How to increase the security of Odoo ?

August Doo

Hi community, I've been using Odoo v8 for a while, and recently when I read the log and found it was under serious attack. I used Cloudflare which I don't know much and just noticed when Cloudflare is turned on, I can't edit my website. I know it is recommened to install Nginx ans SSL certificate. Is that the only solution? Will that affect editing website? What's your suggestion to increase the security of Odoo? Cheers

1 Answer
Best Answer

From our vast experience on Odoo implementations so far, we suggest following steps to secure your Odoo.

  • Set private ssh key for your Odoo server.

  • Start your Odoo in SSL mode.

  • Install Nginx in your Ubuntu Server.

  • Stop access of all unnecessary ports from firewall of your Ubuntu Server.

  • Set proper data access rights & access rules into your Odoo instance.

  • Set proper authentication method for your PostgreSQL database user.

  • Set tricky password for PostgreSQL user.

  • Apply encryption on Database and Odoo user passwords.

  • Set Tricky password for Super Admin.

  • Request all your ERP users to set difficult password.

  • Give FTP access for your ERP users and don't allow them to create files out of their directory on your Ubuntu Server.

  • Set proper access rights on your custom addons and default Odoo addons via chmod and chown commands.

  • Have a look on /var/log/postgresql/postgresql-9.1-main.log file for malware attack on your database.

  • Manage your Odoo log file properly.

  • Transfer database & custom addons backup to remote place at frequent amount of time.

  • Change and set tricky password for detault postgres user in your database server.

  • Stop xmlrpc if you don't want your ERP to connect from 3rd party systems. ( set xmlrpc=False in your config file )

  • Remove "Manage Database" link from home page of your live Odoo instance. ( it's suggestion only )

  • Ignore installation of Odoo where multiple other websites are hosted.

  • We highly recommend to ignore creation of any kind of demo database in Live Odoo instance. 

  • Ignore to host your Odoo in Web hosting servers, always host Odoo in trusted VPS sites. ( Amazon, Raskspace, DigitalOcen, Myhosting etc..)

  • Monitor Incoming and outgoing TCP/IP traffics in your Ubuntu Server.  Few of our customers for whom we have implemented Odoo for more then 150+ users, they hired their own server administrator to monitor incoming and outgoing TCP/IP traffics. ( Visit this link )

  • Never give full access of your server to your Odoo service providers, always give them folder access of their own custom addons with their separate user. ( It's advisable to not share root user password to anyone. )

  • If customer can afford healthy cost, we always suggest them to set up their own in-house hosting server instead of VPS.

You can direct ask any Odoo related problem to us via a tweet. Tweet us to @EmiproTech 


Very good list and arguments. I'd like to argue about the fact from an in-house hosting server though. Why would that be better than a VPS that usually has a lot of pre-configgured security measures?

Off course VPS is good choice but for highly secured data and in big projects our customers prefers their own server instead of VPS. Another problem we have observed is some cheapest VPS gets shutdown automatically so Odoo automatic processes gets disturbed..

August Doo

many thanks for such a good synthesis, voted!

Thanks @August & @Yenthe

Tarek Mohamed Ibrahim

I think that this question and answer is eligible to be added to the standard odoo documentation.

The clue is to never go with very cheap VPS'es, they have poor performance and poor uptimes. :) But really a +1 for this great list!

@Yenthe, Please write in a note ( I will sign on that note ) "In near by future Odoo will face 2 mejor issues Server security and Database performance issues & Speed optimization issues." Emipro is very much sincere and we have started our thinking in those direction

Axel Mendoza

Very good security list, just add that SFTP is more secured than FTP and you could find scriptable solutions out there or customize your own based on paramiko like I did with