Is your PrestaShop site secure from hackers? In e-commerce, security should be one of your top concerns, because in the end it can cost you everything. Over the last few weeks we have dealt with over 100 security breaches in PrestaShop sites, and it does not look like it is slowing down yet. We have seen over 3 dozen sites totally deleted from their servers. We have seen sites that look and act fine but have backdoors present, and we have seen others that have been converted into phishing sites for stealing passwords and credit card information.

 

Is your site safe?

Sadly, the answer is more than likely not. One thing I would like to stress going into this is that there have been no vulnerabilities found in PrestaShop itself. Every one we have seen is in a 3rd party module or theme. That being said, even PrestaShop’s paid modules have been affected, as well as other modules for sale by 3rd party vendors on the addons store. The vulnerable modules are not limited to the addons store either: ThemeForest (Envato) has been affected, as has the PrestaShop forum, where you can download free modules.

The reason I would say that no site is safe is that the full extent of the hacks is still coming in. Hackers are finding new modules every day that can be hacked. This is making our efforts to stop the hacks increasingly difficult, almost impossible from our perspective of managing our clients' sites. With the time and cost involved, checking all of the PrestaShop modules is simply impossible at this point.

 

What are we recommending?

This is something that I have set up and thought about for a while. At this point I am recommending monitoring the files on your server for file changes. Since there are so many different modules that are affected and no one knows which ones could be added to the list at a later date, this seems like the best choice currently.

 

CodeGuard

CodeGuard is a service that will make daily backups of your site and store them on their remote server. They will also let you know if any files have been changed since the last backup, which is a great way of detecting if your site has been hacked. One of the main reasons we recommend them is that, with our time in the business, we have learned not to trust web hosting company backups. Most of the time they don’t actually exist or they charge a huge fee to access them. CodeGuard can restore your site automatically if hackers happen to delete your site. With plans from $4 a month, it is the most affordable of the solutions we are recommending and the most comprehensive.

PrestaVault

PrestaVault is a module that we recommend as well. What it does is pretty simple: it will let you know of any file changes on your server. Using this module in conjunction with a backup service is recommended, because once you know there are changes, you will have to fix them manually.

Automatic PrestaShop Backup

Automatic PrestaShop Backup creates a backup of your site automatically. You can set the interval at which you want to create the backups, and you can even have them emailed to you or sent to Amazon AWS servers to store the backup offsite. The ability to store the backups offsite is great, because if your website gets hacked, there is a great possibility that the backups could be deleted if you store them on your server.

 

Another line of defense

Nothing is perfect for protecting your store, but we have found something that is working better than other methods. There is a software package called CXS that can be configured and run on your server. This package will actually stop most attacks as they happen. Most of the attacks center around uploading files through insecure modules. The files the hackers upload then give them access to your server, so they can do as they please with it. This is where CXS comes in. It actively works on your server and scans new files as they are uploaded; compare it to an active virus scanner on your computer. When a file that matches a malicious file’s fingerprint is uploaded, the system automatically disables the file. This kind of active protection is great, but it cannot be found at most hosts. If you have a managed dedicated server you might be able to get your host to install the software, but if you have a shared or VPS plan you are more than likely out of luck.

StrikeHawk Ecommerce

StrikeHawk Ecommerce is a US based hosting company that is run by an active member of the PrestaShop community, and they specialize in secure ecommerce hosting. They actively run CXS on all of their hosting accounts, so you know that your site will be secure even with vulnerabilities that have yet to be discovered. A couple of community members actually tested several of the recent hacks out on sites from their servers and they blocked all of them. If you are in the US and you are considering moving to a more secure hosting environment, I would look into them.

Jolt Hosting

Jolt Hosting is a United Kingdom based hosting company that also uses CXS on their servers. This will give you an active level of defense against the undiscovered vulnerabilities. They have been in business almost a decade and have an excellent reputation for being one of the best hosts in the UK.

 

Like I mentioned at the beginning of this post, I wish there was a more definitive way to know if your site is vulnerable. Unfortunately, there is not. There are so many free modules made by developers who use bad security practices that it is impossible to tell which modules are affected.

 

A bit more about the hacks

For the readers that want to know a bit more about what is going on at a technical level, let me explain what we have been dealing with. Last month two automated tools were released that would hack the Warehouse theme and Attribute Wizard Pro. Both had the same vulnerability: they did not check if you were logged in when you uploaded files. This has since been fixed in both the theme and the module, but not everyone is patched. At the same time, the people that released the hacks found more modules that had the same vulnerabilities in them. They have created an automatic scanner that scans websites looking for the modules and tries to hack them. Below is a list of the modules that we have seen being scanned in logs.

/home/###/www/modules/columnadverts
/home/###/www/modules/soopamobile
/home/###/www/modules/soopabanners
/home/###/www/modules/vtermslidesshow
/home/###/www/modules/simpleslideshow
/home/###/www/modules/productpageadverts
/home/###/www/modules/homepageadvertise
/home/###/www/modules/advancedslider
/home/###/www/modules/cartabandonmentpro
/home/###/www/modules/videostab
/home/###/www/modules/wg24themeadministration
/home/###/www/modules/fieldvmegamenu
/home/###/www/modules/wdoptionpanel
/home/###/www/modules/idx_config
/home/###/www/modules/attributwizardpro
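To check your own access logs for this scanner, the following added example (not from the original post) groups requests for the module directories listed above by client IP. It assumes the modules are served under `/modules/<name>/` and that the log is in combined log format; the sample lines, IP addresses, `placeholder.php` and the threshold of 3 are constructed.

```python
import re
from collections import defaultdict

# Module directory names taken from the list above.
PROBED_MODULES = {
    "columnadverts", "soopamobile", "soopabanners", "vtermslidesshow",
    "simpleslideshow", "productpageadverts", "homepageadvertise",
    "advancedslider", "cartabandonmentpro", "videostab",
    "wg24themeadministration", "fieldvmegamenu", "wdoptionpanel",
    "idx_config", "attributwizardpro",
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
MODULE = re.compile(r'^/modules/([^/?]+)')

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:00:00:01 +0000] "GET /modules/columnadverts/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:00:00:02 +0000] "GET /modules/soopamobile/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:00:00:03 +0000] "GET /modules/advancedslider/ HTTP/1.1" 403 162 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:00:00:04 +0000] "POST /modules/simpleslideshow/placeholder.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.20 - - [01/Jan/2000:00:00:09 +0000] "GET /index.php?id_product=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.21 - - [01/Jan/2000:00:00:12 +0000] "GET /modules/videostab/ HTTP/1.1" 200 900 "-" "-"',
]

def probes(lines):
    """Per client IP: listed modules requested, and POSTs that got a 2xx."""
    report = defaultdict(lambda: {"modules": set(), "post_ok": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, method, path, status = m.groups()
        mod = MODULE.match(path)
        if not mod or mod.group(1).lower() not in PROBED_MODULES:
            continue
        report[ip]["modules"].add(mod.group(1).lower())
        if method == "POST" and status.startswith("2"):
            report[ip]["post_ok"].append(path)  # review these first
    return dict(report)

def scanners(report, threshold=3):
    """IPs that requested at least `threshold` different listed modules."""
    return sorted(ip for ip, e in report.items() if len(e["modules"]) >= threshold)
```

A successful POST into one of these directories is the entry worth checking against your file-change report, since the attacks described here work by uploading files.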

 

But wait, there is more

It is normal when a site is hacked for backdoors to be left all around the site for the attackers to get back in. We are finding some things that are out of the ordinary though. On a site over the weekend we found that one of the hackers had uploaded a modified PayPal module file. They were attempting to steal the site’s customers' PayPal login information. This hack specifically targeted the PayPal Europe module; we have not seen anything that would target the PayPal US / CA module yet. We have also seen other payment modules targeted, such as the Braintree module. This makes these hacks even worse. In the cases where we have seen payment modules modified, there was not really any visible evidence of a hack anywhere. The hackers did not want to disturb too many things, so the hack would go unnoticed for as long as possible.

 

A good backup solution is going to be your best bet. That is why I recommend CodeGuard. It will let you know daily if files are modified, which tells you whether your site has been hacked so you can take the appropriate action. I wish I could give everyone a 100% sure way of sealing things off, but it is just not possible at this time.