Friday, June 22, 2012

How To Secure / Protect Your OpenCart E Commerce Website ( Fix security in open cart as much as possible )

OpenCart, the most customizable shopping cart ever created, is not inherently secure, and the fact that it is open-source (everyone can read its internal code and learn its file/folder structure) makes it even more susceptible to attacks. Here are several methods to secure your OpenCart website.



Essential Steps To Do After Installation

  1. Immediately delete the /install/ directory
  2. chmod the config.php file in both the root and /admin/ directories to 444

Creating A Proper 404 Error Page

Create a file named 404.html in your store root (this is the base directory of your OpenCart store). You can put anything in the file. This file will be served to anyone who tries to access something inappropriately.

Securing The /admin/ Folder

  1. To obscure the /admin/ folder, rename it to a more uncommon name, such as /hahaha/. Next, edit the file /admin/config.php and replace the folder name admin with hahaha (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change. E.g. change define('HTTP_SERVER', 'http://www.yourdomain.com/admin/'); to define('HTTP_SERVER', 'http://www.plastictravelbottles.com/hahaha/');
  2. Password protect your admin folder with htpasswd. If you’re on cPanel web hosting, then you can do this easily with the Password Protect Directories feature. This method will require you to login twice, but it’s well worth it.

Securing The /system/ Folder

Certain files are wide-open by default. If you have installed OpenCart in your root directory, just go to http://www.yourdomain.com/system/logs/error.log and you should be able to download your error log, even as an anonymous public visitor. You should protect these files, so create a .htaccess with the following code:

Order Deny,Allow
Deny from all

Then put that .htaccess file in the following 2 directories:
  1. /system/
  2. /system/logs/

Securing The /catalog/ Folder

This folder contains your images, JavaScript files, and template files. Anything other than that should not be served, but that's not the case. Just look at http://www.yourdomain.com/catalog/controller/account/address.php. You can see that the file is still being attempted to run, which poses a security risk. Either a malicious user can get more clues about your system from these error messages, or if the malicious user can find a way to upload his own malicious PHP file, then your whole system could be in jeopardy.

The solution is to put a .htaccess file (we really love .htaccess) in the /catalog/ folder with the following code:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /404.html [NC]

This way, anything other than the allowed file types of jpg, jpeg, png, gif, css, and js is blocked. So whenever someone or something accesses any prohibited file type (such as PHP), they'll be served the 404.html file that you created in the first step of this tutorial.

Securing The /image/ Folder

As above, the /image/ folder requires protection as well, and you need a similar .htaccess file to achieve this. Create another .htaccess file in your /image/ folder with this code:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /404.html [NC]

Note: If you use other file types in your /catalog/ or /image/ directories such as .swf or .flv, then you have to add another RewriteCond line to the .htaccess for that specific file extension.
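To check that every step above is actually in place on the server, here is an added audit script (written for this post, not part of OpenCart). It assumes you run it on the web server against the store's root directory, optionally passing the new name of the renamed admin folder, and it reports one PASS/FAIL line per item:

```shell
# Hypothetical audit of the hardening steps in this post (not OpenCart code).
# Usage on the server:  sh audit.sh /path/to/store/root [renamed-admin-dir]
# Prints PASS/FAIL per item; exit status is the number of failed checks.
check_hardening() {
  root="$1"; admin="${2:-admin}"; fails=0
  ok()  { echo "PASS: $1"; }
  bad() { echo "FAIL: $1"; fails=$((fails + 1)); }

  # 1. the installer must be gone
  if [ -e "$root/install" ]; then bad "/install/ still present"
  else ok "/install/ removed"; fi

  # 2. config.php in the root and in the admin folder must be mode 444
  for f in config.php "$admin/config.php"; do
    if [ ! -f "$root/$f" ]; then bad "$f missing"; continue; fi
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$root/$f" 2>/dev/null || stat -f %Lp "$root/$f")
    case "$mode" in
      444) ok "$f is mode 444" ;;
      *)   bad "$f is mode $mode, expected 444" ;;
    esac
  done

  # 3. the admin folder should no longer use its default name
  if [ -d "$root/admin" ]; then bad "/admin/ still uses the default name"
  else ok "admin folder renamed"; fi

  # 4. the 404.html page that the rewrite rules point at
  if [ -f "$root/404.html" ]; then ok "404.html present"
  else bad "404.html missing"; fi

  # 5. /system/ and /system/logs/ must block direct access
  for d in system system/logs; do
    if grep -qi '^Deny from all' "$root/$d/.htaccess" 2>/dev/null; then
      ok "$d/.htaccess denies access"
    else bad "$d/.htaccess missing or lacks 'Deny from all'"; fi
  done

  # 6. /catalog/ and /image/ must send non-whitelisted files to /404.html
  for d in catalog image; do
    if grep -q 'RewriteRule .*404\.html' "$root/$d/.htaccess" 2>/dev/null; then
      ok "$d/.htaccess rewrites to 404.html"
    else bad "$d/.htaccess missing or lacks the 404 RewriteRule"; fi
  done

  echo "$fails check(s) failed"
  return "$fails"
}
```

Run it again after every OpenCart upgrade, since an upgrade can restore /install/ or overwrite the .htaccess files.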


1 comment:

  1. Anonymous, 6/2/13

    Hey, just wanted to give you a quick heads up and
    let you know a few of the pictures aren't loading correctly. I'm not sure why, but I think it's a linking
    issue. I've tried it in two different browsers and both show the same results.
    Look into my website :: perfumes baratos
