...

Much of the advice in this guide requires you to edit the php.ini file, found in your server's PHP install folder (not in PrestaShop's folder).

Not all hosts will allow you to edit or even access this file, so contact your host if you cannot access it.

For instance, you probably won't have access to php.ini on shared hosting. If your host doesn't provide the required configuration by default and you cannot touch php.ini, then you should either move to dedicated hosting, or change to a more permissive host.

Still, editing php.ini remains a technical and advanced action. If your shop currently works well, there's no need for you to touch that file, let alone change host.

Editing the PHP configuration requires you to change some values in the php.ini file, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line: be sure to read the parts pertaining to your changes, in order to better understand them. Be careful of what you edit, as this has a direct impact on the way PHP runs, and therefore on your server's stability and even security.

Required settings

In order for PrestaShop 1.4.x to run properly, your PHP installation must feature the following settings and libraries:

  • MySQL.
  • GD library.
  • Dom extension.
  • allow_url_fopen.

The MySQL extension enables PrestaShop to access your data. PrestaShop simply cannot work without it.

...

The magic_quotes directive automatically escapes (or "adds slashes" to) all special character sequences (', ", \, NULL) in all environment variables (GET, POST, COOKIE, SERVER...). This option must be set to OFF because it escapes every variable, even those that do not need escaping. Moreover, some Web applications overlook this option, so some variables could be escaped twice, resulting in corrupted data.

...

Warning

If you just installed MySQL, do add a password for the root account, which has no password by default.

One MySQL user per web application

Each time you install a new web application on your server, you must create a new MySQL user with just the necessary rights to handle that application's data. Do NOT use the same username to handle the databases for all of your installed web applications.

Thus, if you have access to a master MySQL account that can create other users, here's how you could do it using the following command line:

Code Block
# -p on its own prompts for the password; a word after "-p " would be read as a database name
mysql -u USERNAME -p

You could also use the following SQL query:

Code Block
mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';

...

Code Block
<LIMIT GET POST>
Require valid-user
</LIMIT>

Indeed, <LIMIT GET POST>

Making your PrestaShop install more secure

...

  1. Secure your back-office
    1. Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
    2. Protect your admin folder with .htaccess and .htpasswd files, or ask your web host to do it for you.
    3. Do not let your browser keep any trace of your password (cookie or any other helper).
    4. Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as PCTools's or GRC's.
  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this guide.
  3. Always delete the /install folder after having installed or updated PrestaShop.
  4. Always delete useless files from the production server:
    1. all readme_xx.txt files.
    2. the CHANGELOG file.
    3. the /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:
    Code Block
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
    </FilesMatch>
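
The checklist above can be verified with a small script. This is an added example, not part of the original guide or of PrestaShop: the function name audit_shop and its three arguments (shop root, renamed back-office folder, theme folder holding the .htaccess file) are assumptions about your layout.

```sh
#!/bin/sh
# Added example: checks a shop directory against the hardening checklist above.
# ADMIN_DIR and THEME_DIR are supplied by the caller (assumed layout).
# Prints one finding per line; no output means every check passed.
audit_shop() {
    root=$1 admin_dir=$2 theme_dir=$3

    # 1.1 The back-office must not keep the default folder name.
    if [ -d "$root/admin" ]; then
        echo "default /admin folder is still present"
    fi
    # 1.2 The renamed back-office must demand authentication.
    if ! grep -qi 'require[[:space:]][[:space:]]*valid-user' \
            "$admin_dir/.htaccess" 2>/dev/null; then
        echo "back-office .htaccess does not require a valid user"
    fi
    # 3. The installer must be gone after an install or update.
    if [ -d "$root/install" ]; then
        echo "/install folder is still present"
    fi
    # 4. Files the checklist calls useless on a production server.
    #    An unmatched glob stays literal and simply fails the -e test.
    for f in "$root"/readme_*.txt "$root/CHANGELOG" "$root/docs"; do
        if [ -e "$f" ]; then
            echo "leftover on production: $(basename "$f")"
        fi
    done
    # 5. Templates must not be served directly: look for the FilesMatch
    #    rule on .tpl files together with "deny from all".
    ht="$theme_dir/.htaccess"
    if ! { grep -qi 'FilesMatch.*tpl' "$ht" &&
           grep -qi 'deny from all' "$ht"; } 2>/dev/null; then
        echo "theme .tpl files are not protected by .htaccess"
    fi
}

# Run as a script: audit.sh SHOP_ROOT ADMIN_DIR THEME_DIR
if [ "$#" -eq 3 ]; then
    audit_shop "$@"
fi
```

The script only reads the file system; it does not confirm that Apache actually honours .htaccess files on your host.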
    

...