How to prevent hacking on PrestaShop and thirty bees
The latest breach officially announced by PrestaShop is a reminder that we, as merchants, are responsible for our customers' data on our sites.
I have already discussed the data harvesting that is carried out, quite legally, by the Google tools you install without looking into them: reCaptcha, which appears to collect data on every visit your customers make, not to mention Google Analytics, which has been called out by European data-protection authorities for its practices, even though alternatives exist and are no harder to implement.
But that's not the point.
The script proposed by Eolia to help clean up PrestaShop stores, which also works on thirty bees and which I presented to you earlier, has evolved following feedback from the community; some of my own suggestions were retained, for which I thank him.
In addition to automatically cleaning infected files, the script now helps you identify potential weaknesses in the modules installed on your store.
Because, yes, you should know that 95% of PrestaShop or thirty bees store hacks come from components outside the CMS core, that is, from modules.
There is a list of modules known to have flaws that allow an attacker to drop the code of their choice on your site and then use the site for anything and everything.
This community list is regularly enriched with new discoveries, but above all it shows that the door opened to the attacker is always the same: a missing check when saving a file supplied by the module's user, or a file fetched carelessly from another location.
Eolia's script lists all the modules installed on your store that use either of the two PHP functions through which such file writes happen:
- file_put_contents - writes data to a file
- move_uploaded_file - moves an uploaded file from PHP's temporary upload location to its final destination
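As an added example (this is not Eolia's script and not PrestaShop or thirty bees code), here is one way to produce such a list yourself: a small PHP 7.4+ script that walks a modules/ directory, tokenizes each PHP file and reports every real call to file_put_contents() or move_uploaded_file() with its module, file and line. It uses the tokenizer rather than grep so that mentions inside comments or strings are not counted. The two sample modules it creates when run without an argument (mylogger, myuploader) are constructed for the demonstration and do not exist.

```php
<?php
// Added example (not Eolia's script, not PrestaShop/thirty bees code): list every
// PHP file under modules/ that calls file_put_contents() or move_uploaded_file(),
// with module, file and line, so you know where to start reading.
// Requires PHP 7.4+. Usage: php scan_modules.php /path/to/shop/modules
// Without an argument it scans a constructed sample tree so it runs stand-alone.

declare(strict_types=1);

const RISKY_CALLS = ['file_put_contents', 'move_uploaded_file'];

/** Return [[callName, lineNumber], ...] for real calls in PHP source; comments and strings are skipped. */
function findRiskyCalls(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    // PHP 8 tokenizes "\file_put_contents" as a single T_NAME_FULLY_QUALIFIED token.
    $nameTokens = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $nameTokens[] = constant('T_NAME_FULLY_QUALIFIED');
    }
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], $nameTokens, true)) {
            continue;
        }
        $name = strtolower(ltrim($t[1], '\\'));
        if (!in_array($name, RISKY_CALLS, true)) {
            continue;
        }
        // Not the PHP function if preceded by -> or :: (a method of the same name) or by "function".
        $j = $i - 1;
        while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) { $j--; }
        if ($j >= 0 && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // Only count it when an opening parenthesis follows: a call, not a bare word.
        $k = $i + 1;
        while ($k < $n && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) { $k++; }
        if ($k < $n && $tokens[$k] === '(') {
            $hits[] = [$name, $t[2]];   // token arrays are [id, text, line]
        }
    }
    return $hits;
}

/** Walk $modulesDir and return findings as [module, file (relative), line, call], sorted. */
function scanModules(string $modulesDir): array
{
    $modulesDir = rtrim($modulesDir, '/');
    if (!is_dir($modulesDir)) {
        throw new RuntimeException("Not a directory: $modulesDir");
    }
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($modulesDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $info) {
        if (strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        $relative = substr($info->getPathname(), strlen($modulesDir) + 1);
        $module = explode('/', $relative, 2)[0];   // first path component = module folder
        foreach (findRiskyCalls((string) file_get_contents($info->getPathname())) as [$call, $line]) {
            $findings[] = ['module' => $module, 'file' => $relative, 'line' => $line, 'call' => $call];
        }
    }
    usort($findings, fn ($a, $b) => [$a['module'], $a['file'], $a['line']] <=> [$b['module'], $b['file'], $b['line']]);
    return $findings;
}

// --- entry point ------------------------------------------------------------
$dir = $argv[1] ?? null;
if ($dir === null) {
    // Constructed sample modules (hypothetical names), written to a temp directory.
    $dir = sys_get_temp_dir() . '/modules_' . bin2hex(random_bytes(4));
    mkdir("$dir/mylogger", 0700, true);
    mkdir("$dir/myuploader", 0700, true);
    file_put_contents("$dir/mylogger/mylogger.php", <<<'PHP'
<?php
// "file_put_contents" in this comment is ignored by the tokenizer
file_put_contents(__DIR__ . '/log.txt', "error\n", FILE_APPEND);
PHP);
    file_put_contents("$dir/myuploader/myuploader.php", <<<'PHP'
<?php
if (isset($_FILES['logo'])) {
    move_uploaded_file($_FILES['logo']['tmp_name'], __DIR__ . '/' . $_FILES['logo']['name']);
}
PHP);
}
foreach (scanModules($dir) as $f) {
    printf("%-12s %-28s line %-3d %s\n", $f['module'], $f['file'], $f['line'], $f['call']);
}
```

The report is only a starting point: a hit means "read this function and see where the file name and the written bytes come from", not "this module is vulnerable". In the constructed samples, mylogger writes a fixed path with internal data, while myuploader builds the destination from the client-supplied file name, which is exactly the pattern the community list keeps finding.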
If you are a developer who is not afraid of reading code, you should be able to read these modules and judge whether the handling of those files is secure enough: there are thousands of tutorials on the Internet covering these practices, and PrestaShop already ships validation helpers in a class dedicated to the subject, classes/Validate.php.
For coding neophytes, this is much more complex. I am not going to analyse every good and bad practice, because the list would be too long, but the first thing to check is whether the data written by file_put_contents comes from the module itself. For example, when the code catches an error message and stores it in a log.txt file inside the module, there should not be much risk, since the data is not external. Even then, look at two details: the file name and path must be fixed in the code, not built from request data, and the file must not be written with an extension the web server executes (.php, .phtml).
When a module uses move_uploaded_file, typically to upload an image from the module's configuration form, make sure the script checks that the file really is an image, for instance with a native PHP function such as getimagesize(); the width and height it returns can then be checked with Validate::isImageSize($size), which validates a single pixel dimension.
For images, you can also check the type, that is, the format, taken from the result of getimagesize() (the IMAGETYPE_* constant in index 2 of the returned array) and compared against an explicit allow-list of the formats you accept; $type can also be obtained with exif_imagetype(), which reads the file's signature bytes. Note that Validate::isImageTypeName($type) only checks that a string is a well-formed image-type name (letters, digits, underscore, space and hyphen); it does not verify a file's format, so an allow-list comparison is still needed. Never trust the extension or the MIME type sent by the browser, and since a valid image can still carry PHP appended to it, store uploads under a random server-chosen name in a directory that does not execute PHP, or re-encode them.
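As an added example (not code from PrestaShop, thirty bees or any real module), here is the typical vulnerable upload handler next to a hardened version built from the checks just described: getimagesize() for the header and dimensions, exif_imagetype() as a cross-check on the magic bytes, an allow-list of IMAGETYPE_* values, and PrestaShop's Validate::isImageSize() on each dimension when the class is loaded. The function names saveLogoUnsafe, saveLogoSafe and validateImageUpload are mine; the file assumes PHP 7.4+ and falls back to plain range checks outside a shop so it runs stand-alone with the two constructed inputs at the bottom.

```php
<?php
// Added example, not code from PrestaShop, thirty bees or any real module: a
// module-style logo upload in its usual vulnerable form next to a hardened one
// built from the checks discussed above. Assumes PHP 7.4+; exif_imagetype() is
// used only if ext/exif is loaded. PrestaShop's Validate::isImageSize() is used
// for the dimensions when the class exists, so the file also runs outside a shop.

declare(strict_types=1);

// --- vulnerable: the client chooses the file name, and with it the extension --
function saveLogoUnsafe(array $file, string $destDir): string
{
    // 'name' is attacker-controlled: "shell.php", "../../config/x.php", ...
    $dest = $destDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- hardened ---------------------------------------------------------------
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
const MAX_IMAGE_DIMENSION = 4000;

/**
 * Validate one entry of $_FILES. The browser-supplied name and MIME type are
 * never consulted; the format comes from the file's own bytes.
 * Returns ['ok' => true, 'type' => IMAGETYPE_*] or ['ok' => false, 'reason' => string].
 */
function validateImageUpload(array $file, bool $requireRealUpload = true): array
{
    $reject = fn (string $why) => ['ok' => false, 'reason' => $why];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return $reject('upload error code ' . (int) ($file['error'] ?? -1));
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if ($requireRealUpload && !is_uploaded_file($tmp)) {
        return $reject('not a file uploaded via HTTP POST');
    }
    if (!is_file($tmp) || filesize($tmp) > MAX_IMAGE_BYTES) {
        return $reject('missing or larger than ' . MAX_IMAGE_BYTES . ' bytes');
    }
    $info = @getimagesize($tmp);            // false when there is no parseable image header
    if ($info === false) {
        return $reject('not an image');
    }
    [$width, $height, $type] = $info;       // index 2 is the IMAGETYPE_* constant
    // Cross-check the format with the signature bytes when ext/exif is available.
    if (function_exists('exif_imagetype') && exif_imagetype($tmp) !== $type) {
        return $reject('inconsistent image signature');
    }
    if (!isset(ALLOWED_IMAGE_TYPES[$type])) {
        return $reject('format not in the allow-list');
    }
    // Validate::isImageSize() checks one pixel dimension; the fallback does the same idea without the class.
    $dimOk = class_exists('Validate')
        ? Validate::isImageSize((string) $width) && Validate::isImageSize((string) $height)
        : $width >= 1 && $height >= 1 && $width <= MAX_IMAGE_DIMENSION && $height <= MAX_IMAGE_DIMENSION;
    if (!$dimOk) {
        return $reject('unacceptable dimensions ' . $width . 'x' . $height);
    }
    return ['ok' => true, 'type' => $type];
}

/** Save a validated upload: fixed directory, random name, extension derived from the detected type. */
function saveLogoSafe(array $file, string $destDir): string
{
    $result = validateImageUpload($file);
    if (!$result['ok']) {
        throw new RuntimeException('Rejected upload: ' . $result['reason']);
    }
    $realDir = realpath($destDir);
    if ($realDir === false || !is_dir($realDir)) {
        throw new RuntimeException('Destination directory does not exist');
    }
    $dest = $realDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$result['type']];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file() failed');
    }
    chmod($dest, 0644);
    return $dest;
}

// --- stand-alone demonstration with constructed inputs ----------------------
$gifPath = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($gifPath, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')); // 1x1 GIF
$phpPath = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($phpPath, "<?php system(\$_GET['c']);");   // a web shell that the client named "logo.gif"

foreach ([$gifPath, $phpPath] as $tmp) {
    $upload = ['name' => 'logo.gif', 'type' => 'image/gif', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    $r = validateImageUpload($upload, false);   // false: these are not real HTTP uploads
    echo $r['ok'] ? 'accepted as ' . ALLOWED_IMAGE_TYPES[$r['type']] . "\n" : "rejected: {$r['reason']}\n";
}
unlink($gifPath);
unlink($phpPath);
```

In a real module you would call saveLogoSafe($_FILES['logo'], _PS_MODULE_DIR_ . 'mymodule/img') from the configuration form handler and keep $requireRealUpload at its default, so that is_uploaded_file() rejects anything that did not arrive through the HTTP request. The client's 'name' and 'type' fields are present in the demonstration array only to show that they are never used: the extension on disk comes from the detected format, and the file name from random_bytes().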
Of course, my explanations are not exhaustive, but they are a first step towards analysing your store and its modules to avoid being hacked.
As always, if you are not a specialist and would rather spend your time doing your job as a merchant, it is better to have a professional manage the technical side of your store.
Essential bonus
We can't repeat it enough: back up all your stores (files and database) regularly, and automate it so you no longer have to think about it.
Personally, I back up my files daily and my database every 12 hours.
Moreover, if you make these backups manually by copying everything to your computer's disk, remember to also back up your computer with a Dropbox-type solution.