If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:
<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
Then put your .htaccess in your admin folder (or your renamed admin folder, if you have renamed it); you will then be the only person who can log in to your admin back end. (If your IP changes, change the IP address in the file or you will get a page not found error.)
Note: you can still use this if you don't have a fixed IP address, but you will have to change the IP address in this file when your IP changes.
regards
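The same admin/.htaccess as an added example (not the file from the post above), written so that it works on both Apache 2.2 and Apache 2.4: on 2.4 the Order/Deny/Allow directives only exist when mod_access_compat is loaded, and the native form is Require. The addresses 203.0.113.10 and 2001:db8::/48 are documentation ranges standing in for your own. A client that is not on the list receives a 403 Forbidden response, so a 403 in the access log for admin/ is the sign that your own address has changed.

```apache
# Added example, not the thread author's file. Restrict every file in the
# admin directory to fixed addresses. Replace the two sample addresses
# (RFC 5737 / RFC 3849 documentation ranges) with your own.

# Apache 2.2, or 2.4 with mod_access_compat: the syntax used in the thread
<IfModule !mod_authz_core.c>
    <Files *.*>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 2001:db8::/48
    </Files>
</IfModule>

# Apache 2.4 native syntax: several Require lines are OR-ed together,
# everyone else is refused with 403
<IfModule mod_authz_core.c>
    <Files *.*>
        Require ip 203.0.113.10
        Require ip 2001:db8::/48
    </Files>
</IfModule>
```

Because the two IfModule containers test for the same module, exactly one of them is active on any given server, so the file can be dropped in without knowing the Apache version in advance.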
Maybe this helps also.
Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains port or is virtual host.
Instead of setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $_SERVER['SERVER_NAME']);
SERVER_NAME doesn't contain the port part.
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory, but a bad habit nonetheless.
krokodylowy3 wrote:
Maybe this helps also.
Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains port or is virtual host.
Instead of setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);
SERVER_NAME doesn't contain port part.
David
Specializing in secure Hosting 4 OpenCart based eCommerce websites.
Nice part of a layered security approach, if your server allows it. FYI, you really should have a fixed, dedicated IP on the site itself. This helps improve, or allows improvements in, other aspects of site security and operational stability, things such as not ending up on an RBL as a spammer because you share an IP with one.
werepair wrote:
If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:
<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
Then put your .htaccess in your admin folder (or your renamed admin folder, if you have renamed it); you will then be the only person who can log in to your admin back end. (If your IP changes, change the IP address in the file or you will get a page not found error.)
Note: you can still use this if you don't have a fixed IP address, but you will have to change the IP address in this file when your IP changes.
regards
David
Specializing in secure Hosting 4 OpenCart based eCommerce websites.
OK, I don't know if this happened to anybody else, but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images in the file manager. It nearly gave me a heart attack because I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!
My opencart 1.5.1.3 - Going Out Dresses
Just edit the image htaccess file, adding additional lines to include the extension you are trying to upload in place of the xxxx below, including capitalization of them. By default it would let you upload .jpg, for example, but your images may be .JPG or .JPEG, which it would block.
al24 wrote:
OK, I don't know if this happened to anybody else, but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images in the file manager. It nearly gave me a heart attack because I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!
RewriteCond %{REQUEST_FILENAME} !^(.+)\.xxxx$
Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.
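An added example of a complete upload-directory .htaccess (not the file from the original post, which is not reproduced in this thread): it serves only files whose extension is on an allow-list and refuses to execute anything else. The match is case-insensitive ([NC]), so .JPG and .JPEG are treated like .jpg without listing every capitalisation, which is the situation al24 ran into. The extension list is an assumption for a typical image/ folder; add to it what your store actually uploads.

```apache
# Added example, not the vqmod's own file. Place in image/.htaccess.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Refuse (403) any request whose filename does not end in an allowed
    # image extension; NC makes .JPG/.JPEG match as well as .jpg/.jpeg
    RewriteCond %{REQUEST_FILENAME} !\.(jpe?g|png|gif|webp|ico)$ [NC]
    RewriteRule .* - [F]
</IfModule>

# Defence in depth: even if a script file is written into this directory
# (a bad upload, a compromised admin account), never hand it to PHP
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
```

The first block decides what may be served; the second one is the check that matters for security, since an upload directory that can execute PHP turns any file-upload bug into remote code execution. Note that SVG is deliberately not on the list: SVG files can carry script, so they should not be served from an upload directory without sanitisation.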
Did you mean $_SERVER['SERVER_NAME']? It is already filtered by the '$_SERVER = $this->clean($_SERVER);' code.
Nimitz1061 wrote:
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory, but a bad habit nonetheless.
krokodylowy3 wrote:
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $_SERVER['SERVER_NAME']);
Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
SERVER_NAME doesn't contain the port part.
David
What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.
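The two cookie problems raised in this thread, the cookie domain that browsers reject when the host carries a port (krokodylowy3's fix) and the session cookie that is sent over plain HTTP even on an SSL store (aresn's point), as one added PHP example. This is not OpenCart's code: the helper names, the $allowed_hosts list and the sample request array are assumptions. It follows the thread's change to SERVER_NAME, but checks the value against the store's own hostnames, because SERVER_NAME is still derived from the client's Host header unless Apache runs with UseCanonicalName On.

```php
<?php
// Added example, not OpenCart's own code. $server is passed in (normally
// $_SERVER) so the helpers can be called without a web server.

// Cookie domain: SERVER_NAME has no :port part, but it is only trustworthy
// when it is one of the names this store is served on. For anything else,
// return '' so the Domain attribute is omitted and the browser scopes the
// cookie to exactly the host that made the request.
function cookie_domain(array $server, array $allowed_hosts) {
    $name = isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : '';
    return in_array($name, $allowed_hosts, true) ? $name : '';
}

// True when the request arrived over TLS (mod_ssl sets HTTPS=on).
function is_https(array $server) {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// The language cookie from the thread, plus the Secure and HttpOnly flags.
// Returns the parameters used so they can be inspected in a local check;
// setcookie() itself only has an effect before any output is sent.
function set_language_cookie($code, array $server, array $allowed_hosts) {
    $params = array(
        'name'     => 'language',
        'value'    => $code,
        'expires'  => time() + 60 * 60 * 24 * 30,
        'path'     => '/',
        'domain'   => cookie_domain($server, $allowed_hosts),
        'secure'   => is_https($server), // never sent to http:// URLs
        'httponly' => true,              // not readable by page scripts
    );
    if (!headers_sent()) {
        setcookie($params['name'], $params['value'], $params['expires'],
                  $params['path'], $params['domain'],
                  $params['secure'], $params['httponly']);
    }
    return $params;
}

// The session cookie is the one that carries the login. With cookie_secure
// set the session id is never transmitted in clear, which is what makes a
// forced-HTTPS store actually resist the hijack described above.
function start_secure_session(array $server, array $allowed_hosts) {
    ini_set('session.use_only_cookies', '1'); // no session id in the URL
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', is_https($server) ? '1' : '0');
    session_set_cookie_params(0, '/', cookie_domain($server, $allowed_hosts),
                              is_https($server), true);
    return session_start();
}

// Constructed sample environment for a command-line check (not real data)
$sample  = array('SERVER_NAME' => 'shop.example.com', 'HTTPS' => 'on');
$allowed = array('shop.example.com', 'www.shop.example.com');
print_r(set_language_cookie('en', $sample, $allowed));
```

Run from the command line it prints the cookie parameters with secure=1 and domain=shop.example.com; change SERVER_NAME in $sample to a host that is not in $allowed and the domain comes back empty rather than reflecting an attacker-chosen name. Apply start_secure_session() before any output, in place of a bare session_start().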
But this means the folder is still visible and accessible, right?
werepair wrote:
If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:
<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"
Without Files tag?
BTW, are there any files in the admin folder that should be accessible?
The Files tags are fundamental elements of the Apache configuration system. So, no.
iMpr324 wrote:
But this means the folder is still visible and accessible, right?
werepair wrote:
If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:
<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"
Without Files tag?
BTW, are there any files in the admin folder that should be accessible?
You might want to change "put your ip address here" to something more appropriate, like, say, your own IP address.
David
Specializing in secure Hosting 4 OpenCart based eCommerce websites.
Hi David,
Sorry somehow I missed your reply.
Thank you for your help. Some of the questions I was able to figure out myself. If you have a moment, can you please check my website for security? It is http://www.springofhealth.ca. Maybe you will have some recommendations.
Thanks again,
Bob
Just released an OpenCart admin additional security module. Able to add captcha, change the login URL, ban after failed attempts. Details here: http://forum.opencart.com/viewtopic.php?f=123&t=71518
Opencart Options Pro, Reward Points For Review, DISQUS Comment Form,
Dolrich Fortich - Freelance web developer
Hello and thank you for the invaluable info in this post.
My question is, what the devil do you mean by "Create a map called circkel"??? A sitemap? My Google research for this question hasn't resulted in a conclusive answer, so please help me understand this.
cheers,
Todd.
P.S. I suspect it's an incorrect translation due to automated translation.
P.S. Now I get it. I downloaded the zip file at the bottom of the post and cirkel is simply a folder. So where it says "map" it was supposed to say "folder". I thought I'd leave this info here for the next person who searches for it, to hopefully save them some time.
Hi can you help me with this part?
Instantly set config.php in admin and root at CHmod 444
I don't get what CHmod 444 is.
Also could someone clarify this step please?
Create a map called "circkel" in your store root.
Put a .htaccess file in there with:
Deny from all
What is a map?
See the post above yours. map = folder
sleepykidX wrote:
Hi can you help me with this part?
Instantly set config.php in admin and root at CHmod 444
I don't get what CHmod 444 is.
Also could someone clarify this step please?
Create a map called "circkel" in your store root.
Put a .htaccess file in there with:
Deny from all
What is a map?
Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.
I am pretty new to OC and am running the latest version. I am ready to open up my site to the (potentially) many hundreds of people whom I hope will have a look, like something and then buy it!
My problem is the last bit, being the security of the site before I launch it.
I have read the 3 pages of good ideas for website security and I am a little confused.
Can someone explain in quite easy terms what I need to do, and an idiot's guide on how to do it? I would like to make my site as secure as possible, or at least as much as a newb possibly can without wrecking it.
Thanks in advance
My 3 best security practices:
What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.
1. We have the entire site running in SSL and it is forced through htaccess. There is really no reason not to have your whole site running in SSL. The speed decrease is really no issue anymore with today's servers. This should prevent the above legitimate statement.
2. Get a good host!!! We pay serious money for a superb hosting company. We also get charged for the CPU use on the server. But they are very serious about their security and have extensive support to improve my webshop security.
3. We don't store customer data. WHAT??? Yes... we don't store it. This means you have to enter your data every time you purchase something. But... there is also nothing to steal.
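Practice 1 above, forcing the whole store onto SSL through htaccess, as an added example (not the poster's own file). It assumes mod_rewrite and mod_headers are available and that TLS terminates on this Apache, so mod_ssl sets HTTPS=on; behind a TLS-terminating proxy you would test the X-Forwarded-Proto header instead.

```apache
# Added example, not the poster's own file. Root .htaccess of the store.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive over TLS is sent to the same URL on https
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# Once the whole store is on HTTPS, ask browsers to stay there, so a stray
# http:// link never causes a cookie without the Secure flag to be sent in
# clear. Sent only on TLS responses; start with a short max-age and raise it
# once you are sure nothing still needs plain http.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>
```

The redirect stops the store from serving pages over plain HTTP, but on its own it does not stop a browser from sending the session cookie to an http:// URL before the redirect happens; that is why the cookie's Secure flag and the HSTS header belong with it.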
Hello,
Why not just make sure your server is running PHP support in FastCGI and not as an Apache module? Then you will be done with security issues. The permissions are no longer a worry to set right. Plus you are secure!
Thanks!
Gilmore
aresn wrote:
What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.
OK, I would also like to know why nobody is answering this guy regarding the cookie vulnerability. I am also confused why there is now a dedicated section for security on this forum. There is no system that is 100% safe and we should discuss all the problems that can occur and find fixes. Obscurity is not security; this is the first thing anybody should know.