OpenCart is an open-source eCommerce platform that grew quickly in popularity in the early 2010s. It still holds only a modest share of the eCommerce market, but its core has a comparatively good security record.
Only two or three moderate-severity vulnerabilities were disclosed in the OpenCart core during 2019, a respectable figure next to other platforms.
A secure core does not, however, make your store safe. Every platform that holds customer data is a target, and most of what makes an individual store vulnerable lies in how it is deployed and extended (extensions, hosting, file permissions, credentials) rather than in the core itself.
In this OpenCart security guide, we cover everything you can do from your end to make your store more secure.
Table of Contents:
- 11 Actionable Tips for OpenCart Security:
- Delete the Install Folder
- Be Careful with Third-Party Plugins
- Follow eCommerce Security Best Practices
- Protect your Directories and Files
- Setup Secure File Permissions
- Implement Firewalls
- Get a Secure Hosting Service
- Use the Latest Version of OpenCart
- Enable SSL for your Admin Panel as well
- Use ReCAPTCHA
- Regular Malware Scans & Security Audits
11 Actionable Tips for OpenCart Security
1. Delete the Install Folder
Delete the install directory as soon as the installation has finished. The installer is a web page like any other: if it is left on the server, anyone who finds it can run it again, point the store at a new database and a new administrator account, and overwrite your configuration. The folder has no purpose once the store is set up, and removing unused code is standard practice because it shrinks the surface an attacker can reach. OpenCart itself keeps showing a warning in the admin dashboard until the folder is gone.
To remove it, open your FTP or SFTP client (or a shell on the server), go to the store's document root, select the install folder and delete it.
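One safety check is worth adding before you delete anything: OpenCart ships an empty config.php and the installer is what fills it in, so an empty config.php means the installation has not actually run yet. The shell function below is an added example (not from the article or from OpenCart) that refuses to remove install/ in that state. It assumes the stock OpenCart 3.x layout, with config.php and install/ side by side in the document root.

```sh
#!/bin/sh
# Added example, not part of the article or of OpenCart: remove install/
# only once the installer has actually written config.php.
# Assumption: stock OpenCart 3.x layout (config.php and install/ side by side
# in the document root) and a config.php that stays empty until installation.

# Installation is finished when config.php defines the database host.
oc_installed() {
    grep -q "define('DB_HOSTNAME'" "$1/config.php" 2>/dev/null
}

# Delete $1/install, refusing if the store has not been installed yet.
oc_remove_install_dir() {
    root="$1"
    if [ ! -d "$root/install" ]; then
        echo "$root/install: already removed"
        return 0
    fi
    if ! oc_installed "$root"; then
        echo "$root/config.php is empty: installer has not run, keeping install/" >&2
        return 1
    fi
    rm -rf "$root/install"
    echo "$root/install: removed"
}

# Usage: OPENCART_ROOT=/var/www/html sh remove_install.sh
if [ -n "${OPENCART_ROOT:-}" ]; then
    oc_remove_install_dir "$OPENCART_ROOT"
fi
```

If you only have FTP access, the same check is manual: open config.php and confirm it contains the DB_ and HTTP_SERVER entries before deleting the folder.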
2. Be Careful with Third-Party Plugins
Third-party extensions are one of the most common ways websites get compromised, on every platform, and OpenCart is no exception: an extension runs with all the privileges of the store itself, so a vulnerable or backdoored one gives an attacker the same access a core vulnerability would.
Attackers also redistribute modified copies of popular open-source extensions with a backdoor added, so install extensions only from the OpenCart marketplace or from a vendor with a track record and good reviews, never from a random download link. Keep every installed extension updated, remove the ones you no longer use (an extension that is installed but unused is still reachable), and periodically scan the extension code for vulnerabilities or injected code.
3. Follow eCommerce Security Best Practices
3.1 Complex Passwords
Brute-force and dictionary attacks try to recover a password by guessing: every combination in turn, or every entry of a list of common passwords and leaked credentials. A long, uncommon password defeats both.
Use at least 15-20 characters mixing letters, digits and symbols, or a passphrase of several unrelated words, and never reuse a password from another site, since leaked credential lists are the first thing an attacker tries. At that length even an automated guess rate of millions per second will not get through in any useful time.
Either the attack fails outright, or it runs long enough for your firewall, login limits or monitoring to notice the stream of failed attempts and block the source.
3.2 Two-Step Verification
With two-step verification (2SV, also called two-factor authentication) a stolen password is not enough on its own. After the password is accepted, the login demands a one-time code generated by an authenticator app or sent to your phone or email, and only then grants access.
An attacker who has cracked or phished your password rarely also controls your phone or authenticator at the same moment. An authenticator app is preferable to SMS or email delivery, since those channels can themselves be intercepted or taken over. Protect every administrator account this way, not just your own; 2SV for the OpenCart admin panel is available through extensions.
3.3 Limit Login Attempts
If the number of login attempts is limited, a brute-force or dictionary attack cannot cycle through guesses at speed. After a user exhausts the limit you set, lock the account temporarily or until an administrator unlocks it, and block the source IP address of a client that keeps hammering the form.
OpenCart 3.x already applies an attempt limit to customer logins (Max Login Attempts under System > Settings > Option); Webkul's excessive attempt lock extension is one option for adding this kind of protection more broadly.
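Even without a lockout extension, a password-guessing run is visible in the web server's access log. The script below is an added example (not from the article or from OpenCart): it counts failed POSTs to the admin login per source address and turns the offenders into Apache 2.4 deny rules. It assumes the log is in the common "combined" format, that the admin directory is still /admin/ (set ADMIN_DIR if you renamed it), and that, as in a stock OpenCart 3.x install, a failed admin login re-renders the form with HTTP 200 while a successful one redirects with 302. The sample log lines are constructed for the example; confirm both status codes against your own logs before relying on them.

```sh
#!/bin/sh
# Added example, not part of the article or of OpenCart: find source IPs that
# keep failing the admin login, from an Apache/nginx "combined" access log.
# Assumptions: admin directory /admin/ (override with ADMIN_DIR), and the
# stock OpenCart 3.x behaviour that a failed login answers the POST with
# 200 (form re-rendered) while a successful one answers 302 (redirect).

ADMIN_DIR="${ADMIN_DIR:-admin}"

# Print "count ip" for each IP with more than $2 (default 5) failed admin
# logins in log file $1, busiest first.
failed_admin_logins() {
    awk -v dir="$ADMIN_DIR" -v max="${2:-5}" '
        # combined: ip - user [time zone] "METHOD path HTTP/x" status bytes "ref" "ua"
        $6 == "\"POST" && index($7, "/" dir "/index.php?route=common/login") == 1 && $9 == 200 {
            fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] > max) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Turn that output into an Apache 2.4 block for ADMIN_DIR/.htaccess
# (Apache 2.2 would use "Deny from <ip>" lines instead).
deny_rules() {
    awk 'BEGIN { print "<RequireAll>"; print "    Require all granted" }
               { print "    Require not ip " $2 }
         END   { print "</RequireAll>" }'
}

# Constructed sample log (not real traffic) for trying the functions out:
# 198.51.100.7 fails six times and then gets in; 192.0.2.10 fails once.
write_sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "198.51.100.7 - - [10/Jul/2020:10:00:0$i +0000] \"POST /admin/index.php?route=common/login HTTP/1.1\" 200 2048 \"-\" \"curl/7.68.0\""
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [10/Jul/2020:10:00:09 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"'
    echo '192.0.2.10 - - [10/Jul/2020:10:01:00 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
    echo '192.0.2.10 - - [10/Jul/2020:10:01:05 +0000] "GET /admin/index.php?route=common/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
    echo '203.0.113.5 - - [10/Jul/2020:10:02:00 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
}

# Usage: OPENCART_ACCESS_LOG=/var/log/apache2/access.log sh admin_bruteforce.sh
if [ -n "${OPENCART_ACCESS_LOG:-}" ]; then
    failed_admin_logins "$OPENCART_ACCESS_LOG" 5 | deny_rules
fi
```

The threshold is deliberately a plain count rather than a rate; run the script over the last hour's log from cron if you want a sliding window. Note that 198.51.100.7 eventually logged in successfully in the sample, which is exactly the pattern (many 200s, then a 302) that a lockout extension would have prevented.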
3.4 Take Regular Backups
You probably already take a backup before modifying the store, so that if something goes wrong you can return to the last known-good state.
From a security point of view, backups are what let you recover when an attacker deletes or encrypts data or plants malicious code: you restore a clean copy instead of rebuilding from scratch. A complete backup covers both the database (products, orders, customers, settings) and the files (configuration, uploads, custom extensions and themes). Keep several generations, store them off the server and preferably off-site where the server itself cannot delete them, and restore one now and then onto a test copy to prove that the backup actually works. If your server is compromised, the backups will at least not go with it.
3.5 SSL certificate
Every visit to a website is an exchange of data, and the data a shop exchanges (logins, addresses, payment details) is exactly what an attacker wants. Without encryption, anyone positioned on the network path between the customer and your server (on the same public Wi-Fi, at a compromised router or ISP) can read or modify that traffic.
An SSL certificate (the protocol in use today is TLS, but the certificates are still called SSL certificates) lets your server encrypt the connection with each visitor's browser, so the exchanged data is unreadable to anyone listening in and any tampering is detected. HTTPS is effectively mandatory now: browsers mark plain-HTTP pages as "Not secure", payment providers require it, and search engines rank HTTPS sites ahead of HTTP ones.
4. Protect your Directories and Files
Your store's files and directories hold all of its code, data and configuration. An attacker who can read them learns your database credentials and internal paths; one who can write to them can inject code or overwrite the store entirely. Keeping the sensitive directories away from anonymous visitors, and making them harder to find, is a fundamental step towards better OpenCart security.
4.1 Rename the Admin folder
Every OpenCart store exposes its admin panel at /admin by default, so scanners and bots simply request that path. Renaming the folder to something uncommon keeps you out of that automated noise (it is obscurity rather than a strong control, so combine it with the IP restriction below). After renaming, OpenCart has to be told the new path: in admin/config.php (now under the new folder name), replace /admin/ with the new name in the HTTP_SERVER, HTTPS_SERVER and DIR_APPLICATION entries, and leave the CATALOG entries and the other DIR_ entries alone.
Once this is done, your admin URL changes from the default www.opencartstore.com/admin to www.opencartstore.com/examplename.
Add a second layer by placing an .htaccess file in the renamed admin folder that allows only your own IP address (or your office range) and refuses everyone else, so that unauthorized traffic never reaches the admin login at all. Note that .htaccess files are an Apache feature; on nginx the equivalent rule goes into the server configuration.
4.2 Secure Catalog Files
The files under catalog/ are the storefront's code: PHP controllers and models, language files, and templates (.tpl in 2.x, .twig in 3.x). None of them is ever requested directly by a browser, since every page is routed through index.php, so direct requests for them can be refused. Do not block the whole directory, though: the storefront's CSS, JavaScript and images are served from catalog/view/theme/ and must stay publicly readable. An .htaccess in catalog/ that refuses only script, text and template files, except from the administrator's address, gives the protection the article intends. Edit (or create) catalog/.htaccess in your FTP client and use:

```apache
<FilesMatch "\.(php|txt|tpl|twig)$">
    Order Deny,Allow
    Deny from all
    # replace with your own address; no quotes around the IP
    Allow from 203.0.113.4
</FilesMatch>
```

Only those file types are affected; the rest of catalog/ is served as before. Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 these directives only work when mod_access_compat is loaded, and the native form is a single "Require ip 203.0.113.4" line inside the same FilesMatch block.
4.3 Protect the System Folder
The system/ folder holds the framework itself (system/startup.php, the library and engine classes) and, in 3.x, system/storage/ with the cache, sessions, modification files and the error log (system/storage/logs/error.log; older releases wrote system/logs/error.txt). The error log is the sensitive part: it records every PHP error and notice with file paths, and often query fragments and stack traces, which is exactly the reconnaissance an attacker wants. Nothing in system/ needs to be reachable over HTTP, so restrict the whole folder with the same rule, placed in system/.htaccess via your FTP client:

```apache
Order Deny,Allow
Deny from all
# replace with your own address; no quotes around the IP
Allow from 203.0.113.4
```

OpenCart 3.x also lets you move the storage directory (DIR_STORAGE in both config.php files) outside the web root; doing so takes the logs, cache and sessions out of reach entirely.
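The three steps above can be scripted. The shell below is an added example (not the article's or OpenCart's code): it moves admin/ to a new name, rewrites the three admin/config.php entries that embed the old path (HTTP_SERVER, HTTPS_SERVER, DIR_APPLICATION), and writes the .htaccess files for the renamed admin directory, catalog/ and system/. It assumes a stock OpenCart 3.x layout and Apache 2.4 with AllowOverride enabled, so it uses the native "Require ip" syntax rather than the Order/Deny/Allow directives shown above. The admin/config.php written by oc_fixture is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the article or of OpenCart: rename the admin
# directory, fix admin/config.php, and restrict admin/, catalog/ and system/
# to the administrator's IP address with Apache 2.4 "Require" directives.
# Assumptions: stock OpenCart 3.x layout; Apache 2.4 with mod_authz_core and
# AllowOverride enabled for the document root.

# Move $1/admin to $1/$2 and update the config.php entries that embed the path.
oc_rename_admin() {
    root="$1"; new="$2"
    if [ ! -d "$root/admin" ]; then echo "no admin/ under $root" >&2; return 1; fi
    if [ -e "$root/$new" ]; then echo "$root/$new already exists" >&2; return 1; fi
    mv "$root/admin" "$root/$new"
    cfg="$root/$new/config.php"
    # Only HTTP_SERVER, HTTPS_SERVER and DIR_APPLICATION carry the admin path;
    # HTTP(S)_CATALOG and the DIR_ entries for other folders are left alone.
    sed -E "/(HTTPS?_SERVER|DIR_APPLICATION)/ s#/admin/#/$new/#" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Let only $2 (an IP address or CIDR range) request anything under $1.
oc_restrict_dir() {
    cat > "$1/.htaccess" <<EOF
# administrator-only directory (Apache 2.4 syntax)
Require ip $2
EOF
}

# Under $1, serve PHP, text and template files only to $2. CSS, JS and images
# stay reachable because the storefront loads them from catalog/view/.
oc_restrict_code_files() {
    cat > "$1/.htaccess" <<EOF
# scripts and templates are never fetched directly; everything routes via /index.php
<FilesMatch "\.(php|txt|tpl|twig)\$">
    Require ip $2
</FilesMatch>
EOF
}

# Constructed fixture (not a real store): the parts of a 3.x tree these
# functions touch, with a minimal admin/config.php.
oc_fixture() {
    mkdir -p "$1/admin" "$1/catalog/view/theme" "$1/system/storage/logs"
    cat > "$1/admin/config.php" <<'EOF'
<?php
define('HTTP_SERVER', 'http://shop.example/admin/');
define('HTTP_CATALOG', 'http://shop.example/');
define('HTTPS_SERVER', 'https://shop.example/admin/');
define('HTTPS_CATALOG', 'https://shop.example/');
define('DIR_APPLICATION', '/var/www/shop/admin/');
define('DIR_SYSTEM', '/var/www/shop/system/');
define('DIR_STORAGE', '/var/www/shop/system/storage/');
EOF
}

# Usage: OPENCART_ROOT=/var/www/shop ADMIN_IP=203.0.113.4 sh harden_dirs.sh backoffice
if [ -n "${OPENCART_ROOT:-}" ]; then
    oc_rename_admin "$OPENCART_ROOT" "$1"
    oc_restrict_dir "$OPENCART_ROOT/$1" "$ADMIN_IP"
    oc_restrict_code_files "$OPENCART_ROOT/catalog" "$ADMIN_IP"
    oc_restrict_dir "$OPENCART_ROOT/system" "$ADMIN_IP"
fi
```

Pick a name that is not guessable from the shop's name, and keep the admin IP restriction as the control you rely on: if your address changes (home connection, mobile), a second "Require ip" line is all that is needed. After running it, load the new admin URL from an address outside the list and confirm you get a 403.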
5. Setup Secure File Permissions
File permissions decide which operating-system account may read, change or run each file of the store. These are Unix permissions enforced by the server, not OpenCart user groups. Each file carries three kinds of permission:
- Read: the file's contents may be viewed
- Write: the file may be modified or replaced
- Execute: the file may be run as a program (or, for a directory, entered)
Each kind is granted separately to three classes of account:
- User: the owner of the file, normally the account you deploy with
- Group: other accounts in the file's group, often the one the web server runs as
- World (others): every other account on the server, which is what an attacker's code running under another site's account would be
Modes are written as three octal digits, one per class. To keep malware injection and file overwriting to a minimum, code files should be 644 (the owner may write, everyone else may only read) and directories 755; after installation, set config.php and admin/config.php to 444 so that not even the owner can change them without first restoring write access. 400 or 440 goes further and hides a file from the group and the world as well, which only works if the web server runs as the owner (400) or in the owner's group (440); otherwise PHP can no longer read the file and the store stops working.
Two places must stay writable by the web server: image/ (uploads and the resized-image cache) and system/storage/ (cache, logs, sessions). Never reach for 777 to get there; give those directories to the web server's group instead.
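The modes above, applied and then checked by script, as an added example (not from the article or from OpenCart): directories 755, files 644, both config.php files 444, the two runtime trees group-writable, and an audit that lists anything world-writable or any config.php that is not read-only. It assumes the files belong to a deploy account and the web server runs as a separate unprivileged user whose group is passed as WEB_GROUP; the fixture is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the article or of OpenCart: apply the modes the
# article recommends to a store tree, then audit it for anything looser.
# Assumptions: the files belong to a deploy account; the web server runs as a
# different unprivileged user whose group you pass as WEB_GROUP; the only
# trees PHP has to write at runtime are image/ (uploads, resized images) and
# system/storage/ (cache, logs, sessions, modification files).

# Octal mode of $1 (GNU stat first, BSD/macOS stat as the fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Directories 755, files 644, config.php files 444, runtime trees group-writable.
oc_set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for f in "$root/config.php" "$root"/*/config.php; do
        if [ -f "$f" ]; then chmod 444 "$f"; fi
    done
    for d in image system/storage; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 775 {} +
            find "$root/$d" -type f -exec chmod 664 {} +
            if [ -n "${WEB_GROUP:-}" ]; then chgrp -R "$WEB_GROUP" "$root/$d"; fi
        fi
    done
}

# Print world-writable entries and config.php files that are not read-only.
# Prints nothing when the tree is clean.
oc_permission_audit() {
    root="$1"
    find "$root" -perm -002 -exec printf 'world-writable: %s\n' {} \;
    for f in "$root/config.php" "$root"/*/config.php; do
        if [ -f "$f" ]; then
            case "$(file_mode "$f")" in
                444|440|400) ;;
                *) echo "$f: mode $(file_mode "$f"), expected 444, 440 or 400" ;;
            esac
        fi
    done
}

# Constructed fixture (not a real store): the loose modes a careless FTP
# upload or an installer tends to leave behind.
oc_perm_fixture() {
    mkdir -p "$1/admin" "$1/catalog/controller" "$1/image/cache" "$1/system/storage/logs"
    printf '<?php\n' > "$1/config.php"
    printf '<?php\n' > "$1/admin/config.php"
    printf '<?php\n' > "$1/catalog/controller/home.php"
    chmod 666 "$1/config.php" "$1/catalog/controller/home.php"
    chmod 777 "$1/system/storage/logs"
}

# Usage: OPENCART_ROOT=/var/www/shop WEB_GROUP=www-data sh permissions.sh
if [ -n "${OPENCART_ROOT:-}" ]; then
    oc_set_permissions "$OPENCART_ROOT"
    oc_permission_audit "$OPENCART_ROOT"
fi
```

One caveat: OpenCart's own extension installer unpacks an extension's upload/ folder into admin/, catalog/ and system/, so with these modes it will fail unless the web server owns those trees. Either install extensions by unpacking them yourself as the deploy account, or relax the modes for the duration of the install and run the audit half afterwards; the audit is also safe to run from cron, since it only prints when something has drifted.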
6. Implement Firewalls
Once a store is online it receives every kind of traffic, good and bad. A firewall is a filtering layer between your web server and the internet: it inspects incoming requests and drops those that match known attack patterns or abusive behaviour.
Network firewalls work at the packet and connection level (which ports are open, which sources may connect, how many connections one source may hold). A Web Application Firewall (WAF) reads the HTTP request itself: it blocks payloads such as SQL injection or path traversal attempts, rate-limits the login and checkout endpoints, and can challenge suspicious clients before they reach OpenCart. A WAF does not find the vulnerabilities in your extensions; it only makes exploiting them harder, so it complements rather than replaces the updates and audits described below.
7. Get a Secure Hosting Service
Your store's files, database and configuration all live on a web server, and most attacks ultimately target that server, so securing it is a priority. Store owners are often tempted by the $5-a-month tag of shared hosting. It is not necessarily a bad choice, but it is rarely a good one for a shop that handles payments.
On shared hosting your store shares the machine, and sometimes the same web server process and PHP user, with other sites. If one of them is compromised, the attacker may be able to reach your files and database too, so you inherit every neighbour's weaknesses on top of your own.
A virtual private server, a cloud instance or a fully managed hosting service avoids that. With a managed service the provider patches the operating system, runs the firewall and monitors the server round the clock; you still own everything at the application layer (OpenCart updates, extensions, permissions, admin credentials), so the rest of this guide continues to apply.
8. Use the Latest Version of OpenCart
Stores running an old release are easy targets: once a vulnerability in a given OpenCart version is public, attackers scan for every site still running it and hit them all with the same exploit. Updating as soon as a new version is released is the most basic and most effective thing you can do. Apply the same discipline to your extensions, and test the update on a copy of the store (see the backup tip) before applying it in production.
At the time of writing (July 2020) the current release was in the 3.0.3.x series; check the release notes on opencart.com or the project's GitHub releases page for the latest version.
9. Enable SSL for your Admin Panel as well
Having a certificate installed does not by itself mean OpenCart uses it. The storefront and the admin panel only switch to https:// links and redirects when the Use SSL option is on, and they build those links from the HTTPS_SERVER entries in config.php and admin/config.php, so those entries must point at https:// URLs. Until then the admin session, which carries your administrator password and token, can travel in the clear.
To enable it, open System > Settings in the admin, edit your store, switch to the Server tab, set Use SSL to Yes and save. Then confirm that the admin panel actually loads over https:// and that the browser reports a valid certificate.
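Two quick checks for tips 8 and 9, as an added example (not from the article or from OpenCart): read the installed version from the VERSION constant OpenCart defines at the top of index.php, and confirm that the HTTPS_SERVER entries in config.php and admin/config.php (plus HTTPS_CATALOG in the admin file) are https:// URLs, because the Use SSL switch only redirects to whatever those entries say. It assumes a stock 3.x layout; the sample configuration is constructed.

```sh
#!/bin/sh
# Added example, not part of the article or of OpenCart: report the installed
# version and verify the HTTPS_* URLs that "Use SSL" depends on.
# Assumption: stock OpenCart 3.x layout, where index.php begins with
# define('VERSION', '...') and both config.php files define HTTPS_SERVER.

# Print the value of define('NAME', 'value') in file $1 for NAME $2.
oc_define() {
    sed -n "s/^define('$2', '\(.*\)');.*/\1/p" "$1"
}

# Installed OpenCart version, e.g. 3.0.3.6.
oc_version() {
    oc_define "$1/index.php" VERSION
}

# Exit 0 when every HTTPS_* entry is an https:// URL; otherwise print the
# offending file/constant pairs and exit 1. A plain http:// value here means
# ticking "Use SSL" in the admin changes nothing.
oc_ssl_config_check() {
    root="$1"; bad=0
    for cfg in "$root/config.php" "$root"/*/config.php; do
        [ -f "$cfg" ] || continue
        for name in HTTPS_SERVER HTTPS_CATALOG; do
            value=$(oc_define "$cfg" "$name")
            [ -n "$value" ] || continue      # the catalog config.php has no HTTPS_CATALOG
            case "$value" in
                https://*) ;;
                *) echo "$cfg: $name is '$value', not an https:// URL"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}

# Constructed fixture (not a real store): a 3.x-shaped tree whose admin
# config still points HTTPS_SERVER at http://.
oc_ssl_fixture() {
    mkdir -p "$1/admin"
    printf "<?php\ndefine('VERSION', '3.0.3.6');\n" > "$1/index.php"
    printf "<?php\ndefine('HTTP_SERVER', 'http://shop.example/');\ndefine('HTTPS_SERVER', 'https://shop.example/');\n" > "$1/config.php"
    printf "<?php\ndefine('HTTP_SERVER', 'http://shop.example/admin/');\ndefine('HTTPS_SERVER', 'http://shop.example/admin/');\ndefine('HTTPS_CATALOG', 'https://shop.example/');\n" > "$1/admin/config.php"
}

# Usage: OPENCART_ROOT=/var/www/shop sh ssl_check.sh
if [ -n "${OPENCART_ROOT:-}" ]; then
    echo "OpenCart $(oc_version "$OPENCART_ROOT")"
    oc_ssl_config_check "$OPENCART_ROOT"
fi
```

The admin/config.php in the fixture is the mistake this check exists for: a certificate is installed and the storefront entry is right, but whoever set up the admin left HTTPS_SERVER on http://, so Use SSL silently keeps the admin on plain HTTP.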
10. Use reCAPTCHA
Bots hammer the public forms of a store: they register fake accounts, post spam reviews, probe the login form and scrape prices and product data. A CAPTCHA puts a challenge in front of a form that a person can pass and a simple script cannot, which stops the bulk of automated abuse; a determined attacker can still solve or outsource CAPTCHAs, so treat it as friction rather than a wall. OpenCart ships a Google reCAPTCHA extension: enable it under Extensions > Extensions > Captchas, enter your site and secret keys, then select it as the captcha in System > Settings > Option and tick the pages (registration, login, reviews, contact form) you want protected. It does nothing against scraping of public pages; that needs rate limiting at the firewall.
11. Regular Malware Scans & Security Audits
Securing a store is not a one-off job. Regular scans catch injected code, unexpected new files and modified core files early, and periodic audits look for the vulnerabilities and misconfigurations that a scanner cannot see, leaving you with a current picture of the store's security status.
Choose scanner extensions from the OpenCart marketplace rather than from unknown sources, so the tool meant to protect the store does not introduce a new problem, and keep a known-good copy of the core files to compare against.
Store owners need to stay vigilant and follow these practices consistently. Keep track of newly disclosed vulnerabilities in OpenCart and in the extensions you run, act on them promptly, and the store has a very good chance of staying safe.
If you have any feedback or queries, do mention in the comments below!
Divya loves writing and is passionate about marketing. When not trying to hone her skills, you’ll find her either reading or binging on TV shows.