Inside-out guide to OpenCart Security
OpenCart is one of the most popular platforms among e-commerce store owners, and over time it has become a target for attackers too. With vulnerabilities such as Cross Site Scripting, File Inclusion and CSRF being actively exploited, OpenCart security has become a major concern. Vulnerabilities like these are used to inject malware, which has made OpenCart installations a popular target for malware injection as well. A malware injection or an application-layer issue typically ends with the website being flagged by Google as unsafe to visit, which is a major setback for a business owner. With few OpenCart security solutions available, cleaning up such injections becomes a major hassle.
An ‘Inside’ approach to harden OpenCart Security:
- Hide your admin page: An attacker's first step is usually to locate the admin login page and work out which OpenCart version is installed. On a default install, requesting yoursite.com/admin gives them both: the login form, and the version string shown in its footer.
Solution: Rename the admin directory to a name of your choosing (call it "yourword"), then open yourword/config.php and change every path that contains the "/admin/" segment (HTTP_SERVER, HTTPS_SERVER and the DIR_* paths that point into the admin directory) to use "/yourword/" instead. Replace only that path segment: values such as DB_USERNAME that merely contain the word "admin" must not be touched, or the admin panel will stop working. Keep in mind that this is obscurity, not a fix: it reduces automated discovery of the login page but patches nothing, so it is no substitute for keeping OpenCart updated. Note: If you are using VQMod, these additional changes are required:
Open vqmod/install/index.php and replace $admin = "admin" with $admin = "yourword", where "yourword" is the name you chose for the admin directory. For versions of VQMod older than 2.3.0, open each file in vqmod/xml one by one and replace every occurrence of the word "admin" with yourword.
- Upload and Download functionality protection: If your OpenCart install has a download or upload directory, stop its contents from being fetched directly by adding the following rule to your .htaccess, inside the RewriteEngine On section (it only takes effect if mod_rewrite is enabled and AllowOverride permits rewrite rules in .htaccess). Any request under download/ is then routed to OpenCart's own 404 page instead of the file. Repeat the rule with ^upload/ for an upload directory. OpenCart's stock .htaccess.txt already ships an equivalent rule for system/download/; this one covers a download/ directory next to index.php:
RewriteRule ^download/(.*) /index.php?route=error/not_found [L]
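As an added example (not code from the original post, nor from OpenCart or Astra), here is a POSIX shell script for the admin-rename step described above: it moves admin/ to a new name and rewrites only the "/admin/" path segments in the moved config.php, leaving values like DB_USERNAME alone and keeping a .bak copy. It assumes the script is run against an OpenCart webroot; the config.php lines, the hostname shop.example and the name backoffice-9f3a in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, OpenCart or Astra): rename OpenCart's
# admin/ directory and rewrite the paths in the moved config.php.
# Assumption: only the "/admin/" path segment is rewritten, so DB_USERNAME or any
# other value that merely contains the word "admin" is left untouched.

set -eu

# rename_admin WEBROOT NEWNAME
# Moves WEBROOT/admin to WEBROOT/NEWNAME, rewrites every '/admin/' path segment in
# the moved config.php to '/NEWNAME/', keeps config.php.bak, prints the new config path.
rename_admin() {
    webroot="$1"
    newname="$2"
    case "$newname" in
        admin|'') echo "rename_admin: choose a name other than admin" >&2; return 1 ;;
        *[!A-Za-z0-9_-]*) echo "rename_admin: use only [A-Za-z0-9_-] in the new name" >&2; return 1 ;;
    esac
    [ -d "$webroot/admin" ] || { echo "rename_admin: $webroot/admin not found" >&2; return 1; }
    [ -e "$webroot/$newname" ] && { echo "rename_admin: $webroot/$newname already exists" >&2; return 1; }

    mv "$webroot/admin" "$webroot/$newname"
    cfg="$webroot/$newname/config.php"
    cp "$cfg" "$cfg.bak"
    # Portable in-place edit (GNU and BSD sed differ on -i): rewrite from the backup.
    sed "s#/admin/#/$newname/#g" "$cfg.bak" > "$cfg"
    echo "$cfg"
}

# count_admin_paths FILE: number of lines still containing the '/admin/' path segment.
count_admin_paths() {
    grep -c '/admin/' "$1" || true
}

# Demo on a constructed webroot (lines in the shape of OpenCart's admin/config.php).
demo_webroot=$(mktemp -d)
mkdir "$demo_webroot/admin"
cat > "$demo_webroot/admin/config.php" <<'EOF'
<?php
// HTTP
define('HTTP_SERVER', 'http://shop.example/admin/');
define('HTTP_CATALOG', 'http://shop.example/');
// DIR
define('DIR_APPLICATION', '/var/www/shop/admin/');
define('DIR_LANGUAGE', '/var/www/shop/admin/language/');
define('DIR_TEMPLATE', '/var/www/shop/admin/view/template/');
define('DIR_CATALOG', '/var/www/shop/catalog/');
// DB
define('DB_USERNAME', 'admin');
EOF

new_cfg=$(rename_admin "$demo_webroot" "backoffice-9f3a")
echo "rewritten: $new_cfg"
grep -E "HTTP_SERVER|DIR_APPLICATION|DB_USERNAME" "$new_cfg"
echo "remaining /admin/ paths: $(count_admin_paths "$new_cfg")"
rm -rf "$demo_webroot"
```

To apply it to a real store, take a backup, then call rename_admin with your webroot and chosen name (for example rename_admin /var/www/shop backoffice-9f3a); afterwards update VQMod or any other extension that hard-codes the admin path, as described above. If the rewrite goes wrong, config.php.bak restores the original.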
An ‘outside’ approach to OpenCart Security
Use a Web Application Firewall (WAF): New OpenCart vulnerabilities are disclosed regularly by security researchers, and attackers quickly turn the published exploits into bots that scan for and exploit unpatched stores automatically. A WAF filters these attacks and the bad bots that constantly probe your website. Here are the details of the OpenCart firewall we have built to protect websites against emerging threats and malware:
ASTRA: An OpenCart Web Application Firewall
- Real-time OpenCart Security: ASTRA protects OpenCart websites from attackers in real time. Bad bots and attackers trying to exploit OpenCart issues such as Cross Site Scripting, SQL injection, Directory Traversal and 80+ other attack types are blocked on the spot.
- Reporting Attacker Information: You can see every detail about the attacker who tried to compromise your website: country, IP address, browser and operating system, along with the exact attack vector attempted and the URL it targeted.
- Login Notifications: Whenever someone logs into your OpenCart admin, you receive a notification by email and on your ASTRA dashboard. Failed login attempts are also logged and blocked to prevent attackers from logging in.
- Customization: This is the best part of ASTRA. If you have written additional code on top of default OpenCart, you can whitelist parameters as you need. If your code passes something in a request parameter (HTML, for example) that ASTRA would otherwise treat as an attack, you simply add that parameter to the exceptions list.
- Security Seal: The websites running ASTRA get a security seal to let their customers know that the website is being guarded as they browse through it.
Websites are becoming smarter, and so are the people attacking them. OpenCart Security is a growing concern as OpenCart's user base expands, even though it is known to be a relatively secure platform. ASTRA protects your website so that you can concentrate on your business. Beyond the features mentioned above, ASTRA has a dozen more. If you have any questions, please feel free to ask. To sign up for ASTRA: http://getASTRA.com/