Total Defensor

 Anti-Spam Protection

Spam is the most common and most visible attack vector. Fake registrations pollute your customer database, spam contact form messages waste support time, and fake reviews damage your store's credibility. Total Defender blocks spam at the source.

• Honeypot fields — invisible form fields that catch automated bots without affecting real customers
• CAPTCHA integration — support for reCAPTCHA v2, v3, and hCaptcha on registration, contact, and comment forms
• Message filtering — keyword-based filtering to block messages containing spam patterns, excessive links, or prohibited terms
• Link validation — detect and block form submissions containing suspicious URLs or redirect chains
• Disposable email blocking — reject registrations from known disposable email providers

 Rate Limiting & Brute-Force Protection

• Per-action throttling — separate rate limits for cart additions, registration, contact form submissions, login attempts, and comments
• Automatic IP blocking — IPs that exceed rate limits are automatically blocked for a configurable duration
• Progressive lockout — repeat offenders face escalating block durations (1 hour → 24 hours → permanent)
• Admin login protection — separate, stricter rate limits for back-office login attempts
• API rate limiting — throttle webservice API requests to prevent abuse and resource exhaustion

 Bot & Crawler Management

• Behavioral detection — identify bots by browsing patterns (speed, mouse movement, JavaScript execution) rather than just user-agent strings
• JavaScript challenges — serve lightweight JS challenges to suspicious visitors that real browsers pass instantly but headless bots fail
• Crawler whitelisting — ensure Google, Bing, and other legitimate crawlers are never accidentally blocked
• TOR exit node detection — identify and optionally block connections from TOR exit nodes
• User-agent filtering — block known malicious bot user-agents and tools

 IP Management & GeoIP

• IP whitelist — ensure your own IPs and trusted partners are never blocked
• IP blacklist — permanently block specific IPs or CIDR ranges
• Penalty scoring — accumulate risk scores based on suspicious behavior before triggering a block
• GeoIP-based rules — allow or block access from specific countries or regions
• Admin panel restriction — limit back-office access to specific IP addresses or ranges

 File Integrity Monitoring

• Baseline snapshots — SHA-256 hash of every monitored file stored as a reference point
• Change detection — identify files that have been added, modified, or removed since the last baseline
• Scheduled scans — automatic integrity checks via cron (hourly, daily, or weekly)
• Exclusion rules — exclude cache, log, and other expected-change directories
• Email alerts — immediate notification when unauthorized modifications are detected
• Diff viewer — side-by-side comparison showing exactly what changed in modified files

 Web Application Firewall & Security Headers

• XSS protection — detect and block cross-site scripting attempts in form inputs and URL parameters
• SQL injection blocking — pattern-based detection of SQL injection payloads in requests
• Custom firewall rules — define your own rules to block specific request patterns
• Content Security Policy (CSP) — visual builder for CSP headers with violation logging
• HSTS, X-Frame-Options, Referrer-Policy — configure all security headers from the admin panel
• Permissions-Policy — restrict browser API access (camera, microphone, geolocation) on your pages

 Vulnerability Scanner

• PrestaShop core CVE check — compare your installed version against known vulnerabilities
• Module vulnerability scanning — check installed modules against known CVE databases
• PHP version check — verify your PHP version is not end-of-life or known-vulnerable
• Severity ratings — each finding includes a severity level (critical, high, medium, low) and remediation advice
• Scheduled scanning — run vulnerability checks on a regular schedule with email alerts for new findings

 Admin 2FA, Backup & Audit

• TOTP two-factor authentication — compatible with Google Authenticator, Authy, and any TOTP app
• Per-employee enforcement — require 2FA for all employees or specific profiles
• Recovery codes — single-use backup codes for employees who lose their 2FA device
• Backup system — full and incremental backups with scheduling and multiple storage adapters
• Session tracking — monitor active visitor sessions with device, IP, and UTM attribution
• Complete audit log — every admin action recorded with IP, user agent, and timestamp
• Email rate limiting — prevent outbound email abuse from compromised forms