Critical PrestaShop flaw: the /install/ folder can hand your store to hackers

21 April 2026

Security researchers at Sansec have just published an alert: over 200 PrestaShop stores are currently vulnerable to a total takeover through a single forgotten folder. The worst part? The fix takes 2 minutes. But if you do nothing, an attacker can become administrator of your store, steal your customers' data, and install backdoors on your server.

Here is what you need to know and how to protect yourself.

What is this flaw?

When you install PrestaShop, an /install/ folder (or /install-dev/ on development versions) is created on your server. This folder holds the setup wizard: database connection, admin account creation, site configuration.

In theory, you should delete this folder after installation. In practice, many merchants don't. And PrestaShop doesn't always remove it automatically.

Result: anyone can go to your-store.com/install/ and rerun the installation.

What an attacker can do

The exploit is ruthlessly simple:

  • Rewrite the database config — The installer accepts parameters like dbServer, dbName, dbLogin, dbPassword. The attacker redirects your store to their own database.
  • Create an admin account — By rerunning the install step (?step=process), the attacker creates an admin with their own credentials.
  • Execute code on your server — Once admin, they upload a malicious module. PrestaShop uses eval() on override files during module install, which allows arbitrary code execution.
  • Install backdoors — Web shells, data-stealing scripts, credit card skimmers... The attacker has total, persistent access.

Who is affected?

You are potentially vulnerable if:

  • You installed PrestaShop manually (not through an auto-installer from your host)
  • You never checked whether the /install/ or /install-dev/ folder still exists on your server
  • You've done a migration or update that may have recreated the install folder
  • You're on a development build with the /install-dev/ folder still present
  • Your host restored a backup that included the install folder

All PrestaShop versions are affected: 1.6, 1.7, 8.x and 9.

How to check if you're vulnerable (30 seconds)

Open your browser and type:

https://your-store.com/install/
https://your-store.com/install-dev/

If you see the PrestaShop setup wizard or any content other than a 404 error: you're vulnerable. Act immediately.

If you get a 404 or "Not Found" page: the folder is not accessible. But still verify via FTP that the folder doesn't exist at all on the server (it may be .htaccess-protected but still present).

How to fix it

1. Delete the install folders

Connect to your server via FTP (FileZilla, WinSCP) or SSH and delete:

rm -rf /path/to/your-store/install/
rm -rf /path/to/your-store/install-dev/

This is the main fix. Without the folder, the attack is impossible.

2. Disable debug mode

Make sure debug mode is off in production. In config/defines.inc.php:

define('_PS_MODE_DEV_', false);

Debug mode exposes technical details that make attacks easier.

3. Check no unknown admin was created

In your back-office, go to Advanced parameters > Team > Employees. If you see an account you don't recognise: your store may already be compromised. Delete it immediately and run a full security audit.

4. Scan your store

Even after deleting the folder, an attacker may already have acted while it was exposed. Look for:

  • Unknown PHP files in /modules/, /override/, /upload/, /img/
  • Recent modifications on core files (check modification dates)
  • Admin accounts you didn't create
  • Suspicious redirects (test your store from Google in incognito mode)
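The server-side checks from the sections above (leftover install folders, the _PS_MODE_DEV_ setting, recently modified PHP files in the folders where uploaded code lands) combined into one audit you can run over SSH or from a post-update hook. This is an added example, not PrestaShop's code or the author's; it assumes the standard PrestaShop directory layout, and make_sample_store() builds a constructed demo tree only so the audit can be tried offline.

```python
import re
import shutil
import tempfile
import time
from pathlib import Path

INSTALL_DIRS = ("install", "install-dev")
WATCHED_DIRS = ("modules", "override", "upload", "img")
DEV_MODE_RE = re.compile(r"define\(\s*'_PS_MODE_DEV_'\s*,\s*(true|false)\s*\)", re.I)

def leftover_install_dirs(root, remove=False):
    """Setup-wizard folders still on disk (should be none in production); delete them if remove=True."""
    found = [Path(root) / d for d in INSTALL_DIRS if (Path(root) / d).is_dir()]
    for path in (found if remove else []):
        shutil.rmtree(path)  # the main fix: without the folder the attack is impossible
    return [str(p) for p in found]

def debug_mode_enabled(root):
    """True if config/defines.inc.php sets _PS_MODE_DEV_ to true; None if the define is not found."""
    cfg = Path(root) / "config" / "defines.inc.php"
    if not cfg.is_file():
        return None
    m = DEV_MODE_RE.search(cfg.read_text(errors="replace"))
    return None if m is None else m.group(1).lower() == "true"

def recent_php_files(root, max_age_days=7, now=None):
    """PHP files changed within max_age_days in the folders where uploaded shells usually land."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    hits = []
    for d in WATCHED_DIRS:
        base = Path(root) / d
        if base.is_dir():
            hits += [str(p) for p in base.rglob("*.php") if p.is_file() and p.stat().st_mtime >= cutoff]
    return sorted(hits)

def audit(root, remove=False):
    """Run every check; a post-update hook can fail the deploy on a non-empty result."""
    return {"install_dirs": leftover_install_dirs(root, remove),
            "debug_mode": debug_mode_enabled(root),
            "recent_php": recent_php_files(root)}

def make_sample_store():
    """Constructed demo tree, not a real store: install/ left behind, debug on, fresh PHP under modules/."""
    root = Path(tempfile.mkdtemp())
    for d in ("install", "config", "modules/blockcart"):
        (root / d).mkdir(parents=True)
    (root / "config" / "defines.inc.php").write_text("<?php\ndefine('_PS_MODE_DEV_', true);\n")
    (root / "modules" / "blockcart" / "cmd.php").write_text("<?php // constructed sample, not a payload\n")
    return str(root)
```

Run audit("/path/to/your-store", remove=True) after each update; any non-empty install_dirs, debug_mode True or unexpected recent_php entry is something to investigate.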

Not comfortable doing it yourself? We handle it.

If you're not at ease with FTP, SSH or file scanning, don't take the risk. Our PrestaShop experts intervene within minutes:

  • Full server check (exposed folders, suspicious files, admin accounts)
  • Secure removal of install folders and any malicious code
  • Anti-malware scan of your entire store
  • Detailed report of what was found and fixed
  • Preventive hardening so it doesn't happen again

Go further: audit your PrestaShop security

This flaw is just one of dozens that can hit your store. Outdated modules, tampered files, overly open permissions, weak passwords... A full security audit finds every weakness before an attacker does.

Frequently asked questions

Doesn't my host remove the install folder automatically?
Some hosts do, others don't. Don't rely on it — check yourself. Auto-installers (Softaculous, Installatron) usually remove the folder, but manual installs don't always do so.

What if the /install/ folder doesn't exist on my server at all?
If the folder does not exist at all on the server, you're not vulnerable to this specific flaw. But your store may have other weaknesses. A full security audit is recommended.

Could my store already have been compromised?
It's possible. Check admin accounts in your back-office, scan recently modified files, and monitor your store over the coming days. When in doubt, get a professional security audit.

Are all PrestaShop versions affected?
Yes, every PrestaShop version that uses an /install/ or /install-dev/ folder is affected. The vulnerability is not in PrestaShop's code itself, but in the fact that the install folder stays reachable after deployment.

How do I stop the folder from coming back after an update?
Add a check in your deployment process. If you use SSH, add a post-update script that automatically deletes the folder. You can also block access via .htaccess or your web server config.
