OpenCart has grown into one of the most widely used open-source e-commerce platforms. Being open source is good for reliability, but it also means that every attacker knows its internal code and its default file and folder layout, so an unhardened store is an easy target. The steps below harden an OpenCart store against the most common attacks:
1. Necessary Steps To Take After OpenCart Store Installation
i) Immediately remove the /install/ directory via FTP or the cPanel/Plesk File Manager. As long as it exists, anyone can re-run the installer against your store.
ii) Set the permissions of config.php in both the webroot and the /admin/ directory to 444 (read-only for everyone). The installer needs these files writable while it runs; afterwards nothing should write to them, and a read-only mode stops a compromised script or extension from altering the database credentials and paths they contain.
2. Create a Suitable 404 Error Page
Create a file named 404.html in your OpenCart webroot directory. Its contents are up to you, but keep it generic and do not reveal server or version details. This file is served to anyone who requests something they should not be able to access; the .htaccess rules in steps 5 and 6 below rewrite such requests to it.
3. Securing The OpenCart store /admin/ Folder
i) Hide the /admin/ folder by renaming it to an unguessable name. Then edit config.php inside the renamed folder and replace the folder name admin with the new name wherever it appears. For example, change define('HTTP_SERVER', 'http://www.example.com/admin/'); to define('HTTP_SERVER', 'http://www.example.com/your_rare_name/'); and make the same change to HTTPS_SERVER and to the DIR_APPLICATION filesystem path, which contain the folder name as well. Renaming only hides the login page from casual scanning; it is not a substitute for the password protection in the next step.
ii) Password-protect the admin folder with HTTP basic authentication (.htpasswd). On cPanel hosting you can do this easily with the Password Protect Directories feature. You will have to log in twice (once to Apache, once to OpenCart), but it is well worth it: brute-force attempts and unauthenticated exploits against the admin area never reach OpenCart's own login page. Basic-auth credentials travel in clear text unless the site uses HTTPS, so combine this with step 9.
4. Securing The OpenCart store /system/ Folder
OpenCart's files are wide open by default. If OpenCart is installed in your document root, open http://www.example.com/system/logs/error.log and you will be able to download the error log as an anonymous visitor (on OpenCart 2.x and later the log lives under /system/storage/logs/ instead). Error logs leak absolute filesystem paths, failing SQL queries and other details that help an attacker, so these files have to be protected. Create a .htaccess file with the following code:-
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
Then put that .htaccess file in the following two OpenCart directories. Note that the Order keywords must be separated by a comma with no space, or Apache answers every request with a 500 error. These directives need Apache (or LiteSpeed) with AllowOverride enabled for the document root; on Apache 2.4 they also require mod_access_compat, otherwise use Require all denied in place of the Order and Deny lines; on nginx .htaccess files are ignored and the same rules must go into the server configuration. Afterwards, request the error.log URL again and confirm that the server now returns 403 Forbidden:-
i) /system/
ii) /system/logs/
5. Securing The OpenCart store /catalog/ Folder
This /catalog/ folder holds the storefront's controllers, models and templates and, in the default theme, its images, JavaScript and stylesheets. Request http://www.example.com/catalog/controller/account/address.php directly and you will see that PHP still executes the file outside of OpenCart's front controller, which is a security risk: the resulting error output gives an attacker clues about your paths and configuration, and if an attacker ever manages to upload a malicious PHP file into this tree, it will run and your whole system is at risk.
The solution is to put a .htaccess file in the OpenCart /catalog/ folder with the following code:-
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$ [NC]
RewriteRule ^(.+)$ /404.html [L]
This way only the listed file types (jpg, jpeg, png, gif, css and js) are served from /catalog/; the [NC] flag on each condition makes the match case-insensitive, so an uploaded PHOTO.JPG is still allowed. A request for anything else, a PHP file in particular, is rewritten to the 404.html file you created in step 2. The storefront keeps working because every page is routed through index.php in the webroot, never through files under /catalog/. Note that this is an internal rewrite rather than a redirect: the visitor receives the body of 404.html with an HTTP 200 status, which is enough to stop the file from executing; if you want a genuine 404 status, use the R=404 flag on the RewriteRule instead of a substitution target.
6. Securing The OpenCart store /image/ Folder
As above, the OpenCart /image/ folder needs the same protection, since it holds uploaded product images and the generated image cache and is the usual target for PHP files uploaded in disguise as pictures. Create another .htaccess file in the /image/ folder with this code:-
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
RewriteRule ^(.+)$ /404.html [L]
Note: if your theme or your uploads use other file types in /catalog/ or /image/ (web fonts such as .woff, .woff2, .ttf and .eot, .svg and .ico icons, .webp images, .pdf downloads, or .swf and .flv media), add a RewriteCond line for each extension, otherwise those files will be blocked as well. After changing the rules, load the storefront and check the browser's developer console for assets that fail to load.
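The following shell script is an added example, not part of the original post and not an OpenCart tool. It audits a document root for steps 1 and 3 to 6 above and writes the two kinds of .htaccess file those steps call for. The function names, the ROOT and ADMIN_DIR arguments and the probe URLs are our own assumptions; the deny file it writes carries the Apache 2.4 Require all denied form alongside the Order/Deny form so that it works on either version.

```shell
#!/bin/sh
# Added example (not from the original post, nor OpenCart's own tooling): a
# POSIX-shell audit for the hardening steps above. It assumes the standard
# OpenCart layout under ROOT (install/, config.php, <admin>/config.php,
# system/, system/logs/, catalog/, image/); the helper names are our own.

# Write a deny-all .htaccess for a directory that must never be served
# (the /system/ tree). Covers Apache 2.4 (mod_authz_core) as well as
# Apache 2.2 or 2.4 with mod_access_compat (Order/Deny).
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Block direct HTTP access to everything in this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
EOF
}

# Write an allow-list .htaccess for an asset directory (/catalog/, /image/):
# only the given extensions (an alternation such as 'jpe?g|png|gif') are
# served; anything else, PHP included, is rewritten to the site-wide /404.html.
write_asset_only_htaccess() {
    exts="$2"
    cat > "$1/.htaccess" <<EOF
# Serve static assets only; everything else goes to the 404 page.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !\\.($exts)\$ [NC]
RewriteRule ^(.+)\$ /404.html [L]
EOF
}

# True if FILE has mode exactly 0444 (read-only for owner, group and others).
is_mode_444() {
    [ -n "$(find "$1" -perm 444 -print 2>/dev/null)" ]
}

# audit_opencart_root ROOT [ADMIN_DIR]
# Prints one FAIL line per problem and returns the number of problems
# (0 means every check passed).
audit_opencart_root() {
    root="$1"; admin="${2:-admin}"; fails=0
    # Step 1: the installer must be gone and both config files read-only.
    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still exists"; fails=$((fails + 1))
    fi
    for cfg in "$root/config.php" "$root/$admin/config.php"; do
        if [ ! -f "$cfg" ]; then
            echo "FAIL: $cfg is missing"; fails=$((fails + 1))
        elif ! is_mode_444 "$cfg"; then
            echo "FAIL: $cfg is not mode 444"; fails=$((fails + 1))
        fi
    done
    # Step 3: a renamed admin folder must not leave /admin/ behind or in config.
    if [ "$admin" != "admin" ]; then
        if [ -d "$root/admin" ]; then
            echo "FAIL: default $root/admin directory still exists"; fails=$((fails + 1))
        fi
        if [ -f "$root/$admin/config.php" ] && grep -q '/admin/' "$root/$admin/config.php"; then
            echo "FAIL: $root/$admin/config.php still references /admin/"; fails=$((fails + 1))
        fi
    fi
    # Steps 4 to 6: each protected directory needs its .htaccess.
    for d in system system/logs catalog image; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/.htaccess" ]; then
            echo "FAIL: $root/$d has no .htaccess"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# probe_url URL EXPECTED_STATUS: after deploying, confirm from outside that a
# protected path really is blocked, for example
#   probe_url https://www.example.com/system/logs/error.log 403
#   probe_url https://www.example.com/catalog/controller/account/address.php 200
# (the second one is 200 because the rewrite serves 404.html; see step 5).
probe_url() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$status" = "$2" ]
}
```

Run audit_opencart_root /var/www/html your_rare_name once the steps are done; a clean store prints nothing and returns 0, and each FAIL line names the step that still needs doing. probe_url needs a deployed site and network access, so use it from an outside host after the files are in place, and add your own extension list to write_asset_only_htaccess if the theme uses fonts or other asset types.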
7. Be careful while using 3rd Party OpenCart Plugins
Store owners often install plugins for extra features, but a third-party plugin can carry malware or introduce vulnerabilities of its own into your OpenCart store, and even a legitimate open-source plugin can be repackaged by a third party as the carrier of a malicious payload. Hence, E2E Networks suggests you be careful with software or plugins of uncertain origin for your OpenCart store.
8. Only install OpenCart Store extensions from trusted Developers
Like other popular CMSs, OpenCart has its own extension marketplace. To be safe from unpleasant surprises, download or install extensions from trusted OpenCart developers only. Look for these indicators under the download button of an OpenCart extension:-
i) Developed by OpenCart Partner
ii) Documentation Included
Both indicate that the extension was developed from within the OpenCart community and that the developer behind it can be trusted. Treat them as a signal rather than a guarantee: keep the extensions you install up to date and remove any you no longer use.
9. Enable SSL for your OpenCart admin and storefront
It is recommended that you enable encryption (HTTPS) for the storefront and the admin area. First install a TLS certificate on the server and make sure HTTPS_SERVER in both config.php files points at an https:// URL, otherwise enabling the setting breaks the site. Then go to System > Settings, click Edit for the default store, and under the Server tab set Use SSL to Yes and click Save. Without this, customer data, the OpenCart login and the .htpasswd credentials from step 3 all travel in clear text.
10. Use a Web Application Firewall like Imunify360
A WAF is a filter that sits in front of your application and inspects incoming requests, blocking attacks before they reach OpenCart. These include cross-site scripting (XSS), SQL injection, file inclusion and other server-side attacks.
One of the best options available on cPanel hosting to protect your OpenCart website is a website firewall such as Imunify360. Imunify360 and the cPanel security packages help secure your installed OpenCart store automatically and virtually patch software by preventing malicious requests from ever reaching your store. Imunify360 also detects malware and malicious content in your files. A WAF complements the steps above; it does not replace them, nor keeping OpenCart and its extensions up to date.