Best Practices for OpenCart Website Security
OpenCart is taking the e-commerce world by surprise, growing to become one of the most secure e-commerce platforms and also one of the most recently used. Although OpenCart security has been widely acknowledged, it is still recommended that these four steps be followed for the security of an OpenCart e-commece store.
1. Rename the OpenCart admin directory
By default, the OpenCart’s admin login page is at http://yourURL/admin/. This makes it quite easy for someone to start trying to get into the admin console. You can change this in a few, relatively easy steps: Start by opening /admin/config.php in a text editor and changing anything that says /admin/ to a unique name of your choice.
To make the admin folder unknown to outsiders, you will have to do two things.
The first is to rename the /admin/ folder to a more uncommon name, such as /private/. Next, edit the file /admin/config.php and replace the folder name admin with private (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change. E.g. change define(‘HTTP_SERVER’, ‘http://www.yourdomain.com/admin/’); to define(‘HTTP_SERVER’, ‘http://www.domain.com/private/’);
The second will be to password protect your admin folder with htpasswd. If you’re on cPanel web hosting, then you can do this easily with the Password Protect Directories feature. This method will require you to login twice, but it’s well worth it.
2. Secure The /system/ Folder
If you have installed OpenCart in a unique folder, then go to http://www.yourdomain.com/system and use the .htaccess file to secure yout OpenCart installation. If you installed in our root directory, just go to http://www.yourdomain.com/system/l to create a .htaccess file and input the following code:
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
Then put that .htaccess file in the following 2 directories:
/system/
/system/logs/
3. Secure The /catalog/ Folder
This folder contains your images, Javascript files, and template files. Anything other than that should not be served, but that’s not the case. Just look at http://www.yourdomain.com/catalog/controller/account/address.php. You can see that the file is still being attempted to run, which poses a security risk. Either a malicious user can get more clues about your system from these error codes, or if the malicious user can find a way to upload his own malicious PHP file, then your whole system could be at jeopardy.
The solution is to put a .htaccess file in the /catalog/ folder with the following code:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /404.html [NC]
This way, anything other than the allowed file types of jpg, jpeg, png, gif, css, and js are blocked. So whenever someone or something accesses any prohibited file types (such as PHP), they’ll be redirected to the 404.html file.
4. Secure The /image/ Folder
As above, the /image/ folder requires protection as well, and you need a similar .htaccess file to achieve this. Create another .htaccess file in your /image/ folder with this code:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /404.html [NC]
Passwords must be at least 10 characters in length.
Passwords should include at least two alphabetical characters.
Passwords should yse both lower-case and upper-case letters.
Passwords should have at least two numerical digits.<br />
Passwords should have at least two special characters (such as &amp; ^ % * $).
Passwords should not include any words in the dictionary or any commonly-used IT login names (ex: administrator, dba, admin).
Passwords shouldn’t have use personal information (such as names or birth-dates).
Other important password-related best practices include:
Never use the same password for different accounts.
Make sure not to store your passwords on your computer, or even on the cloud
Always make immediate changes to passwords after outside developers or third-parties finish their work.
5. Enable SSL for Admin
Data sent back and forth from the Admin Panel is not encrypted by default. Enabling SSL/HTTPS protocol will ensure that information like admin user passwords and customer transaction details are safe from interference during transmission.
6. Enable SSL for your storefront
It is recommended that you enable encryption for your online store itself. This can be done by going to: System Settings, Edit for the default store. Under the Server tab, set Use SSL to Yes and hit Save.
These six steps can make a huge difference in improving the security of your OpenCart store.