
In today’s digital economy, managing enterprise data safely is critical—especially when it comes to your ERP and CRM platform. Dolibarr, a popular open-source ERP/CRM solution, has been widely adopted by small and medium-sized businesses, freelancers, and nonprofits due to its ease of use, modularity, and affordability. However, with great flexibility comes great responsibility: securing your Dolibarr installation is not optional—it’s essential.
Whether you are self-hosting Dolibarr or using a cloud instance, improper configurations, outdated systems, or lack of security policies can lead to serious vulnerabilities. Cyberattacks are not just a concern for large corporations—small organizations are often prime targets because they are perceived as easier to breach.
This comprehensive guide outlines best practices and actionable steps to secure your Dolibarr setup in 2025. We will cover security measures for server environments, application-level settings, network protection, user access controls, regular maintenance, and compliance considerations.
Why Securing Dolibarr Matters
Dolibarr handles critical business functions such as customer data, financial records, inventory tracking, and project management. A breach or data loss can result in:
-
Legal liability for compromised customer information
-
Financial losses and operational downtime
-
Reputational damage that affects trust and business continuity
-
Regulatory fines for non-compliance with laws such as GDPR, HIPAA, or PCI-DSS
Taking a proactive approach to security helps prevent these outcomes and builds trust with your clients and users.
Choosing the Right Hosting Environment
1. Use a Secure Hosting Provider
If you are not self-hosting, choose a reliable hosting provider that offers:
-
Dedicated or VPS environments (avoid shared hosting for business-critical applications)
-
Regular backups and snapshots
-
Server-level firewalls
-
DDoS protection
-
Physical and network security audits
Cloud platforms like AWS, DigitalOcean, and OVH offer customizable options to deploy and secure Dolibarr.
2. Harden the Server
If you manage your own server:
-
Use a secure Linux distribution (e.g., Debian, Ubuntu LTS, CentOS Stream)
-
Keep your operating system and packages up to date
-
Disable unnecessary services
-
Implement fail2ban to block brute-force attacks
-
Use UFW or iptables to restrict open ports
Server hardening is your first line of defense.
3. Use HTTPS for All Connections
Always secure your Dolibarr installation with HTTPS using an SSL certificate. Let’s Encrypt offers free certificates, and most hosting panels support automatic renewals.
Benefits of HTTPS:
-
Encrypts data in transit
-
Prevents session hijacking
-
Improves SEO and trust indicators
Securing the Dolibarr Application
4. Keep Dolibarr Updated
Regularly update Dolibarr to the latest stable version. New releases often patch security vulnerabilities and improve code robustness.
If you use modules from Dolistore, ensure they are compatible with your version and are actively maintained.
5. Change Default Paths and Settings
Change default settings that could be exploited:
-
Rename or restrict access to the /install/ directory after setup
-
Use a non-default admin username
-
Set strong, unique passwords
Also configure:
-
Secure email settings (SMTP with TLS/SSL)
-
Timezone and language for accurate logs
6. Configure Permissions Properly
File and folder permissions should be restrictive:
-
PHP files: 644
-
Folders: 755
-
Sensitive files (conf.php): 600 or 640
Disable directory browsing and use .htaccess
files to prevent access to restricted areas.
7. Enable Logging and Audit Trails
Enable Dolibarr’s built-in logging for:
-
Login attempts
-
Module changes
-
User activity
Maintain these logs for a set retention period. Use log rotation tools (like logrotate) to avoid disk space issues.
User Access Control
8. Use Role-Based Access Control (RBAC)
Dolibarr allows you to assign permissions by user role. Define roles based on actual job functions (e.g., sales, finance, warehouse) and apply the principle of least privilege.
-
Avoid giving admin rights to non-admin users
-
Regularly review user access
-
Immediately revoke access when users leave the organization
9. Enforce Strong Password Policies
Dolibarr supports password complexity rules. Ensure that users:
-
Use a minimum of 12 characters
-
Include uppercase, lowercase, numbers, and symbols
-
Change passwords periodically (e.g., every 90 days)
Consider using two-factor authentication (2FA) with plugins available on Dolistore or via reverse proxy integrations.
10. Limit Login Attempts and Monitor Sessions
-
Use fail2ban or a similar tool to block repeated failed login attempts
-
Set session expiration timeouts (e.g., 15 minutes of inactivity)
-
Monitor active sessions and disconnect idle users
Database and Data Security
11. Use Secure Database Configuration
For MySQL/MariaDB:
-
Create a dedicated database user for Dolibarr with limited permissions
-
Disable remote root login
-
Use socket connections or localhost
-
Use strong passwords for database access
12. Encrypt Sensitive Data
Dolibarr stores some information in plaintext. Consider encrypting:
-
Backup files
-
Email logs
-
Configuration files with credentials
At-rest encryption can be achieved using encrypted file systems (e.g., LUKS, VeraCrypt).
13. Backup Regularly and Test Recovery
Automate backups:
-
Daily database dumps
-
Weekly full application backups
-
Off-site storage (S3, Dropbox, FTP server)
Periodically test restoring backups to ensure data integrity.
Network and Perimeter Security
14. Firewall and Port Restrictions
Allow only necessary ports (e.g., 443 for HTTPS, 22 for SSH). Block:
-
Unused services
-
ICMP ping (optional)
-
Access to internal services from public IPs
Use intrusion detection systems (IDS) like Snort or Suricata for advanced protection.
15. Web Application Firewall (WAF)
Deploy a WAF to filter malicious traffic and block:
-
SQL injection
-
Cross-site scripting (XSS)
-
Path traversal attacks
Popular options include:
-
ModSecurity with OWASP rules
-
Cloudflare WAF (for hosted instances)
16. Use Reverse Proxies for Additional Security
Tools like NGINX or Apache as a reverse proxy can:
-
Terminate SSL connections
-
Filter requests before reaching the Dolibarr application
-
Rate limit connections
You can also enforce geo-blocking or country-based access restrictions.
Email and Communication Security
17. Configure Secure SMTP
Avoid using PHP mail(). Configure SMTP with:
-
TLS/SSL encryption
-
Authentication credentials
-
SPF, DKIM, and DMARC records for domain validation
This ensures secure and reliable email delivery.
18. Use Notification Systems for Alerts
Integrate Dolibarr with:
-
Email alerting
-
Slack or Discord (via webhook)
-
SMS for critical failures
This ensures you're immediately aware of anomalies or errors.
Compliance and Data Privacy
19. Align with Data Protection Regulations
Make sure Dolibarr complies with:
-
GDPR (EU)
-
CCPA (California)
-
HIPAA (if dealing with medical data)
Implement:
-
Consent forms for data collection
-
Data minimization practices
-
Right-to-be-forgotten procedures
20. Maintain a Security Policy Document
Create a living document that includes:
-
Password and access policies
-
Backup and recovery strategies
-
Incident response plan
Train all users on security awareness regularly.
Regular Maintenance and Monitoring
21. Schedule Security Audits
Perform routine security audits:
-
Monthly patch management
-
Quarterly vulnerability scans
-
Annual penetration testing
Document findings and remediate promptly.
22. Monitor System Health
Use monitoring tools like:
-
Nagios, Zabbix, or UptimeRobot for uptime and load
-
Logwatch for log monitoring
-
Cron alerts for failed scheduled tasks
Visibility is key to early detection.
23. Use Staging Environment for Testing
Before applying updates or installing new modules, use a staging environment to test compatibility and security impact.
Never update directly on the production system without validation.
Conclusion
Securing Dolibarr in 2025 requires more than just a strong password or regular updates. It’s a holistic process that involves network hardening, application configuration, access control, data protection, and user awareness. While Dolibarr offers flexibility and modularity, that same openness can introduce risks if not properly managed.
By following these best practices, you can ensure your Dolibarr environment remains a secure, compliant, and dependable core of your business operations. Security isn’t a one-time task—it’s a continuous commitment to safeguarding what matters most: your data and your trust.