Secure your PrestaShop back office with two-factor authentication
Why PrestaFence is the solution we recommend to all merchants today

The PrestaShop back office: a critical gateway… and all too often vulnerable
In the world of e-commerce, security is no longer limited to a strong password. The PrestaShop back office is a strategic target: this is where your orders, customer data, modules, FTP access, payments, and more are stored. If a hacker manages to gain access, your entire shop is in their hands.
However, most shops only protect this back office with a login/password. A major mistake in 2025. A stolen password, an SQL injection, database access… and it’s all over.
Password alone = breaking point
There are numerous attack scenarios:
❌ Brute force on the login screen (unlimited password attempts)
❌ Phishing targeting the administrator via email or SMS
❌ Vulnerable modules giving access to the database or account management
❌ Direct exploit via core vulnerability or malicious upload
❌ Deactivation of protections directly in the database (documented real case)
In all these cases, once access has been gained, the intruder can:
❌ create an admin account without triggering a security alert,
❌ inject a script to steal payments,
❌ redirect your site to a clone shop,
❌ or even disable all traces of two-factor authentication if it is not properly implemented.
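The scenarios above are the ones a shop should be able to detect as well as prevent. The following Python script is an added example (not PrestaFence's or PrestaShop's own code) with two cron-style checks: a brute-force detector over back-office login log lines, and an integrity check that flags a security module silently switched off in ps_module or an administrator account that appeared in ps_employee outside the normal process. The log line format, the module name "examplesec2fa", the baseline contents and the table snapshots are assumptions constructed for the example; ps_module and ps_employee and their columns are PrestaShop's real table names.

```python
"""Detection checks for the attack scenarios listed above.

Constructed illustration, not PrestaFence's or PrestaShop's own code. The
log format, module name, baseline and table snapshots are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 10        # failed logins from one IP ...
WINDOW = timedelta(minutes=5)      # ... inside this sliding window

# Constructed log lines in an assumed "<ISO time> <result> ip=<addr> user=<email>" format.
SAMPLE_LOG = """\
2025-03-01T10:00:01 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:03 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:04 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:06 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:09 LOGIN_FAIL ip=198.51.100.4 user=ops@shop.example
2025-03-01T10:00:12 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:15 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:18 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:21 LOGIN_OK ip=198.51.100.4 user=ops@shop.example
2025-03-01T10:00:24 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:27 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:00:30 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
2025-03-01T10:04:59 LOGIN_FAIL ip=203.0.113.7 user=admin@shop.example
"""


def parse_line(line):
    """Split one log line into (timestamp, result, ip, user)."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), result, kv.get("ip"), kv.get("user")


def brute_force_ips(log_text, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return the IPs with at least `threshold` failed logins inside any sliding window."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, ip, _ = parse_line(line)
        if result == "LOGIN_FAIL":
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1            # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Baseline captured at a known-good moment and kept outside the database
# (for example a file only the deploy user can write). Contents are assumptions.
BASELINE = {
    "security_modules": {"examplesec2fa": 1},      # module name -> expected active flag
    "employees": {"admin@shop.example", "ops@shop.example"},
}


def integrity_findings(ps_module_rows, ps_employee_rows, baseline=BASELINE):
    """Compare snapshots of ps_module and ps_employee (lists of dicts) with the baseline."""
    findings = []
    active = {r["name"]: r["active"] for r in ps_module_rows}
    for name, expected in baseline["security_modules"].items():
        if name not in active:
            findings.append(f"module {name} missing from ps_module")
        elif active[name] != expected:
            findings.append(f"module {name} active={active[name]} (expected {expected})")
    for r in ps_employee_rows:
        if r["email"] not in baseline["employees"]:
            findings.append(f"unexpected back-office account {r['email']} "
                            f"(id_employee={r['id_employee']})")
    return findings


# Constructed snapshots: the 2FA module has been flipped off and an admin has been added.
SAMPLE_PS_MODULE = [{"name": "examplesec2fa", "active": 0}, {"name": "blockwishlist", "active": 1}]
SAMPLE_PS_EMPLOYEE = [
    {"id_employee": 1, "email": "admin@shop.example"},
    {"id_employee": 2, "email": "ops@shop.example"},
    {"id_employee": 9, "email": "support@mail.example"},
]

if __name__ == "__main__":
    print("brute force from:", sorted(brute_force_ips(SAMPLE_LOG)))
    for finding in integrity_findings(SAMPLE_PS_MODULE, SAMPLE_PS_EMPLOYEE):
        print("ALERT:", finding)
```

The baseline deliberately lives outside the database: if the check read its expectations from the same tables an intruder can write to, a single UPDATE would silence both the protection and the alarm. In a real deployment the flagged IPs feed a firewall or fail2ban rule and the findings go to a mailbox or SIEM.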
Two-factor authentication (2FA), an essential safeguard
2FA (two-factor authentication) adds a vital control: even if the password is compromised, access remains blocked without secondary validation (SMS code, email, application, etc.).
But beware: not all 2FA is created equal.
A poor 2FA module can give the illusion of security while being very easy to circumvent.
Common flaws in traditional 2FA modules on PrestaShop
Many 2FA modules available on the PrestaShop marketplace are less secure in several ways:
| ❌ Common faults | 🔎 Explanation |
|---|---|
| Vulnerable to SQL injection | Simply set active = 0 on the module's row in the ps_module table to deactivate it. |
| Sensitive to technical data leaks | The attacker can extract the OTP secret from the database, add it to their Google Authenticator, and generate valid codes. |
| Unique shared QR code | Some extensions use a single 2FA code shared by all administrators. Once this code is known, every account is exposed. |
| No post-reset lock | After a ‘forgotten password’ request, some shops do not ask for 2FA, creating a bypass. |
And above all: almost all 2FA modules can be neutralised if the attacker has access to the database or FTP.
PrestaFence: a radically different approach
PrestaFence is not like other modules. It is a comprehensive security solution that keeps two-factor authentication enforced even if the database itself is compromised. We ran several scenarios, including SQL injection attempts, to check its resistance to 2FA deactivation.
🔎 What makes PrestaFence unique:
| Functionality | PrestaFence | Standard modules |
|---|---|---|
| Code by email (out-of-band) | Yes – a code is sent to the admin's email address | No – the code is generated on the same device as the attack |
| No secrets stored unencrypted in the database | ✅ | ❌ – often stored in plain text |
| Cannot be disabled via SQL | ✅ – enforcement lives outside the database | ❌ – UPDATE ps_module SET active=0 is sufficient |
| Logs and alerts for suspicious logins | ✅ – logging + IP blocking | ❌ – often blind modules |
| No QR code to scan or mobile app | ✅ – simple and robust UX (email) | ❌ – requires app configuration (a barrier for some) |
We understand the criticism that codes received by email are less secure than codes generated by apps such as Google Authenticator, but we believe this makes adoption easier and that the risk is more than offset by its resistance to circumvention. Bear in mind that security is not limited to the back office: your email inbox also needs your full attention.
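The two tables above (the common flaws and the PrestaFence comparison) describe the same design properties from opposite sides. The following Python sketch is an added example, not PrestaFence's or PrestaShop's own code, that puts them together in one out-of-band email-code gate: the table holds only a salted hash of a short-lived, single-use code (a database dump yields nothing that can be replayed or loaded into an authenticator app), the enforcement switch comes from a setting outside the database so the ps_module active column is never consulted, and each issued code allows only a few guesses. ChallengeStore, back_office_login, the ENFORCE_2FA setting and the mail outbox are constructed stand-ins.

```python
"""Out-of-band e-mail code gate for a back-office login.

Constructed illustration, not PrestaFence's or PrestaShop's own code.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300   # an issued code is valid for five minutes
MAX_ATTEMPTS = 5         # guesses allowed per issued code
CODE_DIGITS = 6

# Assumed to be loaded from a config file or environment variable that lives
# outside the database (owned by the deployment, not writable through SQL).
ENFORCE_2FA = True


def _hash_code(code, salt):
    """Slow salted hash; only this, never the code, is written to the table."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


class ChallengeStore:
    """Stand-in for the module's table plus the mail transport (constructed)."""

    def __init__(self):
        self.rows = {}     # employee id -> stored challenge row
        self.outbox = []   # (email, code) pairs "sent"; the code exists only here

    def issue(self, employee_id, email, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = os.urandom(16)
        self.rows[employee_id] = {
            "salt": salt,
            "hash": _hash_code(code, salt),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        self.outbox.append((email, code))
        return code  # returned only so a caller can play the admin reading the mail

    def verify(self, employee_id, submitted, now=None):
        now = time.time() if now is None else now
        row = self.rows.get(employee_id)
        if row is None or row["used"] or now > row["expires"]:
            return False
        if row["attempts"] >= MAX_ATTEMPTS:
            return False
        row["attempts"] += 1
        if hmac.compare_digest(row["hash"], _hash_code(submitted, row["salt"])):
            row["used"] = True  # single use: replaying the same code is refused
            return True
        return False

    def dump(self):
        """Everything an attacker with SQL access to this table would obtain."""
        return {eid: dict(row) for eid, row in self.rows.items()}


def back_office_login(store, employee_id, email, password_ok, submitted_code,
                      module_active_flag=1, now=None):
    """Login decision. module_active_flag mimics ps_module.active and is
    deliberately ignored: flipping it to 0 does not remove the second factor."""
    if not password_ok:
        return "denied"
    if not ENFORCE_2FA:
        return "granted"
    if submitted_code is None:          # step one: password accepted, send the code
        store.issue(employee_id, email, now=now)
        return "challenge-sent"
    if store.verify(employee_id, submitted_code, now=now):
        return "granted"
    return "denied"


if __name__ == "__main__":
    store = ChallengeStore()
    print(back_office_login(store, 7, "admin@shop.example", True, None, module_active_flag=0))
    _, code = store.outbox[-1]
    print(code in repr(store.dump()))   # False: the table never holds the code
    print(back_office_login(store, 7, "admin@shop.example", True, code))
    print(back_office_login(store, 7, "admin@shop.example", True, code))  # replay refused
```

The "no post-reset lock" flaw from the first table corresponds to adding a branch that skips the challenge after a password reset; in this sketch a reset changes nothing, because every login goes through the same back_office_login path. Whether the inbox that receives the code is itself protected is the caveat the paragraph above raises, and nothing in the code can compensate for it.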

In the event of an attack, PrestaFence holds firm.
Concrete examples observed:
- Attempts to disable the 2FA module via SQL: ineffective, as PrestaFence continues to intercept the login via a core hook or override.
And above all, even in the event of a flaw in PrestaShop itself (such as the one in 2025 that allowed administrators’ logins/emails to be disclosed), PrestaFence intercepts the session and requires the email code. As a result, access remains locked.
Why we recommend PrestaFence to all PrestaShop merchants
PrestaShop is a robust solution, but it does not offer native two-factor authentication. Given the current threats, every merchant should consider 2FA a basic requirement, just like an SSL certificate.
And among all the solutions on the market, PrestaFence is the only one we consider truly resistant to realistic attacks:
- It does not rely on the database (so it cannot be bypassed via SQL).
- It blocks actions before they even reach the back office.
- It protects you without weighing down your daily routine.
That is why we developed and tested it, and why we can now recommend it.
And that is why it is now our standard security feature for PrestaShop.
Conclusion
- If your PrestaShop store does not yet have 2FA, or if it uses a basic module, you may want to audit your store’s security.
- If you think this does not apply to you, be aware that more than 1 million MFA bypass attacks (using the EvilProxy technique) are detected globally every month.
- If you want an effective, robust, easy-to-adopt solution, choose PrestaFence.
Do not leave your back office without double locks.
Protect your shop as it deserves. Maintain your customers’ trust.