OpenCart Secure File/Folder Permissions - 3.x

OpenCart has helped millions of users around the globe run e-commerce stores. However, OpenCart installations must be maintained to protect critical resources from cyber threats. It is therefore important to set proper OpenCart file permissions so that users can access only the resources intended for them. This article gives an overview of file permissions in OpenCart and how to manage them for the different types of users. According to the book OpenCart 1.4 Beginner’s Guide:

OpenCart system uses its several directories dynamically to create, change, and delete the files when needed. Because of this, we have to be sure that the correct file permissions are applied on these files and folders.

Setting OpenCart File Permissions Using GUI

To edit your OpenCart permissions using the GUI, go to System > User Group.

The permissions there are divided into Access Permission and Modify Permission. Users with access permission can only view the resources, while users with modify permission can edit the resources in OpenCart.

Setting OpenCart File Permissions Using SSH

Permission to resources in OpenCart is controlled via their controller files. Therefore, when such a resource is assigned to a particular user group, that group can only execute the actions mentioned in the controller file. If you have access to the server via SSH, run the following commands to set the file permissions correctly.

chmod 0755 <your-file>

e.g. chmod 0755 system/storage/cache/

Similarly, the other files and folders that need to be set to 0755, especially after a fresh install, are:

  • system/storage/logs/
  • system/storage/download/
  • system/storage/upload/
  • system/storage/modification/
  • image/
  • image/cache/
  • image/catalog/
  • config.php
  • admin/config.php

Here, setting the permissions to 0755 means these files are writable (by their owner). These files must be writable for OpenCart to function properly. The same permissions can also be set using an FTP client.

Setting OpenCart File Permissions via addPermission() Method

Access or modify permission for a user can also be defined using the addPermission() method. To accomplish this, look at the code snippet given below:

public function install() {
    // Load the controller's model and the user group model
    $this->load->model('catalog/controller_name');
    $this->load->model('user/user_group');

    // Grant access (view) permission on the controller
    $this->model_user_user_group->addPermission($this->user->getId(), 'access', 'catalog/controller_name');

    // Grant modify (edit) permission on the controller
    $this->model_user_user_group->addPermission($this->user->getId(), 'modify', 'catalog/controller_name');
}

Here, the user needs to write code for an install function. In the code snippet given above, the function first loads the user_group model. Thereafter, it calls the addPermission() method. The addPermission() method is called with the following 3 arguments: the currently logged-in user_id, access_level, controller_name.


Using vQmod

At times an OpenCart user may want to edit or modify some core OpenCart files. However, this comes with a security trade-off, as doing so can hamper the ability to apply future updates. vQmod is a workaround for this issue. Using vQmod, the modules which need to be modified can be installed without affecting the core integrity of the OpenCart system. This is accomplished by keeping a comprehensive list of filenames along with the changes required within them. All this information is saved in the form of an XML file for each extension. The cached copies of all such files are then executed while the original ones are kept intact.

To use vQmod, download it and uncompress it into the root directory of your site via an FTP client. To view this folder, visit the root, i.e. public_html/opencart.

It is also recommended to set the permissions to writable for the following files and folders:

  • index.php
  • admin/index.php
  • vqmod/vqcache folders

In any FTP client, this can be done by right-clicking a file or folder, selecting ‘File Permissions’, and typing 755 or 777 in the ‘Numeric value’ field.


Security Tips for OpenCart

Remove the install folder

The install folder may contain crucial files that give critical information to attackers. Therefore, it is advisable to remove the install folder.

Rename admin folder

Renaming the admin directory can prevent brute force attacks and password guessing by attackers. For example, if the admin folder were renamed to ‘Astra’, the login location would become www.yourstore.com/Astra. Don’t forget to update the admin/config.php file. However, it is recommended to use vQmod for renaming the admin folder.

Catalog Protection

Protect the catalog using the .htaccess file. This file can deny access to certain files and folders in OpenCart. You can also protect only files of certain types instead of all files. To protect certain file types, append the following code to your .htaccess file.

# Deny requests for these file types, except from the allowed IP address
<FilesMatch "\.(php|twig|txt)$">
Order Deny,Allow
Deny from all
Allow from "your ip address"
</FilesMatch>

OpenCart File permissions to Protect Editing

While some files need to be writable for OpenCart to run smoothly, some crucial files need to be protected from editing. Therefore, set these file permissions to 644 or. Some of these files are:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php
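
The script below is an added example, not part of the original article or of OpenCart. It audits an installation against the lists in this article: it flags protected files that are writable by group or others, listed directories left world-writable (for example after typing 777 in an FTP client), and a leftover install folder. The function names and output labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit an OpenCart tree against the permission lists in this article.
# Directories the article lists as needing write access (0755).
OC_WRITABLE_DIRS="system/storage/cache system/storage/logs system/storage/download
system/storage/upload system/storage/modification image image/cache image/catalog"
# Files the article says to protect from editing (644).
OC_PROTECTED_FILES="config.php index.php admin/config.php admin/index.php system/startup.php"

# Succeeds if path $1 itself has every permission bit in $2 set (find -perm -MODE).
has_bits() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
oc_audit() {
    root=$1
    findings=0
    for f in $OC_PROTECTED_FILES; do
        [ -f "$root/$f" ] || continue
        # 644 allows write for the owner only; flag group- or world-writable files.
        if has_bits "$root/$f" 020 || has_bits "$root/$f" 002; then
            echo "LOOSE    $f is writable by group or others (expected 644)"
            findings=$((findings + 1))
        fi
    done
    for d in $OC_WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        # 0755 keeps write access with the owner; 777 opens it to every account.
        if has_bits "$root/$d" 002; then
            echo "WORLD    $d is world-writable (expected 0755)"
            findings=$((findings + 1))
        fi
    done
    if [ -d "$root/install" ]; then
        echo "INSTALL  install/ folder is still present"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then oc_audit "$1"; fi
```

Run it from an SSH session as sh oc_audit.sh /path/to/opencart; a non-zero exit status means at least one finding was printed.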

Use an OpenCart Security Solution

Securing each and every file and folder in OpenCart can be a tedious task for an average user. Therefore, it is recommended to use a security solution for your OpenCart store. Astra is a complete package to protect your OpenCart store against multiple types of attack vectors. Even the small OpenCart users can afford it with prices starting as low as $9. Astra ensures complete security of crucial components like the catalog for OpenCart stores. Custom tailored for OpenCart users, Astra is a must have for every OpenCart user.


About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.
