How to Secure Opencart Admin from Hackers? By Changing Admin Path & Adding htpassword
Opencart is a platform for e-commerce merchants to buy and sell things online. The most remarkable thing being that everything is simplified for the business owner. With ready-made design and easy UI, all you needs to focus is the business. However, platforms like OpenCart often remain on the radar of hackers & it’s important to take care of the first base of security – which is securing the OpenCart admin.
Hackers are always looking for a loophole to penetrate in your shop and steal important customer information. To save yourself from them, you need to have a better security. As opencart is open source, you need to take precautions too.
Contents of This Guide
Is Your OpenCart Admin being Targeted by Hackers?
There are certain signs like too many login attempts in Opencart admin that tell that your website is on the radar of hackers. It’s obvious when you are using your site, you are well aware of your login detail, but when a hacker tries to log in, you would know that and you can take the necessary step to avoid and stop that.
If someone is trying to break into your OpenCart security, they will try to log in from an unknown location and you would find number login attempt failed. They would add harmful pages and try to steal valuable information from your customer. The only way you can stop that is using OpenCart admin brute force protection. That is why we are going to discuss how to secure your Opencart.
Related Guide – The Ultimate Guide to OpenCart Security
How to Secure Your Opencart Admin?
There are numbers of the way you can make sure you can save your site from hackers. You can simply hide your admin panel and that will prevent any hacker attack to your site. There are three way you can do it.
1. Renaming OpenCart Admin Panel
We know that they are trying to get in from your opencart admin by login in, so why not make it more difficult it for them and rename the admin panel. If they can’t find it, they won’t bother it. You can do it by simply changing the address of your login page by renaming it. The method mentioned blow can be used in Opencart version 1.5, and in an newer version like version 2 and 3.
Related Blog – How to fix File & Folder Permission in OpenCart
You need to change your admin folder to something else, something unrelated. For example, you can try kingslanding, so you need to change it in the folder like below:
Once you change the admin name there, you need to create a new path to your admin panel. You need to update the admin/config.php and change admin to kingslanding, like below:
After that, your login id will change to www.opencart.com/admin to www.opencart.com/kingslanding which is now your Opencart admin name.
But if you are using vQmod than there are certain things which also need to be changed.
You need to change index.php located in vqmod/install/index.php and change the following line
$admin = 'admin';
$admin = 'kingslanding';
After that, you need to make sure everything is running properly. In a later version of vQmode 2.3.0, there will be a file name pathReplaces.php. it will change the admin name fully in your XML file.
$replaces = array('~^admin\b~', 'kingslanding');
If you are using older version than vQmod 2.3.0 than you need to make changes in vqmod/xm and replace everything with your new name instead of admin
Should be changed to:
That is how you can change your admin name and make harder for a hacker to find the path and you can hide Opencart Admin.
Related Blog post – How to fixed hacked OpenCart Admin Panel
2. Adding htpassword Protection to OpenCart
A .htассеѕѕ and .htраѕѕwd fіlе іn thе administration fоldеr wіll prevent hackers frоm accessing уоur store, еvеn іf they discover the lоgіn lосаtіоn оf the administrator. With .htaccess, уоu саn dеnу аll IP addresses tо уоur ѕtоrе, with the exception оf the IP address оf the administrator. A .htpasswd іn thе administration fоldеr wіll rеԛuіrе аn additional password fоr the authorized administrator tо ассеѕѕ this directory. Steps to add htpassword protection:
Crеаtе thе .htраѕѕwd fіlе bу аddіng users
- Oреn a tеxt еdіtоr оn уоur соmрutеr. Wе recommend uѕіng Nоtераd (Wіndоwѕ), SimpleText (Macintosh).
- Save thе fіlе (in аn easy-to-find location) ѕuсh аѕ .htpasswd (іnсludіng thе ѕtаrtіng роіnt).
- Nоw, mаkе ѕurе уоur text еdіtоr hаѕ nоt аddеd a .txt ѕuffіx tо thе file nаmе. (On Windows, уоu саn dо this bу right-clicking оn the text file icon and selecting “Properties”). If the file nаmе hаѕ a .txt ѕuffіx (that іѕ, “.htраѕѕwd.txt”), remove the ѕuffіx when changing the fіlе nаmе.
- Bеfоrе еntеrіng thе соdе іntо уоur nеw file, mаkе ѕurе thаt “Word Wrap” іѕ dіѕаblеd. (In Nоtераd, select “Fоrmаt …” іn thе tор nаvіgаtіоn bar аnd mаkе ѕurе thаt “Tеxt Adjustment” іѕ unсhесkеd.
- Use the GetAstra .htpasswd Generation tool to create the content of the .htpasswd file.
- Enter thе uѕеrnаmе & password in the tool.
- Cору the username and encrypted password frоm the tool and paste іt into уоur .htраѕѕwd fіlе. Bе ѕurе tо rеmоvе аnу ѕрасеѕ that mау precede оr fоllоw the password. Yоur fіlе should lооk lіkе this: username:WvеPMzусіLRIо
- Now create an .htaccess file in the directory you wish to protect and add the following code to it. Before saving the file, update the ‘absolute’ path of the .htpasswd file. It would be similar to “/home/username/.htpasswd”
- Save the file & visit the directory. You should be prompted to enter the username and password.
For added security, you can also protect your OpenCart admin using Astra which comes with best security practices that our engineers deploy when you use Astra.