More than three hundred thousand shops are built on PrestaShop. With such a large user base, it is bound to attract attention. PrestaShop is an open-source eCommerce platform. Over the years, with an increase in popularity, there has been an increase in the number of attacks on PrestaShop websites. Being an eCommerce platform, PrestaShop security is of utmost importance since it handles important and personal data of customers. Also, any attack on an eCommerce website can have a direct financial impact and negatively affect your customer service.
Thus, it is necessary to understand the various threats and ways to protect your website. Apart from attacks, there have also been vulnerabilities that were discovered by security experts. These vulnerabilities were then fixed in future updates. Most of the attacks can be avoided by adopting simple security practices, while some will require advanced levels of security protocols. This guide will help you strengthen your PrestaShop security.
Types of PrestaShop security threats
While setting up a PrestaShop store, one needs to be careful of security protocols at every step. Before implementing such PrestaShop security steps, we have to understand the various types of attacks and effects on the website. Below are some of the most common types of PrestaShop hacks.
SQL Injection in Prestashop
This is a very common way to exploit vulnerabilities in PrestaShop. In this attack, malicious code injected into the website to achieve some desired result. Through this attack, attackers can access database data, steal personal details of customers, steal credit card information, to name a few. Once the malicious code is injected, the DBMS will interpret and process it to provide such details to the attacker.
There have been vulnerabilities that were discovered earlier that could be exploited using this attack. The first issue was with the “id_manufacturer” parameter. Anyone could insert a script after “id_manifacturer” and the system would allow this query to compromise the entire website by letting that attacker read the database if so desired. In the second instance, a module named “Responsive Mega Menu” had a security gap that allowed attackers to fetch data from AJAX queries by using vulnerable parameters. It also lets attackers view sensitive tables including login details. Anyone with this module should update it since it was fixed with later updates.
Escalating privilege issue in Prestashop
This was one of the most serious vulnerabilities that were found in PrestaShop security. It was found once in 2011 and then again in 2018. In this, users with limited access were able to get access to privileged files and folders. This issue resulted from inefficient encryption of cookies, which made them vulnerable to attacks. Attackers could easily read and edit the content of PrestaShop cookies and thus could use them to access sensitive files. With this attack they can steal detail such as credit card information, become administrator of your websites and lock you out, hijack any user session, to name a few.
Remotely executing codes
This attack is a result of faulty coding practices and bugs. In this attack, one can remotely trigger code and compromise your website. One such vulnerability was found in a module named “Responsive Mega Menu Pro”. Through an unknown function in the module, one could execute code remotely without any authentication.
Uploading arbitrary files
Not every time, all checks are implemented. In such cases, one can upload files that are specially crafted for PrestaShop. An attacker can use such an attack to compromise your website by uploading files with hidden malicious codes. These files can also be used to install malware on your website. Such cases are quite common and you can search for them in bulk with some simple keyword search such as ‘inurl:”/modules/columnadverts2/”’ or ‘inurl:”/modules/columnadverts/”’.
XSS attacks in prestashop
Cross-site scripting attacks are very common on websites and more than 40% of attacks on websites are these. In this attack, attackers will insert scripts into your website and will compromise your website as well as your customers. Through this attack, one can get admin access to your website, install malware and infect your users by sending through their browser-side scripts.
Another facet of this attack is to install malware resulting in Japanese SEO spam on your website. Once this malware is installed, Japanese words will start to randomly appear on your website and the search engine will start ranking your website based on these Japanese words. This will gradually reduce your SEO ranking and may lead to blacklisting by search engines.
Admin access attacks
While setting up your website, you need to be careful to replace all your default passwords and IDs. In a lot of cases, owners keep using their default IDs and passwords which are common words like “admin”. Attackers can easily guess or brute force such credentials and gain access to administrator privileges. This can also result from improper permission of admin files, allowing them to be visible and accessible to unauthorized users.
Weak usernames and passwords
Apart from changing the default usernames and passwords, care should be taken to ensure that strong and alphanumeric passwords are used. Easy and short passwords, including dictionary words, are easy to crack and can be brute-forced or guessed by dictionary attacks. This is a very common gap in PrestaShop security.
PrestaShop redirect hack
Attackers can modify codes or install malware on your website to redirect users to some other sites. Once this malware is installed, when your visitors visit your site, they will be automatically redirected to a site that might either be an infected or random site for generating traffic. In such a case, the following are some of the impacts:
- Blacklisting of your website by search engines
- Loss of traffic through redirection to other sites
- Negative impact on brand image
- Reduction in revenues
Credit card theft hack
This can be a result of either code injection or malware installed by attackers. This can also be done by using a phishing site. Once the attackers are inside they can send out queries to the database and extract credit card details of customers. Below is a script that dumps credit card details to an attacker controlled server.
Steps to protect your PrestaShop website
Since now we know and understand the various attacks and vulnerabilities that may occur, we need to take steps to protect our website. The below steps will help you in strengthening PrestaShop security:
Proper access permission
Permission for all files and folders must be different and depend on the users and function of those files. Admin files must be only accessible to administrators. These files are crucial for PrestaShop security and need to be protected from other users. This can be done by editing a “.htaccess” file. You can mention the various permissions for different files.
Check all your modules
Some modules have been found out to have vulnerabilities that can endanger your website. If you use any module, be sure of its function and check if they have any security gaps. Also, ensure that you use the latest versions of those modules since updates fix any known vulnerabilities. If you do not require any module then removing them is a good idea to avoid clutter and also potential PrestaShop security threat.
Using strong and alphanumeric passwords is always a good idea. Experts have shown that simple and dictionary words can be cracked easily. This makes it easy for attackers to enter and take control of your website. Also, change all default passwords while setting up your website. This is a common mistake that attackers can easily exploit and compromise your PrestaShop security.
Encoding your codes
All good programmers make sure that they hide their code. If your code is easily visible to other users, then it can be manipulated easily to insert malicious codes or alter the functioning of your website. Thus, if possible try to encode your codes with base64 format, which will make it difficult for others to translate or interpret your code.
Use SSL and HTTPS
Using SSL has become a standard security protocol. Almost all websites opt for an SSL certificate from a genuine provider. An SSL certificate will encrypt all communication and allows a secure connection. You should also HTTPS instead of HTTP. This will help in preventing any man-in-the-middle attack and avoid any snooping on a connection that might steal user information.
Backups of website
Always have a backup of all important files and folders. You can use your server’s automatic backup feature to create regular backups. Having a backup of your website will help you bring it back up in case attackers decide to bring down the entire site. Also, in case there is a malware that is difficult to remove or if attackers have altered your website’s configuration, you can quickly restore the website by using a clean copy. Backing up your data is an essential part of your PrestaShop security.
Security audit and active firewall
Security audits are necessary since it helps you to find any security gaps and vulnerabilities that can be exploited by attackers. To conduct a complete security audit, security services like Astra can assist you. With their complete suite of threat detecting tools, they can test all parameters and find an optimum combination of security and optimization for your website.
Apart from a regular security audit, you can also use an active firewall that keeps your website safe round the clock. With continuous monitoring and a dashboard, you will be aware of all attacks that have been prevented on your website.
Being an eCommerce website and handling tons of important data, it is necessary that we find out and plug any gaps in security. In such a competitive environment, a breach will negatively impact your brand image. With a proper understanding of PrestaShop security steps and awareness about the latest developments, you can protect your website and customers.