Prestashop - 1.4 Administrator's Guide
Contents
1. content if you wish.
• modules: contains all of PrestaShop's modules, each in its own folder. If you wish to definitely remove a module, first uninstall it from the back office; only then can you delete its folder.
• override: this is a special folder that appeared with PrestaShop 1.4. By using PrestaShop's regular folder/filename convention, it is possible to create files that override PrestaShop's default classes or controllers. This enables you to change PrestaShop's core behavior without touching the original files, keeping them safe for the next update.
• themes: contains all the currently installed themes, each in its own folder.
• tools: contains external tools that were integrated into PrestaShop. For instance, this is where you'll find Smarty (template/theme engine), FPDF (PDF file generator), Swift (mail sender) and PEAR XML Parser (PHP tool).
• translations: contains a sub-folder for each available language. However, if you wish to change the translation, you must do so using the PrestaShop internal tool, and not edit the files directly in this folder.
• upload: contains the files that would be uploaded by clients for customizable products (for instance, a picture that a client wants printed on a mug).
• webservice: contains files that enable third-party applications to access PrestaShop through its API.
2. • css: contains all CSS files that are not attached to themes, hence these are mostly used by the PrestaShop back office.
• docs: contains some documentation. Note: it should be deleted in a production environment.
• download: contains your digital products, which can be downloaded: PDFs, MP3s, etc.
• img: contains all of PrestaShop's default images, icons and picture files, that is, those that do not belong to the theme. This is where you can find the pictures for product categories (c sub-folder), those for the products (p sub-folder) and those for the back office itself (admin sub-folder).
• install: contains all the files related to PrestaShop's installer. You will be required to delete it after installation, in order to increase security.
• js: contains all JavaScript files that are not attached to themes. Most of them belong to the back office. This is also where you will find the jQuery framework.
• localization: contains all of PrestaShop's localization files, that is, files that contain local information, such as currency, language, tax rules and tax rules groups, states, and the various units in use in the chosen country (i.e., volume in liter, weight in kilograms, etc.).
• log: contains the log files generated by PrestaShop at various stages, for instance during the installation process.
• mails: contains all HTML and text files related to e-mails sent by PrestaShop. Each language has its specific folder, where you can manually edit their
3. the file containing allowed users and their passwords. prestashop admin is a text file.
• AuthName: Defines the message to show when the authentication window pops up.
• AuthType: Defines the authentication type.
• Require: Requires users to log in in order to access the content. valid-user enables multiple users to connect and access the folder.
• Options: Defines the folder's options. -Indexes disables automatic generation of a directory index if no index file is available.

Here is a sample content for the prestashop admin file, with a login and a password:

    login1 Sapr1S wJelik8Se90zgRaVL8J8wSsFBXjorl
    login2 SaprilSyV65KqqzScFt3sV2 Q7hhLRRUJDoS5a

This file contains the logins and hashed passwords of the users who are allowed to access the folder. To hash a password, you can follow this link: htpasswd file generation.

It is strongly recommended to put this file into a directory that is inaccessible to your web applications, so before the open_basedir folder. It prevents .htpasswd file injection in case one of your web applications is vulnerable.

Example: [screenshot of the browser's authentication dialog asking for a user name and password, with user login1]

It is also possible to perform IP and domain restrictions using your .htaccess file:

    Order Allow,Deny
    Deny from all
    Allow from myprestashop.com
    Allow from 127.0.0.1

However, you should not put this kind of directive:

    <LIMIT GET POST>
    Require val
4. MG_DIR_', 'http://img2.xxx.com/');
        define('_THEME_CSS_DIR_', 'http://css.xxx.com/');
        define('_THEME_JS_DIR_', 'http://js.xxx.com/');
        define('_THEME_CAT_DIR_', 'http://img1.xxx.com/c/');
        define('_THEME_PROD_DIR_', 'http://img1.xxx.com/p/');
        define('_THEME_MANU_DIR_', 'http://img1.xxx.com/m/');
        define('_PS_IMG_', 'http://img1.xxx.com/');
        define('_PS_ADMIN_IMG_', 'http://img1.xxx.com/admin/');
    }
    else
    {
        define('_THEME_IMG_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/img/');
        define('_THEME_CSS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/css/');
        define('_THEME_JS_DIR_', _THEMES_DIR_ . _THEME_NAME_ . '/js/');
        define('_THEME_CAT_DIR_', __PS_BASE_URI__ . 'img/c/');
        define('_THEME_PROD_DIR_', __PS_BASE_URI__ . 'img/p/');
        define('_THEME_MANU_DIR_', __PS_BASE_URI__ . 'img/m/');
        define('_PS_IMG_', __PS_BASE_URI__ . 'img/');
        define('_PS_ADMIN_IMG_', _PS_IMG_ . 'admin/');
    }

Other recommendations

Safe Mode
PHP's Safe Mode is deprecated in the latest version of PHP, and should not be used anymore. For PrestaShop in particular, having Safe Mode on can render your payment modules useless.

Updates
Your applications' PHP code is the only vulnerable path to your server. It is therefore strongly recommended to always update your server's applications: PHP, MySQL, Apache and any other application on which your website run
5. System Administrator Guide

This guide will help you configure a better and safer Web server. Once this is done, you will be ready to install PrestaShop using our Getting Started guide.

PHP configuration

Manipulating php.ini

Much of the advice in this guide requires you to edit the php.ini file, found in your server's PHP install (not in PrestaShop's folder). Not all hosts will allow you to edit this file, so contact your host if you cannot access it. For instance, you probably won't have access to php.ini on a shared hosting. If your host doesn't provide the required configuration by default and you cannot touch php.ini, then you should either move to a dedicated hosting, or change to a more permissive host.

Editing the PHP configuration requires you to change some values in the php.ini file, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line; be sure to read it in order to better understand your changes. Be careful of what you edit, as this has a direct impact on the way PHP runs, and therefore on your server's stability and even security.

Required settings

Your PHP installation must feature the following settings and libraries:
• GD library
• Dom extension

The MySQL extension enables access to your data. PrestaShop simply cannot work without it.
The GD library enables PHP to dynamically manipulate images. PrestaShop uses it to resize and rework the image files that a
6. en editing a .tpl file, you will have to delete the content of the /tools/smarty/compile folder (except index.php) in order to see the changes live. Note that this setting can also be done in the back office, in the Preferences > Performance sub-tab, in the Smarty section.

$smarty->compile_check should be left to false.
$smarty->debugging gives you access to Smarty's debugging information when your pages are displayed.

Improving PrestaShop's performances

Here are a few tips that should enable you to optimize PrestaShop:
• Enable MySQL's cache (or ask your web host to do it for you), and give it a high value (for instance, 256M).
• Do not forget to set $smarty->force_compile to false when in production mode, either via the smarty.inc.php file or the back office.
• Whenever possible, use an opcode cache (or ask your web host to install one for you), in order to alleviate the server's processing load. PrestaShop is compatible with eAccelerator. Opcode means "operation code", and defines the compiled state of the dynamic files, which can be processed faster.
• If possible, split your static elements between different domains and sub-domains, in order to get parallel HTTP connections. To put that in place, open the /config/defines.inc.php file and add these lines (adapted to your needs):

    if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1')
    {
        define('_THEME_I
7. iable by using the GET method, for example. It is therefore imperative to set register_globals to OFF.

The magic quotes directive automatically escapes (or "adds slashes") to all special character sequences (', ", \, NULL) for all environment variables (GET, POST, COOKIE, SERVER). This option must be set to OFF because it will addslash each variable even if it does not need to be addslashed. Moreover, some Web applications overlook this option, so some variables could be addslashed twice, resulting in corrupted data.

The allow_url_include directive is used to allow any file to be included via the require and include statements, even if it does not come from your Web server. This option must be set to OFF, because if one application on your web server suffers from an include vulnerability, users will be able to include any file from any server, and those files will be executed on your own server.

In short, it is highly recommended to have the following directives set to the indicated values:

    register_globals = Off
    magic_quotes_gpc = Off
    allow_url_include = Off

MySQL configuration

MySQL often has an administrator account as default (root, admin), which gives access to all of the databases' content, no matter who the database is managed by. The administrator has all the rights and can do every possible action. You therefore need to safekeep your databases, so as to prevent your web applications from succumbing to SQL injections (which can ha
8. id-user
    </LIMIT>

Indeed <LIMIT GET POST>

Making your PrestaShop install more secure

The recommendations below are sorted by order of importance:
1. Secure your back office
   1. Rename your admin folder after the PrestaShop installation. This is a must, and you actually cannot access your PrestaShop administration if you haven't performed that change. Make sure to pick a really unique name, ideally a mix of letters and numbers, such as my4dm1in.
   2. Protect your admin folder with a .htaccess or .htpasswd file, or ask your web host to do it for you.
   3. Do not let your computer keep trace of your password (cookie or any other helper).
   4. Pick a complex password, by mixing letters, numbers and even punctuation marks, such as 5r3XaDR. You can use an online password generator, such as PCTools's or GRC's.
2. Securing your PHP installation
   1. See the required and recommended PHP settings at the beginning of this page.
3. Always delete the install folder after having installed or updated PrestaShop.
4. Always delete useless files from production server:
   1. all readme_xx.txt files
   2. the CHANGELOG file
   3. the docs folder
5. Forbid access to your theme's files (templates), using a .htaccess file with the following content:

       <FilesMatch "\.tpl$">
       order deny,allow
       deny from all
       </FilesMatch>

Fine tuning & performances

This section will help you better understand configuration va
9. our prestashop database. Remember to do this for each new web application you add to your server. You can now install PrestaShop safely.

    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 4515
    Server version: 5.0.51a-community-nt MySQL Community Edition (GPL)

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> USE mysql
    Database changed
    mysql> CREATE USER 'simple_user'@'localhost' IDENTIFIED BY 'simple_password';
    Query OK, 0 rows affected (0.00 sec)

    mysql> SELECT Host, User, Password FROM user WHERE User = 'simple_user';
    mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX ON prestashop.* TO 'simple_user'@'localhost';

Basic authentication establishment (.htaccess)

In order to better protect your PrestaShop install, we need to establish a basic authentication on the admin directory.

One of the aims of the .htaccess file is to protect your folders and all their sub-folders. It only works on Apache servers, and a few others. Make sure your web server is Apache before creating a .htaccess file.

To achieve basic authentication on your admin folder, we need to add a .htaccess file in that folder (for instance, /var/www/prestashop/admin):

    AuthUserFile var www prestashop admin
    AuthName "Prestashop Admin Access"
    AuthType Basic
    Require valid-user
    Options -Indexes

Explanation:
• AuthUserFile: Shows the path to
10. ppen when a user succeeds in obtaining the admin password). If you just installed MySQL, do add a password for the root account, which has no password as default.

One user per web application

Each time you install a new web application on your server, you must create a new MySQL user with just the necessary rights to handle that application's data. Do NOT use the same username to handle the databases for all of your installed web applications.

Let's say we manage MySQL with a user account that can create new users. Let's do just that, using the following command line:

    mysql -u USERNAME -p PASSWORD

or using the following SQL query:

    mysql> USE mysql
    mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';

Note that your host might give you access to an online tool to do MySQL administration tasks more easily, such as cPanel. Do use that, since you probably won't have access to the command line in that case.

Now we have a username with just enough rights to connect to the local database. We need to allow this user to use the prestashop database, and configure his rights at the same time. Here is a template for the SQL query to do that:

    mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
        -> ON prestashop.* TO 'new_user'@'localhost';
    mysql> FLUSH PRIVILEGES;

We now have one user just for
11. re uploaded (watermarking, trimming, etc.). Without images, an online shop loses most of its interest, so make sure that GD is enabled.
The Dom extension enables PHP to parse XML documents. PrestaShop uses it for various functionalities, like the Store Locator. It is also used by some modules, as well as the pear_xml_parse library.
The allow_url_fopen directive enables modules to access remote files, which is an essential part of the payment process, among other things. It is therefore imperative to have it set to ON.

In short, it is imperative to have the following directives set to the indicated values:

    extension = php_mysql.dll
    extension = php_gd2.dll
    allow_url_fopen = On

Recommended settings

Your PHP installation should feature the following settings and libraries, for best experience:
• GZIP support
• Mcrypt library
• register_globals disabled
• magic_quotes disabled
• allow_url_include disabled

Having GZip support enables the web server to pack web pages, images and scripts before sending them to the browser. This makes navigating the shop faster, and therefore a more agreeable experience.

The Mcrypt library provides PHP with a hardened security layer, enabling the use of more hashing and cryptography algorithms.

The register_globals directive, when enabled, defines all environment variables (GET, POST, COOKIE, SERVER) as global variables. It is unsafe to use unset variables, because a user could easily set a value into this var
12. riables that are not handled using the back office, but directly in configuration files.

There are four configuration files in PrestaShop, all in the /config folder:
• config.inc.php: core configuration file for PrestaShop.
• defines.inc.php: contains all of PrestaShop's constant values. Previously defined in settings.inc.php.
• settings.inc.php: contains the access information to the database, as well as the PrestaShop version number.
• smarty.config.inc.php: contains all configuration pertaining to Smarty, the template/theme engine used by PrestaShop.

config.inc.php file

In production mode:
• make sure to leave ini_set('display_errors', 'off') to "Off".
• make sure to leave define('_PS_DEBUG_SQL_', false) to "false".

On the contrary, in development/test mode, you can get help tracing possible errors by:
• changing ini_set('display_errors', 'off') to "On".
• changing define('_PS_DEBUG_SQL_', false) to "true".

defines.inc.php file

Among other constant values, this file contains the location for all files and folders. If you need these changed, do not forget to keep the original at hand, in case you wish to go back to the original path.

smarty.inc.php file

$smarty->caching = false;: Smarty's cache system must be disabled because it is not compatible with PrestaShop.
IMPORTANT: in production mode, $smarty->force_compile must be set to "false", as it will give a 30% improvement on page load time. On the other hand, wh
13. s

Miscellaneous

The PrestaShop file structure

The PrestaShop developers have done their best to clearly and intuitively separate the various parts of the software.

[Screenshot of the folder tree: admin42, cache, classes, config, controllers, css, docs, download, img, install-dev, js, localization, log, mails, modules, override, themes (prestashop, containing cache, css, img, js and lang; prestashop_alt), tools, translations, upload, webservice]

Here is how the files are organized:
• admin: contains all the PrestaShop files pertaining to the back office. When accessing this folder with your browser, you will be asked to provide proper identification, for security reasons. Important: you should make sure to protect that folder with a .htaccess or .htpasswd file.
• cache: contains temporary folders that are generated and re-used in order to alleviate the server's load.
• classes: contains all the files pertaining to PrestaShop's object model. Each file represents (and contains) a PHP class, and its methods/properties.
• config: contains all of PrestaShop's configuration files. Unless asked to, you should never edit them, as they are directly handled by PrestaShop's installer and back office.
• controllers: contains all the files pertaining to PrestaShop controllers, as in Model-View-Controller (or MVC), the software architecture used by PrestaShop. Each file controls a specific part of PrestaShop.
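The clean-up, renaming and .htaccess recommendations in this guide can be checked mechanically against a shop's folder tree. The Python script below is an added example, not part of the original guide or of PrestaShop; the function names, the sample folder names and the /etc/apache2/shop.htpasswd path are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

def audit_shop(root, admin_dir):
    """List hardening gaps in a PrestaShop 1.4 tree; admin_dir is the renamed admin folder."""
    root, findings = Path(root).resolve(), []
    # Leftovers the guide says to delete from a production server.
    for name in ("install", "docs"):
        if (root / name).is_dir():
            findings.append(f"{name}/ folder still present")
    for path in sorted([*root.glob("readme_*.txt"), *root.glob("CHANGELOG*")]):
        findings.append(f"leftover file {path.name}")
    # Back office: renamed, basic auth on, password file outside the web root
    # (only absolute AuthUserFile paths are judged).
    if admin_dir == "admin" or (root / "admin").is_dir():
        findings.append("back-office folder still uses the default name 'admin'")
    htaccess = root / admin_dir / ".htaccess"
    text = htaccess.read_text() if htaccess.is_file() else ""
    if not re.search(r"^\s*Require\s+valid-user\b", text, re.M | re.I):
        findings.append("admin .htaccess lacks 'Require valid-user'")
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\r\n]+)', text, re.M | re.I)
    pw = Path(m.group(1).strip()) if m else Path()
    if pw.is_absolute() and root in pw.resolve().parents:
        findings.append("password file is stored inside the web root")
    # Every theme should deny direct access to its .tpl templates.
    for theme in sorted(p for p in (root / "themes").glob("*") if p.is_dir()):
        ht = theme / ".htaccess"
        rules = ht.read_text() if ht.is_file() else ""
        if not re.search(r"<FilesMatch[^>]*tpl.*?deny\s+from\s+all", rules, re.I | re.S):
            findings.append(f"theme '{theme.name}' does not block .tpl files")
    return findings

def build_sample(base, hardened):
    """Create a constructed sample tree (demonstration data, not a real shop)."""
    shop = (Path(base) / ("good" if hardened else "bad")).resolve()
    admin = "adm1n-x7k2" if hardened else "admin"  # assumed names
    (shop / admin).mkdir(parents=True)
    (shop / "themes" / "prestashop").mkdir(parents=True)
    if hardened:
        (shop / admin / ".htaccess").write_text(
            "AuthUserFile /etc/apache2/shop.htpasswd\nAuthType Basic\n"
            "Require valid-user\nOptions -Indexes\n")
        (shop / "themes" / "prestashop" / ".htaccess").write_text(
            '<FilesMatch "\\.tpl$">\norder deny,allow\ndeny from all\n</FilesMatch>\n')
    else:
        for leftover in ("install", "docs"):
            (shop / leftover).mkdir()
        (shop / "readme_en.txt").write_text("constructed\n")
        (shop / admin / ".htaccess").write_text(
            f"AuthUserFile {shop / admin / '.htpasswd'}\nAuthType Basic\n")
    return shop, admin

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_shop(*build_sample(tmp, hardened=False)))
```

Against a real install, call audit_shop with the shop's root folder and the name the admin folder was renamed to; an empty list means none of the checked gaps were found.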