The state of PrestaShop stores in 2026: what we learned scanning 130 of them

Rafa Pastor — Thu, 23 Apr 2026 14:11:47 +0000

A few weeks ago we shipped a free audit scanner for PrestaShop stores — 21 checks
across security, SEO, performance, platform hygiene, and internationalization. Before promoting it, we wanted to know:
where does the average PrestaShop store actually stand?

So we pulled 174 real stores from BuiltWith's public PrestaShop lists across Spain, France, Italy, Southern Europe,

and the global tier. 130 of them responded to the scan (the other 44 blocked bots, had expired certs, or were dev
environments). Here's what we found.

The headline

Median global score: 50 / 100. Only 2 stores out of 130 cleared 75. Thirty-nine percent scored under 45 (the
red zone).

That's not a "few outliers drag the average down" story. That's the whole market.

The dataset isn't small-shop cherry-pick either — it includes stores from Repsol, Auchan, Michelin, Penguin Libros,
Pathé, Kickers, bpifrance, ADEME, Curie, CNES, and the PrestaShop project itself. Enterprise-grade brands. Still
mid-pack.

Methodology

Source: BuiltWith Trends public lists (trends.builtwith.com/websitelist/PrestaShop/...), 5 geographies, top stores by traffic.
Deduped across overlapping country buckets → 174 unique domains.
Scans ran from Cloudflare Workers, server-side only. No third-party browser instrumentation. Core Web Vitals come from Google's public PageSpeed Insights API (lab + field data when available).
21 checks per store: HTTPS, HSTS, CSP, X-Content-Type, X-Frame-Options, Referrer-Policy, PrestaShop detection & version, meta title, meta description, Open Graph, canonical, structured data, hreflang, multilingual, language switcher, sitemap, LCP, CLS, FCP, and presence of a chatbot module.
Emails harvested from homepage + /contact style pages via regex (yes, there's a CSV; no, we're not spamming it — the scanner CTA just points to sales@smart-shop-ai.com).

Category breakdown

Median score per category, across all 130 scans:

Category	Median	What this means
SEO	60	The best-performing area. Titles and canonical tags are handled; structured data is not.
PrestaShop hygiene	53	Most stores expose their PS version. Some still run 1.7.
Security	48	HTTPS is universal, but the header stack above TLS is usually absent.
Performance	45	Mobile PageSpeed median is 48. Over half of stores ship slower than 50.
i18n	0	Almost nobody declares hreflang or ships a proper multilingual setup, even stores visibly serving multiple countries.

The top failures (sorted by how common they are)

Check	Stores failing or warning	%
Rich Search Results (structured data / JSON-LD)	128 / 130	98.5%
Largest Contentful Paint	124 / 130	95.4%
First Contentful Paint	124 / 130	95.4%
AI shopping assistant present	105 / 130	80.8%
Content-Security-Policy	97 / 130	74.6%
X-Content-Type-Options	80 / 130	61.5%
Open Graph tags	80 / 130	61.5%
Meta description	75 / 130	57.7%
HSTS	70 / 130	53.8%
X-Frame-Options	68 / 130	52.3%
Sitemap.xml	67 / 130	51.5%
Canonical URL	66 / 130	50.8%

A few of these deserve comment.

Structured data is the silent killer

98.5% of stores don't emit proper JSON-LD for products. Google's product rich results — price, availability, star

ratings in the SERP — depend on it. Without it your listings render as a plain blue link next to competitors showing
stars and a €. In 2026 that's leaving free conversions on the table.

PrestaShop's default theme (classic) ships some microdata, but it's old schema.org syntax that Google increasingly
deprioritizes. Only 2 stores in the dataset had modern product-level JSON-LD we could parse.

Core Web Vitals are a massacre

95% of stores fail LCP and FCP. Median PageSpeed performance is 48/100, and 53% of stores score below 50. Causes

we see repeatedly:

Unoptimized hero images (no <picture>, no WebP, no explicit dimensions → layout shift)
Blocking third-party scripts in <head> (chat widgets, analytics, Cookiebot)
PrestaShop's combine-compress-cache toggle turned off in Performance settings
No HTTP/2 server push or preload hints

None of these are hard to fix. Most of them take 30 minutes. Yet they're universal.

CSP is missing everywhere

74.6% of stores serve zero Content-Security-Policy. That's the one header that blocks script injection even if your

admin gets compromised. It takes one line in .htaccess:

  Header set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:; object-src
  'none'"

Start in report-only mode, watch the console for a week, tighten, deploy. Two hours of work, full mitigation.

The chatbot gap

80.8% of stores have no chat at all. Of the 11.5% that do, most ship Zendesk Chat or Tawk.to — support tools,
not commerce assistants. Only a handful ship actual AI product advisors. (We build one of these, so take the
observation with the appropriate grain of salt, but the raw number is what it is.)

What's actually installed: the module leaderboard

Across 130 stores, these were the most commonly detected PrestaShop modules:

Google Sitemap — 85 installs
Share Buttons — 70
Email Subscription — 68
PrestaShop Checkout (the official payment aggregator) — 55
PayPal — 54
PS Google Analytics — 46
Stripe — 24
Brevo (formerly Sendinblue) — 23
Klarna — 14
Page Cache — 14
Zendesk Chat — 13
Mollie — 10
Redsys — 9 (Spain-only, makes sense)
Pretty URLs — 8
Google Analytics (legacy) — 8

The tell: 85 stores have the Google Sitemap module installed. But only 63 actually serve a valid sitemap.xml.

Installing ≠ configuring.

Themes

Theme fragmentation is severe. Out of stores where we could identify the theme, the top 10 was:

classic — 11 (default)
warehouse — 8
warehousechild — 5
classic-rocket — 4
ZOneTheme — 4
miin_ecco_bella — 4
sleedex-jdsports — 2
Various custom one-offs — the rest

That's a lot of custom builds. Custom themes are also where Core Web Vitals regressions usually live (untested image

pipelines, inlined stylesheets, fonts loaded without display:swap). The data seems to agree.

What a merchant should actually do, in priority order

If you run a PrestaShop store and want to pick only three fixes:

Fix LCP and FCP. Enable combine-compress-cache in Advanced Parameters → Performance. Switch hero image to WebP with explicit width/height. Defer all non-critical JS. You'll typically gain 20–30 PageSpeed points in a single afternoon.
Add Rich Snippets via a JSON-LD module (there are several free ones in Addons) or via a theme override. One hour of work, potentially meaningful SERP click-through lift within 2–4 weeks.
Add the security headers. Three lines in .htaccess for HSTS, X-Content-Type-Options, X-Frame-Options. Add CSP in report-only mode and iterate. One line each, done forever.

If you want the full list for your own store, it's free — scan it. No account

required.

Caveats

44 of 174 stores timed out, 403'd, or returned non-HTML to our scanner. Those are missing from the dataset. The real distribution is probably even skewed — stores with good perimeter defenses are overrepresented in the "unreachable" bucket.
Some BuiltWith-listed stores actually run a non-PrestaShop frontend and proxy to a PS backend. Our scanner flags these as "not confirmed PrestaShop" (73.1% of our dataset confirms as PS; the rest might be running a WordPress/Next.js layer over a PS admin).
Field performance data only exists for stores with enough Chrome UX Report traffic. Smaller shops fall back to lab data only.

Raw data

If you want to reproduce or extend: the scanner is at audit.smart-shop-ai.com. The
dataset files and analysis script live on the repo (private for now, will open-source the scoring once the baseline
stabilizes).

If you run a PrestaShop store and this post made you uncomfortable, that's the intended effect. Scan yours and fix the
top three. Two hours of work changes the score from 50 to 75.

This analysis was run on 2026-04-18 with SmartShop Audit. Methodology, dataset counts, and check definitions are

reproducible with a single curl against https://audit.smart-shop-ai.com/api/scan.

DEV Community: SmartShop AI