Proactive or corrective PrestaShop security?

Security, the key word in the world of online commerce

For more than a year, stores built on the PrestaShop platform have been constantly targeted by security attacks. While the core PrestaShop source code remains relatively secure, the platform has grown considerably, especially in terms of modules and themes available on various marketplaces. The official marketplace, Addons, alone has more than 2000 themes, attracting designers from all over the world.

However, the evolution of these new themes, often more focused on marketing than on technical aspects, has led many creators to integrate modules from various sources without fully understanding the development process. The result is themes that incorporate dozens of modules, all developed by different individuals and not maintained by the theme creator.

Unfortunately, these modules, which are often poorly developed, are not individually tested during the validation process in the add-on marketplace. As a result, hackers are able to exploit vulnerabilities in these modules to compromise PrestaShop stores. In fact, 99% of the time, it is through these add-ons that hackers gain access to stores and steal sensitive customer information, including banking and personal data.

It is important to note that as a store owner, you are fully responsible for the security of your site and the protection of your customers' information. Failure to take adequate security measures can have legal and financial consequences.

To avoid these risks, it is essential to implement a proactive security policy for your site. This means acting before problems occur, rather than reacting once the damage is done. By adopting good security practices, you can protect your store and your customers from potential threats.

Proactive security on PrestaShop

In order to protect your website against hacking, it is imperative to establish certain rules at different levels. The first level of security is that of hosting, which should be discussed with your hosting company or the person responsible for its management. Failure to comply with security protocols may result in the host being held liable for a security breach.

If your website is hosted on a shared server, the hosting provider should already have security measures in place. Therefore, it is important to choose a hosting provider that offers attentive customer support, so that any security issues can be resolved directly.

If you have a dedicated server and have outsourced its management, it is essential to discuss security measures with the outsourcing company.

The second level of security is to use common sense when selecting developers or designers. However, identifying trustworthy professionals can be a complex task. To simplify this process, the Friends of Presta has established a security cell that identifies and alerts on problematic modules. It is essential to stay informed of this work in order to respond quickly to any potential threats.

To facilitate this analysis, the Profileo team collaborated with the Friends of Presta security team to develop a free module, PrestaScan Security, which scans your store and identifies vulnerabilities or risks. This module is constantly evolving and will help you stay informed about the risks associated with running your PrestaShop store.

But what if your store has already been hacked?

PrestaShop security fix

A store hack can have a devastating effect on the business. In such a situation, it is essential to have a plan in place to quickly and effectively resolve the problem. However, there are differing opinions on the best approach to take.

Some experts recommend using a module to start a cleanup process, while others suggest using independent scripts that can be run even if the store is no longer functional. Personally, I strongly believe that using independent scripts is the best solution.

In particular, I recommend using the Cleaner.php script, which was developed by the community for the community. This script provides a primary cleanup of your store's files, which can help identify problems and prevent further damage. However, it is important to note that this script should not be considered a substitute for proper security measures.

Although Cleaner.php can be called regularly using a cron job, it is still essential to implement strong security measures to prevent future attacks. If your store has been hacked once, it is likely to be targeted again in the future.

One of the main advantages of using Cleaner.php is that it provides quick and easy access to the scan results. By receiving these results via email, you can react quickly and prevent further damage to your store or your customers' sensitive information.
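The passage above describes the idea of an independent scan script: something that runs from cron without depending on the PrestaShop core, so it still works when the store itself is broken, and produces a report you can have emailed to you. The following is an added illustration of that idea, not Cleaner.php and not code from the PrestaShop project. It is a hypothetical file-integrity scanner: it records a SHA-256 manifest of the store tree, then on later runs reports files that are new, modified or deleted, and separately flags any PHP file sitting under directories that should only hold uploads (the `img`, `upload` and `download` directory names are an assumption based on a typical PrestaShop layout; adjust them for your store). The `demo()` function builds a small constructed store tree in a temporary directory, takes a baseline, then simulates a modified config file and a PHP file planted in the image directory.

```python
"""Stand-alone integrity scan for a PrestaShop file tree.

Hypothetical example (not Cleaner.php): builds a SHA-256 manifest of the
store files, then on later runs reports files that are new, modified or
deleted, and flags PHP files sitting in directories that should only hold
uploads. It needs no PrestaShop code, so it runs even when the shop is down.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that should never contain executable PHP. Assumption based on a
# typical PrestaShop layout; adjust for your store.
UPLOAD_DIRS = ("img", "upload", "download")
# Extensions a web server may execute as PHP (hypothetical list; extend as needed).
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def build_manifest(root):
    """Map each file path (relative, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, manifest_path):
    # Keep the manifest outside the scanned tree so it is not scanned itself.
    Path(manifest_path).write_text(json.dumps(manifest, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def scan(root, baseline):
    """Compare the current tree against a baseline manifest."""
    current = build_manifest(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    # PHP directly under an upload directory is suspicious regardless of baseline.
    suspicious = sorted(p for p in current
                        if p.lower().endswith(PHP_EXT)
                        and p.split("/")[0] in UPLOAD_DIRS)
    return {"php_in_upload_dirs": suspicious, "new": new,
            "modified": modified, "deleted": deleted}


def format_report(findings):
    """Plain-text report suitable for piping into a mail command from cron."""
    lines = []
    for key in ("php_in_upload_dirs", "new", "modified", "deleted"):
        items = findings[key]
        lines.append(f"{key}: {len(items)}")
        lines.extend(f"  {p}" for p in items)
    return "\n".join(lines)


def demo():
    """Constructed store tree: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        (store / "config").mkdir(parents=True)
        (store / "config" / "settings.inc.php").write_text("<?php // constructed\n")
        (store / "img").mkdir()
        (store / "img" / "logo.jpg").write_bytes(b"\xff\xd8constructed")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(store), manifest_path)

        # Simulated changes: an edited config file and a PHP file in img/.
        with open(store / "config" / "settings.inc.php", "a") as fh:
            fh.write("// constructed modification\n")
        (store / "img" / "cache.php").write_text("<?php // constructed placeholder\n")

        findings = scan(store, load_manifest(manifest_path))
        print(format_report(findings))
        return findings


if __name__ == "__main__":
    demo()
```

In practice you would run `build_manifest` once on a known-clean tree (right after a fresh install or a verified cleanup) and store the manifest outside the web root, then schedule `scan` from cron and pipe `format_report` output into whatever mail command your host provides; the report is only as trustworthy as the baseline, so rebuild the baseline after every legitimate update.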

In short, when it comes to remedying a store hack, it is important to have a clear plan in place. While there are different approaches to consider, using independent scripts like Cleaner.php can provide a reliable and effective solution.

Conclusion

As a responsible PrestaShop store owner, it is imperative that you understand the importance of implementing proactive and corrective solutions together to protect your business from potential hacking threats.

It is your duty to take all necessary measures to prevent unauthorized access to your store or, in the unfortunate event of a hack, to take immediate corrective action. By doing so, you not only protect your business, but you also ensure the security of your customers' sensitive information.

It is therefore highly recommended to stay vigilant and keep your store up to date with the latest security measures to avoid any potential breaches. Remember, prevention is always better than cure, and taking proactive measures can save you a lot of trouble in the long run.

In conclusion, it is your responsibility to prioritize the security of your PrestaShop store and take all necessary measures to prevent or correct any hacking attempts. By doing so, you can ensure the trust and loyalty of your customers and protect your business from any potential damage.