|
|
OpenCart is not inherently secure, and the fact that it
is open-source (with everyone being able to know it’s internal code and
file/folder structure) makes it even more susceptible to attacks. Here
are several methods to teach you how to secure your OpenCart website.
The solution is to put a .htaccess file (we really love .htaccess) in the /catalog/ folder with the following code:
Source: http://www.sitefixit.com/scripts/opencart/
Essential Steps To Do After Installation
- Immediately delete the /install/ directory
- chmod the config.php file in both the root and /admin/ directories to 444
Creating A Proper 404 Error Page
Create a file named 404.html in your store root (this is the base directory of your OpenCart store). You can put anything in the file. This file will be served to anyone who tries to access something inappropriately.Securing The /admin/ Folder
- To obscure the /admin/ folder, rename it to a more uncommon name, such as /hahaha/. Next, edit the file /admin/config.php and replace the folder name admin with hahaha (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change. E.g. change define(‘HTTP_SERVER’, ‘http://www.yourdomain.com/admin/’); to define(‘HTTP_SERVER’, ‘http://www.plastictravelbottles.com/hahaha/’);
- Password protect your admin folder with htpasswd. If you’re on cPanel web hosting, then you can do this easily with the Password Protect Directories feature. This method will require you to login twice, but it’s well worth it.
Securing The /system/ Folder
Certain files are wide-open by default. If you have installed OpenCart in your root directory, just go to http://www.yourdomain.com/system/logs/error.log and you should be able to download your error log, even if you’re a public user. You should protect these files, so create a .htaccess with the following code:<Files *.*>Then put that .htaccess file in the following 2 directories:
Order Deny,Allow
Deny from all
</Files>
- /system/
- /system/logs/
Securing The /catalog/ Folder
This folder contains your images, Javascript files, and template files. Anything other than that should not be served, but that’s not the case. Just look at http://www.yourdomain.com/catalog/controller/account/address.php. You can see that the file is still being attempted to run, which poses a security risk. Either a malicious user can get more clues about your system from these error codes, or if the malicious user can find a way to upload his own malicious PHP file, then your whole system could be at jeopardy.The solution is to put a .htaccess file (we really love .htaccess) in the /catalog/ folder with the following code:
Options +FollowSymlinksThis way, anything other than the allowed file types of jpg, jpeg, png, gif, css, and js are blocked. So whenever someone or something accesses any prohibited file types (such as PHP), they’ll be redirected to the 404.html file that you created in the first step of this tutorial.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /404.html [NC]
Securing The /image/ Folder
As above, the /image/ folder requires protection as well, and you need a similar .htaccess file to achieve this. Create another .htaccess file in your /image/ folder with this code:Options +FollowSymlinksNote: If you use other file types in your /catalog/ or /image/ directories such as .swf or .flv, then you have to add another RewriteCond line to the .htaccess for that specific file extension.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /404.html [NC]
Source: http://www.sitefixit.com/scripts/opencart/
0 comments:
Post a Comment