Securing Your Dolibarr Production Instance
Security best practices to protect your Dolibarr ERP: backups, updates, access management and monitoring.

HTTPS and web server security
The first step to securing your Dolibarr is to properly configure the web server that hosts it. Using the HTTPS protocol is absolutely essential, even on an internal network. A free SSL/TLS certificate from Let's Encrypt can be installed in minutes with Certbot. Also configure the recommended HTTP security headers: HSTS to enforce encrypted connections, CSP to prevent script injection, and X-Frame-Options to prevent clickjacking.
- Install an SSL/TLS certificate (Let's Encrypt for a free certificate)
- Configure HSTS header to enforce HTTPS connections
- Enable CSP, X-Frame-Options and X-Content-Type-Options headers
- Disable unnecessary HTTP methods (TRACE, OPTIONS)
- Configure a firewall (iptables or ufw) to limit access
- Hide web server version information (Apache/Nginx)
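The checklist above can be verified from the outside rather than by reading configuration files. The script below is an added example written for this article (it is not part of Dolibarr or of the author's material): it reads a raw HTTP response header block and reports which of the recommended headers are missing, whether the Server header still leaks a version number, and whether TRACE is advertised. Both header blocks are constructed samples, and the host `erp.example.test` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this article (not code from Dolibarr or the article's author):
# audit a captured HTTP response for the headers the section recommends.
# Both header blocks below are constructed; erp.example.test is a placeholder host.

REQUIRED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options"

# What a default Apache vhost often returns: version leaked, TRACE advertised,
# only X-Frame-Options set.
WEAK_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:00:00 GMT
Server: Apache/2.4.57 (Debian)
X-Frame-Options: SAMEORIGIN
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Type: text/html; charset=UTF-8
EOF
)

# The same vhost after hardening (ServerTokens Prod, TraceEnable off, headers added).
HARDENED_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
EOF
)

# audit_headers: read raw response headers on stdin, print one finding per line,
# exit 0 only when there is nothing to report. Header names are matched
# case-insensitively because HTTP header names are.
audit_headers() {
    hdrs=$(cat)
    findings=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "MISSING $h"
            findings=$((findings + 1))
        fi
    done
    # "Server: Apache/2.4.57" pins the exact version for anyone fingerprinting the host
    if printf '%s\n' "$hdrs" | grep -qiE '^Server:.*[0-9]+\.[0-9]+'; then
        echo "LEAK Server header reveals software version"
        findings=$((findings + 1))
    fi
    # TRACE echoes the request back, cookies included; it should be disabled
    if printf '%s\n' "$hdrs" | grep -qiE '^Allow:.*[ ,]TRACE([ ,]|$)'; then
        echo "ENABLED TRACE method advertised in Allow"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# count_findings HEADER_BLOCK: number of findings, convenient for scripted checks.
count_findings() {
    printf '%s\n' "$1" | audit_headers | wc -l | tr -d ' '
}

# Live use against your own instance:
#   curl -sI https://erp.example.test/ | audit_headers
```

On Apache the fixes map to `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` (and the equivalent `Header always set` lines for the other three headers), `TraceEnable off` and `ServerTokens Prod`; on Nginx to `add_header` directives and `server_tokens off`. Run the audit again after each change until it reports nothing.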
User permission management
Dolibarr offers a very granular permission system that allows fine-grained control of each user's access. The fundamental principle is least privilege: each user should only have access to the features strictly necessary for their role. Create permission groups corresponding to the different profiles in your organization (accountant, sales, management, administrator) and assign users to groups rather than managing permissions individually.
- Apply the principle of least privilege for each user
- Create permission groups by role (accountant, sales, management)
- Limit the number of administrator accounts to the strict minimum
- Disable accounts of employees who leave the company
- Regularly audit assigned permissions
- Use LDAP or SSO authentication to centralize access management
Robust backup strategy
A solid backup strategy is your best insurance against data loss. For Dolibarr, you need to back up two elements: the MySQL/MariaDB database and the uploaded documents directory. Set up an automatic daily backup with a tool like mysqldump for the database and rsync for files. Keep at least 30 days of history and store backups on remote media (remote server, cloud or dedicated NAS).
- Automatic daily backup of the database (mysqldump)
- Daily backup of Dolibarr's documents/ directory
- Keep at least 30 days of backup history
- Store backups on remote media (cloud, NAS, remote server)
- Regularly test backup restoration (at least quarterly)
- Encrypt backups containing sensitive data
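The six points above fit in one cron job. The script below is an added example written for this article, not a backup script shipped with Dolibarr: it dumps the database, mirrors the documents/ directory with rsync, encrypts the dump with GPG, keeps 30 days of history and pushes everything off-site. The database name, paths, remote target and GPG recipient are placeholders to adjust; mysqldump, rsync and gpg are assumed to be installed, and the date arithmetic uses GNU coreutils.

```shell
#!/bin/sh
# Added example for this article (not a script shipped with Dolibarr): daily backup
# of the database and documents/ directory with 30-day retention and GPG encryption.
# All names below are placeholders; override them through the environment.
DOLIBARR_DB="${DOLIBARR_DB:-dolibarr}"
DOLIBARR_DOCS="${DOLIBARR_DOCS:-/var/www/dolibarr/documents}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/dolibarr}"
REMOTE="${REMOTE:-backup@nas.example.test:/volume1/dolibarr}"   # placeholder off-site target
GPG_RECIPIENT="${GPG_RECIPIENT:-backups@example.test}"           # placeholder key id
RETENTION_DAYS=30

# backup_name DATE: common prefix for both artifacts; ISO dates sort lexically,
# which is what the retention logic relies on.
backup_name() { printf 'dolibarr-%s' "$1"; }

# dump_database DATE: mysqldump reads its credentials from ~/.my.cnf (never pass
# them on the command line, they would show up in `ps`). The dump is gzipped and
# encrypted so a copy stolen from the NAS is useless without the private key.
dump_database() {
    mysqldump --single-transaction --routines "$DOLIBARR_DB" \
        | gzip -9 \
        | gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" \
              -o "$BACKUP_DIR/$(backup_name "$1").sql.gz.gpg"
}

# sync_documents DATE: uploaded PDFs and attachments. --link-dest hard-links files
# unchanged since the previous day's copy, so 30 daily copies cost little disk.
# (paths without spaces assumed for the unquoted $linkopt)
sync_documents() {
    prev=$(ls -1d "$BACKUP_DIR"/dolibarr-*-documents 2>/dev/null | tail -n 1)
    linkopt=""
    [ -n "$prev" ] && linkopt="--link-dest=$prev"
    rsync -a --delete $linkopt "$DOLIBARR_DOCS/" \
        "$BACKUP_DIR/$(backup_name "$1")-documents/"
}

# prune_old_backups DIR CUTOFF_DATE: delete artifacts whose YYYY-MM-DD (taken from
# the file name, not the mtime, which a restore or copy would reset) sorts before
# CUTOFF_DATE. Prints the number of artifacts removed.
prune_old_backups() {
    removed=0
    for f in "$1"/dolibarr-????-??-??*; do
        [ -e "$f" ] || continue
        d=$(basename "$f" | cut -c10-19)     # "dolibarr-" is 9 characters, then the date
        if [ "$(expr "$d" \< "$2")" = 1 ]; then
            rm -rf "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# run_backup: the daily entry point, e.g. cron "0 2 * * * /usr/local/bin/dolibarr-backup.sh run"
run_backup() {
    today=$(date +%F)
    cutoff=$(date -d "$RETENTION_DAYS days ago" +%F)    # GNU date; BSD: date -v-30d +%F
    mkdir -p "$BACKUP_DIR"
    dump_database "$today"
    sync_documents "$today"
    prune_old_backups "$BACKUP_DIR" "$cutoff"
    # Off-site copy: ransomware on the ERP host must not be able to reach the only backup.
    # Drop --delete here if you want the remote side to keep a longer history.
    rsync -a --delete "$BACKUP_DIR/" "$REMOTE/"
}

# Only run the real backup when asked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    run_backup
fi
```

The quarterly restore test from the checklist is the part no script replaces: decrypt a dump with `gpg --decrypt`, load it into a scratch database, point a staging Dolibarr at it together with the matching documents copy, and confirm that invoices and attachments open.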
Update management
Keeping your Dolibarr up to date is essential to benefit from security fixes. Minor updates (e.g., 19.0.1 to 19.0.2) generally contain bug and vulnerability fixes and should be applied quickly. Major updates (e.g., 18 to 19) bring new features but require more preparation. In all cases, always test the update on a staging environment before applying it to production.
- Monitor security announcements on the official Dolibarr website
- Apply security updates within 48 hours of their release
- Test each update on a staging environment
- Systematically back up before each update
- Also update installed third-party modules
- Keep the web server, PHP and MySQL/MariaDB up to date
Monitoring and surveillance
Active monitoring of your Dolibarr instance allows rapid detection of intrusion attempts and abnormal behavior. Enable access and error logs on your web server and analyze them regularly. Dolibarr has an internal audit log that records user actions: check it periodically to verify there is no suspicious activity. Going further, tools like Fail2Ban can automatically block IP addresses that make multiple failed connection attempts.
- Enable and analyze web server access and error logs
- Regularly check Dolibarr's audit log
- Install Fail2Ban to block brute-force attempts
- Configure alerts for connections from unusual IPs
- Monitor disk space and server performance
- Set up a monitoring tool like Uptime Robot or Zabbix
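Analyzing the web server access log for brute-force attempts, as the section recommends, comes down to counting login POSTs per source address. The script below is an added example written for this article (not part of Dolibarr or of Fail2Ban): it reads a combined-format Apache/Nginx access log and lists the addresses that exceed a threshold. It assumes the login form posts to `/index.php` (set `LOGIN_PATH` if your instance lives under a sub-path); the log lines are constructed, using documentation IP ranges, and their status codes carry no meaning beyond the sample.

```shell
#!/bin/sh
# Added example for this article (not code from Dolibarr or Fail2Ban): find source
# addresses that hammer the login form in a combined-format access log.
# Assumption: the Dolibarr login form posts to /index.php; adjust LOGIN_PATH otherwise.
LOGIN_PATH="${LOGIN_PATH:-/index.php}"

# Constructed sample log (documentation IP ranges): 198.51.100.7 sends six login
# POSTs in ninety seconds, 203.0.113.9 logs in once like a normal user.
SAMPLE_LOG=$(cat <<'EOF'
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:20 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:31 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:45 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
)

# login_attempts_per_ip LOGFILE: print "count ip" for every address that POSTed to
# the login path, busiest first. In the combined format the request line is split
# by awk into $6 (method, with the opening quote) and $7 (path).
login_attempts_per_ip() {
    awk -v path="$LOGIN_PATH" '
        $6 == "\"POST" && $7 == path { n[$1]++ }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# flag_bruteforce LOGFILE THRESHOLD: only the addresses at or above THRESHOLD attempts.
flag_bruteforce() {
    login_attempts_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# sample_log_file: write the constructed sample to a temporary file so the functions
# are exercised with a path, exactly as they would be with /var/log/apache2/access.log.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Daily use: flag_bruteforce /var/log/apache2/access.log 20
```

This is the batch form of what Fail2Ban does continuously: its filter expresses the same criterion as a `failregex` with a `<HOST>` capture, and the jail's `maxretry` and `findtime` play the role of the threshold here. Before blocking anything, compare flagged addresses against your own office and VPN ranges, which is also where the "alerts for connections from unusual IPs" item starts.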
GDPR compliance
If your company processes data of European citizens, GDPR compliance is a legal obligation. Dolibarr integrates features that facilitate this compliance. The consent module allows managing contact consents. The right to be forgotten can be implemented via client record anonymization. Audit logs provide the traceability required by the regulation. Document your data processing and designate a GDPR officer within your organization.
- Enable the consent management module for contacts
- Set up an anonymization procedure for the right to be forgotten
- Document personal data processing in a register
- Configure data retention periods according to legal obligations
- Limit access to personal data to authorized users only
- Train teams on data protection best practices
Recommended security modules
The Dolibarr ecosystem offers several modules that enhance your instance security. The two-factor authentication (2FA) module adds an extra layer of protection during login. The IP restriction module allows limiting Dolibarr access to specific IP addresses only. The advanced audit module provides detailed reports on user actions. Finally, the attachment encryption module protects sensitive documents stored in Dolibarr.
- 2FA module: two-factor authentication for all users
- IP restriction module: access limitation by IP address
- Advanced audit module: detailed reports on user activity
- Encryption module: protection of sensitive documents and attachments
- Password policy module: complexity rules and renewal
Need help with Dolibarr?
Our team of Dolibarr experts is available to support you in your projects: implementation, migration, custom module development and training.