.4 and earlier) In that same file, update the Base URI setting ('/' being the server root):
      • define('__PS_BASE_URI__', '/prestashop/');
    3. Log in to your Back Office, go to the "Preferences" tab, select the "SEO & URLs" sub-tab, and change the domain name to your new domain. Do the same for the SSL domain.
      In effect, this will update the "PS_SHOP_DOMAIN" and "PS_SHOP_DOMAIN_SSL" rows in the "ps_configuration" SQL table.
    4. In your back-office, go to the "Tools" tab, "Generators" sub-tab, and regenerate both the .htaccess and robots.txt files.
  4. Connect to your new FTP server and delete everything except the index.php files in the following folders:
    • /tools/smarty/cache
    • /tools/smarty/compile
    • /tools/smarty_v2/cache
    • /tools/smarty_v2/compile
  5. Go to your back-office, and under the "Preference" tab, set the "Enable shop" option to "Yes".

You should be good to go! Check that all the links are functioning, that all your products, images, modules and themes are still there, and try to create a new account and place an order so as to make sure your shop is working as expected.