Opencart Security

OpenCart Security Guide – 16 Steps For Rock Solid OpenCart Security

Updated on: September 3, 2020

OpenCart Security Guide – 16 Steps For Rock Solid OpenCart Security

Do you own an online store? Chances are that your website is built using OpenCart. In today’s scenario, the popularity of online stores has thrust OpenCart into the limelight. It is one of the most common open-sourced platforms for e-commerce websites.

Since it is open-sourced, anyone can take a look into the source codes and understand what is going on. Thus, OpenCart runs the risk of getting hacked. As an owner, you need to be careful of your website and take steps to strengthen your OpenCart security. Below are a few steps to protect your website and keep all attackers away.

Is your website security up to date? Find out in 15 seconds.

Steps to Protect Your OpenCart Website

1. Get a secure hosting server

There are many hosting servers that offer their services for a very little price. However, not all these hosting servers are secure. They often are shared hosting and usually host thousands of other websites. Having multiple websites on the same bandwidth can affect individual website performance. It also opens your website to a lot of security risks.

As an owner of an online store, you need to get a secure server for hosting your website. With a stronger hosting service, you can rest assured that your website is safe from server-side attacks (such as DDoS attacks) and other possible attacks.

2. Use the latest OpenCart version

Using old and outdated software is a sure way to get hacked. New versions are released with advanced and more secure features, along with security patches. With a newer version, you can utilize newly added security features to protect your website and thus strengthen your OpenCart security. At the time of writing this, the latest version of OpenCart – OpenCart 3.0.3.2

3. Deleting install folder

Once you complete the installation, you need to delete the install folder. If the install folder is still present, anyone can access the folder and once they re-launch the installation, it can overwrite your website.

Thus, to keep your website protected, go to ‘Shop’ in your FTP client and then delete the ‘Install’ folder.

OpenCart also reminds its users if any install folder is detected after completion of setup as a way to ensure strong OpenCart security.

OpenCart Installation Folder
OpenCart Installation Folder

4. Protecting the administrator directory

  1. Change the prefix of the OpenCart database:

    During the default installation of OpenCart, the default prefix is ‘oc_’. Thus, it becomes easier for attackers to identify and launch an attack on your website. To safeguard this, change the prefix to something familiar to throw attackers off any trail.

  2. Change default login id and password:

    After the basic installation, the default credentials need to be changed. If not changed, an attacker can guess those default passwords and access all your files and folders. Use a combination of alphabets and numerals to create a strong password.

  3. Change the default location of your administrator directory:

    In the case of a default installation, anyone can access the admin directory by using the admin URL. Thus, in order to prevent unauthorized access to such important files, you need to change this admin URL to something more customized.

  4. Using ‘.htaccess’ file in your admin folder:

    It is better to use additional measures to keep your admin folders and files. To do this you need to use ‘.htaccess’. By using this file you can limit users from accessing such important files thus strengthening OpenCart security. Edit this file and mention the proper checks to allow only certain users access to those files and folders.

5. Manage permissions of files and folders

To protect your files and folders, you need to set permission for those folders. While setting permissions you need to understand the various categories:

  1. Read-users can only view and read your files
  2. Write-users can edit your files
  3. Execute-users can execute those files

Also, there are three types of users one can assign permission to:

  1. User-This is the owner of the file
  2. Group-This includes a group of users. For example, a group of site members
  3. World-This includes any visitor

You can either set all permissions to either 755 or 644. You can check out this blog on Recommended OpenCart Files & Folder Permissions for more information.

6. Enabling SSL for your website and admin pane

Usually, data transferred back and forth is not encrypted. Encryption is necessary since unencrypted data can be accessed by any middle man. This could lead to the stealth of important information such as email IDs or usernames, financial data, etc.

By using SSL or HTTPS, you can effectively encrypt all your data and prevent anyone from snooping on it. The first location you need to protect is your admin panel. If data from your admin panel is not encrypted then attackers can gain access to your login credentials.

Navigate to Settings>>Server. There you’ll find an option “Use SSL”. Just check the radio button next to Yes, Save. That’s all.

ssl for opencart security
SSL settings in OpenCart

As a store owner, you would not want the credentials of your customers from falling into the wrong hands. Thus, this basic step can save you from a lot of attacks and attackers.

7. Enabling fraud detection in OpenCart

OpenCart lets you detect fraud in your online store. A company name MaxMind has a system that lets you do this. This service analyzes IPs that visit your storefront and detects any fraud based on these IPs. You need to subscribe to this service to enable it.

Go to Settings. You will find this option under ‘General’ as ‘Fraud’.

fraud detection for opencart security

8. OpenCart Security through extensions

  1. Install authentic extensions:

    Install only those extensions that are supported by OpenCat and preferably available from OpenCart itself. Installing any third party extension can endanger your OpenCart security. Trusted extensions do not have any known security flaws and are continuously updated to keep them safe from getting hacked.

  2. Update all your extensions:

    All trusted extensions are regularly updated with the latest security patches and fixes for known bugs. Keeping your extensions updated can protect your website from any known attacks or bugs. Attackers can easily get through an outdated extension with vulnerability and thus weaken your OpenCart security.

  3. Uninstall unused or defunct extensions:

    If you do not use certain extensions regularly then removing them is a better option. Since they are not continuously used they might get outdated and be a crucial OpenCart security threat.

9. Two-Factor authentications for logging in

Logging in through an ID and password has become obsolete. In today’s age, 2 Factor Authentication is considered to be more secure than the traditional method of logging in. Bad hackers can gain access to your ID and password and can easily take control of your account. 2FA (2 Factor Authentication) takes away the complete power from a single way of logging in.

TFA for OpenCart Security
Free Two Factor Authentication Extension for OpenCart

In 2FA you first need to login through your usual ID and password, after which a unique code is sent to your mobile number, on entering this, you will be fully logged in. In this case, even if attackers know your password, they cannot log in without getting this unique code in your phone number. As an owner, your customers deserve to be safe and thus enabling 2FA in your OpenCart website is important. With this, you can help your customers stay safe as well as keep bad hackers away

10. Using ReCAPTCHA to authenticate users

ReCAPTCHA has become a very method for verifying if users are humans or bad bots. Bots often try to crawl through websites and gather important data such as email IDs and usernames. They can also increase the traffic on your website. To prevent bots from accessing your website. OpenCart provides an extension for getting ReCAPTCHA on your website

Recaptcha: OpenCart Security
Google ReCaptcha for OpenCart

11. Limiting the types of upload files

By limiting the type of files that can be uploaded on your website, you can protect your website from unnecessary uploads as well as prevent users from uploading harmful files. Attackers can use infected files to make your website vulnerable and then launch attacks.

You can prevent this by:

  1. logging into your admin panel
  2. going to ‘Systems’>>‘Settings
  3. Under the ‘Option’ tab, you will find ‘Allow upload file extensions’.

Change the types of files that can be uploaded on your website.

12. Implementing firewalls

Bots and attackers are always on the lookout and they can launch attacks without any warnings. To keep your online store protected from all such threats, you need to implement a strong firewall that will guard your website round the clock. A good firewall will block all bad bots and any attempted attack by hackers.

Firewall working
How Astra Web Application Firewall protects your OpenCart website

13. Regular security audits

As a website owner, you need to be aware of your website’s security flaws. Understanding those security flaws is the first step to a strong security system around your website. Thus, doing an out and out Security Audit of your website can let you know about the state & standard of your website’s security.

You can use this tool to do a free automated Security Audit of your website. If you are looking for a more comprehensive result. Opt for this in-depth VAPT program (aka security audit) by Astra. This picture below depicts Astra’s VAPT process.

Vulnerability Assessment & Penetration Testing by Astra

Vulnerability Assessment & Penetration Testing by Astra

14. Malware scans for threat detection

Malware is a common way for attackers to make your website vulnerable. From stealing information to spreading the infection to users, malware can be programmed to achieve any objective. To make them more effective, malware is generally programmed to stay hidden and be difficult to identify.

This is where malware scans come handy. An effective malware scanner can detect hidden malware and remove them.

15. Check your payment flows

The payments section is one of the most important aspects of an online store. There are numerous plugins that integrate with OpenCart and add functionality to these payment options. However, due to these extensions, your OpenCart security might be compromised. If you are using an outdated extension then you need to update them. These are the most common types of payment hacks:

  1. Making purchases without payment
  2. Changing the price of products
  3. Diverting payments to the attacker’s accounts

Analyze if all your payment options and channels are working fine. Ensure that there are no discrepancies and changes in the basic functioning of these modules

16. Backing up files and data

Having a backup of your website is always a good idea. In case attackers decide to delete important files from your website, you will have your backup to restore those files and get your website back online. Whenever you set up your OpenCart website, always backup the necessary files. OpenCart provides you an option to do so.

Once you log into your account, under ‘Settings’, you will find ‘Maintenance’ and then ‘Backup/Restore’. Within this option, you will have a choice of selecting all those tables that you need to backup. Those tables will be saved as SQL Whenever you need to restore those backup files, go to the ‘Restore’ tab and upload the SQL file. Backing up your files is an additional step to ensure strong OpenCart security.

Conclusion

The above steps will definitely protect you from common and not so common threats to your website. Also, the right OpenCart Security measure will keep your customer data from being stolen, misused or manipulated. As an online store owner, you need to be careful round the clock.

Even though we truly stand by these DIYs, it does not compare to having a dedicated security system enabled on your website. Astra Security has been securing thousands of websites through its state-of-the-art technology, tools, and expertise. Right from a Web Application Firewall to Malware Scanner to one-click malware removal it has all that your website needs.

Don’t take our words for it. See it for yourself!

Peek inside Astra

Was this post helpful?

Tags:

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France).At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany