OpenCart Security Guide – 16 Steps For Rock Solid OpenCart Security
Do you own an online store? Chances are that your website is built on OpenCart. The popularity of online stores has thrust OpenCart into the limelight, and it is one of the most widely used open-source e-commerce platforms.
Since it is open source, anyone can read the source code and understand how it works, so OpenCart stores run the risk of getting hacked. As an owner, you need to look after your website and take steps to strengthen your OpenCart security. Below are a few steps to protect your website and keep attackers away.
Steps to Protect Your OpenCart Website
1. Get a secure hosting server
Many hosting providers offer their services for very little money. However, not all of them are secure. They are often shared hosting plans that put thousands of other websites on the same server. Sharing a server with so many sites can hurt your store’s performance, and it also exposes your website to a lot of security risks.
As the owner of an online store, you need a secure server to host your website. With a stronger hosting service, you can rest assured that your website is better protected from server-side attacks (such as DDoS attacks) and other threats.
2. Use the latest OpenCart version
Using old and outdated software is a sure way to get hacked. New versions ship with improved, more secure features along with security patches. With a newer version, you can use the newly added security features to protect your website and strengthen your OpenCart security. At the time of writing, the latest version of OpenCart is OpenCart 220.127.116.11.
3. Deleting install folder
Once you complete the installation, you need to delete the install folder. If it is still present, anyone can reach it, re-run the installer and overwrite your website.
Thus, to keep your website protected, open your store’s directory (‘Shop’) in your FTP client and delete the ‘install’ folder.
OpenCart also reminds its users if an install folder is detected after setup is complete, as a way to ensure strong OpenCart security.
4. Protecting the administrator directory
Change the prefix of the OpenCart database:
During a default installation of OpenCart, the table prefix is ‘oc_’. This makes it easier for attackers to guess your table names and launch an attack on your website. To safeguard against this, change the prefix to something less predictable and throw attackers off the trail.
Change default login id and password:
After the basic installation, the default credentials need to be changed. If they are not, an attacker can guess them and gain access to all your files and folders. Use a combination of letters and numbers to create a strong password.
Change the default location of your administrator directory:
In a default installation, anyone can reach the admin directory through the default admin URL. To prevent unauthorized access to such important files, change this admin URL to something customized.
Using ‘.htaccess’ file in your admin folder:
It is better to add extra measures to keep your admin folders and files safe. To do this, use a ‘.htaccess’ file. With it you can restrict who may access these important files, strengthening your OpenCart security. Edit the file and add the proper checks so that only certain users can reach those files and folders.
5. Manage permissions of files and folders
To protect your files and folders, you need to set permission for those folders. While setting permissions you need to understand the various categories:
- Read: users can only view and read your files
- Write: users can edit your files
- Execute: users can execute those files
Also, there are three types of users one can assign permission to:
- User: the owner of the file
- Group: a group of users, for example a group of site members
- World: any visitor
Set permissions to 755 (folders) or 644 (files). You can check out this blog on Recommended OpenCart Files & Folder Permissions for more information.
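Steps 3, 4 and 5 above can be applied from the shell of the web server. The script below is an added example, not code from the original post or from OpenCart; the document-root path, the administrators’ IP addresses and the Apache 2.4 `Require ip` directive in the generated `.htaccess` are assumptions you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenCart): apply steps 3, 4 and 5
# to an OpenCart document root. The root path and the allowed IPs are assumptions.
set -eu

# Step 3: the installer must not stay reachable once setup is complete.
remove_install_dir() {
  if [ -d "$1/install" ]; then rm -rf "$1/install"; fi
  [ ! -d "$1/install" ]
}

# Step 4: report whether config.php still uses the default 'oc_' table prefix
# (OpenCart writes it as define('DB_PREFIX', 'oc_');). Returns 1 if it does.
check_db_prefix() {
  prefix=$(sed -n "s/.*define('DB_PREFIX', *'\([^']*\)').*/\1/p" "$1/config.php")
  echo "DB_PREFIX is '$prefix'"
  [ "$prefix" != "oc_" ]
}

# Step 4: allow only the listed client addresses (IPs or CIDR ranges) to reach the
# admin directory; everyone else gets 403. Apache 2.4 syntax. The admin directory
# may already have been renamed, so its path is passed in.
write_admin_htaccess() {
  admin_dir=$1; shift
  {
    echo "# Admin panel reachable only from the store administrators' addresses"
    echo "<RequireAny>"
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo "</RequireAny>"
  } > "$admin_dir/.htaccess"
}

# Step 5: folders 755, files 644, so the web server can read but not rewrite code.
set_opencart_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh harden.sh /var/www/opencart 203.0.113.10 [more IPs or CIDR ranges...]
if [ "$#" -ge 2 ]; then
  root=$1; shift
  remove_install_dir "$root"
  check_db_prefix "$root" || echo "WARNING: default table prefix still in use"
  write_admin_htaccess "$root/admin" "$@"
  set_opencart_permissions "$root"
fi
```

If you have renamed the admin directory (step 4), pass its new path to `write_admin_htaccess` instead of `$root/admin`.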
6. Enabling SSL for your website and admin panel
By default, data transferred back and forth is not encrypted. Encryption is necessary because unencrypted data can be read by anyone sitting between the visitor and the server. This could lead to the theft of important information such as email addresses or usernames, financial data, etc.
By using SSL (HTTPS), you encrypt all your traffic and prevent anyone from snooping on it. The first place to protect is your admin panel: if traffic to the admin panel is not encrypted, attackers can capture your login credentials.
Navigate to Settings >> Server. There you’ll find an option “Use SSL”. Check the radio button next to Yes and save. That’s all.
As a store owner, you would not want the credentials of your customers to fall into the wrong hands. This basic step can save you from a lot of attacks and attackers.
7. Enabling fraud detection in OpenCart
OpenCart lets you detect fraud in your online store. A company named MaxMind provides a service that does this. It analyzes the IP addresses that visit your storefront and flags fraud based on them. You need to subscribe to this service to enable it.
Go to Settings. You will find this option under ‘General’ as ‘Fraud’.
8. OpenCart Security through extensions
Install authentic extensions:
Install only those extensions that are supported by OpenCart and, preferably, available from OpenCart itself. Installing an arbitrary third-party extension can endanger your OpenCart security. Trusted extensions are actively maintained: known security flaws get fixed and regular updates keep them safe from getting hacked.
Update all your extensions:
All trusted extensions are regularly updated with the latest security patches and fixes for known bugs. Keeping your extensions updated protects your website from known attacks and bugs. Attackers can easily get in through an outdated extension with a known vulnerability, weakening your OpenCart security.
Uninstall unused or defunct extensions:
If you do not use certain extensions regularly, removing them is the better option. Since they are not in continuous use they tend to go out of date and become a serious OpenCart security threat.
9. Two-factor authentication for logging in
Logging in with only an ID and password has become obsolete. Today, two-factor authentication is considered more secure than the traditional way of logging in. Attackers who obtain your ID and password can easily take control of your account; 2FA (two-factor authentication) means a single stolen secret is no longer enough.
With 2FA you first log in with your usual ID and password, after which a unique code is sent to your mobile number; only after entering this code are you fully logged in. Even if attackers know your password, they cannot log in without the code sent to your phone. Your customers deserve to be safe, so enabling 2FA on your OpenCart website is important. It helps your customers stay safe and keeps attackers away.
10. Using ReCAPTCHA to authenticate users
ReCAPTCHA has become a very common method for verifying that users are humans rather than bad bots. Bots often crawl websites to harvest data such as email addresses and usernames, and they can also inflate the traffic on your website. To keep bots off your website, OpenCart provides an extension that adds ReCAPTCHA to your store.
11. Limiting the types of upload files
By limiting the types of files that can be uploaded to your website, you protect it from unnecessary uploads and prevent users from uploading harmful files. Attackers can use malicious files to make your website vulnerable and then launch attacks.
You can prevent this by:
- logging into your admin panel
- going to ‘System’>>‘Settings’
- under the ‘Option’ tab, finding ‘Allow upload file extensions’
- changing the list of file types that can be uploaded to your website
12. Implementing firewalls
Bots and attackers are always on the lookout and can strike without warning. To keep your online store protected from such threats, implement a strong firewall that guards your website round the clock. A good firewall blocks bad bots and attempted attacks by hackers.
13. Regular security audits
As a website owner, you need to be aware of your website’s security flaws. Understanding them is the first step toward a strong security system around your website. A thorough security audit of your website tells you the state and standard of your website’s security.
You can use this tool to do a free automated security audit of your website. If you are looking for a more comprehensive result, opt for the in-depth VAPT program (a full security audit) by Astra. The picture below depicts Astra’s VAPT process.
Vulnerability Assessment & Penetration Testing by Astra
14. Malware scans for threat detection
Malware is a common way for attackers to compromise your website. From stealing information to spreading the infection to your users, malware can be programmed to achieve almost any objective. To be more effective, malware is generally written to stay hidden and be difficult to identify.
This is where malware scans come in handy. An effective malware scanner can detect hidden malware and remove it.
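Steps 11 and 14 can be checked together with a scan of the upload directories: files whose extension is not on the ‘Allow upload file extensions’ list, files that pass the extension check but contain PHP code, and uploads that carry the execute bit. This is an added example, not code from the post or from OpenCart; the scanned path and the `ALLOWED_EXT` list are assumptions you adapt to your store’s settings.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenCart): scan OpenCart upload
# directories for files that violate the upload allow list or hide PHP code.
# The scanned path and the ALLOWED_EXT list are assumptions; mirror your own setting.
set -eu

# Extensions your store permits under System > Settings > Option (assumed list).
ALLOWED_EXT="jpg jpeg png gif pdf"

ext_allowed() {
  ext=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for a in $ALLOWED_EXT; do
    if [ "$a" = "$ext" ]; then return 0; fi
  done
  return 1
}

# Prints one "TAG path" line per finding. Tags:
#   DISALLOWED_EXT  extension is not on the allow list (covers .php, .phtml, none)
#   PHP_IN_UPLOAD   allowed extension (e.g. .jpg) but the file carries a PHP open tag
#   EXECUTABLE      an upload should never have the execute bit set
scan_uploads() {
  find "$1" -type f | while IFS= read -r f; do
    name=${f##*/}
    case "$name" in
      *.*) ext=${name##*.} ;;
      *)   ext="" ;;
    esac
    if ! ext_allowed "$ext"; then
      echo "DISALLOWED_EXT $f"
    elif grep -q -e '<?php' -e '<?=' "$f"; then
      echo "PHP_IN_UPLOAD $f"
    fi
    if [ -x "$f" ]; then echo "EXECUTABLE $f"; fi
  done
}

# Number of findings; 0 means the directory is clean by these three checks.
count_findings() {
  scan_uploads "$1" | wc -l | tr -d ' '
}

# Usage: sh scan_uploads.sh /var/www/opencart/image
if [ "$#" -ge 1 ]; then
  scan_uploads "$1"
  echo "findings: $(count_findings "$1")"
fi
```

Run it from cron against the directories your store accepts uploads into and alert on a non-zero finding count; anything it flags is worth a manual look before it is deleted.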
15. Check your payment flows
The payments section is one of the most important parts of an online store. Numerous plugins integrate with OpenCart and add functionality to these payment options. However, these extensions can also compromise your OpenCart security. If you are using an outdated extension, you need to update it. These are the most common types of payment hacks:
- Making purchases without payment
- Changing the price of products
- Diverting payments to the attacker’s accounts
Check that all your payment options and channels are working fine. Ensure that there are no discrepancies or changes in the basic functioning of these modules.
16. Backing up files and data
Having a backup of your website is always a good idea. If attackers delete important files from your website, you can restore them from your backup and get your website back online. Whenever you set up your OpenCart website, always back up the necessary files. OpenCart provides an option to do so.
Once you log into your account, under ‘Settings’ you will find ‘Maintenance’ and then ‘Backup/Restore’. Here you can select the tables that you need to back up; they will be saved as an SQL file. Whenever you need to restore from a backup, go to the ‘Restore’ tab and upload the SQL file. Backing up your files is an additional step to ensure strong OpenCart security.
The above steps will protect you from common and not-so-common threats to your website. The right OpenCart security measures will also keep your customer data from being stolen, misused or manipulated. As an online store owner, you need to be careful round the clock.
Even though we truly stand by these DIY steps, they do not compare to having a dedicated security system enabled on your website. Astra Security has been securing thousands of websites through its state-of-the-art technology, tools, and expertise. From a Web Application Firewall to a Malware Scanner to one-click malware removal, it has all that your website needs.
Get an Astra Demo now.