Setting OpenCart Secure File/Folder Permissions – 3.x [Video Tutorial Included]
Updated on: August 13, 2020
Ananda Krishna
6 mins read
![Setting OpenCart Secure File/Folder Permissions – 3.x [Video Tutorial Included]](https://cdn-blog.getastra.com/2019/03/OpenCartFilePermissions_3fa2961ee3a1ee18270e3aca07a7b526_2000.png)
OpenCart has helped millions of users around the globe to indulge in e-commerce activities. However, the maintenance of OpenCart installations is necessary to protect the critical resources from cyber threats. Thus, it is important to ensure that proper OpenCart File Permissions is set such that users can access resources only intended for them. This article will give an overview of File Permissions in OpenCart and how to manage them for the different types of users. According to the book OpenCart 1.4 Beginner’s Guide,
OpenCart system uses its several directories dynamically to create, change, and delete the files when needed. Because of this, we have to be sure that the correct file permissions are applied on these files and folders.
Setting OpenCart File Permissions Using GUI
In order to edit your OpenCart permissions using GUI, visit System>User Group as shown in the image below.
As evident from the image, the permissions are divided into Access Permission and Modify Permission. Therefore, the users with access permission can only view the resources while users with modifying permission can edit the resources in OpenCart.
Setting OpenCart File Permissions Using SSH
Permission to resources in the OpenCart is controlled via their controller files. Therefore, when such a resource is assigned to a particular user group, they can only execute the actions mentioned in the controller file. In case you have access to the server via SSH, simply run the following commands. These commands will automatically set the permissions right.
chmod 0755 <your-file>
i.e. chmod 0755 system/storage/cache/
Similarly, all such files which need to be set at 0755 especially after a fresh install are:
- system/storage/logs/
- system/storage/download/
- system/storage/upload/
- system/storage/modification/
- image/
- image/cache/
- image/catalog/
- config.php
- admin/config.php
Here, setting the permissions to 0755 means, these files are writable. It is necessary that these files are writable so that OpenCart can function properly. Similarly, the permission for these files can be set in a similar manner by using an FTP client.
Setting OpenCart File Permissions via AddPermission() Method
Access or modify permission for a user can also be defined using the addPermission() method. To accomplish this, look at the code snippet given below:
public function install() {
$this->load->model(‘catalog/controller name’);
$this->load->model(‘user/user group’);
$this->model _ user_ user_ group->addPermission($this->user->getId(), ‘access’, ‘catalog/controller_name’);
$this->model user user_group->addPermission($this->user->getId(), ‘modify’, ‘catalog/ controller_name’);
}
Here, the user needs to write code for an install function. In the code snippet given above, user_group model is loaded by the function first. Thereafter, it calls the addPermission() method. The addPermssion() method is called with the following 3 arguments: currently login user_id, access_level, controller_name.
Confused with Opencart file permissions? Drop us a message on the chat widget and we’d be happy to help you.
Using VQMOD
At times the OpenCart user may feel the desire to edit or modify some core OpenCart files. However, it comes with a security trade-off as doing so can hamper the ability for future updates. vQmod is a workaround solution against this issue. Using vQmod, the modules which need to be modified can be installed without affecting the core integrity of the OpenCart system. This can be accomplished by keeping a comprehensive list of filenames along with the changes required within them. All this information is saved in the form of an XML file for each extension. Therefore, the cached copies of all such files are executed while the original ones are kept intact.
To use vQmod, simply download and uncompress it to the root directory of your site via an FTP client. This can be seen in the image given below. To view this folder, simply visit the root i.e. public_html/opencart.
It is also recommended to set the permissions to writable for the following files and folders:
- index.php.
- admin/index.php.
- vqmod/vqcache folders.
In any FTP client, this can be done via right-clicking on a file or folder and then selecting the ‘File Permissions’ and typing 755 or 777 in the ‘Numeric value’.
Security Tips for OpenCart
Remove the install folder
The install folder may contain some crucial files which give critical info to the attackers. Therefore, it is advisable to remove the install folder.
Rename admin folder
Renaming the admin directory can prevent brute force attacks and password guessing by the attackers. For example, if the admin folder was changed to ‘Astra’, the login location would become www.yourstore.com/Astra. Don’t forget to update the admin/config.php file. However, it is recommended to use vQMod for renaming the admin folder.
Catalog Protection
Protect the catalog using the .htaccess file. This file can deny permissions to certain files and folders in OpenCart. Also, only certain files matching a file type can be protected instead of all files. To protect certain file types, append the following code to your .htaccess file.
<FilesMatch ".(php|twig|txt)$">
Order Deny,Allow
Deny from all
Allow from "your ip address"
</FilesMatch>
OpenCart File permissions to Protect Editing
While some files need to be writable for OpenCart to run smoothly, some crucial files need to be protected from editing. Therefore, set these file permissions to 644 or. Some of these files are:
- config.php
- index.php
- admin/config.php
- admin/index.php
- system/startup.php
Use an OpenCart Security Solution
Securing each and every file and folder in OpenCart can be a tedious task for an average user. Therefore, it is recommended to use a security solution for your OpenCart store. Astra is a complete package to protect your OpenCart store against multiple types of attack vectors. Even the small OpenCart users can afford it with prices starting as low as $9. Astra ensures complete security of crucial components like the catalog for OpenCart stores. Custom tailored for OpenCart users, Astra is a must-have for every OpenCart user.
Need professional help in setting Opencart file permission? Drop us a message on the chat widget and we’d be happy to help you.
Ananda Krishna
OK, that kind of hosed my system in that it did not have the permissions to install and it does not allow me to uninstall it. Sounds like a backdoor scenario.
The error when uninstalling is:
SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
OK