OpenCart is a popular open-source e-Commerce solution that attracts many retailers with its extensive customization possibilities and ease of use. Since the platform is open-source, its internal code and file layout are available to the public. While that is good for developers, it also means that attackers know OpenCart's structure well and can detect and exploit its security vulnerabilities. Read on to find out how to deal with OpenCart security issues.
Attackers seek to compromise a website and add pages with spam content or inject malicious content into the pages that already exist on a site. They mainly aim at accessing email accounts and stealing sensitive information to misuse it against customers and store owners. Eventually, this leads to a damaged brand reputation and ruined customer trust, which usually take a great deal of time and effort to restore. The resulting financial losses will also harm the online retail business. Nevertheless, you can avoid website breaches and their consequences by implementing basic security practices for an OpenCart store.
OpenCart Security Issues: 1. Delete the Install Folder
The install directory has to be deleted immediately after installation. Otherwise, someone could access the installation folder and relaunch the installer to overwrite the website. To remove the directory, open your FTP client, go to 'Shop' and delete the 'Install' folder. Note that OpenCart warns users in the administration panel if the install folder has not been deleted after setup.
OpenCart Security Issues: 2. Protect Directories
Admin folder
The admin folder provides access to a store's administration, and anyone who gains control of it can edit customer and product information, modify store settings, or steal sensitive data. Thus, it is crucial to protect the admin directory and make it difficult to discover and access. To hack-proof the directory, you should do the following:
Rename the admin folder
First of all, rename the admin folder to an uncommon name like 'nomansland' in order to conceal it from scripts and attackers that target OpenCart's default 'admin' folder specifically.
After the folder is renamed, the new path must be used to reach your admin dashboard. Update the admin/config.php file and replace every instance of 'admin' with the new name, e.g. 'nomansland'. There should be five instances to change.
Finally, the admin login URL will be changed from default ‘www.opencartstore.com/admin’ to ‘www.opencartstore.com/nomansland’.
Use .htaccess & .htpasswd in the admin folder
It's recommended to add additional layers of protection in case attackers discover the location of the admin folder. An .htaccess file lets you block specific traffic from viewing a website. For example, you can allow access to the store's administration only from the admin's IP address and deny everyone else. To do so, open the FTP client, select the folder you want to protect and create a file named .htaccess. Edit it and insert the code below:
Order Deny,Allow
Deny from all
# replace 192.0.2.1 with your administrator's IP address
Allow from 192.0.2.1
Note that it will be applied to all subfolders in the admin directory.
Also, there is an option to password protect an admin directory with .htpasswd file. It will create an additional step of authorization and demand an extra password for the approved administrator to access this directory. It's preferable to do that via cPanel, where you can choose a directory you want to secure with a password and create a user to access it.
Catalog
The catalog can be protected with the same kind of .htaccess file, allowing access exclusively from the admin's IP address. There is no need to secure every file in the catalog, only the most important ones: template, .php and .txt files. This is done through FTP in the same way as for the admin folder. You can use the following code:
<FilesMatch "\.(php|txt|tpl|twig)$">
Order Deny,Allow
Deny from all
# replace 192.0.2.1 with your admin IP; .tpl/.twig as template extensions is an assumption, it varies by OpenCart version
Allow from 192.0.2.1
</FilesMatch>
Take into account that access is blocked only for the specified file types: template, php and txt files.
System folder
Two files in particular need to be protected: logs/error.txt and startup.php. The logs/error.txt file contains valuable information about how the server functions, and attackers can use it to plan a successful breach.
An .htaccess file will keep the system folder's files from being accessed by unauthorized users. Simply insert the code below into an .htaccess file in the system folder:
Order Deny,Allow
Deny from all
# replace 192.0.2.1 with your administrator's IP address
Allow from 192.0.2.1
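The three .htaccess snippets above are Apache 2.2 syntax; Apache 2.4 only honours Order/Deny/Allow when mod_access_compat is loaded and otherwise expects Require. The following helper, added here as an example and not taken from the article or from OpenCart, writes the allow-list for the admin, system and catalog directories in either form; the version argument, the 192.0.2.1 placeholder and the .tpl/.twig template extensions are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or OpenCart: write the IP allow-list
# .htaccess for a store directory. "2.2" emits the Order/Deny/Allow form
# shown in the article (needs mod_access_compat on Apache 2.4); "2.4"
# emits the native Require form. 192.0.2.1 is a documentation placeholder.

# gen_ip_allowlist <2.2|2.4> <admin-ip-or-cidr> [file-regex]
# Prints the directives; with a regex they apply only to matching files
# (the catalog case: templates, .php and .txt rather than everything).
gen_ip_allowlist() {
  version=$1; ip=$2; regex=$3
  [ -n "$ip" ] || { echo "admin IP address required" >&2; return 1; }
  [ -n "$regex" ] && printf '<FilesMatch "%s">\n' "$regex"
  case $version in
    2.2) printf 'Order Deny,Allow\nDeny from all\nAllow from %s\n' "$ip" ;;
    2.4) printf 'Require ip %s\n' "$ip" ;;
    *)   echo "unsupported Apache version: $version" >&2; return 1 ;;
  esac
  [ -n "$regex" ] && printf '</FilesMatch>\n'
  return 0
}

# write_htaccess <dir> <2.2|2.4> <admin-ip> [file-regex]
# Refuses to overwrite an existing .htaccess so hand-written rules survive.
write_htaccess() {
  dir=$1; version=$2; ip=$3; regex=$4
  target="$dir/.htaccess"
  if [ -e "$target" ]; then
    echo "$target already exists; merge the rules by hand" >&2
    return 1
  fi
  if gen_ip_allowlist "$version" "$ip" "$regex" > "$target"; then
    chmod 644 "$target"
  else
    rm -f "$target"; return 1
  fi
}

# Usage from the store root (use the renamed admin directory if you renamed
# it; .tpl/.twig as template extensions is an assumption, check your version):
#   write_htaccess admin   2.4 192.0.2.1
#   write_htaccess system  2.4 192.0.2.1
#   write_htaccess catalog 2.4 192.0.2.1 '\.(php|txt|tpl|twig)$'
```

Whichever form you use, the directives only take effect if the server's AllowOverride setting permits them in .htaccess files.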
OpenCart Security Issues: 3. Set Up File Permissions
You can set appropriate permissions on a range of important files and thus tell the operating system how to handle access requests to them. There are three types of access:
- Read - files will be only displayed to the user
- Write - the user will be able to modify such files
- Execute - the user is allowed to execute files as programs
There are three types of users you can grant permission to:
- User is the owner of the file
- Group is a group of users, e.g. site members
- World is any person connected to the internet, including store visitors
It is recommended to assign 444 or 644 permission types to eliminate chances of file overwriting or malware injection. The first variant (444) allows only reading, while the second (644) provides reading and writing options.
Set these permissions on the following files:
- config.php
- index.php
- admin/config.php
- admin/index.php
- system/startup.php
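The following audit script, added here as an example and not taken from the article or from OpenCart, checks the five files above for the 444/644 modes recommended and applies them; the ADMIN_DIR variable (for a renamed admin folder) and the GNU/BSD stat fallback are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or OpenCart: audit and apply the
# 444/644 modes the article recommends on its five critical files.
# Assumes GNU stat (Linux) with a BSD stat fallback; set ADMIN_DIR if
# you renamed the admin directory as described in section 2.

ADMIN_DIR=${ADMIN_DIR:-admin}
CRITICAL_FILES="config.php index.php $ADMIN_DIR/config.php $ADMIN_DIR/index.php system/startup.php"

# Print a file's mode in octal, e.g. 644
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_opencart_perms <store-root>
# Reports files that are missing or writable beyond the owner; returns 0
# only when every critical file is already 444 or 644.
check_opencart_perms() {
  root=$1; bad=0
  for rel in $CRITICAL_FILES; do
    f="$root/$rel"
    if [ ! -f "$f" ]; then
      echo "MISSING  $f" >&2; bad=1; continue
    fi
    mode=$(file_mode "$f")
    case $mode in
      444|644) ;;  # read-only for group and world: as recommended
      *) echo "INSECURE $f mode=$mode (expected 644 or 444)"; bad=1 ;;
    esac
  done
  return $bad
}

# harden_opencart_perms <store-root> [644|444]
# 644 keeps the owner able to edit; 444 makes the files fully read-only.
harden_opencart_perms() {
  root=$1; mode=${2:-644}
  case $mode in 444|644) ;; *) echo "mode must be 444 or 644" >&2; return 1 ;; esac
  for rel in $CRITICAL_FILES; do
    if [ -f "$root/$rel" ]; then chmod "$mode" "$root/$rel"; fi
  done
  return 0
}
```

Run check_opencart_perms from a cron job or deployment hook so a file that becomes writable again (for example after an extension update) is reported rather than silently left open.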
OpenCart Security Issues: 4. Be Cautious With 3rd Party Plugins
E-Commerce retailers often install various plugins and modules to expand the functionality of their stores. Third-party add-ons can cause OpenCart security issues since they may contain accidental or deliberate vulnerabilities. Attackers sometimes create new open-source plugins, or modify existing ones, in order to compromise the websites that install them. Thus, users have to be especially cautious with 3rd party extensions and avoid software of dubious origin.
Attackers prefer easy targets and go after poorly protected, vulnerable websites. Implementing these basic but effective measures will help hack-proof a store and avoid the negative outcomes of a security breach. Find more information on how to secure your OpenCart store in this guide.
If you are willing to use OpenCart platform for developing a highly lucrative online business, Cart2Cart offers an automated service for seamless migration to OpenCart. It allows you to transfer numerous entities like products, categories, customers, images, manufacturers, etc., accurately and securely.
Try out an absolutely Free Demo Migration to evaluate the advantages of an automated data import and test the look and functionality of a new OpenCart store.
Comment by Sophia Brown
Hello!! Almost every point in your article is very informative, I loved your article. Reading your article, I got to know many new things.
Comment by Livingstone
Hello, thanks for the tips.
I want to ask, how can one using dynamic data networks implement the code below without problems?
Order Deny,Allow
Deny from all
Allow from "admin ip address"
Is there a way of implementing it without locking out the admin from the site when admin IP changes?
Thanks.
Comment by Raul Moscardo Ferrando
Great, thanks a lot for explaining this question.
Comment by Natalia Bohdanets
It’s a pleasure for us to bring our readers the most actual eCommerce-related info. Stay with us!
Comment by Zahid
Very descriptive and informative article describing the security breaches that can be avoided with some simple methods added to the back end of a store front.
Thanks for sharing. Keep up the good work.