Opencart Security

Setting OpenCart Secure File/Folder Permissions – 3.x [Video Tutorial Included]

Updated on: August 13, 2020

Setting OpenCart Secure File/Folder Permissions – 3.x [Video Tutorial Included]

OpenCart has helped millions of users around the globe to indulge in e-commerce activities. However, the maintenance of OpenCart installations is necessary to protect the critical resources from cyber threats. Thus, it is important to ensure that proper OpenCart File Permissions is set such that users can access resources only intended for them. This article will give an overview of File Permissions in OpenCart and how to manage them for the different types of users. According to the book OpenCart 1.4 Beginner’s Guide,

OpenCart system uses its several directories dynamically to create, change, and delete the files when needed. Because of this, we have to be sure that the correct file permissions are applied on these files and folders.

Setting OpenCart File Permissions Using GUI

In order to edit your OpenCart permissions using GUI, visit System>User Group as shown in the image below.

OpenCart file permission

As evident from the image, the permissions are divided into Access Permission and Modify Permission. Therefore, the users with access permission can only view the resources while users with modifying permission can edit the resources in OpenCart.

Setting OpenCart File Permissions Using SSH

Permission to resources in the OpenCart is controlled via their controller files. Therefore, when such a resource is assigned to a particular user group, they can only execute the actions mentioned in the controller file. In case you have access to the server via SSH, simply run the following commands. These commands will automatically set the permissions right.

chmod 0755 <your-file>

i.e. chmod 0755 system/storage/cache/

Similarly, all such files which need to be set at 0755 especially after a fresh install are:

  • system/storage/logs/
  • system/storage/download/
  • system/storage/upload/
  • system/storage/modification/
  • image/
  • image/cache/
  • image/catalog/
  • config.php
  • admin/config.php

Here, setting the permissions to 0755 means, these files are writable. It is necessary that these files are writable so that OpenCart can function properly. Similarly, the permission for these files can be set in a similar manner by using an FTP client.

Setting OpenCart File Permissions via AddPermission() Method

Access or modify permission for a user can also be defined using the addPermission() method. To accomplish this, look at the code snippet given below:

public function install() {

$this->load->model(‘catalog/controller name’);

$this->load->model(‘user/user group’);

$this->model _ user_ user_ group->addPermission($this->user->getId(), ‘access’, ‘catalog/controller_name’);

$this->model user user_group->addPermission($this->user->getId(), ‘modify’, ‘catalog/ controller_name’);


Here, the user needs to write code for an install function. In the code snippet given above, user_group model is loaded by the function first. Thereafter, it calls the addPermission() method. The addPermssion() method is called with the following 3 arguments: currently login user_id, access_level, controller_name.

Confused with Opencart file permissions? Drop us a message on the chat widget and we’d be happy to help you.


At times the OpenCart user may feel the desire to edit or modify some core OpenCart files. However, it comes with a security trade-off as doing so can hamper the ability for future updates. vQmod is a workaround solution against this issue. Using vQmod, the modules which need to be modified can be installed without affecting the core integrity of the OpenCart system. This can be accomplished by keeping a comprehensive list of filenames along with the changes required within them. All this information is saved in the form of an XML file for each extension. Therefore, the cached copies of all such files are executed while the original ones are kept intact.

To use vQmod, simply download and uncompress it to the root directory of your site via an FTP client. This can be seen in the image given below. To view this folder, simply visit the root i.e. public_html/opencart.

OpenCart file permission 3.x

It is also recommended to set the permissions to writable for the following files and folders:

  • index.php.
  • admin/index.php.
  • vqmod/vqcache folders.

In any FTP client, this can be done via right-clicking on a file or folder and then selecting the ‘File Permissions’ and typing 755 or 777 in the ‘Numeric value’.

OpenCart file permission

Security Tips for OpenCart

Remove the install folder

The install folder may contain some crucial files which give critical info to the attackers. Therefore, it is advisable to remove the install folder.

Rename admin folder

Renaming the admin directory can prevent brute force attacks and password guessing by the attackers. For example, if the admin folder was changed to ‘Astra’, the login location would become Don’t forget to update the admin/config.php file. However, it is recommended to use vQMod for renaming the admin folder.

Catalog Protection

Protect the catalog using the .htaccess file. This file can deny permissions to certain files and folders in OpenCart. Also, only certain files matching a file type can be protected instead of all files. To protect certain file types, append the following code to your .htaccess file.

<FilesMatch ".(php|twig|txt)$">
Order Deny,Allow
Deny from all
Allow from "your ip address"

OpenCart File permissions to Protect Editing

While some files need to be writable for OpenCart to run smoothly, some crucial files need to be protected from editing. Therefore, set these file permissions to 644 or. Some of these files are:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php

Use an OpenCart Security Solution

Securing each and every file and folder in OpenCart can be a tedious task for an average user. Therefore, it is recommended to use a security solution for your OpenCart store. Astra is a complete package to protect your OpenCart store against multiple types of attack vectors. Even the small OpenCart users can afford it with prices starting as low as $9. Astra ensures complete security of crucial components like the catalog for OpenCart stores. Custom tailored for OpenCart users, Astra is a must-have for every OpenCart user.

Web Application Firewall Magento, Opencart Prestashop

Experience Astra Web Protection Yourself With Our 7 Day Free Trial!

Astra stops 7 million+ nasty attacks every month! Secure your site with Astra before it is too late.

Need professional help in setting Opencart file permission? Drop us a message on the chat widget and we’d be happy to help you. 

Tags: , ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
4 years ago

OK, that kind of hosed my system in that it did not have the permissions to install and it does not allow me to uninstall it. Sounds like a backdoor scenario.
The error when uninstalling is:

SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany