OpenCart is not inherently secure, and the fact that it
is open-source (with everyone being able to know it’s internal code and
file/folder structure) makes it even more susceptible to attacks. Here
are several methods to teach you how to secure your OpenCart website.
Essential Steps To Do After Installation
- Immediately delete the /install/ directory
- chmod the config.php file in both the root and /admin/ directories to 444
Creating A Proper 404 Error Page
Create a file named
404.html in your store root (this is the
base directory of your OpenCart store). You can put anything in the
file. This file will be served to anyone who tries to access something
inappropriately.
Securing The /admin/ Folder
- To obscure the /admin/ folder, rename it to a more uncommon name, such as /hahaha/. Next, edit the file /admin/config.php and replace the folder name admin with hahaha (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change. E.g. change define(‘HTTP_SERVER’, ‘http://www.yourdomain.com/admin/’); to define(‘HTTP_SERVER’, ‘http://www.plastictravelbottles.com/hahaha/’);
- Password protect your admin folder with htpasswd. If you’re on cPanel web hosting, then you can do this easily with the Password Protect Directories feature. This method will require you to login twice, but it’s well worth it.
Securing The /system/ Folder
Certain files are wide-open by default. If you have installed OpenCart in your root directory, just go to
http://www.yourdomain.com/system/logs/error.log
and you should be able to download your error log, even if you’re a
public user. You should protect these files, so create a .htaccess with
the following code:
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
Then put that .htaccess file in the following 2 directories:
- /system/
- /system/logs/
Securing The /catalog/ Folder
This folder contains your images, Javascript files, and template
files. Anything other than that should not be served, but that’s not the
case. Just look at
http://www.yourdomain.com/catalog/controller/account/address.php. You
can see that the file is still being attempted to run, which poses a
security risk. Either a malicious user can get more clues about your
system from these error codes, or if the malicious user can find a way
to upload his own malicious PHP file, then your whole system could be at
jeopardy.
The solution is to put a .htaccess file (we really love .htaccess) in the
/catalog/ folder with the following code:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /404.html [NC]
This way, anything other than the allowed file types of jpg, jpeg,
png, gif, css, and js are blocked. So whenever someone or something
accesses any prohibited file types (such as PHP), they’ll be redirected
to the 404.html file that you created in the first step of this
tutorial.
Securing The /image/ Folder
As above, the
/image/ folder requires protection as well,
and you need a similar .htaccess file to achieve this. Create another
.htaccess file in your
/image/ folder with this code:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /404.html [NC]
Note: If you use other file types in your
/catalog/ or
/image/
directories such as .swf or .flv, then you have to add another
RewriteCond line to the .htaccess for that specific file extension.
Source: http://www.sitefixit.com/scripts/opencart/