Are the modules in your PrestaShop store safe?


The PrestaShop ecosystem is full of great modules, but it is also full of modules that are either years past their prime or that developers should have retired years ago. The topic of attacks on online stores based on open-source software is nothing new; every platform struggles with this problem, including PrestaShop. However, there are initiatives in our ecosystem aimed at helping the community in this uneven fight. Meet Friends of Presta Security Advisories.
Friends of Presta
Let’s start with what Friends of Presta actually is. As they write on their website:
“Friends of Presta brings together the PrestaShop community consisting of programmers, integrators, agencies, and software publishers. We are the first network of technology experts around PrestaShop CMS.”
This is an independent association of members of the PrestaShop community founded in France, which runs a series of initiatives in our ecosystem. One of them is “Security Advisories,” aimed at improving security in the ecosystem.
Friends of Presta Security Advisories
“Friends of Presta” launched an initiative to build a catalog of vulnerabilities in modules available for PrestaShop. They respond to reports from the community and from clients of the association’s members, investigate them, and make sure the whole process ends with the vulnerabilities being patched.
They follow best practices for reporting such bugs, investigate the issue, contact the authors of modules where vulnerabilities have been found, and then share detailed information about the potential attack and the version containing the security patch. However, it sometimes happens that the author completely ignores communications from their side. Unfortunately, some popular marketplaces (not from Poland and not the official one) ignore such calls to react. In this case, the Friends of Presta maintainers recommend finding an alternative to the affected module.
The list of module security advisories on this site can undoubtedly make it easier for agencies and store owners to react even before an attack, which is the most important thing — to respond before it happens.
Automatic module checking in your store
Now that you know such an initiative exists, let’s move to the main point of this article. One of the community members has created a module that allows you to scan your stores in search of add-ons that have known security vulnerabilities.
Wilson Alba Cal has shared a module that fetches vulnerability information from the Friends of Presta site and generates a report available in your store’s back office. The module also includes an option for scheduling periodic tasks that check the store, e.g., once a day; if any modules requiring your attention are detected, an email is sent to you.
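The comparison behind such a scan, as an added example rather than the module's own code: installed modules are matched against advisories, and a module with no patched release is flagged for replacement, as the maintainers recommend. The module names, versions and record layout are constructed for illustration and are not the Friends of Presta feed format.

```python
import re

# Constructed sample data: module names, versions and the record layout are
# assumptions for illustration, not the Friends of Presta feed format.
ADVISORIES = [
    {"module": "examplecarousel", "fixed_in": "2.1.4"},
    {"module": "exampleexport", "fixed_in": None},   # author never shipped a patch
    {"module": "examplepay", "fixed_in": "3.2.0"},
    {"module": "examplefeed", "fixed_in": "1.9.2"},
    {"module": "examplegone", "fixed_in": "1.0.1"},  # not installed in this store
]
INSTALLED = {"examplecarousel": "2.1.3", "exampleexport": "1.0.0",
             "examplepay": "3.2.0", "examplefeed": "1.10.0"}

def version_key(version):
    """Compare versions numerically so that 1.10.0 sorts after 1.9.2."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:   # treat 1.2 and 1.2.0 as equal
        parts.pop()
    return tuple(parts)

def scan(installed, advisories):
    """Return one finding per installed module that still needs attention."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["module"])
        if current is None:
            continue                      # module is not installed
        fixed = adv["fixed_in"]
        if fixed is None:
            action = "replace"            # no patched release exists
        elif version_key(current) < version_key(fixed):
            action = "update"             # patched release is newer
        else:
            continue                      # already at or past the fix
        findings.append({"module": adv["module"], "installed": current,
                         "fixed_in": fixed, "action": action})
    return sorted(findings, key=lambda f: f["module"])

def format_report(findings):
    """Build the text a daily job could e-mail to the store owner."""
    if not findings:
        return "No installed module matches a known advisory."
    lines = [f"{f['module']} {f['installed']}: "
             + (f"update to {f['fixed_in']} or later" if f["action"] == "update"
                else "no patched release, find an alternative")
             for f in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(scan(INSTALLED, ADVISORIES)))
```

A plain string comparison would wrongly report `examplefeed` 1.10.0 as older than 1.9.2, which is why the versions are compared as numeric tuples.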
PrestaShop store security
It’s worth installing the described module, adding a recurring CRON task on your server, and helping yourself keep your stores secure. Of course, this is not a solution to every security problem. The security of any software is a complex matter. Above all, you should make sure to apply regular updates. If your store runs on an older version of PrestaShop, nothing prevents the agency that manages it from applying only the security patches released for newer versions. Very often this is possible; sometimes it requires more work, but it’s certainly not as much as a full update.
It’s also worth taking proper care of how you store your back office passwords: the access to your back office should be unique, maybe even kept in a secured password manager, and you might also consider using two-factor authentication modules. It’s equally important to update modules regularly. However, all of this does not mean that your store will never fall victim to an attack; unfortunately, quite the opposite. This does not only concern PrestaShop. Every month, similar cases occur in the WordPress or Magento ecosystems. Therefore, following the above recommendations or downloading and installing the module described in this article is just the first step.
The fop_publishedvulnerabilityscan module
The latest version of the module can be downloaded from GitHub in the repository where its development is ongoing.
If you are a developer and want to expand this module with new features, that’s of course possible too.
The module mentioned in this article is not the only community product designed to help you fight vulnerabilities in the PrestaShop ecosystem. In upcoming articles, we will cover more advanced solutions.
Written by

Krystian Podemski