We will do everything possible to make sure our store is not the victim of a successful attack. Fortunately, the PrestaShop team takes security very seriously and issues updates and fixes as soon as possible after any problems are discovered. We just have to make sure we do everything we can and also implement the PrestaShop upgrades as soon as they are available. It is also vital that we always have a recent copy of our store because one day, it is probably inevitable that our shop will die on us. It might be a hacker or maybe we will accidentally muck it up ourselves. A recent backup to handle this type of event is a minor inconvenience, because without one, it is an expensive catastrophe.
So let’s get on with it…
Types of security attacks
There are different types of security attacks. Here is a very brief explanation of some of the most common ones. Hopefully, this will make it clear why security is an ongoing and evolving issue and not something that can ever be 100 percent solved out of the box.
Common sense issues
These are often overlooked—make sure your passwords are impossible to guess. Use number sequences that are memorable to you but unguessable and meaningless to everyone else. Combine number sequences with regular letters in a variety of upper and lower case. Don’t share your passwords with anyone. This applies to anyone who has access to your shop or hosting account.
This is when an attacker uses software to repeatedly attempt to gain access or discover a password by guessing. Clearly, the simplest defence against this is a secure password. A good password is one with upper and lower case characters, apparently random numbers and words that are not names or are in the dictionary. Does your administrator password stand up to these criteria?
SQL injection attack
A malicious person amends, deletes, or retrieves information from your database by cleverly manipulating the forms or database requests contained in the code of PrestaShop. By appending to legitimate PrestaShop database code, harm can be done or breaches of security can be achieved.
Attackers add instructions to access code on another site. They do this by appending a URL pointing to malicious code to a PHP URL of a legitimate page on your site.
This is straight forward. It is likely that while developing or amending your website, you will mess up some or perhaps all of your PrestaShop. I did it once while writing this article. I will give you the full details of my slightly embarrassing confession later.
So with so many ways that things can go wrong, we better start looking at some solutions.
Employees and user security
If you plan to employ someone or if you have a partner who is going to help in your new shop, it makes good sense to create a new user account so that they have their own login details. Even if it will be only you who needs to use the PrestaShop control panel, there is still a good argument for creating two or more accounts. Here is why.
First we will consider a scenario, though a slightly exaggerated one:
Guns4u wants to offer articles about how to use its products. The management, probably correctly, believe that in-depth how-tos about all its products will boost sales and increase customer retention. The diverse nature of their products makes employing a single writer impossible. For example, an expert on small arms is rarely an expert on ground-to-air ordinance. And a user of laser targeting equipment probably doesn’t know the first thing about ship-based artillery.
This is quite a problem. The management decides they need a way to allow a whole team of freelance writers who can login directly to the PrestaShop CMS. But bearing in mind the highly dubious backgrounds some of these writers will have, how can they be trusted in the PrestaShop control panel?
- Users of Guns4u.com:
Suppose you employ somebody to write articles for you. You don’t really want them being able to play with product prices or payment modules. You would want to restrict them to the CMS area of the control panel. Similarly, your partner might be helping you wrap and pack your products. To avoid accidents you might like to restrict them to the Customers and Orders tab.
Now consider this scenario. Even you, after reading this article, can make a mistake. It is a really good idea to create at least one extra user account for you. I always make myself a wrapping and packing account. I use it all the time and it is reassuring to know that I can’t accidentally click anything that can cause a problem.
This type of user security is common in large organisations. On a company intranet, employees will almost always be restricted to areas of the company system to which they need and nothing more.
Below is how to create a new user account and then after that we will look at profiles and permissions to enforce the restrictions and permissions suitable to us.
Okay, let’s create a new user.
Time for action – creating users
As you have come to expect, this is really easy.
- Click on the Employees tab and then click on the Add new link.
- Enter the Last name, First name, and E-mail address of your new employee or user.
- The status box enables you to allow or disallow access to the new employee. Unless you have a reason for creating an account and not letting them use it, select the check mark (Allow). If you have reason to want to stop your new employee or user accessing your control panel, simply come back here and click on the cross.
- In the Profile drop-down box, choose Administrator. This will give the new user full access. We will investigate when this is a good idea and when you might like to change this, if you would like to add our freelance writer next.
- Click the Save button to create the new user account.