April 14, 2025 · 4 min read
How to protect a PrestaShop store from the most common attacks
An online store attracts attacks simply by existing: it handles payments, stores customer data and has immediate economic value for anyone who manages to compromise it. Protecting a PrestaShop store from the most common attacks doesn't require exotic tools: it requires method on three fronts, updates, access and the server. Here are the defenses we configure first on the stores we manage.
Where attacks on PrestaShop come from
Most attacks aren't targeted: they're bots scanning thousands of sites looking for known vulnerabilities, almost always inside outdated modules. Once inside, the typical scenarios are three: injecting code into the payment pages to intercept card data (so-called web skimming), sending spam through your server, or stealing the customer database. The point to understand is that you don't need to be a famous store to end up in the crosshairs: bots don't choose, they try everything they find. A small store, where nobody checks the logs, is actually an easier target than a big one, because a compromise can go unnoticed for months.
Updates: the defense that covers the most
The vast majority of compromises exploit vulnerabilities that are already known and already fixed: the store gets breached because the fix hadn't been installed. From this follow the basic rules:
- Update the PrestaShop core when security fixes come out, without putting it off for months. If the store is heavily customized, test the update on a staging copy first.
- Update the modules, which over the years have been the most frequent entry point. A badly written module exposes the whole store, even if the core is in order.
- Uninstall what you don't use: every module that is deactivated but still on the server is still reachable code. If it's not needed, it should be removed, not just switched off.
- Follow the security bulletins from PrestaShop and the makers of your main modules, so you know when there's urgency.
If some critical module no longer receives updates from its author, put it at the top of the list of things to replace: it's the classic problem you ignore until it presents the bill.
Locking down the back office and access
The admin panel is the front door, and it should be treated as such:
- A non-obvious admin folder name: PrestaShop renames it at installation; check that over time nobody has simplified it into something predictable.
- IP restriction or additional authentication on the back office folder, if your team connects from fixed locations: an extra layer that stops automated attempts before they even reach the login page.
- Strong passwords and employees with minimal permissions: every collaborator should have their own account with a profile suited to their role, and accounts of former collaborators should be deactivated immediately.
- Debug mode off in production: detailed on-screen errors hand valuable information to attackers.
- HTTPS across the whole store, not just on the checkout.
These are configurations that can be fixed in a few hours and considerably raise the cost of an attack.
The server does half the work
A well-kept PrestaShop on top of a neglected server remains exposed. At the infrastructure level, the protections we consider baseline are a web application firewall (WAF) in front of the store, filtering the most common attack patterns before they reach PrestaShop; automatic blocking of IPs that accumulate failed login attempts; a PHP version that is still supported and up to date; and isolating the store from other sites on the same server, so a compromise elsewhere doesn't spread. On top of this comes monitoring: logs retained and reviewed, alerts when store files are modified outside maintenance windows. This is the kind of work we cover with our server and infrastructure service: for an eCommerce, server security and application security are the same project.
Backups: the insurance that has to work
Even with every defense active, you need a plan for the worst-case scenario. A useful backup has three characteristics: it's automatic and frequent (for a store, the database needs saving more often than the files), it's stored off the store's server, and it has been tested with a trial restore at least once. The last point is the one almost nobody does: discovering the backup is corrupted during an emergency means not having a backup. If the store gets compromised, the clean backup plus the logs let you work out when it happened, restart from a healthy copy and close the hole, instead of cleaning up blind.
Secure the store before you need it
If your PrestaShop has been online for years and nobody has ever done a full security check, this is the right time: it costs far less than a compromise. With our server and infrastructure service we handle hardening, firewalls, updates and backups for online stores. Book a free call: we'll analyze the state of your store and tell you where you're exposed and what to fix first.
