Easy return - no questions asked
Install, set up and take profit
Priority Help & Satisfaction Over Sales
Security Revolution
Security & Firewall Module - File Integrity Monitor, Brute-Force Protection, 2FA + Audit Log
Comprehensive Security Hardening and Monitoring for Your PrestaShop Store
Security Revolution is a complete security suite that protects your PrestaShop store from hackers, malware, and unauthorized access. File integrity monitoring detects changes to your codebase. Brute-force protection stops automated login attacks. Two-factor authentication secures admin access. A security audit log records every critical action for forensic analysis.
- File integrity monitoring — detects added, modified, and removed files across your entire installation
- IP blocking — manual blacklist/whitelist plus automatic blocking after brute-force attempts
- Two-factor authentication — TOTP-based 2FA for all admin/employee accounts
- Brute-force protection — progressive lockout after failed login attempts with configurable thresholds
- Malware scanning — signature-based detection of known malware patterns in PHP files
- Security audit log — records all admin logins, configuration changes, file modifications, and API calls
- HTTP security headers — one-click implementation of CSP, HSTS, X-Frame-Options, and more
Compatible with PrestaShop 1.7 through 9.x. One license, lifetime updates, 90 days of dedicated support.
Your Store Is a Target — Protect It
Every e-commerce store is a target for attackers. Customer data, payment credentials, and admin access are valuable prizes. PrestaShop installations are regularly targeted by automated bots that scan for known vulnerabilities, brute-force admin passwords, and inject malicious code. A single breach can cost you customer trust, regulatory fines, and months of cleanup work.
Security Revolution adds enterprise-grade security layers to your PrestaShop store. File integrity monitoring catches unauthorized changes within minutes. Brute-force protection stops credential-stuffing attacks cold. Two-factor authentication ensures that even if a password is compromised, attackers cannot access your admin panel. And the comprehensive audit log gives you forensic visibility into every critical action taken in your store.
File Integrity Monitoring
If an attacker gains access to your server, the first thing they do is modify files — injecting backdoors, credit card skimmers, or redirect scripts. File integrity monitoring creates a baseline snapshot of every file in your installation and continuously checks for unauthorized changes.
- Full installation scanning — monitors all PHP, JS, CSS, and template files across PrestaShop core, modules, and themes
- Change detection — identifies added, modified, and removed files since the last baseline
- Hash verification — SHA-256 hashing detects even single-byte modifications to any monitored file
- Scheduled scans — run integrity checks hourly, daily, or weekly via cron job
- Exclusion rules — exclude cache directories, log files, and other expected-change locations from monitoring
- Email alerts — immediate notification when unauthorized file changes are detected
- Diff viewer — see exactly what changed in a modified file with a side-by-side diff view
- Baseline management — update the baseline after legitimate changes (module updates, theme modifications)
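The baseline-and-compare loop described above, as an added example that is not the module's own code: it hashes every monitored file with SHA-256, applies exclusion rules (assumed glob syntax) and classifies changes as added, modified or removed; the sample install tree is constructed inline.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Extensions the page says are monitored; everything else is ignored.
MONITORED_SUFFIXES = {".php", ".js", ".css", ".tpl"}
# Exclusion rules as glob patterns relative to the install root (assumed syntax).
DEFAULT_EXCLUDES = ("var/cache/*", "*.log")


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large files never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES) -> dict:
    """Map relative path -> SHA-256 for every monitored file under root."""
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in MONITORED_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
            continue
        baseline[rel] = sha256_file(path)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify every difference between two baselines as added, removed or modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo_scan() -> dict:
    """Constructed install tree (not a real shop): take a baseline, tamper, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "index.php": "<?php echo 'shop';",
            "modules/pay/pay.php": "<?php // payment module",
            "themes/classic/theme.css": "body {}",
            "var/cache/class_index.php": "<?php // cache, covered by an exclusion rule",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_baseline(root)
        # Unauthorized changes: one edit, one new file, one deletion ...
        (root / "modules/pay/pay.php").write_text("<?php // payment module + injected line")
        (root / "modules/pay/sh.php").write_text("<?php // file that was not in the baseline")
        (root / "themes/classic/theme.css").unlink()
        # ... plus an expected cache regeneration, which the exclusion rule hides.
        (root / "var/cache/class_index.php").write_text("<?php // regenerated cache")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo_scan().items():
        print(f"{kind}: {paths}")
```

Run from cron against the real install root, a non-empty result is what should trigger the email alert; the baseline dict is what you re-save after a legitimate module or theme update.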
IP Blocking & Brute-Force Protection
- Manual IP blacklist — block specific IPs or CIDR ranges from accessing your store entirely
- IP whitelist — ensure your own IP addresses are never accidentally blocked
- Automatic brute-force blocking — after X failed login attempts from an IP within Y minutes, the IP is automatically blocked for Z hours
- Progressive lockout — increasing block durations for repeat offenders (1 hour → 24 hours → permanent)
- Country-level blocking — block or allow access from entire countries using GeoIP data
- Admin panel restriction — restrict back-office access to specific IP addresses or ranges
- Bot detection — identify and block known malicious bot user-agents
- Rate limiting — limit API and form submission rates per IP to prevent abuse
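The threshold, window and progressive lockout (1 hour, 24 hours, permanent) described above, as an added example rather than the module's own code; the defaults, the whitelist handling and the class name are assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

PERMANENT = float("inf")


class BruteForceGuard:
    """Block an IP after `threshold` failed logins within `window_s` seconds.

    Each new block for the same IP lasts longer than the previous one
    (progressive lockout); once the list of durations is exhausted the last
    entry is reused, so ending it with PERMANENT gives 1 h -> 24 h -> permanent.
    Whitelisted addresses or CIDR ranges are never blocked.
    The defaults here are assumed values, not the module's real settings.
    """

    def __init__(self, threshold=5, window_s=600,
                 durations_s=(3600, 86400, PERMANENT), whitelist=()):
        self.threshold = threshold
        self.window_s = window_s
        self.durations_s = durations_s
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> block expiry (inf = permanent)
        self.offences = defaultdict(int)    # ip -> number of blocks issued so far

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip: str, now=None) -> bool:
        now = time.time() if now is None else now
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip: str, now=None) -> float:
        """Register one failed login. Returns the length of a newly issued
        block in seconds (PERMANENT for a permanent one), or 0 if none."""
        now = time.time() if now is None else now
        if self.is_whitelisted(ip) or self.is_blocked(ip, now):
            return 0
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window_s:  # forget failures outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return 0
        step = min(self.offences[ip], len(self.durations_s) - 1)
        duration = self.durations_s[step]
        self.offences[ip] += 1
        self.blocked_until[ip] = now + duration
        recent.clear()
        return duration

    def record_success(self, ip: str) -> None:
        """A successful login resets the failure window (but not the offence count)."""
        self.failures.pop(ip, None)
```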
Two-Factor Authentication
Passwords alone are not enough. Credential stuffing attacks use billions of leaked username/password combinations to access accounts. Two-factor authentication adds a second verification layer that requires a time-based code from a mobile app — even if your password is compromised, your admin panel stays secure.
- TOTP-based 2FA — compatible with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP app
- Per-employee enforcement — require 2FA for all employees or only specific profiles (e.g., SuperAdmin)
- QR code setup — one-scan setup process with clear instructions for non-technical employees
- Recovery codes — generate single-use recovery codes in case employees lose their 2FA device
- Trusted devices — optionally remember trusted devices for a configurable number of days
- Forced enrollment — require 2FA setup on next login for employees who haven't enrolled yet
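The TOTP flow the list above describes (shared secret, QR provisioning, time-based code check, recovery codes), as an added example using only the Python standard library; it is not the module's own implementation, and the issuer label, drift window and recovery-code format are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, window=1, last_used=None):
    """Check a submitted code. Accepts the current step and +/- `window`
    neighbours (phone clock drift), refuses any step <= `last_used` so a
    captured code cannot be replayed, and compares in constant time.
    Returns the matched counter (persist it as the new last_used) or None."""
    if len(code) != digits or not code.isdigit():
        return None
    at = time.time() if at is None else at
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if last_used is not None and c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, c, digits), code):
            return c
    return None


def provisioning_uri(secret_b32: str, account: str, issuer: str = "PrestaShop") -> str:
    """The otpauth:// URI a setup QR code encodes (issuer label is an assumed value)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def recovery_codes(n: int = 8):
    """Single-use recovery codes: show the plain codes to the employee once and
    store only their SHA-256 hashes; a redeemed hash is removed from the set."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def redeem_recovery_code(code: str, hashes: set) -> bool:
    """Consume a recovery code; False if it is unknown or was already used."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in hashes:
        hashes.discard(h)
        return True
    return False
```

The RFC 4226/6238 test secret (ASCII "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) yields 287082 at Unix time 59, which is how you can check the implementation against any authenticator app.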
Malware Scanning & File Permission Checker
- Signature-based scanning — detect known malware patterns, backdoors, and web shells in PHP files
- Suspicious code detection — flag files containing base64-encoded payloads, eval() calls, and obfuscated code
- Quarantine — move detected malware to quarantine rather than deleting, preserving evidence for investigation
- File permission audit — identify files and directories with overly permissive permissions (world-writable, etc.)
- Permission auto-fix — one-click correction of file permissions to recommended values
- Core file verification — compare PrestaShop core files against official release checksums to detect modifications
Security Audit Log
When a security incident occurs, the first question is always: "What happened?" The security audit log records every critical action in your store, providing a forensic timeline for incident investigation and compliance reporting.
- Admin login tracking — every login attempt (successful and failed) with IP, timestamp, and user agent
- Configuration changes — records who changed what configuration setting, when, and what the old/new values were
- Employee management — tracks employee creation, modification, permission changes, and deletions
- Module activity — records module installation, uninstallation, configuration changes, and updates
- File access — logs access to sensitive files like payment module configurations
- API calls — tracks webservice API usage with endpoint, method, and response codes
- Export & retention — export logs as CSV, configure retention period, and set up automatic archival
- Search & filter — search logs by date range, action type, user, IP address, or keyword
HTTP Security Headers & Admin URL Randomization
- Content Security Policy (CSP) — visual builder for CSP headers that prevent XSS attacks
- HTTP Strict Transport Security (HSTS) — force HTTPS connections with configurable max-age
- X-Frame-Options — prevent clickjacking by controlling iframe embedding
- X-Content-Type-Options — prevent MIME type sniffing attacks
- Referrer-Policy — control how much referrer information is sent with requests
- Permissions-Policy — restrict browser API access (camera, microphone, geolocation) on your pages
- Admin URL randomization — change the back-office URL path to a random string, preventing automated admin panel discovery
Why is this module unique?
- The only PrestaShop security module that combines file integrity monitoring, brute-force protection, 2FA, malware scanning, audit logging, and security headers in a single package
- File integrity monitoring with SHA-256 hashing and diff viewing catches unauthorized changes that other security modules miss entirely
- The security audit log provides GDPR-compliant activity tracking that can satisfy regulatory auditors and incident investigators
- CSP header visual builder eliminates the notoriously difficult process of writing Content Security Policy rules manually
- Progressive brute-force lockout with automatic IP blocking stops credential-stuffing attacks without generating false positives for legitimate users
Use Cases
- Stores processing payments — PCI DSS compliance requires file integrity monitoring, access logging, and strong authentication — this module provides all three
- Stores handling personal data — GDPR requires audit trails of data access and modification, which the security audit log provides
- Stores with multiple employees — 2FA and audit logging ensure accountability when multiple people have admin access
- Stores previously compromised — file integrity monitoring and malware scanning provide ongoing assurance that the store remains clean after a breach cleanup
- Agency-managed stores — the audit log provides transparency into all changes made by agency developers and administrators
- High-value stores — where the financial and reputational cost of a breach justifies comprehensive, defense-in-depth security measures
Related Resources
Read our guide on admin security best practices. For complete protection, combine this with Total Defender and reCAPTCHA & hCaptcha Protection.
- Reference: mprsecurityrevolution
- PrestaShop Compatibility: PS 1.7 – 9.x
- Pricing Model: One-time Purchase
- Module Type: Front & Back-office
- GDPR Relevant: No
- Business Goal: Legal & Compliance
- External Account Needed: No
- Module Complexity: Complete Solution
- Customer Journey Stage: Manage Store
- Works With Platform: No External Platform
MPR Total Defender
- Version: 3.1.0
- Author: mypresta.rocks
- License: Commercial
- PrestaShop Compatibility: 1.7.0 - 1.7.8.x
Comprehensive security and anti-spam protection module for PrestaShop. Protects your store from bots, spam registrations, malicious attacks, and provides complete security monitoring.
Table of Contents
- Features Overview
- Installation
- Module Architecture
- Admin Controllers
- Security Features
- Configuration
- Database Schema
- Roadmap
- Changelog
Features Overview
Current Features (v3.0.0)
Anti-Spam Protection
- Registration Protection - Blocks spam registrations using honeypot fields, gibberish detection, disposable email blocking
- Contact Form Protection - Rate limiting and content analysis for contact forms
- Product Comment Protection - Prevents spam reviews and comments
- Cart Protection - Rate limits cart operations to prevent abuse
Bot & Crawler Management
- Crawler Detection - Identifies and categorizes web crawlers
- Bot Fighting - Challenge-response system for suspicious visitors
- Known Bot Database - Pre-seeded database of legitimate crawlers (Google, Bing, etc.)
- Custom Rules - Allow/block specific user agents
IP Management
- Automatic Banning - Auto-ban IPs that exceed rate limits
- Manual IP Banning - Block specific IPs with custom reasons
- IP Whitelisting - Exempt trusted IPs from all checks
- IP Penalty System - Assign penalty points to suspicious IPs
Session & Activity Monitoring
- Session Tracking - Track all visitor sessions with device info
- Activity Monitor - Real-time view of blocked attempts
- Request Logging - Log all requests for analysis
- Page View Tracking - Track navigation patterns
File Integrity Monitor
- Baseline Creation - Create cryptographic baseline of all monitored files
- Quick Scan - Fast modification time-based scanning
- Full Scan - Complete MD5 hash verification with malware pattern detection
- Alert Management - Track and acknowledge file changes
- Suspicious Pattern Detection - Detects obfuscated code, shell access, backdoors
Security Headers
- X-Frame-Options - Clickjacking protection
- X-XSS-Protection - XSS filter control
- X-Content-Type-Options - MIME sniffing prevention
- Referrer-Policy - Control referrer information
- HSTS - Force HTTPS connections
- CSP - Content Security Policy with violation reporting
Vulnerability Scanner
- PrestaShop Version Check - Detect outdated core versions
- PHP Version Check - Identify insecure PHP versions
- Module Vulnerability Scan - Check installed modules for known CVEs
- Configuration Audit - Review security-related settings
Firewall
- IP Blocking - Manual and automatic IP blocking
- GeoIP Blocking - Block traffic from specific countries
- TOR Exit Node Blocking - Block anonymous TOR traffic
- Custom Rules - Create pattern-based blocking rules
- Request Logging - Log all blocked requests
Installation
- Upload the module to `/modules/mprtotaldefender/`
- Install via PrestaShop Back Office > Modules
- Configure settings in Total Defender > Configuration
- Create file integrity baseline in Total Defender > File Monitor
Module Architecture
```
mprtotaldefender/
├── mprtotaldefender.php                          # Main module class
├── README.md                                     # This file
├── sql/
│   ├── install.php                               # Database installation
│   └── uninstall.php                             # Database removal
├── src/
│   ├── Classes/
│   │   ├── MPRTotalDefenderConfig.php            # Configuration management
│   │   ├── MPRTotalDefenderRateLimit.php         # Rate limiting logic
│   │   ├── MPRTotalDefenderBannedIP.php          # IP ban management
│   │   ├── MPRTotalDefenderBlockedAttempt.php    # Blocked attempts logging
│   │   ├── MPRTotalDefenderCustomerInfo.php      # Customer tracking
│   │   ├── MPRTotalDefenderSpamDetector.php      # Spam detection algorithms
│   │   ├── MPRTotalDefenderCrawler.php           # Crawler management
│   │   ├── MPRTotalDefenderBotFight.php          # Bot challenge system
│   │   ├── MPRTotalDefenderGlobalRateLimit.php   # Global rate limiting
│   │   ├── MPRTotalDefenderSession.php           # Session tracking
│   │   ├── MPRTotalDefenderFileIntegrity.php     # File integrity monitoring
│   │   ├── MPRTotalDefenderSecurityHeaders.php   # HTTP security headers
│   │   ├── MPRTotalDefenderVulnerabilities.php   # Vulnerability scanning
│   │   └── MPRTotalDefenderFirewall.php          # Firewall rules
│   └── Traits/
│       └── AdminController/
│           ├── AdvancedFilters.php               # List filtering functionality
│           ├── ColumnsManager.php                # Column visibility management
│           └── DismissableAlert.php              # Alert dismissal tracking
├── controllers/
│   ├── admin/
│   │   ├── AdminMPRTotalDefenderDashboardController.php
│   │   ├── AdminMPRTotalDefenderConfigController.php
│   │   ├── AdminMPRTotalDefenderBlockedController.php
│   │   ├── AdminMPRTotalDefenderCrawlersController.php
│   │   ├── AdminMPRTotalDefenderActivityController.php
│   │   ├── AdminMPRTotalDefenderIntegrityController.php
│   │   ├── AdminMPRTotalDefenderSessionsController.php
│   │   ├── AdminMPRTotalDefenderFileIntegrityController.php
│   │   ├── AdminMPRTotalDefenderFirewallController.php
│   │   ├── AdminMPRTotalDefenderVulnerabilitiesController.php
│   │   ├── AdminMPRTotalDefenderSecurityHeadersController.php
│   │   └── AdminMPRTotalDefenderAjaxController.php
│   └── front/
│       └── Ajax.php                              # Front-end AJAX handler
└── views/
    ├── templates/
    │   └── admin/                                # Admin panel templates
    └── js/
        └── admin/
            └── file_integrity.js                 # File scanning UI
```
Admin Controllers
| Controller | Tab Name | Description |
|---|---|---|
| Dashboard | Dashboard | Overview with key metrics and quick actions |
| Activity | Activity Monitor | Real-time blocked attempts and activity log |
| Blocked | Blocked Attempts | Detailed log of all blocked actions |
| Sessions | Sessions | Active and historical session tracking |
| Crawlers | Crawler Management | Bot/crawler detection and rules |
| Config | Configuration | Module settings and options |
| Integrity | System Integrity | Legacy integrity checks |
| FileIntegrity | File Monitor | File baseline and scanning |
| Firewall | Firewall | IP blocking and custom rules |
| Vulnerabilities | Vulnerabilities | Security vulnerability scanner |
| SecurityHeaders | Security Headers | HTTP header configuration |
Security Features
Rate Limiting
Configurable rate limits for:
- Cart operations (add/remove/update)
- User registrations
- Contact form submissions
- Product comments/reviews
- Login attempts
Spam Detection Methods
- Honeypot Fields - Hidden form fields that bots fill out
- Gibberish Detection - Identifies nonsensical input
- Non-Latin Character Detection - Blocks Cyrillic/other scripts in name fields
- Disposable Email Blocking - Rejects temporary email services
- Link Density Analysis - Flags messages with excessive URLs
- Timing Analysis - Detects forms submitted too quickly
File Integrity Patterns
The scanner detects these malicious patterns:
- `eval(base64_decode(...))` - Obfuscated code execution
- `shell_exec()`, `system()`, `exec()` - Shell access
- `file_put_contents($_POST...)` - File write from user input
- `include($_GET...)` - Remote file inclusion
- `preg_replace('/e')` - Deprecated eval modifier
- Hex-encoded variables and obfuscation
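A signature scanner for the patterns listed above (and for the quarantine step the Security Revolution malware-scanning section describes), as an added example that is not the module's own code: the regexes are my own approximations of each listed pattern, and the two PHP fixtures are constructed inline.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Regexes for the patterns the README lists. They are my own approximations
# (assumed), not the module's real signature set.
SIGNATURES = {
    "eval(base64_decode())": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "shell access": re.compile(r"\b(?:shell_exec|system|exec|passthru)\s*\(", re.I),
    "file write from user input": re.compile(
        r"\bfile_put_contents\s*\([^;]*\$_(?:POST|GET|REQUEST)\b", re.I),
    "include from user input": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST)\b", re.I),
    "preg_replace /e modifier": re.compile(
        r"""\bpreg_replace\s*\(\s*(['"])/(?:(?!\1).)*/[a-z]*e[a-z]*\1""", re.I),
    "hex-encoded string": re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I),
}


def scan_source(text: str) -> list:
    """Return [(line_number, signature_name), ...] for every line that matches."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        hits.extend((no, name) for name, rx in SIGNATURES.items() if rx.search(line))
    return hits


def scan_tree(root) -> dict:
    """Scan every .php file under root; map relative path -> hits (flagged files only)."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def quarantine(path, qdir) -> Path:
    """Move a flagged file out of the web root instead of deleting it, so the
    evidence survives: stored under its SHA-256, with a .meta noting the origin."""
    path, qdir = Path(path), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    dest = qdir / digest
    shutil.move(str(path), str(dest))
    (qdir / (digest + ".meta")).write_text(f"original={path}\nsha256={digest}\n")
    return dest


# Constructed fixtures (not real module code): one clean file, one with the listed patterns.
CLEAN_PHP = "<?php\n$total = array_sum($prices);\necho htmlspecialchars($name);\n"
SUSPECT_PHP = "\n".join([
    "<?php",
    "$p = $_POST['p'];",
    "@eval(base64_decode($p));",
    "file_put_contents($_GET['f'], $p);",
    "$r = preg_replace('/.*/e', $p, '');",
    r'$s = "\x73\x79\x73\x74\x65\x6d";',
]) + "\n"


def demo_scan():
    """Write the fixtures to a temp dir, scan, then quarantine every flagged file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.php").write_text(CLEAN_PHP)
        (root / "suspect.php").write_text(SUSPECT_PHP)
        report = scan_tree(root)
        for rel in report:
            quarantine(root / rel, root / "quarantine")
        return report, sorted(p.name for p in (root / "quarantine").iterdir())
```

Expect some false positives from legitimate modules that call system() or embed hex strings; the hit list with line numbers is what lets a reviewer confirm or dismiss each one before the file is quarantined.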
Configuration
Key Configuration Options
```php
$defaults = [
    // Rate Limiting
    'rate_limit_cart' => 30,              // Max cart ops per minute
    'rate_limit_registration' => 5,       // Max registrations per hour
    'rate_limit_contact' => 3,            // Max contact submissions per hour

    // Protection Toggles
    'honeypot_enabled' => true,
    'gibberish_detection' => true,
    'disposable_email_blocking' => true,

    // Auto-Ban Thresholds
    'auto_ban_threshold' => 10,           // Penalty points before ban
    'auto_ban_duration' => 86400,         // Ban duration in seconds

    // File Integrity
    'file_integrity_scan_on_save' => false, // Scan after module saves
    'file_integrity_alert_email' => true,   // Email on suspicious files
];
```
Database Schema
Core Tables
| Table | Purpose |
|---|---|
| mprtotaldefender_config | Module configuration storage |
| mprtotaldefender_rate_limit | Rate limit tracking |
| mprtotaldefender_banned_ip | Banned IP addresses |
| mprtotaldefender_blocked_attempts | Blocked action log |
| mprtotaldefender_customer_info | Customer tracking data |
| mprtotaldefender_crawler | Known crawler database |
| mprtotaldefender_request_log | Request logging |
| mpr_sessions | Session tracking (shared with other MPR modules) |
Security Revolution Tables
| Table | Purpose |
|---|---|
| mprtotaldefender_file_baseline | File integrity baseline hashes |
| mprtotaldefender_file_alerts | File change alerts |
| mprtotaldefender_admin_login_attempts | Admin login tracking |
| mprtotaldefender_admin_2fa | Two-factor authentication settings |
| mprtotaldefender_audit_log | Admin action audit trail |
| mprtotaldefender_input_threats | Input protection threat log |
| mprtotaldefender_csp_violations | CSP violation reports |
| mprtotaldefender_vuln_scans | Vulnerability scan results |
| mprtotaldefender_vulnerabilities | Individual vulnerabilities |
| mprtotaldefender_blocked_ips | Firewall blocked IPs |
| mprtotaldefender_whitelist | Firewall whitelist |
| mprtotaldefender_firewall_rules | Custom firewall rules |
| mprtotaldefender_firewall_log | Firewall action log |
| mprtotaldefender_tor_nodes | TOR exit node cache |
| mprtotaldefender_geoip_cache | GeoIP lookup cache |
Email Security Tables (v3.1.0)
| Table | Purpose |
|---|---|
| mprtotaldefender_email_log | Email send/block log with rate limiting |
| mprtotaldefender_email_alerts | Email abuse detection alerts |
| mprtotaldefender_email_domains | Blocked/suspicious email domains |
Roadmap
Version 3.1.0 - Email Security (Current)
Email Rate Limiting
- Rate limit transactional emails per customer
- Rate limit emails per IP address
- Configurable limits per email type (order confirmation, password reset, etc.)
Email Abuse Detection
- Detect unusual email volume spikes
- Alert on mass email sending patterns
- Track failed email deliveries as security indicators
Email Address Protection
- Block emails to disposable email addresses
- Suspicious email domain detection (built-in + custom domains)
- Email validation before sending
Version 3.2.0 - Admin Security (Planned)
Two-Factor Authentication
- TOTP-based 2FA for admin accounts
- Backup codes for emergency access
- Per-employee 2FA enforcement
Admin Login Protection
- Brute force protection with progressive delays
- Login attempt logging with IP tracking
- Suspicious login alerts (new IP, unusual time)
- Force password change on security events
Audit Trail
- Log all admin actions
- Track configuration changes
- Employee activity reports
Version 3.3.0 - Advanced Firewall (Planned)
Enhanced Rules
- Request body pattern matching
- Header-based rules
- Time-based rules (block during off-hours)
- Rate-based rules (auto-block on threshold)
Country Blocking
- MaxMind GeoIP integration
- Block/allow by country
- Country-specific rate limits
WAF Features
- SQL injection detection
- XSS attack prevention
- Path traversal blocking
- Request size limits
Version 3.4.0 - Reporting & Alerts (Planned)
Dashboard Enhancements
- Real-time threat map
- Attack trend graphs
- Top blocked IPs/countries
- Security score calculation
Alerting System
- Email alerts for critical events
- Slack/Discord webhook integration
- SMS alerts for emergencies
- Daily/weekly security digest
Reports
- PDF security reports
- Scheduled report generation
- Executive summary reports
Version 4.0.0 - Enterprise Features (Future)
Multi-Store Support
- Per-shop configuration
- Centralized security dashboard
- Cross-shop threat sharing
API Protection
- API endpoint rate limiting
- API key management
- OAuth protection monitoring
Compliance
- GDPR data protection features
- PCI-DSS compliance helpers
- Security policy templates
Changelog
Version 3.1.0 (2024-12)
- NEW: Email Security module with rate limiting
- NEW: Disposable email domain blocking (60+ built-in domains)
- NEW: Email volume spike detection
- NEW: Mass sending alert system
- NEW: Custom blocked domain management
- NEW: Email log with detailed statistics
- NEW: Email security dashboard with alerts
Version 3.0.0 (2024-12)
- NEW: File Integrity Monitor with baseline/scan system
- NEW: Security Headers configuration (HSTS, CSP, X-Frame-Options)
- NEW: Vulnerability Scanner for PrestaShop and modules
- NEW: Firewall with custom rules and GeoIP support
- NEW: Modal-based file scanning with progress UI
- NEW: Quick navigation dropdown for all security tabs
- IMPROVED: Admin controller architecture with traits
- IMPROVED: Session tracking with page view counters
Version 2.x
- Initial release with anti-spam protection
- Bot detection and crawler management
- Rate limiting system
- IP banning functionality
Support
For support, feature requests, or bug reports:
- Email: info@mypresta.rocks
- Website: https://mypresta.rocks
License
This module is proprietary software. Use is restricted to licensed domains only.
Copyright (c) mypresta.rocks. All rights reserved.
v3.3.1 — 2026-01-22
- Added PS 9.1 compatibility with updated security headers handling
- Fixed CSP (Content Security Policy) header blocking Hummingbird theme inline scripts
- Added rate limiting configuration for REST API endpoints
- Fixed two-factor authentication QR code not generating on PHP 8.4
- Improved brute force detection accuracy, reducing false positives by 30%
v3.3.0 — 2025-09-05
- Added PS 9.0 compatibility
- New Web Application Firewall (WAF) rule engine with custom pattern matching
- Added automated security scan scheduler with email reports
- Fixed session fixation detection causing logout on legitimate cart updates
- Added IP reputation database integration for known malicious IPs
- Improved file integrity monitoring with real-time notification webhooks
v3.2.0 — 2025-04-28
- New admin login notification via email with device fingerprinting
- Added HTTP security headers manager (HSTS, X-Frame-Options, CSP, Permissions-Policy)
- Added SQL injection pattern detection in search and contact form inputs
- Fixed CAPTCHA challenge not rendering on password reset form
- Improved bot detection with JavaScript challenge verification
v3.1.0 — 2024-12-15
- Added malware scanner for uploaded files (images, CSV imports, attachments)
- New security dashboard with threat timeline visualization
- Added automatic IP blocking after configurable failed login attempts
- Fixed security log export timeout for logs exceeding 100k entries
- Added support for security.txt standard file generation
v3.0.0 — 2024-08-01
- Major rewrite with event-driven security monitoring architecture
- Added PS 8.2 compatibility
- New two-factor authentication (TOTP) for back-office employees
- Added admin directory rename recommendation with automatic .htaccess update
- Added file permission audit tool for PrestaShop directory structure
- Breaking: security log format changed to structured JSON (migration tool included)
v2.5.0 — 2024-04-08
- Added country-level IP blocking with GeoIP database
- New login attempt monitoring with geographic visualization
- Added automatic backup creation before detected security events
- Fixed SSL certificate expiration checker showing wrong timezone
- Support for PS 1.7.6+ and PS 8.x
- Two-factor authentication for admin: Implemented
- Two-factor authentication for admin login: Implemented
- Malware scanning with suspicious code detection: Implemented
- Geo-blocking by country for admin panel: Implemented
- Admin login audit log with IP tracking: Implemented
- Country-level IP blocking via GeoIP: Implemented
- CSP header builder with visual configuration: Implemented
- Automatic malware scanning of uploaded files: Planned