Version 1.4.9
Clean Install
I have followed the install instructions and the store is working, but I have a question... I don't see anywhere in the documentation or forums on steps to take after installing on how to secure the site... Please advise steps that should be taken to secure. Rename Admin? Move Config outside Root Folder? Un-Chmod folders from install? Thanks!
well there should be a big pink banner in the admin that warns if the install folder wasn't deleted.
Setting config.php and admin/config.php to 444 would be a worthwhile step.
Might also be good to set index.php to 444 to avoid any outside script attacks, as these typically try to edit all index.php and config.php files globally.
You could rename the admin folder if you like. Be sure to also change the paths within the admin/config.php file. Be warned though, if you rename admin, the standard process of uploading custom modules is to drag and drop the catalog and admin folders right into your ftp. You will need to manually copy the files in the "admin" folder of the module to your custom-named admin folder on your site.
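The following shell script is an added example, not code from any post in this thread or from the OpenCart project. It carries out the checks suggested above on a store tree: confirm the install folder is gone, set config.php, admin/config.php and index.php to 444, and list anything still writable by every user on the host. It builds a constructed throw-away sample tree under mktemp so it can be run anywhere; point the functions at a real store root to audit it. Only the stock OpenCart layout (admin/, catalog/, image/) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): post-install hardening checks for an
# OpenCart 1.4.x tree, following the replies above:
#  - the install/ folder must be gone,
#  - config.php, admin/config.php and the index.php files set read-only (444),
#  - anything still writable by "other" is reported.
# Paths assume the stock layout; the sample tree below is constructed for the demo.

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throw-away store tree that mimics a fresh install (constructed sample).
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/install" "$root/admin" "$root/catalog" "$root/image/cache"
    chmod 755 "$root/install" "$root/admin" "$root/catalog" "$root/image"
    for f in config.php admin/config.php index.php admin/index.php; do
        printf '<?php\n' > "$root/$f"
        chmod 644 "$root/$f"
    done
    chmod 777 "$root/image/cache"   # typical leftover from the installer's chmod step
    printf '%s\n' "$root"
}

# 0 if install/ has been removed, 1 if it is still present.
install_dir_removed() {
    [ ! -d "$1/install" ]
}

# Make the files that mass-edit scripts target read-only (444).
# Prints one "path perm" line per file; returns 1 if any chmod was refused
# (some hosts do refuse 444, as a later reply in this thread reports).
lock_down_files() {
    rc=0
    for f in config.php admin/config.php index.php admin/index.php; do
        [ -f "$1/$f" ] || continue
        chmod 444 "$1/$f" || rc=1
        printf '%s %s\n' "$f" "$(perm_of "$1/$f")"
    done
    return $rc
}

# List files and directories that any account on the host can write to,
# printed relative to the store root.
world_writable() {
    find "$1" -perm -o+w ! -type l -print | sed "s|^$1/||" | sort
}

# Stand-alone run against the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    store=$(make_sample_store)
    install_dir_removed "$store" && echo "install/ removed" || echo "install/ still present: delete it"
    lock_down_files "$store"
    echo "world-writable:"; world_writable "$store"
fi
```

Run it with `--demo` to see the report on the sample tree; on a live store, source the file and call `lock_down_files /path/to/store` and `world_writable /path/to/store`. The world-writable list is the one to read carefully: image/cache and similar upload directories usually need to stay writable by the web server, but nothing under admin/ or catalog/ should.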
Okay I went ahead and moved my configs outside the root folder... I decided to leave the admin folder alone unless someone has a good reason to change name. Any other good Security tips? Thanks!
Password protect the admin directory with htpasswd/.htaccess, or use cPanel's built in option.
Or redirect all IP addresses except yours, also using .htaccess:
http://forum.opencart.com/viewtopic.php ... 642#p22346
... though if you don't have a static IP, you have to keep updating the .htaccess with your current IP address.
So, not ideal for dynamic IP addresses.
Okay I went ahead and password protected my admin folder... Any other good Security tips? Thanks!
I had no idea what a 444 was until now. I believed that was the reason why my site got hacked; now I can relax a little.
Do we put 444 on the .htaccess file? Most of my files are showing 644, is that good?
P.S. What does SSL do? I'm not sure how to add this to my site, or am I supposed to leave it out?
Thanks
buckmajor wrote: P.S. What does SSL do? I'm not sure how to add this to my site, or am I supposed to leave it out?
The SSL certificate creates the padlock symbol you see when entering a secure site. To the best of my knowledge, it does two main things: 1) verifies the identity of the site, and 2) encrypts sensitive data when the user sends it to the server (and vice versa). So you use it to secure account login, checkout, and other parts of the process where the user is sending personal data to your server.
To add it to your site:
1. Buy an SSL certificate, from your host, or someone else
2. Install the certificate. Your host might do this, or you might need to do it yourself.
3. In the Opencart admin panel, select system > settings > server > Use SSL: yes, and save.
That should bring up the login and checkout pages as SSL secured.
HTH
Thanks moggin, oh I need to buy this SSL then. How do I know if the SSL works? Is this what they use for internet banking? What I've noticed is the URL has a 'https' and my details in the text field are not stored or remembered.
Good news, I changed the permission numbers for index.php and config.php to 444. Do I also change the .htaccess file to 444?
Thanks
buckmajor wrote: ...How do I know if the SSL works? Is this what they use for internet banking? What I've noticed is the URL has a 'https' and my details in the text field are not stored or remembered.
If SSL is working correctly you'll see the https: and padlock in the browser address bar, when you go to a secured page on your Opencart site. Yes, that's what they use in internet banking, except banks use more expensive, rigorous EV certificates which turn the address bar green (you can buy one too if you want! :))
If SSL doesn't work you'll either see a mild warning and no padlock, or your browser will block you from entering the site with a big, dire-looking warning page!
This latter has just happened to my site, but that's another story

Moggin wrote: Password protect the admin directory with htpasswd/.htaccess, or use cPanel's built in option.
Strange, I have 3 websites and OC is installed in subfolders on 2 of those sites while on the other site OC is in my root home folder. When I password protect the admin folder on the 2 sites that are in subfolders, everything works, but when I password protect the admin folder that is in my root home folder, I get a page not found error when I try to visit the admin section.
Any idea why? Oh yeah, I'm using cPanel's built in password protect option.
EDIT - Ok, I found out why it was giving me a page not found error. The .htaccess was wrong. In order to make the password protect work, the order of your .htaccess file should look like this:
AuthType Basic
AuthName "Whatever you want the name to be"
# AuthUserFile is the absolute path to the htpasswd file, not the folder being protected
AuthUserFile "/absolute/path/to/.htpasswd"
require valid-user
My config.php and admin/config.php files have a file permissions setting of 644. When I set them to 444, and recheck the permissions, they are still set to 644. Is 644 sufficient? Does anyone know why my 444 settings are not being saved? (I am using Arvixe linux option as my webhost)
Thanks in advance.
cPanel is not allowing me to change from 644 to 444, so I will have to settle.
Thanks, Qphoria.
Also look at: Good ideas for Website security
Norman in 't Veldt
Moderator OpenCart Forums
I know the thread is old but found this post on Site Fix It...
http://www.sitefixit.com/scripts/openca ... curity.php
Some good tips on keeping it all secure
I installed opencart through simple scripts on ipage. How do I get rid of the "install folder still exists" flag on my dashboard? I have deleted the sample store and started adding my own products. I am new to this whole thing so I'm kinda lost.