...
Much of the advice in this guide requires you to edit the php.ini file, found in your server's PHP install folder (not in PrestaShop's folder).
Not all hosts will allow you to edit or even access this file, so contact your host if you cannot access it.
For instance, you probably won't have access to php.ini on a shared hosting. If your host doesn't provide the required configuration by default and you cannot touch php.ini, then you should either move to a dedicated hosting, or change to a more permissive host.
Still, editing php.ini remains a technical and advanced action. If your shop does currently work well, there's no need for you to touch that file, let alone change host.
Editing the PHP configuration requires you to change some values in the php.ini file, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line: be sure to read the ones pertaining to your changes, in order to better understand them. Be careful of what you edit, as this has a direct impact on the way PHP runs, and therefore on your server's stability and even security.
Required settings
In order for PrestaShop 1.4.x to run properly, your PHP installation must feature the following settings and libraries:
- MySQL.
- GD library.
- Dom extension.
- allow_url_fopen.
The MySQL extension enables PrestaShop to access your data. PrestaShop simply cannot work without it.
...
The magic_quotes directive automatically escapes (or "adds slashes" to) all special character sequences (', ", \, NULL) in all environment variables (GET, POST, COOKIE, SERVER...). This option must be set to OFF because it will add slashes to each variable even if it does not need them. Moreover, some Web applications overlook this option, so some variables could get slashes added twice, resulting in corrupted data.
...
Warning |
---|
If you just installed MySQL, do add a password for the root account, which has no password by default. |
One MySQL user per web application
Each time you install a new web application on your server, you must create a new MySQL user with just the necessary rights to handle that application's data. Do NOT use the same username to handle the databases for all of your installed web applications.
Thus, if you have access to a master MySQL account that can create other users, here's how you could do it using the following command line:
```
# -p alone prompts for the password ("-p PASSWORD" with a space would be read as a database name)
mysql -u USERNAME -p
```
You could also use the following SQL query:
```
mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';
```
...
```
<LIMIT GET POST>
Require valid-user
</LIMIT>
```
Indeed, <LIMIT GET POST>
Making your PrestaShop install more secure
...
- Secure your back-office
  - Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as "my4dm1n".
  - Protect your admin folder with the .htaccess and .htpasswd files, or ask your web host to do it for you.
  - Do not let your browser keep trace of your password (cookie or any other helper).
  - Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can and should use a password generator, such as PCTools's or GRC's.
- Securing your PHP installation
  - See the required and recommended PHP settings, at the beginning of this very guide.
- Always delete the /install folder after having installed or updated PrestaShop.
- Always delete useless files from production server:
  - all readme_xx.txt files.
  - the CHANGELOG file.
  - the /docs folder.
- Forbid access to your theme's files/templates, using a .htaccess file with the following content:
  ```
  <FilesMatch "\.tpl$">
  order deny,allow
  deny from all
  </FilesMatch>
  ```
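As an added example (not part of the PrestaShop documentation), the shell function below checks an install against the checklist above and reports every item that is still open. The `ADMIN_DIR_NAME` argument, the `themes/<name>/` layout and the placement of one `.htaccess` per theme folder are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a PrestaShop 1.4.x directory against the checklist above.
# Usage: audit_prestashop SHOP_ROOT ADMIN_DIR_NAME   (both arguments are
# assumptions of this example; ADMIN_DIR_NAME is the renamed back-office folder)
# Prints one "FINDING:" line per problem and returns 1 if there is any.

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_prestashop() {
    root=$1 admin=$2 findings=0

    # /install must go after an install or update; /admin must be renamed.
    [ -d "$root/install" ] && flag "/install folder still present"
    [ -d "$root/admin" ] && flag "/admin folder has not been renamed"

    # The back-office folder should require a login checked against .htpasswd.
    grep -qis 'Require valid-user' "$root/$admin/.htaccess" ||
        flag "$admin/.htaccess does not require a valid user"

    # Useless files on a production server.
    for f in "$root"/readme_*.txt "$root/CHANGELOG"; do
        [ -e "$f" ] && flag "leftover file: ${f##*/}"
    done
    [ -d "$root/docs" ] && flag "/docs folder still present"

    # Assumption: themes live in SHOP_ROOT/themes/<name>/ and each one
    # carries its own .htaccess with the FilesMatch rule for .tpl files.
    for theme in "$root"/themes/*/; do
        [ -d "$theme" ] || continue
        grep -qs 'FilesMatch.*tpl' "$theme.htaccess" &&
            grep -qis 'deny from all' "$theme.htaccess" ||
            flag "no .tpl deny rule in themes/$(basename "$theme")"
    done

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_prestashop /path/to/shop my4dm1n`; a clean install prints nothing and returns 0.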
...