Post by art123 » Sun Sep 04, 2016 2:05 am

Hi,

How do I improve the security of Opencart 2.3.0.2?

I know I should use a strong password, and change the name of the Admin folder. But, are there any other things I should do to improve the security of Opencart 2.3.0.2?

For example, I read I should change the Read/Write permissions of the config.php files, and add a 404.html file to the root folder, amongst other things.

Should I be doing these things? And what else should I be doing to improve the security of Opencart 2.3.0.2?

Thanks

New member

Joined
Thu Jul 31, 2014 8:28 pm

Post by rjcalifornia » Sun Sep 04, 2016 6:06 am

Well:
The following files need to be set to 644 or 444 to prevent anyone else from writing to them:

config.php
index.php
admin/config.php
admin/index.php
system/startup.php

I strongly recommend reading the OpenCart docs on security practices:

http://docs.opencart.com/administration/security/


Active Member

Joined
Fri Sep 02, 2011 1:19 pm
Location - Worldwide
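As an added example (this is not code from the thread or from the OpenCart project), the following POSIX sh script applies the 444 mode to the five files listed above and, more usefully, checks afterwards that none of them is still group- or world-writable. The file list, the function names and the /var/www/html path in the usage comment are assumptions; if you renamed the admin folder, adjust the two admin/ entries.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenCart: lock the files the post
# lists to mode 444 and report anything that is still writable by group/other.
# Assumes a POSIX sh with ls, cut and chmod; the store root is passed as $1.
# Assumption: the admin folder is still called "admin" (edit the list if not).

OC_PROTECTED_FILES="config.php index.php admin/config.php admin/index.php system/startup.php"

# oc_lock_files ROOT: chmod 444 each protected file that exists under ROOT.
# Run as the user that owns the files, or chmod fails and we return 1.
oc_lock_files() {
    root=$1
    for rel in $OC_PROTECTED_FILES; do   # unquoted on purpose: split on spaces
        f="$root/$rel"
        if [ -f "$f" ]; then
            chmod 444 "$f" || return 1
        fi
    done
}

# oc_is_writable_by_others FILE: exit 0 if group or other has write permission.
# Reads the ls -l mode string (positions 6 and 9) so it works on GNU and BSD
# userland alike; stat -c / stat -f differ between the two.
oc_is_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# oc_check_files ROOT: print every protected file that is missing or writable
# by group/other; exit 0 only when every file is present and locked down.
oc_check_files() {
    root=$1
    bad=0
    for rel in $OC_PROTECTED_FILES; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            bad=1
        elif oc_is_writable_by_others "$f"; then
            echo "WRITABLE $f ($(ls -ld "$f" | cut -c1-10))"
            bad=1
        fi
    done
    return $bad
}

# Usage (assumed store root, run as the file owner):
#   oc_lock_files /var/www/html && oc_check_files /var/www/html
```

The check function is the part worth keeping around: a later extension install or an `chmod -R` during troubleshooting quietly reopens these files, and running `oc_check_files` from cron or a deploy script catches that.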

Post by art123 » Sun Sep 04, 2016 8:44 pm

Hi,

1. I also read that you should create a file named 404.html, and put it in your store root. This file will be served to anyone who tries to access something inappropriately.

2. I also read that certain files are wide-open by default. And you should protect these files by creating a .htaccess file with the following code:

# Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for it,
# otherwise replace the two Order/Deny lines with: Require all denied
# Put in /system/ this is inherited by /system/logs/ and every other subdirectory.
<Files *.*>
Order Deny,Allow
Deny from all
</Files>

Then put that .htaccess file in the directories:
/system/
/system/logs/

3. I also read that I should put a .htaccess file in the /catalog/ folder with the following code:
# "Options" in .htaccess needs AllowOverride Options, or Apache answers 500
Options +FollowSymlinks
RewriteEngine On
# [NC] must be on each condition: without it a request for IMAGE.JPG or
# style.CSS matches none of the exceptions and is sent to the 404 page
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$ [NC]
# Anything not in the allow-list above goes to /404.html (served with a 200,
# not a real 404 status); [L] stops further rewriting. Themes that load web
# fonts (.woff, .ttf, .svg, .eot) or .ico from /catalog/ need those added too.
RewriteRule ^(.+)$ /404.html [L]

4. As above, the /image/ folder requires protection as well, and you need a similar .htaccess file to achieve this. Create another .htaccess file in your /image/ folder with this code:
Options +FollowSymlinks
RewriteEngine On
# Same fix as for /catalog/: [NC] on the conditions so upper-case extensions
# (common in uploaded product photos) are not blocked
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
# OpenCart writes resized copies under /image/cache/ with these same extensions,
# so they stay reachable; everything else is sent to the 404 page
RewriteRule ^(.+)$ /404.html [L]

Should I also be doing the 4 things mentioned above for Opencart 2.3.0.2?

New member

Joined
Thu Jul 31, 2014 8:28 pm

Post by rjcalifornia » Mon Sep 05, 2016 12:42 am

Yes, you should, but be cautious when editing code.


Active Member

Joined
Fri Sep 02, 2011 1:19 pm
Location - Worldwide

Post by tingwing » Mon Sep 05, 2016 3:43 pm

Thanks, I need these methods too.

my extension: https://www.opencart.com/index.php?rout ... estshop24h
email: support@bestshop24h.com
site: http://www.bestshop24h.com


Active Member

Joined
Tue Aug 02, 2016 9:01 pm

Post by art123 » Sun Sep 11, 2016 2:20 am

Hi,

On this page 'http://docs.opencart.com/administration/security/' it says the following:

A .htaccess and .htpasswd file in the admin folder will prevent hackers from accessing your store, even if they discover the admin login location. Using .htaccess, you can deny all IP addresses from viewing your store, except the admin's IP address. A .htpasswd in the admin folder will require an additional password for the allowed administrator to access this directory.

What should be written in these files?

Thanks

New member

Joined
Thu Jul 31, 2014 8:28 pm

Post by tingwing » Tue Sep 13, 2016 8:34 pm

The following two articles will teach you how to write .htaccess and .htpasswd:
http://tools.dynamicdrive.com/password/
http://www.htaccesstools.com/htpasswd-g ... r-windows/

They work; I have successfully made them.



Active Member

Joined
Tue Aug 02, 2016 9:01 pm
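The docs passage quoted two posts up asks what actually goes into the admin folder's .htaccess and .htpasswd. As an added example that is not from this thread, the OpenCart docs or the generator sites linked above, the script below writes both files for an Apache 2.4 host: the .htaccess requires a matching source address AND a valid Basic-auth user, and the .htpasswd line is produced with openssl. The admin directory name, the address 203.0.113.10, the user "shopadmin" and all function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenCart project.
# Assumes Apache 2.4 with mod_authn_file, mod_authz_core, mod_authz_host and
# mod_authz_user loaded, AllowOverride AuthConfig,Limit for the vhost, and an
# openssl binary on PATH. Basic auth sends the password base64-encoded only,
# so use this over HTTPS.

# oc_valid_ipv4 ADDR: accept a.b.c.d or a.b.c.d/prefix. A typo in the allowed
# address locks the administrator out too, so refuse to write a malformed one.
oc_valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# oc_admin_htaccess ALLOWED_IP HTPASSWD_ABS_PATH: print the .htaccess body.
# Apache 2.4 syntax; on 2.2 the <RequireAll> block becomes
# "Order Deny,Allow / Deny from all / Allow from <ip>" plus "Satisfy All".
oc_admin_htaccess() {
    allowed_ip=$1
    htpasswd_file=$2
    cat <<EOF
# Restrict the OpenCart admin directory to one source address AND a password.
# <RequireAll> means both must hold: a stolen admin password is useless from
# any other address, and the OpenCart login is still required after this.
AuthType Basic
AuthName "OpenCart administration"
AuthUserFile $htpasswd_file
<RequireAll>
    Require ip $allowed_ip
    Require valid-user
</RequireAll>
EOF
}

# oc_htpasswd_line USER PASSWORD: print "user:$apr1$..." (Apache MD5 crypt).
# Where apache2-utils is installed, "htpasswd -nbB user pass" (bcrypt) is
# stronger; apr1 is used here only because openssl is more widely available.
oc_htpasswd_line() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$1" "$hash"
}

# oc_write_admin_protection ADMIN_DIR_ABS ALLOWED_IP USER PASSWORD
# Writes ADMIN_DIR/.htaccess and ADMIN_DIR/.htpasswd. AuthUserFile must be an
# absolute path (a relative one produces a 500), hence the leading-slash check.
# Apache's default "<Files .ht*> Require all denied" keeps .htpasswd unreadable
# over HTTP; it still belongs outside the web root when your hosting allows.
oc_write_admin_protection() {
    admin_dir=$1; allowed_ip=$2; user=$3; password=$4
    case $admin_dir in
        /*) ;;
        *) echo "admin directory must be an absolute path: $admin_dir" >&2; return 1 ;;
    esac
    [ -d "$admin_dir" ] || { echo "no such directory: $admin_dir" >&2; return 1; }
    oc_valid_ipv4 "$allowed_ip" || { echo "refusing: '$allowed_ip' is not an IPv4 address" >&2; return 1; }
    oc_htpasswd_line "$user" "$password" > "$admin_dir/.htpasswd" || return 1
    chmod 640 "$admin_dir/.htpasswd"
    oc_admin_htaccess "$allowed_ip" "$admin_dir/.htpasswd" > "$admin_dir/.htaccess"
    chmod 644 "$admin_dir/.htaccess"
}

# Usage (assumed renamed admin folder and placeholder address/user):
#   oc_write_admin_protection /var/www/html/admin-x7 203.0.113.10 shopadmin 'long passphrase'
```

Before relying on it, test from the allowed address (expect the browser's password prompt, then the normal OpenCart login) and from any other address (expect 403). If your connection has a dynamic address, allow the provider's /24 rather than a single host, or drop the `Require ip` line and keep only the password; a wrong address here locks you out until you edit the file over SSH or FTP.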