Back to the list
16 February 2026

Our recommendations following the PrestaShop alert ‘Recommended verification of your shops’

Following the sending of the email below by PrestasShop, we would like to clarify a number of points.

– We are not aware of any new security vulnerabilities or hacking techniques in PrestaShop or any of its modules. There are many types of malware actively used on PrestaShop, and the malware mentioned in this email is not the subject of a particularly active campaign. To date, we do not know why PrestaShop chose to communicate about this particular malware.

– The principle behind a skimmer is to remain discreet. Consequently, hackers regularly modify the signature (the code or location) of their skimmers, sometimes from one hack to the next. Performing this search is obviously necessary, but the absence of the file in question does not guarantee that the shop has not been compromised.

– For shops that are not properly supervised, subtle signs are the first indication of hacking: unusual behaviour in the back office, customer support requests, etc.

In any case, we do not believe that this message draws attention to the real issues at stake: open source CMSs are very powerful tools whose security is the responsibility of the operator and which are delivered without any protection. It is therefore up to the retailer and its service providers to put in place a set of measures to protect the shop.

Unfortunately, currently, the vast majority of PrestaShop shops do not have any security system in place. Without any security measures, the shop is exposed to constant analysis (crawling) by hackers, is vulnerable to the slightest flaw (security updates not applied within hours of publication, leaked credentials, security holes in the developer’s code, etc.) and intrusions go undetected.

Security solutions exist…

As SaaS software is responsible for security, it implements all the standard security measures for an application that is freely accessible on the internet, in addition to securing its own software:

  • Traffic detection and blocking = WAF specifically configured for the software,
  • Access management = two-factor authentication, logging and monitoring of all accesses with modification rights
  • Change tracking = FIM to detect any changes to the code
  • etc…

Without these measures, hacking of freely accessible applications on the internet is  inescapable.

… you need to set them up on your PrestaShop!

For PrestaShop, in February 2026, the minimum security requirements are:

  • Flawless maintenance of your PrestaShop: updating the CMS and its modules + Apache-PHP-PrestaShop configurations
  • Mandatory two-factor authentication on all Back Office accounts
  • PrestaShop-specialised WAF
    • Note 1: even in paranoid mode, Cloudflare does not block most attacks specific to PrestaShop (as it is a generic WAF): you must create custom rules adapted to the CMS.
    • Note 2: unless specifically mentioned in the offer, your host/IT manager does not implement a PrestaShop-specific WAF.

Are you a technical expert? Read our guide to securing a PrestaShop shop (coming soon).

It was in this context that Prestafence was created: a simple solution to protect PrestaShop shops. Prestafence includes a specialised PrestaShop WAF and a two-factor authentication solution for the back office, with logging of all accesses and their geographical location.

Do not wait for hacking to occur: if these security measures have not been implemented, install Prestafence .

Email from PrestaShop dated 12 February 2026

We recently identified a security threat affecting certain online shops in the PrestaShop ecosystem. A malicious script (‘digital skimmer’) was detected and may have resulted in the theft of certain customers’ payment information.

This malware works by replacing legitimate payment buttons on the order page with fraudulent buttons. When a customer clicks on one of these fake buttons, they are redirected to a counterfeit payment form designed to capture their payment information.

The skimmer is simply loaded via a <script> tag, written directly into the _partials/head.tpl file of the shop’s active theme. This means that the attacker was able to modify a file in the shop.

Inside the <script> tag, the following code can be found:

Script removed for security reasons, see PrestaShop website

The part aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz changes each time, but the structure of the code remains the same, and the atob() function is always used. Code may be present before or after (the skimmer attempts to conceal itself by being slightly different on each shop).

At this point, we strongly recommend that you perform a complete security check of your PrestaShop shops and ensure that none of them have been compromised. You can also visit this page for more details on the situation.

Our technical teams are actively investigating the source of this attack and implementing all necessary measures to prevent any further impact.

We thank you for your vigilance and cooperation.