Child pages
  • System Administrator Guide

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


This guide will help you configure a walled Web server.

PHP configuration

Basic configuration


Manipulating php.ini

Many of the advices in this PHP require you to edit edit the php.ini file, found in your server PHP install (not in PrestaShop's folder).

Not all host will allow you to edit this file, so contact your host if you cannot access it. Editing the php.ini file

For instance, you probably won't have access to php.ini on a shared hosting. If your host doesn't provide the required configuration by default and you cannot touch php.ini, then you should either move to a dedicated hosting, or change to a more permissive host.

Editing the PHP configuration requires you to change some values in the php.ini file, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line, be sure to read them in order to better understand your changes. Be careful of what you edit, as this has a direct impact on the way PHP runs, and therefore on your servers stability and even security.

Required settings

Your PHP installation must feature the following settings and libraries:

  • MySQL (not through the mysqli extension or the PDF library).
  • GD library.
  • Dom extension.

The MySQL extension enables to access your data. PrestaShop simply cannot work without it.

The GD library si a library that enables PHP to dynamically manipulate images. PrestaShop uses it to resize and rework the image files that are uploaded (watermarking, trimming, etc.). Without images, an online shop loses most of its interest, so make sure that GD is enabled.

The allow_url_fopen directive enables modules to access remote files, which is an essential part of the payment process, among others things. It is therefore imperative to have it set to ON.

In short, it is imperative to have the following directives set to the indicated values:

Code Block

allow_url_fopen = On

Recommended settings

Your PHP installation should feature the following settings and libraries, for best experience:

  • GZIP support.
  • Mcrypt library.
  • register_globals disabled.
  • magic_quotes disabled.
  • allow_url_include disabled

Having GZip support enables the web server to pack web pages, images and scripts before sending them to the browser. This makes navigating the shop faster, and therefore a more agreeable experience.

The Mcrypt provides PHP with a hardened security layer, enable the use of more hashing and cryptography algorithm.

The register_globals directive, when enabled, defines all environment variables (GET, POST, COOKIE, SERVER...) as global variables. It is unsafe to use unset variables, because a user could easily set a value into this variable by using the GET method, for example. It is therefore imperative to set register_globals to OFF.


The allow_url_include directive is used to allow to include any file via the require and include statements, even if it does not come from your Web server. This option must be set to OFF, because if one application on your web server suffers of "include vulnerability", users will be able to include any file from any server and those will be executed on your own server.

In short, it is imperative good practice to find have the following directives , and change their values to "Off"set to the indicated values:

Code Block
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off


You can also check on a few sessions-related directive in order to improve your server's handling of these.


session.save_handler = files
session.save_path = "/var/www/sessions"
session.use_cookies = 1 = PHPSESSID
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php


  • session.save_handler: defines the name of the handler which is used for storing and retrieving data associated with a session.
  • session.save_path: defines the argument which is passed to the save handler.
  • session.use_cookie: specifies whether the server will use cookies to store the session id on the client side.
  • specifies the name of the session which is used as cookie name.
  • session.cookie_path: specifies path to set in the session cookie.
  • session.cookie_domain: specifies the domain to set in the session cookie (default: "/"). If it is empty, the server's host name will be used according to the cookie's specifications.
  • session.cookie_httponly: Marks the cookie as accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
  • session.serialize_handler: defines the name of the handler which is used to serialize/deserialize data.
  • For more informations about session:

MySQL configuration

MySQL often has an administrator account as default ("root", "admin"...), which gives access to all of the databases' content, no matter who the database is managed by. The administrator has all the rights, and can do every possible actions. You therefore need to safekeep your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password).


You can now install PrestaShop safely.


You can also check on a few directives to make your database more efficient:


mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off


  • mysql.allow_persistent: Turn it on if you want to enable MySQL to have persistent connections (MySQL will close its connections after several HTTP request).
  • mysql.max_persistent: Set the maximum number of persistent connections allowed by MySQL (-1 means the maximum that system can allow).
  • mysql.max_links: Set the maximum number of connections allowed by MySQL (-1 means the maximum that system can allow).
  • mysql.connec_timeout: Set the number of seconds MySQL must wait before declaring a connection as lost.
  • mysql.trace_mode: When this mode is activated, MySQL shows warnings for table/index scans, non free result sets, and SQL errors.
  • For more informations about MySQL directives:

Basic authentication establishment (.htaccess)


Code Block
Order Allow, Deny
Deny from all
Allow from
Allow from


Code Block
Require valid-user



Safe Mode

PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having Safe Mode on can render your payment modules useless.


Your applications' PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on whic which your website runs.

UNIX/BSD systems have the cron command, which enables the recurring execution of command lines, based on configuration files (named crontab). It enables you to automate application updates, and to backup your files and databases without needing an administrator to intervene.