Security Pro

Dashboard

Logs

Title | Size | Last modified | Path | Activated
Brute force | 0B | 10/04/2025 | /home/rekerdk/public_html/demo/var/logs/sp_bruteforce.log |
Firewall | 0B | 10/04/2025 | /home/rekerdk/public_html/demo/var/logs/sp_firewall.log |
Page not found | 277B | 10/21/2025 | /home/rekerdk/public_html/demo/var/logs/sp_pagenotfound.log |
Malware scan | 0B | 10/04/2025 | /home/rekerdk/public_html/demo/var/logs/sp_malwarescan.log |
File changes | 0B | 10/04/2025 | /home/rekerdk/public_html/demo/var/logs/sp_filechanges.log |
Login attempts | 0B | 10/04/2025 | /home/rekerdk/public_html/demo/var/logs/sp_loginattempts.log |
Cronjobs | 134B | 10/25/2025 | /home/rekerdk/public_html/demo/var/logs/sp_cron.log |

Employee statistics

Name | E-mail | Last password generated | Last connection | Activated
John Doe | mathias@reker.dk | 11/13/2020 08:10:11 | 11/13/2020 | Edit
Jane Doe | demo@demo.com | 11/13/2020 08:36:05 | 11/01/2025 | Edit

Cronjobs

Please set up the cronjobs below. It is recommended to run the cronjobs once a day: 0 3 * * * {cronjob}
If your host does not allow you to set up cronjobs, you can use this service instead: https://cron-job.org/en/members/jobs/add/
Learn more about cronjobs here.
Title | Cronjob
Malware scan | wget -q -O - "https://reker.dk/demo/en/module/securitypro/cron?name=MalwareScanner&token=2765b6293e3e287adddc51ce10dac5d5" >/dev/null 2>&1 | Run cronjob
Delete old carts | wget -q -O - "https://reker.dk/demo/en/module/securitypro/cron?name=DeleteOldCarts&token=2765b6293e3e287adddc51ce10dac5d5" >/dev/null 2>&1 | Run cronjob
Monitoring | wget -q -O - "https://reker.dk/demo/en/module/securitypro/cron?name=Monitoring&token=2765b6293e3e287adddc51ce10dac5d5" >/dev/null 2>&1 | Run cronjob

Cache

Title | Size | Description
Cache | 57.7kB | Clear cache and statistics generated by this module.
General Settings
Some features in this module use external free services (no paid subscription is required for any services). To use these features, you must get an API key/token from the services.
As some of the features in this module are time-based, you must choose the correct time zone. Your current chosen time zone is Europe/London. Change the time zone.
Please save the following link to a safe place: https://reker.dk/demo/en/module/securitypro/unlock?token=2f772f4bfbf9675ab6207dddf9f20773
Running this link will disable brute force protection, two-factor authentication and admin stealth login. This link can be useful if you get locked out from your back office.

Google Drive

  1. Access https://console.cloud.google.com/apis/library/drive.googleapis.com from your browser.
  2. Log on to your Google account. Sign up if you do not have one yet.
  3. Enable Google Drive API.
  4. Select a project or create a new one.
  5. Copy your product ID into the field above.
  6. Access https://console.cloud.google.com/apis/credentials/consent from your browser.
  7. Click 'Configure Consent Screen'.
  8. Select 'External' and click Create.
  9. Enter 'Security Pro' in the App name.
  10. Enter your e-mail in 'User Support email'.
  11. Scroll down to developer contact information and enter the same e-mail address that you used above.
  12. Once the app is created, click 'Set in production'.
  13. Click 'Save and Continue' until you have finished all the steps.
  14. Access https://console.developers.google.com/apis/credentials/oauthclient from your browser.
  15. Click 'Create credentials' and select 'OAuth client ID' from the list.
  16. Select 'Desktop app' from the dropdown.
  17. Enter 'Security Pro' as name and continue by hitting 'create'.
  18. Copy your client ID and your secret ID into the fields above.
  19. Save module settings by hitting 'Save'.

  1. Access (the link is generated once the connection to Google Drive is established) from your browser.
  2. Select your Google account from the list.
  3. Now a warning will appear. Click on advanced settings and click on the continue link.
  4. Grant permission to the app.
  5. Now a code for your application should be displayed. Copy that code into 'Client Auth' above.

Dropbox

  1. Access https://www.dropbox.com/developers/apps/create from your browser.
  2. Log on to your Dropbox account. Sign up if you do not have one yet.
  3. Choose 'Scoped access' API on the first step.
  4. Choose 'App folder' in the second step.
  5. Give your app a name. That name will become a folder in your Dropbox account.
  6. Click the 'Create app' button.
  7. Go to the 'Permissions' tab. Scroll down to 'Files and folders' and enable following: 'files.metadata.write', 'files.content.write', 'files.content.read'. Then submit the changes.
  8. Go to the 'Settings' tab. Scroll down to the 'OAuth 2' block and select 'No expiration' from the dropdown near the 'Access token expiration' text.
  9. Then generate a token by hitting the 'Generate' button near the 'Generated access token' text.
  10. After the token is generated, you'll see a string of letters and numbers. This is your Dropbox API access token. You should now copy this token into the field above.

Google reCAPTCHA

  1. Access https://www.google.com/recaptcha/admin/create from your browser.
  2. Log on to your Google account. Sign up if you do not have one yet.
  3. Select the reCAPTCHA v2 radio button.
  4. Register your domain.
  5. Copy your Site key and your Secret key into the fields above.

  1. Access https://www.google.com/recaptcha/admin/create from your browser.
  2. Log on to your Google account. Sign up if you do not have one yet.
  3. Select the reCAPTCHA v3 radio button.
  4. Register your domain.
  5. Copy your Site key and your Secret key into the fields above.

Choose where to show the badge.

Choose the color theme of the badge.

Google Safe Browsing

  1. Access https://console.developers.google.com/apis/library/safebrowsing.googleapis.com from your browser.
  2. Log on to your Google account. Sign up if you do not have one yet.
  3. Enable Safe Browsing API.
  4. Select a project or create a new one.
  5. Click Credentials.
  6. Click Create credentials.
  7. Copy your API key into the field above.

Honeypot

  1. Access https://www.projecthoneypot.org/account_login.php from your browser.
  2. Log on to your Honeypot Project account. Sign up if you do not have one yet.
  3. Your API key is found on the top left of your Project Honey Pot Dashboard. It will be the first line under 'Your Stats'.
  4. Copy your Honeypot API key into the field above.

Montastic

  1. Access https://montastic.com/me?tab=form_profile from your browser.
  2. Log on to your Montastic account. Sign up if you do not have one yet.
  3. Go to the Profile menu.
  4. Click on 'Developer Information'
  5. Copy your REST API key into the field above.

General

You can enable e-mail notifications on some of the features. To use these features, you must enter your e-mail in the above field. You can add multiple e-mails. Separate the e-mail addresses by a comma (',') without space.

If one of your cronjobs fails, you can enable this option to find the problem. Run your cronjob manually in your browser to see the error.

Admin Brute Force Protection
A brute force attack is one of the simplest methods to gain access to a website. The hacker tries various combinations of usernames and passwords again and again until he gets in. The module can limit the tries to protect you from the attack. Read more.

Brute force protection

Enable brute force protection to limit the number of login attempts to your back office.

times

Failed login attempts allowed before the ban. The default value is 5.

minutes

A host is banned if it has reached 'Max retry' failed attempts during the last 'Request timeout' minutes. Enter the time in minutes. The default value is 10.

minutes

Time a host is banned. Enter time in minutes. The default value is 30.

You can list your IP addresses to avoid getting an e-mail if you mistype the password. You can still get banned for some time if you fail to log in according to your own rules above.
The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.
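The IP list format above (comma-separated, CIDR ranges or '*' wildcard patterns, IPv4 and IPv6) is used by several settings on this page. The matcher below is an added example, not the module's own code; `parse_ip_list`, `matches_pattern` and `is_listed` are this example's names, and the interpretation of '*' as exactly one whole octet (IPv4) or one hextet (IPv6, after expanding '::') is this example's reading of the samples given, using only Python's standard `ipaddress` module.

```python
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _expand_v6_pattern(pattern: str) -> List[str]:
    """Expand the '::' shorthand in an IPv6 wildcard pattern to all 8 groups.
    '*' groups are kept as-is, so '::*:*' becomes ['0'] * 6 + ['*', '*']."""
    if "::" in pattern:
        head, tail = pattern.split("::", 1)
        head_groups = [g for g in head.split(":") if g]
        tail_groups = [g for g in tail.split(":") if g]
        fill = 8 - len(head_groups) - len(tail_groups)
        groups = head_groups + ["0"] * fill + tail_groups
    else:
        groups = pattern.split(":")
    if len(groups) != 8:
        raise ValueError(f"malformed IPv6 pattern: {pattern!r}")
    return groups


def matches_pattern(ip: IPAddr, pattern: str) -> bool:
    """Wildcard match: '*' stands for one whole octet (IPv4) or one hextet (IPv6)."""
    if ip.version == 4:
        if ":" in pattern:
            return False                      # an IPv6 pattern cannot match an IPv4 host
        want = pattern.split(".")
        if len(want) != 4:
            raise ValueError(f"malformed IPv4 pattern: {pattern!r}")
        have = str(ip).split(".")
        return all(w == "*" or int(w) == int(h) for w, h in zip(want, have))
    if ":" not in pattern:
        return False                          # an IPv4 pattern cannot match an IPv6 host
    want = _expand_v6_pattern(pattern)
    have = ip.exploded.split(":")             # zero-padded, fully expanded groups
    return all(w == "*" or int(w, 16) == int(h, 16) for w, h in zip(want, have))


def parse_ip_list(raw: str) -> List[Tuple[str, object]]:
    """Split the module-style list ('a,b,c', no spaces) into ('pattern', str) or
    ('network', ip_network) entries. Plain addresses become /32 or /128 networks."""
    entries: List[Tuple[str, object]] = []
    for item in raw.split(","):
        item = item.strip()                   # tolerate stray whitespace anyway
        if not item:
            continue
        if "*" in item:
            entries.append(("pattern", item))
        else:
            entries.append(("network", ipaddress.ip_network(item, strict=False)))
    return entries


def is_listed(addr: str, raw_list: str) -> bool:
    """True if addr is covered by any entry of the comma-separated list."""
    ip = ipaddress.ip_address(addr)
    for kind, value in parse_ip_list(raw_list):
        if kind == "network":
            if ip.version == value.version and ip in value:
                return True
        elif matches_pattern(ip, value):
            return True
    return False


if __name__ == "__main__":
    # Constructed list in the module's format, mixing CIDR and wildcard entries
    ALLOW = "::1/128,127.0.0.1/32,203.0.113.0/24,10.0.*.*,2001:db8::*:*"
    for host in ("127.0.0.1", "203.0.113.77", "10.1.2.3", "2001:db8::1:2", "fe80::1"):
        print(host, "->", "listed" if is_listed(host, ALLOW) else "not listed")
```

Entries are parsed on every call for clarity; a real implementation would parse the saved list once and reuse the result, and would reject malformed entries when the settings are saved rather than at request time.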

Monitoring

Receive an e-mail if someone inputs a wrong password. This setting can only be enabled if brute force protection is activated.

Receive an e-mail in case someone inputs the correct password. This feature is useful for finding out whether anyone else has gained access. This setting can only be enabled if brute force protection is activated.

Record banned users into a log file. The log can be found on your dashboard.

Log admin login attempts with IP address, timestamp, e-mail and information about whether the user was logged in.

Two-Factor Authentication
Two-factor authentication is an extra layer of security for your PrestaShop admin panel, designed to make sure that you are the only person who can get access to your back office, even if someone knows your password. Read more.
Please write down and store this 12-character recovery code somewhere safe. In case you lose access to your device, you can use this code to pass the 2FA-step: 7DE1 BC09 9E34

  1. Download a 2FA app on your phone: Google Authenticator, Microsoft Authenticator, or any app supporting the TOTP algorithm.
  2. Open the app and scan the QR code below:
  3. If you for some reason cannot scan the QR-code, you can use this code for manual input instead: VGH2 27FZ K6MR 5MAN TJ4E HYW4 AHLD PPFD
  4. Insert the code you see on your phone in the code field below to verify that everything is working.
  5. Save settings in the module before the code expires.
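The codes the app produces in the steps above are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The routine below is an added example of how the server side verifies such a code, not the module's implementation: `decode_manual_key`, `hotp`, `totp` and `verify_totp` are this example's names, and the key used is the RFC test secret written in the spaced manual-entry style, not the key shown on this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set


def decode_manual_key(key: str) -> bytes:
    """Authenticator apps show the manual-entry key as base32 in groups of four.
    Strip the spaces, upper-case it and restore padding before decoding."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: str, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    at_time = time.time() if at_time is None else at_time
    return hotp(decode_manual_key(key), int(at_time // step), digits)


def verify_totp(key: str, code: str, at_time: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, used: Optional[Set[int]] = None) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on either side
    (clock drift between phone and server), compares in constant time and, when `used`
    is given, refuses a counter that was already accepted so a sniffed code cannot be replayed."""
    at_time = time.time() if at_time is None else at_time
    secret = decode_manual_key(key)
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if used is not None and candidate in used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            if used is not None:
                used.add(candidate)
            return True
    return False


# RFC 4226/6238 test secret "12345678901234567890", written the way an app shows it (constructed)
RFC_TEST_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_KEY, at_time=59))   # RFC 6238 vector: 287082
    print("current code:", totp(RFC_TEST_KEY))
```

The `window` is why step 5 above says to save before the code expires: a verifier that accepts only the exact current step would reject a code typed a few seconds late, while a wide window lengthens the time in which a leaked code remains valid.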

To confirm that everything is correct, you must enter your code from your app before you save settings.

You can list your IP addresses if you want to skip the Two-Factor Authentication when you are on a specific network.
The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.

By default, if you sign in from the same network, same browser and same computer, and you have recently solved the 2FA, you will not have to solve the 2FA again. However, if you want to force the second verification step every single time you sign in to your back office even though your device is trusted, you can enable this feature.

If any of your employees need the ability to skip the two-factor authentication, they can use the links below. These links have an extra parameter in the login URL. When accessing this link, the two-factor authentication is skipped.
Important information for the webmaster: The 2FA-token is linked to the e-mail and the password of the employee, so if the employee changes his e-mail or resets his login-password, the 2FA-token will change as well due to security reasons.
Name | E-mail | Link
John Doe | mathias@reker.dk | https://reker.dk/demo/admin-dev/index.php?controller=AdminLogin&token=73ee4357dded997d39a48997dd88d810&2fa=96eddcde19946a9cfc856c0d3986e162
Jane Doe | demo@demo.com | https://reker.dk/demo/admin-dev/index.php?controller=AdminLogin&token=73ee4357dded997d39a48997dd88d810&2fa=8b46f9baa49f4c0476d2d23674426849
Second Login
PrestaShop's login already secures your shop, but you can add another layer of security by adding a second login from your web server itself. This is done using .htpasswd (Apache-servers only). The second login is the same for each employee, as this is set on the server level.
This feature is for advanced users only. It is recommended to leave this feature off in most cases.

Activate a second login from your web server itself.

It would help if you used a different username than you use for your regular back office login. Generate a secure username.

It would help if you used a different password than you use for your regular back office login. Generate a secure password.

Admin Stealth Login
Admin Stealth Login makes your admin directory invisible for hosts with unknown IP addresses.
This feature is for advanced users only. It is recommended to leave this feature off in most cases.

Block access to the back office for everyone except the IP addresses on the list below. You must have a static IP address. Read more.

List all the IP addresses that should have access to back office.
The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.

HTTP Security Headers
Security headers are HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict browsers from running into easily preventable vulnerabilities. This module makes the configuration of these security headers easy.

Prevent browsers from framing your site. This will defend you against attacks like click-jacking.

Set secure configuration for the cross-site scripting filters built into most browsers.

Stop browsers from trying to MIME-sniff the content type and force them to stick with the declared content type.

Strengthen your implementation of TLS by getting the user agent to enforce the use of HTTPS.

Please follow this link to understand these settings: https://hstspreload.org/?domain=https://reker.dk/demo/en/.

Signals to the user agent that compliance with the certificate transparency policy should be enforced.

The browser will send a full URL along with requests from a TLS-protected environment settings object to a potentially trustworthy URL and requests from clients which are not TLS-protected to any origin.

The server responds and says that only POST, GET, OPTIONS are viable methods to query the resource in question.

Prevent Adobe Flash and Adobe Acrobat from loading content on your site. This protects against cross-domain middleware.

This disables the option to open a file directly on download. Only Internet Explorer supports this header; other browsers will ignore it.

Remove all 'Powered-by' HTTP headers and hide server information.
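The header settings described above can be checked against a captured response before and after the module is configured. The audit below is an added example, not the module's code: `audit_headers`, `ONE_YEAR` and the `WEAK`/`HARDENED` dictionaries are constructed here, and the accepted values (DENY or SAMEORIGIN, nosniff, an HSTS max-age of at least one year with includeSubDomains, '1; mode=block' or '0', any Referrer-Policy, none, noopen, no X-Powered-By or Server header) are this example's reading of the descriptions and of hstspreload.org's minimum, not values taken from the module.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age that hstspreload.org accepts


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that is missing or weaker than the recommended value."""
    findings: List[str] = []

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: set DENY or SAMEORIGIN to stop framing (clickjacking)")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: set nosniff to stop MIME sniffing")

    hsts = _get(headers, "Strict-Transport-Security") or ""
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if max_age is None:
        findings.append("Strict-Transport-Security: missing or without max-age")
    else:
        if int(max_age.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security: max-age {max_age.group(1)} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: add includeSubDomains so subdomains are covered too")

    xss = _get(headers, "X-XSS-Protection")
    if xss is None or xss.replace(" ", "").lower() not in ("0", "1;mode=block"):
        findings.append("X-XSS-Protection: set '1; mode=block' (or '0' to disable the legacy filter)")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy: missing")

    pcdp = _get(headers, "X-Permitted-Cross-Domain-Policies")
    if pcdp is None or pcdp.lower() != "none":
        findings.append("X-Permitted-Cross-Domain-Policies: set none to stop Flash/Acrobat cross-domain loading")

    xdo = _get(headers, "X-Download-Options")
    if xdo is None or xdo.lower() != "noopen":
        findings.append("X-Download-Options: set noopen (honoured by Internet Explorer only)")

    for leak in ("X-Powered-By", "Server"):
        if _get(headers, leak):
            findings.append(f"{leak}: remove; it discloses server software details")

    return findings


# Constructed sample responses, not captures from the shop on this page
WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "PHP/7.2",
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=300",
    "X-XSS-Protection": "1",
}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Download-Options": "noopen",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit_headers(sample))} finding(s)")
        for finding in audit_headers(sample):
            print("  -", finding)
```

The HSTS check deliberately flags a short max-age even though the header is present: a short value protects only until it expires and is not accepted for preloading.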


Analyze security HTTP headers
Security Pro can fix all warnings and errors reported by https://securityheaders.com, helping you get an A+ score!

Password Strength

Add a meter under the password field giving your customers instant feedback on the strength of their passwords, thus giving your customers a more secure shopping experience.

Web Application Firewall
This web application firewall helps to protect your web applications against common web exploits that may affect availability, compromise security, or consume excessive resources. It makes your applications secure by enabling security rules that block common attack patterns, such as SQL injection, cross-site scripting, etc. Once you have configured the firewall, remember to test that everything normally works in your front office. Read more.

Firewall rules

Anti-flood/DDoS protection. This feature is great for preventing most DDoS attacks and automatic multiple requests. Read more.

requests

Allowed page requests per user within the time interval. The default value is 100.

seconds

Time interval during which page requests are counted. The default value is 5.

seconds

The duration of the ban. The default value is 600.
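The brute force limits ('Max retry' failed logins within 'Request timeout', then banned for the ban time) and the anti-flood rule just described (allowed requests within the time interval, then banned for the ban duration) are the same sliding-window counter with different inputs. The class below is an added example, not the module's implementation: `SlidingWindowBan`, `record` and `is_banned` are this example's names, and the page's defaults (5 tries / 10 min / 30 min, 100 requests / 5 s / 600 s) are passed in as seconds.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowBan:
    """Ban a host once it produces `max_events` events within `window` seconds;
    the ban lasts `ban_seconds`. One event is a failed login (brute force protection)
    or a page request (anti-flood), depending on what the caller feeds in."""

    def __init__(self, max_events: int, window: float, ban_seconds: float) -> None:
        self.max_events = max_events
        self.window = window
        self.ban_seconds = ban_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)  # host -> recent event times
        self._banned_until: Dict[str, float] = {}                   # host -> end of ban (epoch s)
        self.log: List[Tuple[float, str, str]] = []                  # (time, host, action) for the log file

    def is_banned(self, host: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._banned_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[host]          # ban expired; the host starts with a clean slate
            return False
        return True

    def record(self, host: str, now: Optional[float] = None) -> bool:
        """Register one event for host. Returns True if the host is banned after this event
        (either already banned, or this event pushed it over the limit)."""
        now = time.time() if now is None else now
        if self.is_banned(host, now):
            return True
        recent = self._events[host]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                      # forget events that fell out of the window
        if len(recent) >= self.max_events:
            self._banned_until[host] = now + self.ban_seconds
            recent.clear()
            self.log.append((now, host, "banned"))
            return True
        return False


# Page defaults, converted to seconds
brute_force = SlidingWindowBan(max_events=5, window=10 * 60, ban_seconds=30 * 60)
anti_flood = SlidingWindowBan(max_events=100, window=5, ban_seconds=600)

if __name__ == "__main__":
    # Constructed sequence: five wrong passwords from one host within a few seconds
    for i in range(5):
        print("failed login", i + 1, "-> banned:", brute_force.record("198.51.100.7", now=1000 + i))
    print(brute_force.log)
```

An allowlist check (the IP list formats described under brute force protection) would sit in front of `record`; note the two features treat it differently, since a listed host skips the e-mail but can still be banned under brute force protection, while the firewall never blocks a whitelisted host.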

The honeypot project has a big database of bad bots/spammers. If this feature is enabled, the module will look up the IP of clients accessing your site against this database. If there is a match, the client will need to solve a reCAPTCHA to continue using the website. Search engines are excluded from this check. Read more.

In some cases, TOR browsers are used by criminals to hide while buying from a stolen credit card. If you are having this problem, you can block TOR IPv4 and IPv6 addresses with this feature. Read more. It is recommended to leave the feature off in most cases.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. If the request looks like an attack, choose whether the client can proceed after solving a challenge (reCAPTCHA v2), get blocked (403) or get redirected to 'page not found' (404). Read more.

XSS (Cross-Site Scripting) injection is a web security vulnerability that allows an attacker to inject client-side script into pages served by the site. If the request looks like an attack, choose whether the client can proceed after solving a challenge (reCAPTCHA v2), get blocked (403) or get redirected to 'page not found' (404). Read more.

Command injection is a web security vulnerability that allows an attacker to inject code into the remote server. If the request looks like an attack, choose whether the client can proceed after solving a challenge (reCAPTCHA v2), get blocked (403) or get redirected to 'page not found' (404). Read more.

Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. Block the request if the request looks like an RFI attack. This feature is for advanced users. Watch the firewall log if you enable this feature, in case you have installed a third-party module that gets blocked by this feature due to the design of the request. Read more.

Cross-Site Tracing (XST) is a network security vulnerability exploiting the HTTP TRACE method. Enable this option to block HTTP TRACK and HTTP TRACE requests. Read more.

Directory traversal attacks use the webserver software to exploit inadequate security mechanisms and access directories and files stored outside of the webroot folder. This option protects against traversal attacks. Read more.

Block the ability to upload files in the front office. Do not enable this if you are using the contact form or another front office module with a file transfer function.

Scan uploaded files in the front office for trojans, viruses, malware and other threats, and block the request if the file is suspicious.

Whitelisted IP addresses that should never be blocked by the firewall.
The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.

Custom rules

Block hosts with the IP addresses below from your website. You cannot block hosts that are already on the whitelist. If you want to ban a country, please use this built-in PrestaShop feature: Ban countries. It is generally not recommended to block countries. Blocking countries could lock out customers that are using a VPN or customers that are on vacation, etc. If the client is on the blacklist, choose whether the client can proceed after solving a challenge (reCAPTCHA v2) or get blocked (403).

The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.

Block user agents with the below names from your website.

Separate them by a comma (',') without spaces.

Monitoring

Record hacking attempts into a log file. This is recommended.

Anti-SPAM
SPAM (Shit Posing As Mail) is a problem for most businesses. There are still people who fall victim to cyber-attacks, such as spamming and phishing.

Contact form

If you want to disable the contact form, you can enable this feature.

reCAPTCHA v3 returns a risk score for each request without user friction. The module uses this risk-score to decide whether the user is a bot or a human. Bots will be prevented from sending e-mails. Read more.

Prevent users from sending e-mails with links to known phishing and deceptive sites using the Google Safe Browsing API. The Safe Browsing API automatically checks the URLs in the message against Google's constantly updated lists of unsafe web resources. If any URL in the message is found on the Safe Browsing list, the message will not be sent. Read more.

Block message if it contains at least one word from your custom list of blacklisted words.

Custom list of bad words. Separate them by a comma (',') without spaces.

Block e-mails from disposable providers.

Block e-mails with specific top-level domains.

Custom blacklist of top-level domains. Separate them by a comma (',') without spaces.

Block specific e-mail addresses.

Custom blacklist of e-mail addresses. Separate them by a comma (',') without spaces.

Registration form

This module does not use overrides. Therefore, it is not possible to add these checks on the registration at the checkout process. These checks are limited to this registration form: https://reker.dk/demo/en/login?create_account=1

Prevent bots from making fake accounts and secure against CSRF (Cross-site request forgery) attacks.

Prevent bots from making fake accounts by verifying that the first name and last name are not URLs.

reCAPTCHA v3 returns a risk score for each request without user friction. The module uses this risk score to determine whether the user is a bot or a human. Bots will be prevented from registering accounts. Read more.

Block e-mails from disposable providers.

Block e-mails with a custom list of top-level domains.

Custom blacklist of top-level domains. Separate them by a comma (',') without spaces.

Anti Malware
The term malware refers to software that damages devices, steals data, and causes chaos. There are many types of malware: viruses, trojans, spyware, ransomware, and more. Read more.

Scan all your directories for malware and notify you by e-mail if something was found. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Scan all your directories for malware and log it if something was found. The log can be found on your dashboard.

Whitelist false positives, caused by custom modules, etc. You must enter the unique ID of 40 characters in parentheses after the malware report's file name. This ID is a SHA1 hash of the content of the file. If the file changes, this ID will change as well. Separate files by a comma (',') without space.

Track every 'page not found' (error 404) and log them into a log file. This is very useful to detect hacking attempts.

When you link to another site, you can expose your site to security issues. Enabling this feature will add the following tags to all external links on your website: rel="noopener", rel="noreferrer", rel="nofollow", target="_blank". Read more.

Anti-Fake Carts
The module can automatically delete abandoned carts. Abandoned carts can be generated both by users and by crawlers, resulting in a massive amount of useless data that severely affects your shop database's performance.

Delete unused carts after a certain number of days. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

days

Number of days a cart is kept before it is automatically deleted. 14 days is recommended.

Crawlers that do not respect your robots.txt rules might click the add-to-cart button. This can lead to a lot of unused carts that will slow down your site. This feature will block crawlers from adding to the cart.

Website Monitoring Service
By connecting to Montastic, you can be notified by e-mail if your website is down. The free plan allows you to ping your website(s) every 30 min. You can have up to 9 checkpoints at the same time. Try it out!
You can manage your checkpoints here: https://montastic.com/checkpoints.
You need to add your API key in 'General Settings' to get access to this content. You can get an API key here at https://montastic.com/me?tab=form_profile (You can choose the free plan).
Change Monitoring
If you cannot monitor changes, you cannot manage them. To control your environment, you need the ability to analyze and respond to changes. The module allows you to monitor some important changes, like file changes.

Track every file change on your server and notify you by e-mail if something has changed. The module also reports file changes during PrestaShop updates, module updates, theme updates, etc. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up. Cache files, images etc. are excluded.

Track every file change on your server and log it if something has changed. The module also reports file changes during PrestaShop updates, module updates, theme updates, etc. The log can be found on your dashboard. Cache files, images etc. are excluded.

Get notified if the server IP changes. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Get notified if the location of the server country changes. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Get notified if the name of your ISP changes. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Get notified if your TLS certificate is about to expire. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Fraud Detection
The module can analyze your orders on different criteria. A score is established to determine whether the order looks suspicious or not.

Display a section on each order that tells if the order looks suspicious.

Choose your default distance unit. 'km' for kilometre, 'mi' for mile.

Choose where you want to display the section at the admin order page.

Protect Content
The module allows you to disable a list of mouse and keyboard events. These settings make it harder for users who manually try to steal your content. These settings will affect the front office only.

Disable right-click mouse event. Input and Textarea fields are excluded from this rule.

Disable drag and drop mouse event. Input and Textarea fields are excluded from this rule.

Disable copy with the keyboard shortcut (Ctrl + c / ⌘ + c). Input and Textarea fields are excluded from this rule.

Disable cut with the keyboard shortcut (Ctrl + x / ⌘ + x). Input and Textarea fields are excluded from this rule.

Disable text selection with the mouse and keyboard shortcut (Ctrl + a / ⌘ + a). Input and Textarea fields are excluded from this rule.

Disable print with the keyboard shortcut (Ctrl + p / ⌘ + p).

Disable the save keyboard shortcut (Ctrl + s / ⌘ + s).

Disable developer tool shortcuts.

This feature will clear the console when something is displayed.

You can list your IP addresses if you want to bypass your rules above.
The module can handle IPv4 and IPv6 addresses and IP ranges, in CIDR format like ::1/128 or 127.0.0.1/32 and in pattern format like ::*:* or 127.0.*.*. Separate them by a comma (',') without spaces.

Automatic Backups
Keeping a backup may be your easiest and best protection, allowing you to turn back the clock after an attack. While this does not prevent attacks, it does cure them when needed. Read more.
Security Pro is not responsible for your database/files, its backups, and/or recovery.
You should back up your data regularly (both files and databases).
Security Pro can back up your database and files and save it locally, to Google Drive and Dropbox.
Always verify the quality and integrity of your backup files!
Always verify that your backup files are complete, up-to-date, and valid, even if you had a success message appear during the backup process.
Always check your data.
Never restore a backup on a live site.

Backup database

Save a backup of your database to your Google Drive. Statistical data are excluded. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Save a backup of your database to your Dropbox. Statistical data are excluded. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Save a local backup of your database. Statistical data are excluded. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

backups

Old backups will be deleted when a newer one is generated. How many backups do you want to keep at a time? Write '0' for unlimited backups.

Protect the compressed database with a password using AES (Advanced Encryption Standard) with a 256-bit key.

Backup files

Save a backup of your database to your Google Drive. Statistical data are excluded. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Save a full backup of your files to your Dropbox. Cache and log files are excluded. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

Save a full backup of your files on your PrestaShop installation. Once this option is enabled, a cronjob will appear in your dashboard that you need to set up.

backups

Old backups will be deleted when a new one is generated. How many backups do you want to keep at a time? Write '0' for unlimited backups.

Admin Folder
It would be best if you always kept the path to your admin login secret. If you need to change it, you can change it with this tool.

You will be redirected to the new URL once you click 'Save' if this option is set to 'Yes'.

https://reker.dk/demo/

Your admin folder name should include both letters and numbers. Make it hard to guess; do not use admin123, administrator, backoffice, etc. Generate a secure folder name.

Tools
These tools can fix some known vulnerabilities. Some of these tools need up to 2 min. to run. Please wait until the page has finished loading.
Title | Description
File permissions | Check the system's file and folder permissions. This tool can fix insecure file and folder permissions. File permissions must be 644 and folder permissions must be 755. Generate a report to see the permissions that must be changed. Start by generating a report to see the consequences.
Directory traversal | Check the system for the directory traversal security vulnerability. This tool can add missing index.php files to the theme and module directories. Generate a report to see which paths are missing the index.php file.
Delete files | Check the system for files that should be removed for security reasons. This tool can remove these files. These files could be left over from the installation. Generate a report to see which files should be deleted. Deleting files is permanent. Start by generating a report to see the consequences.
Password Generator
It would be best to use a strong and unique password for each of your MySQL database, FTP, hosting panel/cPanel, SSH access, and back office. You can use this tool to generate passwords. Read more.

The password is not saved anywhere by this module.

Analyze System

Check for insecure PrestaShop settings

Recommend more secure options for your installation.
Check | Status | Description | How to fix
PrestaShop version (1.7.6.8) | | It is strongly recommended to upgrade the store to the latest PrestaShop as new versions include bug fixes and security fixes. | Update PrestaShop to the latest version (1.7.8.11)
PHP version (7.2.34) | | -- | --
SSL enabled | | -- | --
SSL enabled everywhere | | -- | --
Security token | | -- | --
ModSecurity | | -- | --
Admin folder name | | -- | --
Cookie's IP address | | -- | --
HTML Purifier | | -- | --
Debug mode | | -- | --

Check for common vulnerabilities and exposures

Scan your PrestaShop website for common vulnerabilities and exposures.
CVE | Status | Base score | Description | How to fix
CVE-2021-21398 | | -- | -- | --
CVE-2021-21308 | | -- | -- | Update PrestaShop to the latest version.
CVE-2021-21302 | | -- | -- | Update PrestaShop to the latest version.
CVE-2020-26224 | | -- | -- | Update PrestaShop to the latest version.
CVE-2020-15162 | | -- | -- | --
CVE-2020-15161 | | -- | -- | --
CVE-2020-15160 | | -- | -- | --
CVE-2020-15083 | | -- | -- | --
CVE-2020-15082 | | -- | -- | --
CVE-2020-15081 | | -- | -- | --
CVE-2020-15080 | | -- | -- | --
CVE-2020-15079 | | -- | -- | --
CVE-2020-5293 | | -- | -- | --
CVE-2020-5288 | | -- | -- | --
CVE-2020-5287 | | -- | -- | --
CVE-2020-5286 | | -- | -- | --
CVE-2020-5285 | | -- | -- | --
CVE-2020-5279 | | -- | -- | --
CVE-2020-5278 | | -- | -- | --
CVE-2020-5276 | | -- | -- | --
CVE-2020-5272 | | -- | -- | --
CVE-2020-5271 | | -- | -- | --
CVE-2020-5270 | | -- | -- | --
CVE-2020-5269 | | -- | -- | --
CVE-2020-5265 | | -- | -- | --
CVE-2020-5264 | | -- | -- | --
CVE-2020-5250 | | -- | -- | --
CVE-2020-4074 | | -- | -- | --
CVE-2019-13461 | | -- | -- | --
CVE-2019-11876 | | -- | -- | --
CVE-2018-8824 | | -- | -- | --
CVE-2018-8823 | | -- | -- | --
CVE-2018-19355 | | -- | -- | --
CVE-2018-19125 | | -- | -- | --
CVE-2018-19126 | | -- | -- | --
CVE-2018-19124 | | -- | -- | --
CVE-2018-13784 | | -- | -- | --
CVE-2018-7491 | | -- | -- | --
CVE-2017-9841 | | -- | -- | --
Analyze Domain

Domain information

Check | Result
Domain | reker.dk (178.20.216.31)
Server country | Denmark
ISP (Internet Service Provider) | --
ASN (Autonomous System Number) |
Name servers | ns6.chosting.dk, ns7.chosting.dk, ns5.chosting.dk

Domain security checks

Check | Status | Description | How to fix
SPF | | -- | --

Global blacklists

Check if your website is blacklisted somewhere.
Name
Google | Check status
Yandex | Check status
McAfee | Check status
Securi | Check status
VirusTotal | Check status
Green Snow | Check status
Spam Rats | Check status
Is it hacked? | Check status
Analyze Server Configuration
Here are some advanced tips to secure your PHP configuration file. Your PHP configuration file is named php.ini. This file could be stored in different locations according to your setup. If you are not familiar with php.ini, you can ask your host for help.
According to your system, the loaded php.ini file is located here: /opt/cpanel/ea-php72/root/etc/php.ini, but keep in mind that this php.ini file could be overridden somewhere, depending on your setup.
Current setting | Recommended setting | Status | Description
session.auto_start = Off | session.auto_start = Off | | --
session.use_cookies = On | session.use_cookies = On | | --
session.use_only_cookies = On | session.use_only_cookies = On | | --
session.cookie_httponly = On | session.cookie_httponly = On | | --
session.use_trans_sid = Off | session.use_trans_sid = Off | | --
session.cookie_secure = Off | session.cookie_secure = On | | Cookie secure specifies whether cookies should only be sent over secure connections. This setting requires SSL/TLS to be enabled.
session.use_strict_mode = On | session.use_strict_mode = On | | --
session.cookie_lifetime = Off | session.cookie_lifetime = Off | | --
session.lazy_write = On | session.lazy_write = On | | --
session.sid_length = 32 | session.sid_length = 128 | | Increasing the session ID length makes it harder for an attacker to guess it (via brute force or, more likely, side-channel attacks).
session.gc_probability = On | session.gc_probability = On | | --
session.gc_divisor = 0 | session.gc_divisor = 1000 | | Defines the probability that the 'garbage collection' process is started on every session initialization.
session.sid_bits_per_character = 4 | session.sid_bits_per_character = 6 | | More bits per character result in a stronger session ID.
allow_url_fopen = On | allow_url_fopen = On | | --
allow_url_include = Off | allow_url_include = Off | | --
display_errors = Off | display_errors = Off | | --
log_errors = On | log_errors = On | | --
error_reporting = On | error_reporting = Off | | Error reporting should be different based on context.
display_startup_errors = Off | display_startup_errors = Off | | --
expose_php = Off | expose_php = Off | | --
register_argc_argv = On | register_argc_argv = Off | | Whether to declare the argv & argc variables (that would contain the GET information).
short_open_tag = Off | short_open_tag = Off | | --
file_uploads = On | file_uploads = On | | --
upload_max_filesize = 20M | upload_max_filesize = 20M | | --
post_max_size = 22M | post_max_size = 22M | | --
max_input_vars = 20000 | max_input_vars = 20000 | | --
max_input_time = 60 | max_input_time = 300 | | --
memory_limit = 512M | memory_limit = 512M | | --
max_execution_time = 300 | max_execution_time = 300 | | --
default_charset = utf-8 | default_charset = utf-8 | | --
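
As an added example (not part of the Security Pro module), the comparison behind the table above can be reproduced offline: a small Python audit parses a php.ini excerpt and checks the session and hardening directives against the recommended values listed. The php.ini text is constructed to mirror the "Current setting" column, and the recommended values are taken from the table, with integers treated as minimums.

```python
# Recommended values from the table above: booleans must match, integers are minimums.
RECOMMENDED = {
    "session.cookie_secure": "On",
    "session.use_strict_mode": "On",
    "session.sid_length": 128,
    "session.sid_bits_per_character": 6,
    "session.gc_divisor": 1000,
    "register_argc_argv": "Off",
}

# Constructed php.ini excerpt mirroring the "Current setting" column (not a real file).
SAMPLE_INI = """
session.cookie_secure = Off
session.use_strict_mode = 1    ; php.ini also accepts 1/0, true/false, yes/no
session.sid_length = 32
session.sid_bits_per_character = 4
session.gc_divisor = 0
register_argc_argv = On
"""

# Normalise the spellings php.ini accepts for booleans before comparing.
_BOOL = {"on": "On", "1": "On", "true": "On", "yes": "On",
         "off": "Off", "0": "Off", "false": "Off", "no": "Off", "": "Off"}

def parse_php_ini(text):
    """Return {directive: value}, ignoring ; comments, [sections] and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings, recommended=RECOMMENDED):
    """Return (directive, current, recommended) for every directive that fails the check."""
    findings = []
    for key, want in recommended.items():
        have = settings.get(key)
        if have is None:
            ok = False  # not set explicitly, so PHP's built-in default applies: report it
        elif isinstance(want, int):
            ok = have.isdigit() and int(have) >= want
        else:
            ok = _BOOL.get(have.lower(), have) == want
        if not ok:
            findings.append((key, "<unset>" if have is None else have, want))
    return findings
```

Running `audit(parse_php_ini(SAMPLE_INI))` reports the five rows the table marks as differing from the recommendation; a php.ini that leaves a directive unset is reported too, since the built-in default then applies.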
Analyze SSL/TLS
All sites should be protected with HTTPS, even ones that do not handle sensitive data. This includes avoiding mixed content, where some resources are loaded over HTTP despite the initial request being served over HTTPS. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users and is a prerequisite for HTTP/2 and many new web platform APIs.

Check implementation

Title | Check | Description
HSTS header | | HSTS (HTTP Strict Transport Security) protects against protocol downgrade attacks and cookie hijacking. HSTS is a way for sites to elect to always use HTTPS. You can enable this feature in HSTS Security headers.
HSTS listed | | Check if your site is listed on the preload list. It is best practice to be on the preload list. You need to submit your site to hstspreload.org to ensure that it is successfully preloaded and to get the full protection of the intended configuration.
Redirecting to HTTPS | | Check if your web server automatically redirects visitors from HTTP to HTTPS. HTTPS gives your users a safe and secure connection to your website. It is recognizable by the padlock in your web browser.
Secure cookies | | Cookie secure specifies whether cookies should only be sent over secure connections. This setting requires SSL/TLS to be enabled.
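
An added example, not the module's own code, of what the four rows above look for: it parses a Strict-Transport-Security header, applies the hstspreload.org submission requirements (a one-year max-age, includeSubDomains, preload, and an HTTP-to-HTTPS redirect on the same host), checks the redirect target, and verifies that every Set-Cookie carries the Secure attribute. The two responses, the host name shop.example and the dict shape used for headers are constructed assumptions.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year (in seconds)

# Constructed sample responses (not from a real site): the plain-HTTP request and the
# HTTPS follow-up. Set-Cookie is a list because a response may carry several of them.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://shop.example/"}}
HTTPS_RESPONSE = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "Set-Cookie": ["PrestaShop-abc=xyz; Path=/; HttpOnly",
                   "sid=123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def cookie_is_secure(set_cookie):
    """True if the Set-Cookie line carries the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs

def check_site(http_resp, https_resp, host):
    """Evaluate the four rows of the 'Check implementation' table for one host."""
    target = urlsplit(http_resp["headers"].get("Location", ""))
    redirects = (http_resp["status"] in (301, 302, 307, 308)
                 and target.scheme == "https" and target.hostname == host)
    hsts = parse_hsts(https_resp["headers"].get("Strict-Transport-Security", ""))
    max_age = hsts["max_age"] or 0
    return {
        "hsts_header": max_age > 0,
        # Preload submission needs a one-year max-age, includeSubDomains, preload
        # and an HTTP-to-HTTPS redirect on the same host.
        "hsts_preload_ready": (max_age >= ONE_YEAR and hsts["include_subdomains"]
                               and hsts["preload"] and redirects),
        "redirects_to_https": redirects,
        "secure_cookies": all(cookie_is_secure(c)
                              for c in https_resp["headers"].get("Set-Cookie", [])),
    }
```

For the constructed sample the HSTS header and the redirect pass, while preload readiness fails (max-age under a year, no preload directive) and the first cookie lacks Secure.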

Basic information

Title | Description
Is valid |
Common name | *.reker.dk
Alternative names | *.reker.dk, reker.dk
Issuer | E7
Valid from | 10/31/2025
Valid to | 01/29/2026
Expires in | 90 days

Analysis

Title | Check | Description
Version (TLS 1.3) | | Your client uses TLS 1.3, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.
Ephemeral Key Support | | Ephemeral keys are used in some of the cipher suites your client supports. This means your client may be used to provide forward secrecy, if the server supports it. This greatly increases your protection against snoopers, including global passive adversaries who scoop up large amounts of encrypted traffic and store them until their attacks (or their computers) improve.
Session Ticket Support | | Session tickets are supported in your client. Services you use will be able to scale out their TLS connections more easily with this feature.
TLS Compression | | Your TLS client does not attempt to compress the settings that encrypt your connection, avoiding information leaks from the CRIME attack.
Heartbleed Vulnerability | | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
CCS Injection Vulnerability | | OpenSSL's ChangeCipherSpec processing has a serious vulnerability. This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt it while forcing SSL clients to use weak keys exposed to the malicious nodes.
DROWN Vulnerability | | DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication.
POODLE Vulnerability | | The POODLE attack (Padding Oracle on Downgraded Legacy Encryption) exploits a vulnerability in the SSL 3.0 protocol. This vulnerability lets an attacker eavesdrop on communication encrypted using SSLv3. The vulnerability is no longer present in the Transport Layer Security protocol (TLS), the successor to SSL.
BEAST Vulnerability | | Your client is not vulnerable to the BEAST attack because it uses a TLS protocol newer than TLS 1.0. The BEAST attack is only possible against clients using TLS 1.0 or earlier with Cipher-Block Chaining cipher suites that do not implement the 1/n-1 record splitting mitigation.
Insecure Cipher Suites | | Your client does not use any cipher suites that are known to be insecure.
Given cipher suites | | The cipher suites your client said it supports, in the order it sent them, are:
  TLS_AES_256_GCM_SHA384
  TLS_CHACHA20_POLY1305_SHA256
  TLS_AES_128_GCM_SHA256
  TLS_AES_128_CCM_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CCM
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_128_CCM
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_256_CCM
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_128_CCM
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  TLS_DHE_RSA_WITH_AES_256_CCM
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_128_CCM
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Mixed content | | Mixed content occurs when the initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. It is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, even though the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate that the page contains insecure resources. | Scan for mixed content
Analyze SSL/TLS | | Scan your website with SSL Labs. It can give you a better understanding of how your SSL/TLS is deployed. | Analyze SSL/TLS
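
As an added example (not code from the module or from SSL Labs), the offered list above can be read mechanically: the classifier below derives forward secrecy from the key-exchange part of each IANA suite name (TLS 1.3 names carry none and are always ephemeral), separates CBC from AEAD record protection, and marks known-broken primitives, which is what the "Ephemeral Key Support", BEAST and "Insecure Cipher Suites" rows are about. The input is a constructed subset of the list above plus one legacy RC4 suite that is not in the list, added so that every bucket is exercised.

```python
# Classifies IANA cipher-suite names by key exchange and record protection, the properties
# behind the "Ephemeral Key Support" and "Insecure Cipher Suites" rows above.

# Constructed subset of the offered list above, in the client's order, plus one legacy
# RC4 suite that is NOT in the list, so that every bucket below is exercised.
OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CCM",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

LEGACY_TAGS = ("RC4", "3DES", "DES_", "NULL", "EXPORT", "MD5")  # known-broken primitives

def classify(suite):
    """Describe one suite; returns None for signalling values such as the SCSV."""
    if suite.endswith("_SCSV"):
        return None
    body = suite[len("TLS_"):]
    if "_WITH_" in body:
        kx, cipher = body.split("_WITH_", 1)
    else:
        kx, cipher = "TLS1.3", body  # TLS 1.3 names omit key exchange: always (EC)DHE
    return {
        "suite": suite,
        "forward_secret": kx == "TLS1.3" or kx.startswith(("ECDHE_", "DHE_")),
        "aead": any(t in cipher for t in ("GCM", "CCM", "CHACHA20_POLY1305")),
        "cbc": "_CBC_" in cipher,
        "legacy": any(t in suite for t in LEGACY_TAGS),
    }

def summarize(suites):
    """Bucket an offered list the way a reviewer reads it."""
    report = {"no_forward_secrecy": [], "cbc_mode": [], "legacy": [], "aead_forward_secret": []}
    for name in suites:
        c = classify(name)
        if c is None:
            continue
        if not c["forward_secret"]:
            report["no_forward_secrecy"].append(name)
        if c["cbc"]:
            report["cbc_mode"].append(name)
        if c["legacy"]:
            report["legacy"].append(name)
        if c["aead"] and c["forward_secret"]:
            report["aead_forward_secret"].append(name)
    return report
```

Applied to the full list above, every TLS_RSA_WITH_* entry lands in no_forward_secrecy (static RSA key exchange) and every *_CBC_* entry in cbc_mode, while the legacy bucket stays empty, matching the "Insecure Cipher Suites" verdict.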
Analyze Modules
Modules that are non-native PrestaShop modules or were not bought from PrestaShop Addons are untrusted, meaning that PrestaShop does not verify them. These modules can be safe even though PrestaShop does not verify them, but be careful: in some cases these modules do not follow PrestaShop guidance and can be insecure. In general, third-party modules add security risk, and websites are sometimes hacked through insecure third-party modules. If there are any modules that you do not need, it is recommended to uninstall them.
Technical module name | Display module name | Trusted
blockreassurance | Customer reassurance block |
ps_banner | Banner |
ps_categorytree | Category tree links |
ps_contactinfo | Contact information |
ps_customersignin | Customer "Sign in" link |
ps_customtext | Custom text |
ps_emailsubscription | E-mail subscription form |
ps_featuredproducts | Featured products |
ps_imageslider | Image slider |
ps_mainmenu | Main menu |
contactform | Contact form |
ps_currencyselector | Currency selector |
ps_customeraccountlinks | Customer account links |
ps_facetedsearch | Faceted search |
ps_languageselector | Language selector |
ps_searchbar | Search bar |
ps_shoppingcart | Shopping cart |
ps_linklist | Link List |
ps_themecusto | Theme Customization |
securitypro | Security Pro |
Documentation

Step 1: Configuration of Security Pro

It is recommended to configure the module manually. However, if the many features seem overwhelming, you can run a basic auto-configuration of the module and then fine-tune the settings afterwards depending on your needs.

Before going on, it is highly recommended to add the following keys under General Settings.

  1. Site key (reCAPTCHA v2)
  2. Secret key (reCAPTCHA v2)
  3. Honeypot API

Step 2: Fix vulnerabilities on your system

Go to Tools. There you will find tools to fix insecure file permissions and the directory traversal vulnerability, and a tool to delete files that make your shop vulnerable. It is possible to generate a report to understand what changes the tools will make.

Step 3: Analyze your system

Go to Analyze System and fix as many vulnerabilities as possible.

Step 4: Analyze your server configuration

Go to Analyze Server Configuration and have a look at the analysis. Here you will see some advanced tips to improve your PHP configuration file. If you are not familiar with this kind of configuration, you can ask your host for help.

Step 5: Analyze your modules

Go to Analyze Modules. Here you will see all modules installed in your shop. If you are not using some of the modules, it is recommended to uninstall them, especially if those modules are not trusted.

Step 6: Test your shop

Now test your website to confirm that everything is running:

  1. Register a new customer
  2. Make a test order
  3. Navigate to different products
  4. Navigate to different categories

Step 7: Setup cronjobs

Go to the Dashboard. There you will see a section named 'Cronjobs'. Cron is the time-based job scheduler of Unix-like operating systems. The cronjobs are used to run features like the malware scanner, the monitoring service, backups, etc. It is recommended to set up these cronjobs to run once a day. If you are not familiar with cronjobs, you can ask your host for help.

Help

Thanks for using Security Pro! Questions, issues, or feature requests?

Contact module developer

Would you like to translate this module into your language or improve the wording?

  1. Click 'Translate' (flag icon) in the upper right corner.
  2. Choose language.
  3. Make your changes and save.

If you improve the wording, please export your translation and send it to the module developer. Your improvements will be merged into the next release. Your contribution is appreciated!

PrestaShop logs all errors in a folder along with some other logs. These logs can be useful for the developer if you have a problem with the module.