OpenCart is one of the favourite platforms of e-commerce owners, and over time it has become a target for hackers too. With recent vulnerabilities such as Cross-Site Scripting, File Inclusion and CSRF being exploited, OpenCart security has become a major concern. Vulnerabilities like these are exploited to inject malware, which makes OpenCart installations a popular target for malware injections as well. A malware injection or an application-layer issue can get the website flagged on Google as “not fit for browsing”, which is often a major setback for a business owner. With limited OpenCart security solutions available, remediating such injections becomes a major hassle.

An ‘Inside’ approach to harden OpenCart Security:

  1. Hide your admin page: The first step of every hacker is to find the admin page and the version of OpenCart installed on the website. By simply visiting yoursite.com/admin, a hacker gets both!
    [Screenshot: both the location of the admin page and the OpenCart version are visible]

    Solution: Open admin/config.php. Wherever the word “admin” appears in a path, replace it with the word you want to use for the admin panel, and rename the admin directory itself to the same word so that those paths still resolve. Note: If you are using VQMod, these additional changes are required:
    Open vqmod/install/index.php and replace $admin = “admin” with $admin = “yourword”, where “yourword” is the word you chose for the admin panel. For VQMod versions older than 2.3.0, open every file in vqmod/xml one by one and replace all occurrences of the word “admin” with yourword.

  2. Upload and download functionality protection: If your OpenCart installation includes a download or upload directory, add the following rules to your .htaccess (mod_rewrite must be enabled, i.e. RewriteEngine On must appear above them) so that direct requests to those directories are answered with OpenCart's not-found page instead of the files themselves:

    RewriteRule ^download/(.*) /index.php?route=error/not_found [L]
    RewriteRule ^upload/(.*) /index.php?route=error/not_found [L]
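The admin rename from step 1 can be done consistently in one go, as this added example shows (it is not code from the original post or from OpenCart): it moves the admin directory, rewrites every /admin/ path in admin/config.php, updates vqmod/install/index.php when VQMod is present, and reports anything that still points at the old name. It assumes a POSIX shell with sed and mv, that $1 is the OpenCart root and $2 the new admin name, and that you have a backup.

```shell
#!/bin/sh
# Added example: rename the OpenCart admin panel consistently.
# Assumptions: $1 = OpenCart root directory, $2 = new admin folder name.
# sed -i.bak keeps a .bak copy of every file it rewrites.
rename_admin() {
  root="$1"; newname="$2"
  [ -d "$root/admin" ] || { echo "no admin directory under $root" >&2; return 1; }
  # Rename the directory first so the rewritten paths below resolve.
  mv "$root/admin" "$root/$newname"
  # Stock admin/config.php constants (HTTP_SERVER, DIR_APPLICATION, ...)
  # all end in /admin/; rewrite that path segment everywhere it occurs.
  sed -i.bak "s#/admin/#/$newname/#g" "$root/$newname/config.php"
  # VQMod stores its own copy of the admin folder name.
  if [ -f "$root/vqmod/install/index.php" ]; then
    sed -i.bak "s#\\\$admin *= *\"admin\"#\\\$admin = \"$newname\"#" \
      "$root/vqmod/install/index.php"
  fi
  # Check: nothing in the admin config may still point at /admin/.
  if grep -q "/admin/" "$root/$newname/config.php"; then
    echo "old admin path still referenced in $root/$newname/config.php" >&2
    return 1
  fi
  return 0
}
```

After running it, request yoursite.com/admin in a browser: it should now return a not-found page rather than the login form and version string.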

An ‘Outside’ approach to OpenCart security:

Use a Web Application Firewall (WAF): Security researchers frequently discover new OpenCart exploits, and hackers often turn those exploits into automated bots that slip past a site's own OpenCart security. A WAF protects against attacks like these and against the bad bots that regularly visit your website. Here are the details of the OpenCart firewall we have built to protect websites against ever-emerging threats and malware:

ASTRA: An OpenCart Web Application Firewall

  • Real-time OpenCart Security: ASTRA protects OpenCart websites from hackers in real time. Bad bots and hackers trying to exploit OpenCart issues such as Cross-Site Scripting, SQL Injection, Directory Traversal and 80+ other attacks are blocked then and there.
  • Reporting Attacker Information: You can see every detail about the hacker who was trying to hack your website. Apart from his country, IP, browser, operating system etc., you can also see the exact attack vector he was trying and on which URL of the website.
    [Screenshot: Threats page of ASTRA, showing every detail about the attacker]
  • Login Notifications: Whenever someone logs into your OpenCart website, you get a login notification by email as well as on your ASTRA dashboard. Additionally, failed login attempts are logged and blocked to prevent hackers from logging in.
    [Screenshot: OpenCart login logging on the ASTRA dashboard]
    [Screenshot: Login alerts right in your inbox]
  • Customization: This is the best part of ASTRA. If you have written additional code on top of default OpenCart, you can whitelist parameters as you see fit. If you are passing something in HTML which ASTRA might consider an attack, you simply add that parameter to the exceptions list.
    [Screenshot: Exceptions can be added here. Insanely easy]
  • Security Seal: Websites running ASTRA get a security seal to let their customers know that the website is being guarded as they browse through it.
    [Image: ASTRA’s Security Seal for your website]

    Websites are becoming more intelligent, and so are website hackers. OpenCart security is an ever-increasing concern as OpenCart grows, even though it is known to be a relatively secure CMS. ASTRA protects your website so that you can concentrate on your business. Apart from the features mentioned above, ASTRA has a dozen more. If you have any questions, please feel free to ask. To sign up for ASTRA: http://getASTRA.com/

About The Author

Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.