This OpenCart security guide will help you protect your store from hackers and shows how to fix a hacked OpenCart website.
The Ultimate OpenCart Security Practices and Malware Removal Guide
OpenCart is an easy-to-use open source e-commerce platform for aspiring entrepreneurs. Its appeal lies in how little the store owner has to interact with the underlying technology, and its highly customizable UI adds to that. Because it is popular and open source, it is also a frequent target for attackers. We at Astra have helped many OpenCart customers whose stores were infected with malware and who needed help hardening them. With cyberspace plagued by attackers, the security of your OpenCart store should be a priority of the highest order. We have prepared this comprehensive guide on OpenCart security practices to help you keep your store secure, and it walks you through every step.
Basic Security Steps
These are the simplest steps for OpenCart store hardening. They may sound basic, but they must not be neglected in any case. We advise you to follow all the steps in this guide for the maximum security of your store.
Delete the install folder
OpenCart advises deleting the install folder immediately after installation. Do it as soon as possible: a leftover install folder is a well-known target for attackers, and OpenCart will keep warning you in the administration panel as long as it is present.
Follow these simple steps to delete the install folder:
- Using an FTP client, log in to your server
- Navigate to the web root (usually the /public_html or /var/www/html folder).
- Delete the folder named ‘install’ in this directory (right-click the folder and select ‘Delete’).
Secure the admin folder
As the name suggests, the admin folder is the control panel for the store’s administration. Anyone who can access it can manipulate sensitive information about customers, products and the store settings in general. Hence, it is vital to secure the admin folder and make it hard for unauthorized users to locate or access it. Follow these steps to harden your admin folder:
Renaming the Admin Folder:
- Log into your hosting account cPanel or FTP
- Navigate to the folder containing the “admin” folder. It is usually the “public_html” or “/var/www/html” folders.
- Right click on the “admin” folder and choose the “rename” option from the dropdown
- Enter the new folder name for the “admin” folder. Use an uncommon name which is hard to guess and completely unrelated to your business. (For eg: “STA22R1”, “ROCKETSCIENCE74851”)
- Now edit config.php inside the renamed folder (it was /admin/config.php before the rename) and replace ALL instances of the word ‘admin’ with the new folder name you chose in the step above.
We also have a more detailed tutorial on renaming the admin folder.
Add .htaccess file & .htpasswd:
It is advisable to add further protection in case attackers do locate the admin folder. A .htaccess file lets you restrict which web traffic reaches the directory; for example, it can be configured so that the admin area is reachable only from the administrator’s IP address.
Steps to add a .htaccess file:
- Log in to your store via FTP/SFTP.
- Navigate to the folder which is to be protected.
- Create a .htaccess file and place the following code in it.
Note that the rules in this .htaccess file apply to all subdirectories of the admin directory by default.
Using a .htpasswd file adds an extra authentication step: the approved administrator must supply an additional password before reaching this directory. You can generate the .htpasswd entry for your OpenCart store with our own .htpasswd password generator.
The catalog folder can be secured with a .htaccess file similar to the one used for the admin folder. A FilesMatch directive is useful for shielding sensitive file types in your OpenCart store, such as .php and .txt files. The following code can be used in the .htaccess of your catalog folder:
Note: once the catalog folder .htaccess file is in place, template, PHP and text files in that folder can no longer be requested directly from the web.
Securing the System folder
In the system folder, two files in particular need protecting: logs/error.txt and startup.php. From logs/error.txt an attacker can learn how the server is set up (file paths, failing components) and use that knowledge against you.
Placing a .htaccess file in the system folder protects it from unauthorized access. Use the following code for the .htaccess file in your system folder:
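As an added example (not code from the original guide), the three .htaccess fragments the admin, catalog and system sections above describe, written in Apache 2.4 syntax. The administrator IP address and the .htpasswd path are placeholders, and the fragments assume that all catalog requests are routed through the root index.php and that nothing under system/ is fetched directly by browsers.

```apache
# ---- admin/.htaccess (put this in the renamed admin folder) ----
# Requires AllowOverride AuthConfig,Limit for this directory.
# Both conditions must hold: a valid .htpasswd user AND the allowed IP.
# Placeholder IP; replace with the administrator's real address.
# Create the password file outside the web root, e.g.:
#   htpasswd -B -c /home/example/.htpasswd admin
AuthType Basic
AuthName "OpenCart administration"
AuthUserFile /home/example/.htpasswd
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>
# Apache 2.2 equivalent of the IP rule:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.10
#   Satisfy all

# ---- catalog/.htaccess ----
# Template, PHP and text files are only ever included by index.php,
# so direct requests for them are refused; images, CSS and JS still load.
<FilesMatch "\.(php|txt|tpl|twig)$">
    Require all denied
</FilesMatch>

# ---- system/.htaccess ----
# Library code and logs only: nothing here is served to browsers,
# which also covers logs/error.txt and startup.php.
Require all denied
```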
Intermediate Security Steps
These are the next level of OpenCart hardening steps.
Configuring File Permissions
By setting file permissions on the critical files, you tell the server how access to them is granted. It is advised to use 644 or 444 to protect your OpenCart store against file overwriting and malware attacks. With 644 the owner can read and write while group and others can only read; with 444 every user, including the owner, has read-only access.
We advise you to have 444 file permissions for these specific files:
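As an added example (not from the original guide), a POSIX shell script that reports critical files still writable by group or others and then sets them to 444 as recommended above. The file list is an assumption based on the files OpenCart's installer asks you to make writable during setup; adjust it if your admin folder has been renamed.

```shell
#!/bin/sh
# Permission audit for an OpenCart store root (added example, not Astra's or OpenCart's code).
set -u

# Assumed list of critical files; change "admin" if the folder was renamed.
CRITICAL_FILES="config.php admin/config.php index.php admin/index.php system/startup.php"

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if neither group nor others may write the file (444 and 644 both qualify).
# Octal 022 is the group+other write mask.
is_locked_down() {
  mode=$(file_mode "$1") || return 1
  [ $(( 0$mode & 022 )) -eq 0 ]
}

# List critical files under store root $1 that are missing or writable by
# group/others. Returns 0 only when every file exists and is locked down.
audit_store() {
  root=$1; bad=0
  for f in $CRITICAL_FILES; do
    if [ ! -f "$root/$f" ]; then
      printf 'MISSING  %s\n' "$f"; bad=$((bad + 1))
    elif ! is_locked_down "$root/$f"; then
      printf 'WRITABLE %s (%s)\n' "$f" "$(file_mode "$root/$f")"; bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Apply the guide's recommendation: read-only (444) for every critical file present.
lock_down_store() {
  root=$1
  for f in $CRITICAL_FILES; do
    [ -f "$root/$f" ] && chmod 444 "$root/$f"
  done
  return 0
}

# Usage: . ./perms.sh; audit_store /var/www/html || lock_down_store /var/www/html
```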
Be Cautious while using 3rd Party Plugins
E-commerce store owners often install plugins for added functionality, but a third-party plugin can contain malware or introduce vulnerabilities into your OpenCart store. Many third-party open-source plugins can be repurposed as carriers of malicious payloads. Hence, we recommend you be careful when using software or plugins of uncertain origin.
Only install extensions from trusted developers
Like any other popular CMS, OpenCart has its own marketplace for extensions. To stay safe, download extensions from trusted OpenCart developers only. If an extension shows these labels under the download button:
- Developed by OpenCart Partner
- Documentation Included
it means the extension was developed from within the community and its developer can be trusted.
Water-Tight/Ultimate Security Steps:
Disable dangerous PHP functions
PHP (Hypertext Preprocessor) is a server-side scripting language used in backend web development. Misused, whether deliberately or by accident, some of its functions are capable of compromising the entire web server, which is a major cause for concern.
php.ini has a setting called disable_functions that is easy to overlook. It lets you switch off specific built-in functions for security reasons. The following lines disable the functions most commonly abused to run system commands or expose source code, and turn off remote file opening:
disable_functions = "show_source, system, shell_exec, passthru, exec, popen, proc_open"
allow_url_fopen = Off
Note: allow_url_fopen is a separate php.ini directive, not a function, so it must be set on its own line as above rather than listed in disable_functions; likewise eval is a language construct, not a function, and cannot be disabled this way. Functions such as shell_exec are also used legitimately by some extensions, so test your store after disabling them.
Avoid using tools like Adminer, File Manager, Unzipper
We strongly advise you to refrain from using tools like Adminer, File Manager and Unzipper on a production store. Although many developers use them, they are a security risk if left reachable on the public web. If you must use them, delete them as soon as you are done.
Use a Web Application Firewall
A WAF (Web Application Firewall) sits in front of your application to protect it from many kinds of attack, including Cross-Site Scripting (XSS), SQL Injection, File Injection and server-side attacks, to name a few.
One of the best options available to protect your OpenCart website is a website firewall such as Astra. Our security suite automatically secures your site and virtually patches software by preventing malicious requests from ever reaching your OpenCart store.
One of the simplest malware removal techniques is core file integrity analysis. For immediate help, refer to our detailed guide on OpenCart malware removal.
Core file integrity analysis
OpenCart core files should never be modified directly; changes belong in OCMOD/vQmod and need a valid reason. The quickest and simplest way to check the integrity of your core files is to compare them against a clean copy of the same OpenCart version with the diff command in a Linux terminal. If you aren’t comfortable with the command line, you can check the files manually using a secure FTP client.
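As an added example (not the guide's own procedure), a POSIX shell script that performs this comparison against a clean copy of the same OpenCart version, separating modified core files from files that exist only in the store, which is where dropped web shells usually appear. The directories it skips (caches, logs, uploads, the store's own config) are an assumption and may need extending for installed extensions.

```shell
#!/bin/sh
# Core file integrity check for an OpenCart store (added example, not Astra's or OpenCart's code).
# $1 = live web root, $2 = clean copy of the same OpenCart version (e.g. freshly
# extracted from the official release archive).
set -u
LC_ALL=C; export LC_ALL   # identical sort order for comm on both file lists

# Assumed paths that legitimately differ between a live store and a clean copy.
EXCLUDE_RE='^(image/cache|system/storage|system/logs)/|^(config\.php|admin/config\.php)$'

# Sorted relative paths of the regular files under $1, minus the excluded ones.
list_files() {
  (cd "$1" && find . -type f) | sed 's|^\./||' | grep -Ev "$EXCLUDE_RE" | sort
}

# Print one line per difference:
#   MODIFIED <path>  present in both, content differs (inspect for injected code)
#   ADDED    <path>  present only in the store (unexpected PHP here is a red flag)
#   MISSING  <path>  present only in the clean copy
integrity_report() {
  store=$1; clean=$2
  tmp=$(mktemp -d)
  list_files "$store" > "$tmp/store"
  list_files "$clean" > "$tmp/clean"
  comm -23 "$tmp/store" "$tmp/clean" | sed 's/^/ADDED    /'
  comm -13 "$tmp/store" "$tmp/clean" | sed 's/^/MISSING  /'
  comm -12 "$tmp/store" "$tmp/clean" | while IFS= read -r f; do
    cmp -s "$store/$f" "$clean/$f" || printf 'MODIFIED %s\n' "$f"
  done
  rm -rf "$tmp"
}

# 0 when the store matches the clean copy exactly, 1 otherwise.
store_is_clean() {
  [ -z "$(integrity_report "$1" "$2")" ]
}

# Usage: . ./integrity.sh; integrity_report /var/www/html /tmp/opencart-clean
```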