Introduction
PrestaShop is an popular open-source ecommerce solution used by over 300,000 online stores worldwide. It offers a feature-rich admin panel and front-end to set up and manage an online store with ease.
However, like any other web application, having proper security measures in place is crucial as well. A compromised store can lead to damaged reputation, financial losses and more.
This guide takes you through a step-by-step process of installing PrestaShop and then securing it by following security best practices.
By the end of this guide, you’ll have a PrestaShop store installed and ready-to-use securely for handling real orders.
Server Requirements
Before installing PrestaShop, make sure your web server meets the minimum requirements:
- PHP 7.4 or higher (8.0 recommended)
- Required PHP Extensions: PDO MySQL, cURL, GD, OpenSSL, Mbstring, Tokenizer, JSON, XML, Zip
- MySQL 5.6 or higher (or any equivalent database)
- Web Server like Apache or Nginx
- Minimum 512MB RAM for store operations
Additionally, some PrestaShop modules may have higher technical requirements. Check module documentation for specifics.
Meeting these requirements ensures your store runs smoothly without technical issues.
Downloading & Extracting PrestaShop
First, let’s get the PrestaShop files on your server:
- Download the latest PrestaShop version from prestashop.com
- Extract the zip archive onto your web server at the desired location Example :
/var/www/html/prestashop
- The extraction results in a folder like “prestashop” containing all PrestaShop files
- Make the both the prestashop folder and its subfolders writable
$ chmod 755 -R /var/www/html/prestashop
This covers downloading and placing PrestaShop files for installation.
Database Setup
PrestaShop uses MySQL/MariaDB to store all store data.
Set up a new database and user specifically for PrestaShop:
- Login to MySQL
- Create a database for Prestashop
CREATE DATABASE prestashop;
- Create a MySQL user for Prestashop
CREATEUSER'prestashopuser'@'localhost' IDENTIFIED BY'DBp4ssw0rd';
- Grant database permissions to the user
GRANTALL PRIVILEGES ON prestashop.*TO'prestashopuser'@'localhost';
This preps a database that PrestaShop will use.
Make note of the database name, user credentials, and other details like hostname – as they will be required during PrestaShop installation.
With files downloaded and database ready, let’s proceed with the actual PrestaShop installation.
PrestaShop Installation
The PrestaShop installer takes you step-by-step through the quick installation process:
- Open your web browser and access the PrestaShop folder
- Example URL: http://yourdomain.com/prestashop
- Language Selection :
- Choose language for the installation process
- License Agreement
- Review and accept the open-source license terms
- System Compatibility Check
- The installer checks server for compatibility
- Displays PHP settings and required settings
- Ensure all requirements are met
- Store Information Enter store name, country, timezone etc
- Database Configuration
- Enter the database details set up earlier
- The installer connects to the database
- Store Installation
- Installer creates database tables
- Stores default store data
- Store Ready
- Front-end site and admin panel ready!
With the setup completed, let’s access the admin panel for first-time tasks.
Admin Account Setup
Once installed, access the PrestaShop admin panel:
http://yourdomain.com/prestashop/admin786elw8k
Enter credentials created during installation.
Then, proceed with admin account configuration:
- Choose Password Set a strong password for the admin account
- Opt out of Partner Offers Uncheck box to avoid promotional content
You now have access to the PrestaShop Dashboard.
Before launching your live store, the next step is properly securing your PrestaShop installation.
Securing PrestaShop for Production Use
Out of the box, PrestaShop works well but is not ready for immediate public access.
Certain security measures need to be taken for a production site handling real user data and transactions.
Here are key tips to secure your PrestaShop store:
Disable Demo Mode
If enabled, disable Demo Mode under Advanced Parameters:
Go to: Preferences > General > Enable Shop Demo Mode
Set to: No
Demo mode is meant for module testing purposes and bypasses normal security checks. Keep disabled for a live site.
Set Admin Folder
The default admin folder admin786elw8k
is publicly guessable.
Change it to a random difficult-to-guess sequence:
Go to: Preferences > General > Set Admin Folder
Example: ab5dz931tz
This obscures access to your admin panel.
Remove Install Folder
Delete the install folder from your server:
/var/www/html/prestashop/install
This removes remnants from the installation process, preventing malicious use.
Disable Friendly Error Pages
In production mode, disable friendly error pages meant for development:
Go to: Preferences > General > Disable Friendly Error
Set Error Reporting to: No
Display Errors to: No
This prevents exposing sensitive error messages to public users.
Use HTTPS
Configure PrestaShop for HTTPS access only:
- Obtain an SSL certificate
- Enable HTTPS on your web server
- Force SSL on all PrestaShop Pages
Enforcing HTTPS ensures login forms and payments are encrypted for security against attacks.
Update PHP Version
Use PHP 7.4+ which still has security support:
PHP 7.2 will reach End of Life in Nov 2023
Upgrade to a supported PHP version like 7.4 or 8.0
Latest PHP versions have critical security fixes and improved performance.
Strong Admin Password
Ensure you set a very strong password for the admin account.
14+ random characters containing upper/lowercase letters, numbers and symbols.
Weak admin passwords are targeted in automated credential stuffing attacks.
Use Captchas
Enable and use captchas in areas prone to automated attacks:
- Login Page
- Forgot Password Page
- Contact Form
Captchas block automated bots making fake login attempts, spam contact forms etc.
Update Regularly
Keep PrestaShop and installed modules updated:
Go to: Advanced Parameters > Modules > Modules & Services
Check and install available upgrades
Updates contain vital security fixes and improvements.
Proper File Permissions
Use principle of least privilege for file permissions:
Example safe permissions:
Folders: 755
Files: 644
Unsafe: 777 (full access for all)
This minimizes impact if a file is somehow compromised.
Other Security Tips
- Limit number of admin users
- Use only reputable modules from Prestashop Marketplace
- Remove any unused modules
- Schedule regular malware scans of files
- Audit logs regularly for signs of intrusions
Be vigilant and follow security best practices for threat prevention.
Conclusion
There you have it – a comprehensive guide to getting PrestaShop installed securely from start to finish.
Following these key steps allows you to:
- Get PrestaShop up and running smoothly
- Configure core settings correctly from the start
- Harden security to prevent attacks against your live store
- Set up maintenance for keeping PrestaShop secure
You can now proceed with customizing your online store, adding products, setting up payments and fulfilment integrations.
Execute proper security measures as outlined here for threat prevention throughout your ecommerce journey.
This establishes a robust foundation for the success and security of your PrestaShop business!