Astra saved my website from the dreaded Japanese SEO hack. Have used Astra for my website's security ever since & super happy to see dozens of attacks being stopped & the support I've received.
Ingrid Kjelling, Owner, IK Photography

The Ultimate Opencart Security Practices and Malware Removal Guide

This OpenCart security guide will help you protect your store from hackers and shows how you can fix a hacked OpenCart website.

OpenCart is an easy-to-use open-source e-commerce platform for aspiring entrepreneurs. Its uniqueness lies in the user’s minimal interaction with the underlying technology, and its strikingly customizable UI adds to its virtues. Given its features and open-source integration, it is an open target for millions of hackers every day. We at Astra have helped many OpenCart customers who were affected by severe malware and needed help with their OpenCart security practices. With cyberspace plagued by hackers, the security of your OpenCart store should be a priority of the highest order. We have prepared a comprehensive guide on OpenCart security practices to help you keep your store secure and implement each practice step by step.

Basic Security Steps

These are the simplest steps for hardening an OpenCart store. They may sound basic, but they should not be neglected in any case. We advise you to follow all the steps in our OpenCart Security Practices guide for the maximum security of your store.

Delete the install folder

Deleting the install folder is advised by OpenCart immediately after installation. You should delete the install folder as soon as possible as there is a huge risk of it being exploited by hackers. OpenCart will warn you in the administration if the install folder is not deleted.

Follow these simple steps to delete your install folder:

  1. Using an FTP client, log in to your server.
  2. Navigate to the web root (usually the /public_html or /var/www/html folder).
  3. Delete the folder named ‘install’ in this directory by right-clicking on the folder and selecting ‘Delete’.

Directories Safeguarding

Admin Folder:

As the name suggests, the admin folder is the control panel for the store’s administration. Anyone who can access the admin folder can manipulate sensitive information about customers, products and the store settings in general. Hence, it is vital to secure the admin folder and make it tough for unauthorized users to locate or access it. To harden your admin folder, follow these steps:

Renaming the Admin Folder:

  1. Log in to your hosting account via cPanel or FTP.
  2. Navigate to the folder containing the “admin” folder. It is usually the “public_html” or “/var/www/html” folder.
  3. Right-click on the “admin” folder and choose the “rename” option from the dropdown.
  4. Enter the new folder name for the “admin” folder. Use an uncommon name which is hard to guess and completely unrelated to your business (e.g. “STA22R1”, “ROCKETSCIENCE74851”).
  5. Now, edit the /admin/config.php file and replace ALL instances of the word ‘admin’ with the new folder name you chose in the previous step.

Here is a more detailed tutorial on how to rename your admin folder.

Add .htaccess file & .htpasswd:

It is advisable to have additional security mechanisms in place in case hackers are able to locate the admin folder. A .htaccess file lets you block unwanted web traffic to a directory. It can be configured so that the admin area can only be accessed from the admin’s IP address.

Steps to add a .htaccess file:

      1. Log in to your store via FTP/SFTP.
      2. Navigate to the folder which is to be protected.
      3. Create a .htaccess file, and place the following code in the file.

Also note that, by default, the .htaccess file applies to all subdirectories of the admin directory.

Code for .htaccess in admin folder, Basic OpenCart Security Practices.

Using a .htpasswd file adds an extra authorization step: the approved administrator must enter an additional, unique password to access this directory. You can generate a .htpasswd file for your OpenCart store here using our own .htpasswd file password generator.

Catalog Security

The catalog folder can be secured using a .htaccess file, similar to the one we used in the admin folder. A FilesMatch rule can be useful for shielding important file types of your OpenCart store, such as .php and .txt files. The following code can be used for .htaccess in your catalog folder:

Note: After setting the catalog folder .htaccess file, all the template, PHP and text files will have selective access.

Securing the System folder

In the system folder, only two specific files need to be protected: logs/error.txt and start_up.php. Using the logs/error.txt file, a malicious attacker can figure out how the server functions and use that to their benefit.

By using a .htaccess file for the system folder one can secure the system folder from unauthorized access. Use the following code for the .htaccess file in your system folder:
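Added example (not the guide's own snippets, which are not reproduced on this page): a shell sketch that writes the .htaccess files described above for the admin, catalog and system folders. It assumes Apache 2.4 syntax with .htaccess overrides enabled; the function names, the IP address 203.0.113.10 and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the guide's own code. Apache 2.4 (mod_authz_core)
# syntax; the server must allow these directives in .htaccess
# (AllowOverride AuthConfig). IP address and paths are constructed.

# write_admin_htaccess ADMIN_DIR ALLOWED_IP HTPASSWD_FILE
# Requires BOTH the admin's IP address and a valid .htpasswd login.
write_admin_htaccess() {
    webroot=$(cd "$1/.." && pwd) || return 1
    case "$3" in
        "$webroot"/*)   # keep the password file where it can never be requested
            echo "refusing: $3 is inside the web root" >&2
            return 1 ;;
    esac
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $3
<RequireAll>
    Require ip $2
    Require valid-user
</RequireAll>
EOF
}

# write_filesmatch_htaccess DIR ALLOWED_IP EXT_REGEX
# Limits direct requests for the matching file types to one IP address.
write_filesmatch_htaccess() {
    cat > "$1/.htaccess" <<EOF
<FilesMatch "\.($3)\$">
    Require ip $2
</FilesMatch>
EOF
}

demo_htaccess() {
    site=$(mktemp -d)                       # constructed stand-in for the web root's parent
    mkdir -p "$site/public_html/admin" "$site/public_html/catalog" \
             "$site/public_html/system" "$site/private"
    write_admin_htaccess "$site/public_html/admin" 203.0.113.10 "$site/private/.htpasswd"
    write_filesmatch_htaccess "$site/public_html/catalog" 203.0.113.10 'php|tpl|txt'
    write_filesmatch_htaccess "$site/public_html/system" 203.0.113.10 'php|txt'
    for d in admin catalog system; do
        echo "== $d/.htaccess"
        cat "$site/public_html/$d/.htaccess"
    done
    # A password file under public_html is rejected.
    write_admin_htaccess "$site/public_html/admin" 203.0.113.10 \
        "$site/public_html/.htpasswd" || echo "rejected as expected"
    rm -rf "$site"
}
demo_htaccess
```

After a rename of the admin folder, pass the new folder path as ADMIN_DIR; the rule still covers its subdirectories.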

Intermediate Security Steps

These are the next level of OpenCart hardening steps.

Configuring File Permissions

By setting file permissions on critical files, you tell the server who may read or modify them. It is advised to use 644 or 444 to protect your OpenCart store against file overwriting and malware attacks. 644 lets the file’s owner read and write it while everyone else can only read it, whereas 444 is read-only for everyone.

We advise you to have 444 file permissions for these specific files:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php
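Added example (not part of the original guide): a shell sketch that applies 444 to the five files listed above, reports any that have drifted from it, and lists files looser than 644. It assumes GNU stat; the function names and the demo web root are constructed, and the optional second argument is the admin folder's new name if it was renamed.

```shell
#!/bin/sh
# Added example, not code from the original guide. Assumes GNU stat
# (`stat -c`); the web root used in the demo is constructed.

# critical_files [ADMIN_DIR]: the five files the guide singles out. Pass the
# new folder name if the admin folder was renamed.
critical_files() {
    admin=${1:-admin}
    echo "config.php index.php $admin/config.php $admin/index.php system/startup.php"
}

# harden_perms WEBROOT [ADMIN_DIR]: make the five files read-only (444).
harden_perms() {
    for f in $(critical_files "$2"); do
        if [ -f "$1/$f" ]; then chmod 444 "$1/$f"; fi
    done
}

# audit_perms WEBROOT [ADMIN_DIR]: print "<mode> <file>" for each critical
# file that is absent or not 444. Returns 1 when anything is printed.
audit_perms() {
    rc=0
    for f in $(critical_files "$2"); do
        if [ -f "$1/$f" ]; then mode=$(stat -c '%a' "$1/$f"); else mode=absent; fi
        if [ "$mode" != 444 ]; then echo "$mode $f"; rc=1; fi
    done
    return $rc
}

# loose_files WEBROOT: files writable by group or others, i.e. looser than
# the 644 ceiling the guide recommends.
loose_files() {
    (cd "$1" && find . -type f \( -perm -020 -o -perm -002 \)) |
        sed 's|^\./||' | sort
}

demo_perms() {
    root=$(mktemp -d)                        # constructed sample web root
    mkdir -p "$root/admin" "$root/system" "$root/image"
    for f in $(critical_files); do : > "$root/$f"; chmod 644 "$root/$f"; done
    : > "$root/image/upload.php"; chmod 666 "$root/image/upload.php"
    echo "before:"; audit_perms "$root" || true
    harden_perms "$root"
    echo "after:";  audit_perms "$root" && echo "all five files are 444"
    echo "looser than 644:"; loose_files "$root"
    rm -rf "$root"
}
demo_perms
```

Running audit_perms from a scheduled job gives an early signal when one of these files has been made writable again.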

Be Cautious while using 3rd Party Plugins

E-commerce store owners often install plugins for added functionality. A third-party plugin can contain malware or introduce vulnerabilities into your OpenCart store, and many third-party open-source plugins can be configured to carry malicious payloads. Hence, we recommend that you be careful when using software or plugins of uncertain origin.

Only install extensions from trusted developers

Like any other popular CMS, OpenCart has its own marketplace for extensions. To stay safe, download extensions from trusted OpenCart developers only. If an extension has these things mentioned under the download button:

It means the extension was developed from within the community and the developer who made it can be trusted.

Water-Tight/Ultimate Security Steps:

Disable dangerous PHP functions

PHP, or Hypertext Preprocessor, is a server-side scripting language used in backend web development. If used incorrectly, with or without intent, it is capable of wrecking the entire web server. This can be a major cause for concern.

php.ini has a setting called disable_functions which often goes unnoticed. It allows you to disable certain functions for security reasons. You can use the following code to disable dangerous PHP functions:

disable_functions = "show_source, system, shell_exec, passthru, exec, popen, proc_open"
allow_url_fopen = Off  ; an ini directive, not a function; eval is a language construct that disable_functions cannot block

Note: Certain risky functions and constructs, such as eval and shell_exec, are also used by developers for legitimate purposes, so be careful while disabling them.

Avoid using tools like Adminer, File Manager, Unzipper

We sincerely advise you to refrain from using tools like Adminer, File Manager and Unzipper. Although most developers tend to use these tools, they are a security risk if left unattended on a publicly reachable site. Hence, if you plan to use them, delete them once you are done.

Use a Web Application Firewall

A WAF is an application that sits in front of your application to protect it from multiple attacks. These attacks include Cross-Site Scripting (XSS), SQL Injection, File Injection and server-side attacks, to name a few.

One of the best options at your disposal to protect your OpenCart website is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your OpenCart website.

Malware Removal

One of the simplest malware removal techniques is core file integrity analysis. For immediate help, refer to our detailed guide on OpenCart Malware Removal here.

Core file integrity analysis

OpenCart core files should not be modified unless it is done through OCMOD/VQMOD for valid reasons. The quickest and simplest method to analyze the integrity of your OpenCart core files is to use the diff command in a Linux terminal. If you aren’t comfortable with command line operations, you can manually check your files using a secure FTP client.
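Added example (not Astra's or OpenCart's own code): one way to run the diff-based check, assuming a pristine copy of the exact OpenCart release you run has been unpacked next to the live web root. It goes slightly beyond a plain diff by also listing files that exist only on the server; the function name, the ignore pattern and the sample trees are constructed.

```shell
#!/bin/sh
# Added example, not Astra's or OpenCart's code. Assumes a pristine copy of
# the exact OpenCart release in use; the sample trees below are constructed.

# core_changes CLEAN_DIR LIVE_DIR [IGNORE_REGEX]
# Prints one finding per line:
#   MISSING  <path>  shipped in the release, absent on the server
#   MODIFIED <path>  present in both, content differs
#   ADDED    <path>  present only on the server
# IGNORE_REGEX (extended regex on relative paths) skips files that are
# expected to exist only on the server, such as the generated config files.
core_changes() {
    clean=$1; live=$2; ignore=${3:-'^$'}
    # Pass 1: every file shipped in the release must exist unchanged.
    (cd "$clean" && find . -type f) | sed 's|^\./||' | sort |
    while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING  $f"
        elif ! diff -q "$clean/$f" "$live/$f" >/dev/null 2>&1; then
            echo "MODIFIED $f"
        fi
    done
    # Pass 2: anything on the server that the release never shipped.
    (cd "$live" && find . -type f) | sed 's|^\./||' | sort |
    grep -Ev "$ignore" |
    while IFS= read -r f; do
        [ -f "$clean/$f" ] || echo "ADDED    $f"
    done
}

demo_core_changes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/admin" "$tmp/clean/system" "$tmp/live/image"
    echo '<?php // index'   > "$tmp/clean/index.php"
    echo '<?php // startup' > "$tmp/clean/system/startup.php"
    echo '<?php // admin'   > "$tmp/clean/admin/index.php"
    cp -R "$tmp/clean/." "$tmp/live/"
    echo '<?php // site config' > "$tmp/live/config.php"      # written at install time
    echo '// appended line'    >> "$tmp/live/index.php"       # changed core file
    echo '<?php // unknown'     > "$tmp/live/image/cache.php" # not in the release
    core_changes "$tmp/clean" "$tmp/live" '^(config\.php|admin/config\.php)$'
    rm -rf "$tmp"
}
demo_core_changes
```

Each MODIFIED or ADDED path is a starting point for manual review, not proof of infection; legitimate uploads and cache files will also show up as ADDED unless they are covered by the ignore pattern.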

Opencart Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

OpenCart Secure Coding Checklist

This checklist will help you with practices that you should implement while developing an OpenCart store.

OpenCart Security Checklist

Every day hundreds of OpenCart store websites get compromised because of malware infections. One of the prominent reasons behind OpenCart hacks is poor coding practices.

OpenCart security is a cumbersome process, especially as it involves a lot of sharing of personal data like names, credit card details etc. Our OpenCart security checklist contains easy-to-implement steps for beginners and experts alike. Following this OpenCart secure coding checklist will help you to protect your website from hackers and make your website stand out and shine.

Here are some quick tips that you can follow while developing an OpenCart store.
  1. The integrity of configuration files, libraries, executables, and interpreted code should be verified by the usage of checksums or hashes.
  2. Shared variables and resources must be secured from improper concurrent access.
  3. User-supplied data should not be passed to any dynamic execution function.
  4. Any third-party code, secondary applications or libraries that are used must be properly reviewed to determine their business necessity and confirm that they function safely, so that they do not introduce new vulnerabilities.
  5. Rename the admin folder to some uncommon name.
    It is recommended to rename the admin folder with some uncommon name in order to conceal it from scripts and hackers targeted specifically at the ‘admin’ folder of OpenCart.
    After the folder’s name is modified, access your admin dashboard using the new path. It can be done by updating the admin/config.php file and replacing instances of ‘admin’ with the new name. There should be 5 instances which need to be modified.

For more tailored security practices for OpenCart download our checklist & don’t forget to share it with your friends if you like it.

OpenCart Malware Scanner & Backdoor Removal Module

This page contains details about our OpenCart malware scanner & how you can use it to clean your website.

OpenCart Malware Scanner

An accurate, fast & machine-learning-powered OpenCart malware scanner, now at your fingertips. Astra’s OpenCart scanner detects all malware, backdoors & core file changes on your website without affecting the speed of your website in any way.

Super Fast

Astra’s malware scanner optimizes itself with each scan, making subsequent scans visibly faster and turning malware scanning into a 5-minute affair for you.

Ever Evolving

Our malware scanner is powered by machine learning which intelligently detects early signs of malware & flags them for you

Intuitive Reports

Malware, backdoors & core file changes are beautifully visualized telling the exact instances of malware within your code making everything super simple for you

Astra's OpenCart Malware Scanner

Unveil all Malware & Backdoors

One-Click Start from Dashboard

Now scan your OpenCart store with just the click of a button, anytime, at your convenience.

Detects Hidden Malware & Backdoors

Our Malware scanner is highly tailored for all OpenCart versions & detects the hidden, encrypted malware 

Beyond Malware Signature Matching

Our malware scanner is deeply coupled with our firewall, security audit & community security offerings helping us stay on top of the security world & bringing in that intelligence to malware scanner 

Community Powered

Astra’s community-powered OpenCart malware scanner brings the collective intelligence of thousands of websites to your website’s security, helping you stay a step ahead of hackers.

Resource Optimized

Unlike other malware scanners, Astra’s malware scanner would never slow your website. Our intelligent scanning technology helps us scan faster than other scanners without slowing down your website 

Astra's Rock Solid Security For Your OpenCart Store

Web Application Firewall

Astra’s Web Application Firewall is highly tailored for OpenCart websites and stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+ types of threats in real time.

Manual Malware Cleanup

Apart from automated scan, our engineers perform in-depth malware cleanup of your website & assure it remains secure throughout the year, no questions asked

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website

FAQs - OpenCart Malware Scanner

Our malware scanner can be installed as an OpenCart module. You can download the plugin from the Astra dashboard after sign-up.

Our OpenCart malware scanner will give you a detailed report of all malware & backdoors. Then you need to go to the file path & delete the malicious code or file.

Yes, with the malware scanner you get access to the Astra firewall, which stops all malware attacks in real time.

Hosting malware scanners are not tailored to your CMS & they scan only a limited set of your website's files. You need a scanner that is tailored for your CMS & is periodically updated for new hacks.

Still have a question? Read more FAQ’s or feel free to contact us

Astra is amazing!!! I bought Astra after having used malcare and webarx religiously. I run a digital marketing agency so having web security is extremely important. First I had malcare do a manual cleaning of my site cause they had said there was some malicious code in my site. They send me the email when they complete it and my site is in the clear…so I think. I immediately installed Astra about an hour later on my main site (no client sites yet). Astra did its initial scan and came back with 9 malicious codes installed!

I am thoroughly amazed and impressed by Astra and its abilities let alone the support response time. The report isn’t generalized in any way, it’s extremely specific and detailed about your specific site. This is a must in my opinion if you have any type of website. The security it gives me in knowing that I have a capable company like Astra watching over my site and if something goes wrong they are there to rid the problem. Astra is a major relief and weight of security off my shoulders.

Ferdinand Mehlinger

owner of Bluoo Digital & Laptop Lyfestyle

OpenCart Security Audit & VAPT

This contains all details of tests, pricing & sample OpenCart Security Audit report.

Astra Uncovers Security Vulnerabilities in your OpenCart Store - OpenCart Security Audit

The OpenCart security audit focuses on evaluating the vulnerabilities in your store by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the OpenCart store for any weaknesses, technical flaws, or vulnerabilities.

Comes with 150+ security tests followed by tests tailored to your tech stack & needs.

  • Detailed Code Analysis
  • Business Logic Testing
  • Dedicated Engineer
  • Prevent Credit Card Hack

Our team that has helped to secure

Buffer App

OpenCart Security Audit - Features

Vulnerability Assessment and Penetration Testing

Exhaustive VAPT for your OpenCart store is performed that would identify security loopholes in the Web Application which could potentially allow a malicious user to gain access to the system or perform malicious operations.

Static & Dynamic Code Analysis

Astra’s Web Application Security Testing is based on the OWASP Testing Methodologies and the OWASP Testing Framework. We perform 150+ ‘active’ tests that have been classified on the basis of the type of vulnerabilities found.

Business Logic Testing

Business logic is the core logic of your OpenCart store. Here we check for Price Manipulation, Getting More Discounts, Privilege Escalation, Bypass of Security Restrictions and Access to Unauthorized Information. You can read more about it here.

Payment Handling & Integration

Checkout Portals and Payment Gateways are thoroughly checked for credit card hacks, formjacking, price manipulation vulnerabilities and more. Such vulnerabilities in a web application’s payment flow directly affect the business.

Server Infrastructure Testing & DevOps

Securing the perimeter becomes the initial step here. The key activities would involve Auditing Existing Configurations, Ensuring Encryption & Safe Data Storage, Optimizing DevOps Processes & suggesting best practices.

Network Devices Configuration Audit

An assessment of the device patch level, the logging & auditing implementation, authentication mechanisms. Audit based on device configuration, administrative and authentication services, network filtering, protocol analysis.

Testing for Known CVEs

During an OpenCart security audit, we test for common vulnerabilities and exposures. This will ensure that your store is protected from all known vulnerabilities that were exploited in the past.

Assistance in Patching Security Vulnerabilities

Our engineers will share a detailed report with step by step POC (screenshots/videos) and detailed fix information with code/config examples that will help your developer to patch vulnerabilities. 

Dashboard for Vulnerability Reporting

Vulnerabilities are reported on our intuitive dashboard where your developers can interact directly with our security engineers. Also, you can request a re-scan to make sure that a vulnerability is patched.

Top Security Issues Tested - OpenCart Security Audit

  • Configuration and Deployment Misconfiguration

    Tests HTTP Methods, HTTP Strict Transport Security, Network/Infrastructure Configuration, Application Platform configuration

  • Application or Framework Specific Vulnerabilities

    We test for all possible major causes of OpenCart hacks such as SQLi, XSS, RCE, CSRF, LFI, RFI etc.

  • Broken or Improper Authentication

    Tests for Weak & Guessable passwords, Tests for lack of appropriate session Timeouts, User Enumeration, use of default credentials, Account Lockout Policy, Session ID randomness etc.

  • Identifying Technical & Business Logic Vulnerabilities

    We test for OWASP Top 10, WASC Top Threats, etc. and our Testing methodology is based on OWASP Testing Guide v4.

  • 150+ Active Security Tests

    Tests for Input Validation issues, SSL issues, Authorization/Authentication issues, security best practices etc.

Astra Pricing For OpenCart Security Audit

CMS Scan

A comprehensive security audit for your website built with Magento, OpenCart, WordPress and other CMSs. We perform 80+ active tests with the right mix of automated & manual testing.

Be safe from critical issues like CC theft, Malware, Known Exploits, Security Misconfigurations, Vulnerable Plugins & more.

  • Cloud Dashboard
  • Steps to Fix
  • Amazing Support
Flat fee of

Business Logic Scan

An in-depth VAPT (Vulnerability Assessment & Penetration Testing) for custom built web-apps or CMSs with custom development. We perform 120+ active tests specific to your tech stack.

We pinpoint Business Logic Errors, Payment Gateway flaws, Price Manipulation Vulnerabilities, Customer Data Theft & more.

  • Security Manager
  • Cloud Dashboard
  • Steps to Fix
Starts from
Contact Us

Astra's Rock Solid Security For OpenCart

Web Application Firewall

Our Web Application Firewall is highly tailored for OpenCart & stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+ types of threats in real time.

On-Demand Malware Cleanup

Astra’s on-demand malware scanner is super fast. It detects all malware & backdoors in your OpenCart store. You can run a scan at your convenience.

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website.

Frequently Asked Questions

Yes, a security audit is an in-depth exercise that requires hours of effort of human & technology resources. That’s why an upfront payment is expected.

Definitely, once you’ve fixed the vulnerabilities you can request a scan simply by clicking a button on your dashboard. Following which, our engineers are notified and they plan a re-scan. If you are a business plan customer, you get a re-scan every month. If you’ve opted for a security audit separately then one re-scan is available to you.

Not at all, the security audit and VAPT are agnostic of the technology stack and work well on all websites.

You start seeing vulnerabilities reported by us from the day testing is started. You can ask for support in fixing the vulnerabilities for 30-days, starting from the day our engineers finish testing. During these 30 days, our engineers will be available to work with you or your developers and assist them in fixing bugs via the comment system of our dashboard. At any point, if the engineers feel that there is a need for a chat, they’ll be happy to talk to you over a chat too.

Yes, for sure. We assist your developers in fixing the vulnerabilities reported. Your developer can comment under each vulnerability if they have any questions regarding the fixation process.

Definitely, we test mobile apps too. You can learn more about them here.

Still have a question? Read more FAQ's or drop us a message in the chat box
