
Securing your PrestaShop store is essential to protect customer data, prevent hacking attempts, and ensure smooth operations. Cyber threats constantly evolve, making it crucial to implement strong security measures. Whether you’re using shared hosting or a VPS, proper hardening can significantly reduce risks. In this guide, we’ll cover 18 essential steps to safeguard your store. By following these best practices, you’ll enhance security and keep your eCommerce business safe.
- Keep PrestaShop Updated
Updates include security patches that fix known vulnerabilities. Before making any changes, back up your website. If you have a shared hosting server with us, you can make a backup via the Installatron tool.
Another way is to back up your website via FTP or the cPanel File Manager by copying/downloading the files and exporting the database.
If you want to go premium, there are paid modules starting from 69.99 EUR that make backups from inside your PrestaShop admin panel.
Then update with the 1-Click Upgrade module, or manually via Installatron or FTP.
- Use a Secure Hosting Provider
A weak hosting environment exposes your site to attacks. Choose a host with firewall protection, DDoS mitigation, and malware scanning. At Hostens your server is fully protected against DDoS attacks, and we scan with our ImunifyAV antivirus software.
- Enforce HTTPS (SSL Certificate)
HTTPS encrypts data in transit, preventing man-in-the-middle attacks. In cPanel a “Let’s Encrypt” SSL certificate is issued automatically by default. When installing PrestaShop via Installatron, choose a path that begins with “HTTPS://”. Your website will then be served over a secure connection from the start (without redirections).
Otherwise, you need to make the changes manually:
- Install an SSL certificate via your hosting panel.
- Enable “Enable SSL on all pages” in Advanced Parameters > Performance.
- Change Default Admin URL
Hackers target the default /admin path. PrestaShop already gives the folder a name such as /admin123xyz; the name differs per installation but is easy to identify because of the random characters in it. Rename it to a unique name of your own, or keep the generated name if you like it.
- Set Strong Admin Passwords
Weak passwords are easy to crack. Use a password manager to create random passwords of 12+ characters. There are several ways to change the password:
- In Installatron configuration area;
- In PrestaShop Admin panel, by choosing your profile in the upper right corner;
- In Database environment.
Strong passwords consist of at least 12 characters, with at least 1 upper-case letter, 1 number and 1 special symbol.
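To make the policy above checkable rather than a rule of thumb, here is an added example (not code from the original article or from Hostens): a small shell helper that validates a candidate admin password against exactly those rules and generates one that satisfies them. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): enforce the stated policy
# of 12+ characters with at least one upper-case letter, one digit and one
# special symbol. Function names are assumptions for this example.

# Returns 0 when the password meets the policy, 1 otherwise.
check_password_policy() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    # printf '%s' avoids echo interpreting a password that starts with '-'
    # or contains backslashes; LC_ALL=C keeps [A-Z] strictly ASCII upper-case.
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Prints a random password of LEN characters (default 16) drawn from
# /dev/urandom, retrying until the result satisfies the policy above.
generate_admin_password() {
    len=${1:-16}
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=-' </dev/urandom | head -c "$len")
        if check_password_policy "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}
```

Paste the generated value into the password manager first, then into whichever of the three locations above you use to change it; the retry loop exists because a purely random draw occasionally lacks a digit or a symbol.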
- Limit Admin Login Attempts
Limiting admin login attempts prevents brute-force attacks. You can also modify your .htaccess file to allow only certain IP addresses to reach your admin panel. For example, to allow access from a single IP address only (XXX.XXX.XXX.XXX is your IP address):
order deny,allow
deny from all
allow from XXX.XXX.XXX.XXX
Place this .htaccess in the admin folder, not in the site root, and double check its path: in the wrong location it blocks visitors from your whole site.
The second option is to use a security module such as “Simple Security” from the PrestaShop marketplace.
- Disable Directory Listing
Directory listing lets anyone browse the contents of folders without an index file. Add this line to your .htaccess file:
Options -Indexes
- Set File & Folder Permissions
Prevent unauthorized file modifications. Set the correct permissions over SSH or FTP:
chmod 644 config/settings.inc.php
chmod -R 755 modules/
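Running the two chmod commands once does not tell you whether a module installer or an FTP client has since loosened things again. The following is an added example (not code from the original article): a shell audit that lists every file or directory in the store tree that is group- or world-writable, counts them, and resets the tree to the 755 (directories) / 644 (files) baseline. Function names are assumptions for this example; the baseline of 644 for files is stricter than the `chmod -R 755 modules/` above, which also marks files executable.

```shell
#!/bin/sh
# Added example (not from the original article): audit and repair file
# permissions under a PrestaShop root. Function names are assumptions.

# list_loose_permissions ROOT: print every entry that is writable by
# group (020) or others (002), the bits that let other accounts on a
# shared host or a compromised process modify shop files.
list_loose_permissions() {
    find "$1" \( -perm -002 -o -perm -020 \) -print | sort
}

# count_loose_permissions ROOT: number of loose entries (0 when clean).
count_loose_permissions() {
    n=$(list_loose_permissions "$1" | wc -l)
    printf '%s\n' "$n" | tr -d ' '
}

# apply_baseline_permissions ROOT: directories 755, files 644.
# Run it as the account that owns the files so the web server (running as
# that same account on cPanel/suPHP setups) can still write where needed.
apply_baseline_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}
```

Schedule `count_loose_permissions` from cron and alert when it is non-zero; the listing shows exactly what changed, which is often the first visible trace of a malicious module install.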
- Disable PHP Execution in Certain Directories
Prevent uploaded backdoor scripts from running. Create a .htaccess file in each of these directories (img, uploads, download) with:
<FilesMatch "\.php$">
deny from all
</FilesMatch>
- Protect .htaccess and .env Files
These files contain sensitive configuration and must never be served to a browser. Add this to your .htaccess:
<FilesMatch "(\.htaccess|\.env)">
Order allow,deny
Deny from all
</FilesMatch>
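The four .htaccess fragments above (admin IP allow-list, `Options -Indexes`, no PHP execution in upload folders, and the .htaccess/.env block) are easy to paste into the wrong folder, which is exactly the mistake the login-limit step warns about. As an added example (not code from the original article or from PrestaShop), here is a shell script that writes each fragment to its proper place, refuses to put the IP allow-list into a directory that looks like the shop root, validates the IP addresses, and emits both the Apache 2.2 (`Order`/`Deny`) and Apache 2.4 (`Require`) syntax so the result works on either version. The function names and the root-folder heuristic (a directory containing both modules/ and img/) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the .htaccess
# hardening for the admin folder, the upload folders and the web root.
# Function names and the shop-root heuristic are assumptions.

# Heuristic: the PrestaShop web root contains both modules/ and img/; the
# admin folder does not. Used to avoid locking the whole shop to one IP.
looks_like_shop_root() {
    [ -d "$1/modules" ] && [ -d "$1/img" ]
}

# Shape check only (four dotted decimal groups); octets are not range-checked.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# write_admin_ip_allowlist ADMIN_DIR IP [IP...]
# Overwrites ADMIN_DIR/.htaccess so only the listed addresses reach the panel.
write_admin_ip_allowlist() {
    admin_dir=$1; shift
    if looks_like_shop_root "$admin_dir"; then
        echo "refusing: $admin_dir looks like the shop root, not the admin folder" >&2
        return 1
    fi
    [ "$#" -ge 1 ] || { echo "usage: write_admin_ip_allowlist DIR IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    {
        printf '%s\n' '# Admin panel reachable only from the listed addresses'
        printf '%s\n' '<IfModule mod_authz_core.c>'
        printf '    Require ip %s\n' "$*"
        printf '%s\n' '</IfModule>' '<IfModule !mod_authz_core.c>' \
                      '    Order deny,allow' '    Deny from all'
        for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
        printf '%s\n' '</IfModule>'
    } > "$admin_dir/.htaccess"
}

# write_no_php_htaccess DIR: stop any .php file placed in DIR from executing.
write_no_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# append_root_hardening HTACCESS_FILE: add directory-listing and dotfile
# protection to the web root's .htaccess without duplicating it on re-runs.
append_root_hardening() {
    f=$1
    [ -f "$f" ] || : > "$f"
    grep -q '^Options -Indexes' "$f" || printf '%s\n' 'Options -Indexes' >> "$f"
    if ! grep -Fq '(\.htaccess|\.env)' "$f"; then
        cat >> "$f" <<'EOF'
<FilesMatch "(\.htaccess|\.env)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    fi
}
```

Typical use on a store at `/home/user/public_html` would be `write_admin_ip_allowlist /home/user/public_html/admin123xyz 203.0.113.10`, then `write_no_php_htaccess` for img, upload and download, then `append_root_hardening /home/user/public_html/.htaccess`. After applying, confirm from a second IP address that the admin URL returns 403 while the storefront still loads.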
- Regularly Backup Your Store
Backups let you restore your site after an attack or a failed update. As mentioned before, you can back up your site in several ways, including Installatron automatic backups:
- Via Installatron, here you can choose to backup your website regularly;
- By downloading/copying files via FTP or cPanel File Manager;
- Via Premium addons.
- Enable Web Application Firewall (WAF)
Block malicious traffic before it reaches your site. Use Cloudflare, Sucuri, or ModSecurity on a VPS. If you need more information on how to set up Cloudflare protection, see our other topic.
- Monitor Security Logs
Detect suspicious activity early. Enable logging in Advanced Parameters > Logs. There you can set up your store to email you about activity on your website, such as repeated failed admin logins.
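The PrestaShop log only records what the application itself notices. The web server access log, available in cPanel as the raw access log, shows the attempts before they succeed. As an added example (not code from the original article), here is a shell function that reads an Apache combined-format access log and reports every source IP that POSTed to the admin login controller more than a threshold number of times. PrestaShop answers a failed admin login with HTTP 200 and an error page rather than a 401, so the volume of login POSTs per IP is the usable signal. The log lines, the admin folder name `admin9f3k` and the threshold are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): flag admin-login brute
# forcing from an Apache/cPanel access log. Sample data is constructed.

# write_sample_log FILE: constructed combined-format access-log sample.
# 203.0.113.7 hammers the login form; 198.51.100.7 logs in once (302);
# 192.0.2.50 is an ordinary shopper.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.50 - - [10/Mar/2025:09:59:58 +0000] "GET /en/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:00 +0000] "GET /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 4098 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.50 - - [10/Mar/2025:10:00:03 +0000] "GET /en/3-clothes HTTP/1.1" 200 22010 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /admin9f3k/index.php?controller=AdminLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
EOF
}

# flag_admin_bruteforce FILE THRESHOLD: print "IP COUNT" for every source
# address that POSTed to the AdminLogin controller at least THRESHOLD times.
# Field 1 is the client IP, field 6 the quoted method, field 7 the path.
flag_admin_bruteforce() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /controller=AdminLogin/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= limit)
                    printf "%s %d\n", ip, hits[ip]
        }' "$1" | sort
}
```

Run it against the real log with a threshold of, say, 10 per day; an address that appears here is a candidate for the IP block in your WAF or for the "Deny from" list in the admin folder's .htaccess, and the same query over the day's log is a quick way to confirm that the login-limit step is actually working.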
- Secure MySQL Database
SQL injection or a leaked configuration file can expose customer data.
- Use strong database passwords.
- Change the default “ps_” table prefix in settings.inc.php. The prefix is easiest to set during installation; if you change it on a running store, every table must be renamed to match, so take a database backup first.
- Disable Unused Modules
Every installed module is code an attacker can target, even when unused. Go to Modules > Module Manager and uninstall unnecessary modules.
- Set Up Two-Factor Authentication (2FA)
Add an extra security layer to admin logins. Use a 2FA module like “Google Authenticator for PrestaShop”.
- Double Check Installing Modules/Themes
Many modules and themes can contain vulnerabilities. Always choose from trusted sources with reviews from real people; it will save your site in the future.
We’ve covered 17 essential security steps to protect your PrestaShop store, from securing admin access to setting proper file permissions and enabling firewalls. By implementing these measures, you reduce the risk of cyberattacks, data breaches, and unauthorized access. Regular monitoring and updates will ensure long-term security. Stay proactive, and your store will remain safe and reliable for your customers.