Imagine waking up one morning to find you can't log in to your PrestaShop back office. "That's odd," you think. "Did I forget my password?"
Not likely. There's something more sinister going on, and it has everything to do with your PrestaShop security.
Then, you get a sinking feeling in the pit of your stomach once you piece everything together. Your store's been hacked, and you've been locked out.
Sadly, this is a reality many online entrepreneurs have had to deal with at some point. With the proper digital armor, this nightmare doesn't have to be your reality.
The Importance of PrestaShop Store Security
It's no secret that eCommerce has had a significant impact on the way people conduct online transactions. The sector has seen remarkable growth and efficiency, both of which have improved the way businesses and customers operate. Unfortunately, the growth of eCommerce has also caught the attention of bad actors.
Reports indicate that eCommerce businesses face the biggest risk from hackers. 32% of all cyberattacks target online stores, with that number expected to grow in the coming years. What's even more alarming is that a whopping 30% of all traffic to websites comprises malicious requests from bad bots.
If these numbers are anything to go by, it is evident that there's no reprieve for eCommerce business owners. Not anytime soon, anyway. Hackers are getting smarter by the day. They are constantly deploying a host of sophisticated tactics to exploit security vulnerabilities in eCommerce websites to gain access to sensitive customer and business information.
It is entirely up to online business owners to put watertight measures in place to safeguard their stores against the ever-present threat of hackers. Failure to do this can result in significant irrecoverable financial losses, reputational damage, and loss in market share. 60% of eCommerce businesses that fall victim to cyberattacks don't make it beyond the six-month mark before they close shop – permanently.
If that's not a reason to secure your PrestaShop store against the threat of hackers, we don't know what is. The survival and longevity of your business depend on it.
Understanding the Risks and Consequences of Inadequate Security
So far, we've established that adequate PrestaShop security is non-negotiable as far as running an online store goes. The majority of eCommerce businesses that have suffered a cyberattack hardly ever recover. For this reason, you need to be aware of the risks inadequate security poses to your online store and the devastating consequences of a data breach.
Risks of Inadequate PrestaShop Store Security
eCommerce security threats generally fall into one of four categories:
1. Theft of Business-Critical Information
According to the 2020 Verizon DBIR report, internal actors are responsible for roughly 30% of the data breaches that occur every year. It means that individuals who work or have worked for an organization are involved in the theft of business-critical information.
While it can be disheartening to think of the people who work for you stealing sensitive data to perpetrate their sinister motives, these data breaches aren't always done maliciously. More often than not, it is by accident. Something as simple as an employee losing their laptop or smartphone could put your eCommerce business at risk should the device end up in the wrong hands.
2. Password Breaches
Google reports that 53% of people typically "re-use" the same passwords when creating new accounts. 20% simply modify the standard pattern they use for their passwords to create new ones.
The glaring issue this poses to customer financial data in the event of a data breach is that hackers can skim personal information such as birthdays, addresses, children's names, pet names, etc., and use it to guess weak passwords.
3. Phishing Attacks
"Phishing" is a general term that refers to several different types of cyberattacks, all of which have one common denominator: Social engineering. Phishing is single-handedly responsible for 36% of all cyberattacks.
Hackers use cleverly-veiled tactics to entice unsuspecting users into clicking malicious links, volunteering sensitive information such as banking details, or entering their password, which is then used to exploit an individual, a business system, or an online store.
4. Malware Infection
Malware, short for "malicious software," is any program that covertly harvests, moves, or wipes sensitive business-critical information or personal user data. These programs can cause significant damage to a single computer, server, or an entire computer network.
While several different types of malware exist, the most common ones are keyloggers that track every keystroke you make on your phone or computer and malicious links embedded into emails and email attachments.
See also: The Complete PrestaShop Tutorial.
Consequences of Inadequate PrestaShop Store Security
A security breach on your online store can have devastating and often irremediable consequences for your eCommerce business. These can be categorized as follows:
Financial Implications
If a cyberattack on your PrestaShop store results in the theft of sensitive customer information, there's a good chance you and your business will be held liable for damages. Depending on the extent of the breach, you could be looking at footing costs related to litigation, compensating victims who have suffered monetary losses, and patching the security vulnerability responsible for the breach in the first place.
Breached Customer Trust
Consumer trust plays a major role in eCommerce conversions. People are generally wary of providing their credit card details or any sort of payment information over the internet. While this isn't necessarily a problem per se when it comes to major marketplaces like Amazon and eBay, customers may be a little hesitant when it comes to less well-known online stores.
It, in effect, means that you would have gained a shopper's unearned trust from the get-go if they decided to purchase from your store. If a security breach on your PrestaShop site results in sensitive shopper information getting into the wrong hands, regaining customer trust will be a near-impossible feat.
Damaged Brand Reputation
A single data breach can put your brand reputation in jeopardy. Customers only buy products from companies they trust. If a recent security breach on your online store resulted in the theft of sensitive customer information, they'd associate your brand with being untrustworthy. It will not only drive away your existing customers but also new shoppers who weren't previously aware of your store.
Is Your PrestaShop Store Secure?
PrestaShop is one of several eCommerce platforms and has increasingly gained global popularity, particularly in the last few years. That said, the platform has been grappling with several security issues, which aren't new to all eCommerce providers.
Here are some of the common security vulnerabilities that, if not addressed, can be a gateway for hackers to access your online store.
1. Back Office Breach
One of the common entry points that hackers use to gain access to PrestaShop stores is the admin dashboard, also known as the back office. A bad actor might exploit a security vulnerability in the site's code to hack the admin dashboard. If a hacker accesses your back office through an open door, they will likely:
- Disable any existing security plugins to pave the way for more attacks
- Change your admin dashboard user interface
- Create several new admin accounts and lock you out of your store
- Violate your hosting provider's terms of use, resulting in the suspension of your account
- Make changes to your dashboard, resulting in the admin area showing a blank file listing or blank page
2. Credit Card Stealing Scripts and Malware
Online stores handle a lot of sensitive information related to payment data, such as credit card details. While some PrestaShop merchants don't store this information, some do, making their databases a prime target for hackers looking to get their hands on this information.
With that in mind, there are two main strategies they use to steal credit card information from eCommerce websites.
On the one hand, they may run a script that uses SQL queries to connect them to the store database and view columns with sensitive information. These columns include id_order_payment, card_brand, card_number, and card_expiration, all of which are found in the ps_payment_cc table.
On the other hand, they may use phishing tactics to infect the store with malware, which they can then use to skim customers' credit card information.
3. Cross-Site Scripting
Two cross-site scripting (XSS) vulnerabilities were uncovered in PrestaShop some time back. The first, which was dubbed CVE-2018-5681, required a hacker to log into the store's back office before they could exploit it.
The second and more severe XSS threat was in the Contact Form module and was designed to bypass PrestaShop's isCleanHtml() function using base64 encoding. As a result, hackers could use it to inject HTML codes, which would, in turn, allow them to edit the display of site messages.
4. Google Keyword Spam Injection
In a PrestaShop store spam injection attack, hackers gain access to the website's backend and create fake pages displaying adult products or content in an entirely different language.
When search engines crawl the hacked site, the pages that get indexed are the modified ones. As a result, when users enter legitimate queries with keywords related to your products and your site is served up in the search results, prospective shoppers get redirected to the spam pages when they click on your website.
Since Google has malware filters, your PrestaShop store will eventually get blacklisted for malware or spam content.
5. Privilege Escalation
PrestaShop suffered a security vulnerability dubbed CVE-2018-13784 that resulted from improper handling of cookie encryption. The net effect of this issue was that hackers could modify cookie content to gain admin privileges to the store.
With their newly acquired admin status, the hacker could, among many things, intercept any active customer session, gain access to the admin dashboard, and steal sensitive shopper data such as credit card numbers, address details, etc.
6. Malicious Redirects
As a PrestaShop merchant, your store is also at risk of malicious redirects. Hackers inject JavaScript code into the site's source code, which then redirects unsuspecting store visitors to adult websites or other stores selling different products. Smaller PrestaShop stores are the most vulnerable to these types of attacks.
7. RCE Vulnerabilities
In a Remote Code Execution (RCE) attack, which has since been dubbed CVE-2018-8823, hackers run PHP code at will on the host server, allowing them to:
- Run PHP commands directly on the server
- Read and modify sensitive files
- Escalate admin privileges
- Execute commands as a site admin
This last step would conclude the system takeover, effectively locking you out of your store.
8. SQL Injection
In an SQL injection, hackers insert strings of malicious code into database queries, giving them unauthorized access to your eCommerce website. If your PrestaShop store becomes the target of an SQL injection attack, the hacker would be able to:
- Obtain your login credentials and log into PrestaShop as a site admin
- Read the database contents
- Steal sensitive shopper data such as credit card details if you stored them locally
- Attack other users based on the customer information they've stolen from the database
9. DNS Server Misconfiguration
DNS is short for Domain Name System. A DNS server is a database with the internet domain names of websites, which are then translated into their associated IP addresses.
If, for whatever reason, you wish to transfer your domain name from your existing DNS provider's server to a different one, you would have to enable the zone transfer function. If the zone transfer is not configured properly, one or more sub-domains may be left unclaimed, which hackers might then exploit.
10. Open Ports
If, in the process of installing and configuring your server, some ports are accidentally left open, hackers can exploit these open ports to infect your PrestaShop store with malware. They often use special search engines like Shodan to crawl the web and identify websites with port misconfigurations.
11. Outdated or Poorly Coded Modules
Installing an outdated or poorly coded module leaves your online store vulnerable to cyberattacks. There's always the chance they'll add backdoors to your website, which hackers then use to gain access to your store and infect it with malware.
12. Weak Login Credentials
Brute force attacks are not uncommon in PrestaShop stores. In these attacks, hackers deploy sophisticated software to guess user login credentials, passwords, and even encryption keys. Admin and customer accounts with weak, easy-to-guess passwords are particularly vulnerable to these attacks.
See also: The DIY Guide on Migrating OpenCart to PrestaShop.
PrestaShop Security: Best Practices to Protect Your Store
Like any other eCommerce platform, PrestaShop faces the constant threat of cyberattacks. One seemingly small security loophole is all a hacker needs to gain access to your online store and flush all your hard work down the drain. Whether or not this scenario plays out depends on the steps you take to safeguard your store against these threats.
Here are 10 best practices to protect your PrestaShop store.
1. Change Your Store's Admin URL From the Default
Everyone, including hackers, knows that the default URL to any PrestaShop admin dashboard is your store URL followed by "/admin." If you don't change it, you're simply making it easier for bad actors to launch your admin page and employ various tactics like brute force, security bypass, code execution, etc., to gain access to your store's backend.
Change your PrestaShop's default admin URL to something hard to guess to ensure that only you know the path to access your back office.
2. Do Periodic Security Audits
A website security audit and pentest allows you to discover loopholes and vulnerabilities before hackers do. They highlight issues with the code, potential information leaks, backdoors in third-party add-ons, and underlying vulnerabilities that could compromise your PrestaShop store's security.
3. Install a Firewall and Antivirus
A firewall monitors all the incoming HTTP traffic to your online store and effectively curbs any attempt at malicious entry. For eCommerce business owners, the two most effective firewalls you can install on your PrestaShop store are application firewalls and proxy firewalls.
An application firewall establishes two lines of communication – from your computer/network to the proxy and the proxy to the destination computer/network. Think of it as a sort of checkpoint all information being transmitted has to go through. Only authorized traffic and data are allowed to pass.
A proxy firewall works like an application firewall, only that, in this case, an entirely new network is established at the checkpoint. That way, there's no direct communication between your computer/network and other computers/networks. Proxy firewalls make it even harder for hackers and bad actors to discover and access your computer/network.
Antivirus software periodically scans your store files for any signs of malware infection and also checks for backdoors and potential security vulnerabilities in your PrestaShop files and add-ons.
4. Install an SSL Certificate
SSL, the shortened version of Secure Sockets Layer, is a technology designed to encrypt data exchanged between a browser and a website to secure an internet connection. That way, no third party (read hacker) can intercept any information being transferred, including financial and personal data.
Installing an SSL certificate on your PrestaShop website guarantees that any communication between your store and users is safe from man-in-the-middle attacks.
5. Install the Necessary Security Modules
There are several add-ons from reputable developers you can install on your PrestaShop store to beef up the security of your website. These modules can:
- Block access to the store's front office except for authorized users
- Block spam IPs and bots from accessing your online store
- Flag orders placed by bots
- Generate a unique key for every purchase
- Protect your store from known cyberattacks
Some popular add-ons you can install include reCaptcha to keep bots and traffic from spam IPs off your site, PrestaShop's GDPR Compliance module, PrestaSecure password management plugin, etc.
6. Keep Core Files Hidden
The core files for your PrestaShop store should never be publicly visible. You should also ensure that all spam IPs are banned from accessing your site. The most straightforward way to accomplish this is through the .htaccess file. Not only will it hide your site's core files and block spam IPs, but it can also protect your website against various script injection attacks. Simply insert the relevant code into your website's .htaccess file, and you're good to go.
7. Keep Your Store Up-to-Date and Backed Up
Always ensure you're using the latest stable version of PrestaShop by installing new updates and security patches the moment they're released. It is the cheapest and most effective way to ensure your eCommerce website doesn't fall prey to emerging cyber threats.
In the same breath, ensure you regularly back up your store. That way, you can restore your store to a prior stable version in the event of a malware infection.
8. Leverage PrestaShop's Built-In Security Preferences
Under the Preferences settings of your PrestaShop admin dashboard, you'll find a host of built-in security options you can leverage to beef up your store's security. For starters, you can enable cookies to track site visitors, differentiate between real users and bots, and flag fictitious logins.
Another built-in feature you can leverage is the Increase Front Office Security setting. This option assigns a unique session URL to each visitor to your site, therefore minimizing the chances of a privilege escalation attack.
9. Set File, Folder, and Directory Permissions
If you have multiple employees working for you, you need to protect your files and folders from arbitrary access by every Tom, Dick, and Harry. The most effective way to do this is by setting appropriate file, folder, and directory permissions. 644 and 755 are the recommended permissions for PrestaShop files and folders, respectively.
10. Use Strong Login Credentials
As a rule, do not recycle passwords you've used elsewhere. Have different passwords for your PrestaShop back office, cPanel, FTP, etc. You should also steer clear of common passwords like "password," "admin," "welcome," "iloveyou," and easy-to-guess words like your name, your store name, your child's name, your pet's name, and so forth.
As is standard practice, ensure your preferred password is 8-15 characters long, contains a mix of uppercase and lowercase letters, has numbers, and incorporates special characters. The more "random" your password combination is, the more secure your account will be. That way, your store remains safe from brute force attacks.
See also: The Complete Magento to PrestaShop Migration Checklist.
Final Thoughts
There you have it – everything you need to know about PrestaShop security. Remember, hackers never sleep. They're constantly on the prowl, looking for security loopholes and backdoor vulnerabilities they can exploit to steal sensitive business-critical data.
The good news is that with the quick fixes we've highlighted in this guide, you can beef up your PrestaShop store's security and protect your eCommerce website against cyberattacks.
Are you thinking of switching from your existing eCommerce provider to a different platform entirely? Cart2Cart can help. With our automated shopping cart migration tool, you can transfer your online store to the platform of your choice in a few clicks with no downtime and no risk of data loss.
Sign up today for a free demo to see Cart2Cart in action.
FAQs
What are the built-in security features of PrestaShop?
PrestaShop boasts several native features designed to beef up the security of your online store. For instance, it supports SSL and HTTPS encryption to ensure all communications and transactions between customers and your store are secure against hackers and other bad actors. You can enable the built-in firewall to block unwanted traffic from malicious IPs. You can also set file, folder, and directory permissions to restrict arbitrary access to sensitive information.
How can I make my PrestaShop store faster?
One of the easiest ways of enhancing your online store's performance is to limit the use of JavaScript and reduce the amount of site customization you do through coding. You should also consider installing plugins and modules that allow you to cache your PrestaShop store on external servers for shorter page loading times.
How do I secure my PrestaShop store?
Top ways of safeguarding your online store against the threat of cyberattacks include:
- Changing your store admin URL from the default
- Installing a firewall and antivirus
- Installing security modules from trusted developers
- Using strong login credentials
Keeping your store's core files hidden with .htaccess