Don't send password by email on PrestaShop


If you are using an "old" version of PrestaShop (anything before the 1.7 branch), you have probably noticed that the password entered by your customers is sent in clear text in the registration confirmation email.

This feature makes it easy to break into a customer account if a malicious person stumbles upon that email, but it is not a major security hole, since the passwords themselves are encrypted in the database.

You can, however, improve on this by no longer sending this sensitive data by email at all.

I propose a very simple method to correct this.

Template modification

Using your favorite FTP client, edit the files /mails/<language code>/account.html and /mails/<language code>/account.txt, where <language code> is the ISO code of the language to modify. Obviously, if your shop has several languages, you must edit the files of each language.
It is preferable to copy these files into your theme's directory so that the modification survives PrestaShop updates.
So, save them as /themes/<your theme>/mails/<language code>/account.html and account.txt, where <your theme> is the directory name of the theme that is active in the back office of your PrestaShop store.

In these two files, replace the following lines:

account.html
<td align="left"><strong>Thank you for creating a customer account at {shop_name}.</strong><br /><br /> Here are your login details:<br /><br /> E-mail address: <strong><span style="color: {color};">{email}</span></strong> <br />Password: <strong>{passwd}</strong></td>
to be replaced by
<td align="left"><strong>Thank you for creating a customer account at {shop_name}.</strong><br /><br /> Here are your login details:<br /><br /> E-mail address: <strong><span style="color: {color};">{email}</span></strong> <br />Password: <strong>******</strong></td>

account.txt
Password: {passwd}
to be replaced by
Password: ******

Do the same for guest_to_customer.html and guest_to_customer.txt, which are sent when a guest account is converted into a customer account, and also for password.html and password.txt, which are sent when the customer changes their password.
