Securing Your Dolibarr Instance: Best Practices and Recommendations
   03/04/2025 00:00:00     Dolibarr    0 Comments
Securing Your Dolibarr Instance: Best Practices and Recommendations

Dolibarr is an open-source ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management) solution, widely used by businesses to manage their clients, accounting, inventory, and many other aspects of their operations. However, like any centralized management system, it is vulnerable to security risks if not properly protected.

In this article, we will explore the best practices and recommendations to enhance the security of your Dolibarr instance, protect your sensitive data, and ensure a safe and reliable ERP system.

1. Keep Dolibarr Updated

One of the most common security mistakes is neglecting software updates. Dolibarr frequently receives security patches, performance improvements, and new features.

Why is this important?

  • Each update fixes potential vulnerabilities.
  • Known security flaws in older versions can be exploited by attackers.
  • Modules and extensions need to be compatible with the latest version to avoid security risks.

Best practices

  • Monitor new releases on the official Dolibarr website.
  • Test updates in a pre-production environment before deploying them to production.
  • Back up your data before any update to prevent data loss in case of issues.

2. Secure Access to Dolibarr

Use Strong Passwords

Many security breaches result from weak passwords. Here are some recommendations:

  • Use a long password (at least 12 characters) with uppercase and lowercase letters, numbers, and special characters.
  • Never use simple passwords like "admin123" or "dolibarr".
  • Enable two-factor authentication (2FA) if possible.

Restrict Access to Sensitive Files

Some Dolibarr files and directories should not be publicly accessible. Here’s what you should do:

  • Disable access to the /install/ directory after installation.
  • Protect the conf.php configuration file by setting proper permissions (chmod 400).
  • Restrict access to the .htaccess file to prevent directory listing.

Limit Logins by IP Address

If your company uses Dolibarr internally, you can restrict access to specific IP addresses by configuring the .htaccess file or your firewall.

3. Enable HTTPS Encryption

A website accessible via HTTP transmits data in plain text, making it vulnerable to Man-in-the-Middle (MITM) attacks.

How to Secure Dolibarr with HTTPS?

  1. Install an SSL certificate on your server (Let’s Encrypt, Sectigo, etc.).
  2. Force HTTPS usage by modifying Dolibarr’s configuration file (conf.php):
    php
    $dolibarr_main_force_https = 1;
  3. Configure automatic redirection from HTTP to HTTPS using the .htaccess file:
    apache
    RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
  4. Verify your SSL certificate using tools like SSL Labs to ensure it is properly configured.

4. Manage Users and Permissions

Dolibarr allows for user role management and permissions configuration. Limiting access based on roles ensures better security.

Best Practices for User Management

  • Assign minimal permissions: Each user should only have access to the functionalities they need.
  • Disable inactive accounts to prevent unauthorized access.
  • Regularly update passwords for users with high-level access (administrators, accountants, etc.).
  • Enable audit logs to track logins and detect suspicious activities.

5. Protect the Database

Dolibarr’s database contains critical information such as client data, invoices, and orders. Unauthorized access could have severe consequences.

Steps to Secure the Database

  • Use a strong password for the MySQL/MariaDB database user.
  • Avoid using the root user for Dolibarr; create a dedicated user with limited privileges.
  • Restrict database access to authorized IP addresses only.
  • Perform regular backups and store them securely.

6. Perform Regular Backups

A solid backup strategy allows for quick recovery in case of an attack or server failure.

Backup Best Practices

  • Schedule automatic backups of the database and Dolibarr files.
  • Store backups on an external server or a secure cloud service (Google Drive, AWS, etc.).
  • Test backups regularly to ensure they can be restored properly.

7. Monitor and Detect Suspicious Activities

Implementing a monitoring system helps quickly identify intrusion attempts and malicious activities.

Recommended Tools

  • Fail2Ban: Blocks IP addresses after multiple failed login attempts.
  • Web Application Firewall (WAF): Protects against XSS and SQL Injection attacks.
  • Apache/Nginx Access Logs: Helps track suspicious requests.
  • Dolibarr Audit Logs: Enables monitoring of user activities to detect unusual behavior.

Conclusion

Securing Dolibarr is essential to protect sensitive data and prevent cyberattacks. By applying these best practices – regular updates, HTTPS configuration, permission management, database security, and an effective backup strategy – you ensure a safe and reliable environment for your business.

Additionally, user training is crucial: Educate your team on security best practices and ensure that everyone follows these recommendations daily

Comments

Log in or register to post comments