In the ever-evolving digital landscape, ensuring the security of your online store has become more critical than ever. As a company committed to protecting our customers from various threats, we developed PrestaScan Security, a powerful PrestaShop module designed to identify malware and known vulnerabilities in the PrestaShop core and its modules.
Thanks to the support of the Friends Of Presta association (FOP), we decided not only to share this module with the entire PrestaShop community, but also to make it free. PrestaScan Security is now a free and open-source module that provides all users with the best possible alert system for their online stores.
The module is easy to install and use, keeping you updated on the latest security threats to your website.
This module is fueled by the collective energy of the members of the Friends Of Presta security cell. Here is the list of the most significant contributors in terms of security research, publication of CVE, or development:
- Scan your modules to identify vulnerabilities and required updates
- Identify unused modules, with the ability to disable and remove modules in one place
- Be alerted when a new vulnerability is discovered in your module (email and back office notification)
- List known vulnerabilities in PrestaShop Core for your current version
- List unprotected directories
With even more features coming.
This scan will list at-risk modules. These include vulnerable modules and modules that require updates.
When a module is vulnerable in its current version, it is displayed in the list with a color label indicating the risk level (red = critical, yellow = medium, green = low). The number in the label is the number of vulnerabilities detected in the module for your version. Click the arrow next to the module in the list to see the details.
This scan provides a list of all disabled and uninstalled modules in your shop. You can also uninstall and delete a module directly from this list (however, make sure to confirm the action first with your web agency/developer).
This scan lists all core vulnerabilities for your current version of PrestaShop.
How to install the module
- Download the latest version of the module from this link.
- Log in to your PrestaShop back office.
- Go to the “Modules” section.
- Click on “Upload a module” and select the downloaded ZIP file.
- Depending on your PrestaShop version, the module will be installed automatically or you will need to click the install button.
How to use the module
- Once installed, go to the “Modules” section in your back office.
- Find “PrestaScan Security” in the list of modules and click on “Configure.”
- Follow the instructions to register and run your first scan.
Check the FAQ below if you need any additional information or help to use the module.
How can I update the module?
When an update is available, a notification will be displayed in your back office.
A button will allow you to update the module in one click.
You must keep the module up to date to continue being alerted to new vulnerabilities.
You may also check the latest changes in our GitHub repository.
How does the module handle vulnerability alerts?
When a vulnerability is discovered and publicly revealed or known to be exploited, a security notification is sent to all users who have run the module vulnerability scan at least once. Be sure to run this scan at least once.
I have an error message trying to create my account, what can I do?
Error messages during account creation are displayed directly in the form. Most of the time, the issue is that the website you are trying to connect is blocking our scan server. The module will not work with sites that are not publicly accessible (such as development environments or websites in maintenance).
You may also be trying to create a second account from the same email address. Currently, the system allows only one email address to be used, and only one site can be linked to this email. You can, for the time being, overcome this restriction by creating an alias of your email (such as firstname.lastname@example.org).
I didn’t receive the verification email to validate my email, what can I do?
During registration, we make sure your email is valid as you will later receive security alerts on it. If you didn’t receive the verification email, please check your SPAM folder. If you do not find the email in SPAM, try to resend the verification email from the dedicated green button.
If you have still not received the email, make sure you entered a valid email. You can check your profile from this link:
I was able to register but cannot finish the setup or cannot start a scan due to token or connectivity error, what can I do?
If you encounter errors trying to finish the setup, please follow the steps below:
- Delete your PrestaScan account. You can do that from your user profile.
- Disconnect the account in the module (in the top right corner, click on “log out”).
- Check that you are using the latest version of the module, and reset the module (or uninstall it and install it again); this will remove all existing data/sessions.
- Repeat the registration process.
If the problem persists, contact our support.
The scan seems to never complete, what’s the issue?
If the scan stays in progress and does not complete after some time (typically more than 5 to 10 minutes), there might be a communication issue (your server is no longer reachable by our server) or another issue during the scan.
First, note that the module detects stuck scans and displays an option to force retrieval of the scan result.
If the scan is still in progress after trying again, check your server logs to verify whether the notification (webhook) was received. You can contact our support for more details.
Are there any paid plans or limitations?
The module will always remain free. However, we may introduce paid plans in the future to unlock specific features such as automated scans and reduce some limitations (e.g., the number of scans that can be performed within a specific timeframe). No paid plans are defined yet, but ads from partners might be displayed from time to time.
For more information, visit the PrestaScan Security GitHub repository.
As security concerns all kinds of merchants, some of whom use outdated versions of PrestaShop, we currently do our best to keep the module compatible with at least PrestaShop 1.5, 1.6, 1.7, and 8.

| PrestaShop version tested | Status | Comments |
|---|---|---|
| 1.5 | OK since 1.1.2 | Stable (but will not be actively maintained) |