System Administrator Guide

This guide will help you configure a better and safer Web server.

Once this is done, you will be ready to install PrestaShop, using our Getting Started guide.

PHP configuration

Manipulating php.ini

Many of the advices in this guide require you to edit the php.ini file, found in your server's PHP install (not in PrestaShop's folder).

Not all host will allow you to edit this file, so contact your host if you cannot access it.

For instance, you probably won't have access to php.ini on a shared hosting. If your host doesn't provide the required configuration by default and you cannot touch php.ini, then you should either move to a dedicated hosting, or change to a more permissive host.

Editing the PHP configuration requires you to change some values in the php.ini file, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line, be sure to read them in order to better understand your changes. Be careful of what you edit, as this has a direct impact on the way PHP runs, and therefore on your servers stability and even security.

Required settings

Your PHP installation must feature the following settings and libraries:

The MySQL extension enables to access your data. PrestaShop simply cannot work without it.

The GD library enables PHP to dynamically manipulate images. PrestaShop uses it to resize and rework the image files that are uploaded (watermarking, trimming, etc.). Without images, an online shop loses most of its interest, so make sure that GD is enabled!

The Dom extension enables to parse XML documents. PrestaShop uses for various functionalities, like the Store Locator. It is also used by some modules, as well as the pear_xml_parse library.

The allow_url_fopen directive enables modules to access remote files, which is an essential part of the payment process, among others things. It is therefore imperative to have it set to ON.

In short, it is imperative to have the following directives set to the indicated values:

extension = php_mysql.dll
extension = php_gd2.dll
allow_url_fopen = On

Recommended settings

Your PHP installation should feature the following settings and libraries, for best experience:

Having GZip support enables the web server to pack web pages, images and scripts before sending them to the browser. This makes navigating the shop faster, and therefore a more agreeable experience.

The Mcrypt provides PHP with a hardened security layer, enable the use of more hashing and cryptography algorithm.

The register_globals directive, when enabled, defines all environment variables (GET, POST, COOKIE, SERVER...) as global variables. It is unsafe to use unset variables, because a user could easily set a value into this variable by using the GET method, for example. It is therefore imperative to set register_globals to OFF.

The magic_quotes directive automatically escapes (or "adds slashes") to all special character sequences (', ", \, NULL) for all environment variables (GET, POST, COOKIE, SERVER...). This option must be set to OFF because it will addslash each variable even if it does not need to be addslashed. Moreover, some Web applications overlook this option, so some variables could be addslashed twice, resulting in corrupted data.

The allow_url_include directive is used to allow to include any file via the require and include statements, even if it does not come from your Web server. This option must be set to OFF, because if one application on your web server suffers of "include vulnerability", users will be able to include any file from any server and those will be executed on your own server.

In short, it is highly recommended to have the following directives set to the indicated values:

register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off

MySQL configuration

MySQL often has an administrator account as default ("root", "admin"...), which gives access to all of the databases' content, no matter who the database is managed by. The administrator has all the rights, and can do every possible actions. You therefore need to safekeep your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password).

If you just installed MySQL, do add a password for the root account, who has no password as default.

One user per web application

Each time you install a new web application on your server, you must create a new MySQL user when just the necessary rights to handle that application's data. Do NOT use the same username to handle the databases for all of your installed web applications.

Let's say we manage MySQL with user account that can create new users. Let's do just that, using the following command line:


...or using the following SQL query:

mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';

Note that your host might give you access to an online tool to do MySQL administration tasks more easily, such as cPanel. Do use that, since you probably won't have access to the command line in that case.

Now we have a username with just enough rights to connect to the local database.

We need to allow this user to use the 'prestashop' database, and configure his rights at the same time. Here is a template for the SQL query to do that:

     > ON 'prestashop'.* TO 'new_user'@'localhost';

We now have one user just for our 'prestashop' database. Remember to do this for each new web application you add to your server.

You can now install PrestaShop safely.

Basic authentication establishment (.htaccess)

In order to better protect your PrestaShop install, we need to establish a basic authentication on the admin directory.

One of the aim of the .htaccess file is to protect your folders and all its sub-folders. It only works on Apache servers, and a few others. Make sure your web server is Apache before creating a .htaccess file.

To achieve basic authentication on your admin folder, we need to add a .htaccess file in that folder (for instance, /var/www/prestashop/admin):

AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes


Here is a sample content for the .prestashop_admin file, with a login and a password:


This file contains logins and hashed password who are allowed to access to the folder.
To hash password, you can follow this link: .htpasswd file generation.

It is strongly recommended to put this file into a directory that is inaccessible to your web applications, so before the /openbase_dir folder. It prevents .htpasswd file injection, in case one of yours web applications is vulnerable.


It is also possible to perform IP and domain restrictions using your .htaccess file:

Order Allow, Deny
Deny from all
Allow from
Allow from

However, you should not put this kind of directive:

Require valid-user


Making your PrestaShop install more secure

The recommendations below are sorted by order of importance:

  1. Secure your back-office
    1. Rename your /admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letter and number, such as "my4dm1n".
    2. Protect your admin folder with a .htaccess or .htpasswd file, or ask your web host to do it for you.
    3. Do not let your computer keep trace of your password (cookie or any other helper).
    4. Pick a complex password, by mixing letters, numbers and even punctuation marks, such as "5r3XaDR#". You can us an only password generated, such as PCTools's or GRC's.
  2. Securing your PHP installation
    1. See the required and recommended PHP settings, at the beginning of this page.
  3. Always delete the /install folder after having installed or updated PrestaShop
  4. Always delete useless files from production server:
    1. all readme_xx.txt files.
    2. the CHANGELOG file.
    3. the /docs folder.
  5. Forbid access to your theme's files/templates, using a .htaccess file with the following content:
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all

Fine-tuning & performances

This section will help you better understand configuration variables than are not handled using the back-office, but directly in configuration files.

There are four configuration files in PrestaShop, all in the /config folder: file

In production mode:

On contrary, in development/test mode, you can get help tracing possible errors by: file

Among other constant values, this file contains the location for all files and folders. If you need these changed, do not forget to keep the original at hand, in case you wish to go back to the original path. file

Improving PrestaShop's performances

Here are a few tips that should enable you to optimize PrestaShop.

Other recommendations

Safe Mode

PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having Safe Mode on can render your payment modules useless.


Your applications' PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website runs.


The PrestaShop file structure

The PrestaShop developers have done their best to clearly and intuitively separate the various parts of the software.

Here is how the files are organized: