Post by werepair » Sun May 20, 2012 4:18 pm

If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>

Then put your .htaccess in your admin folder (or your renamed admin folder, if you have renamed it). You will then be the only person that can log in to your admin back end. (If your IP changes, then change the IP address in the file, or you will get a "page not found" error.) ;)

Note: you can still use this if you don't have a fixed IP address, but you will have to change the IP address in this file when your IP changes.

regards


Post by krokodylowy3 » Sun May 20, 2012 10:16 pm

Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
Maybe this helps also.
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains a port or is a virtual host.

Instead setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);

SERVER_NAME doesn't contain the port part.


Post by Nimitz1061 » Tue May 22, 2012 10:36 pm

krokodylowy3 wrote:
Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
Maybe this helps also.
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains a port or is a virtual host.

Instead setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);

SERVER_NAME doesn't contain the port part.
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory - but a bad habit nonetheless.

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.



Post by Nimitz1061 » Tue May 22, 2012 10:40 pm

werepair wrote: If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>

Then put your .htaccess in your admin folder (or your renamed admin folder, if you have renamed it). You will then be the only person that can log in to your admin back end. (If your IP changes, then change the IP address in the file, or you will get a "page not found" error.) ;)

Note: you can still use this if you don't have a fixed IP address, but you will have to change the IP address in this file when your IP changes.

regards
Nice part of a layered security approach, if your server allows it. FYI, you really should have a fixed, dedicated IP on the site itself. This helps improve, or allows improvements in other aspects of site security and operational stability. Things such as not ending up on an RBL as a spammer because you share an IP with one....

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.



Post by al24 » Sun May 27, 2012 2:20 pm

Ok, I don't know if this happened to anybody else, but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images in the file manager. It nearly gave me a heart attack cause I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!

My opencart 1.5.1.3 - Going Out Dresses



Post by labeshops » Sun May 27, 2012 9:56 pm

al24 wrote: Ok, I don't know if this happened to anybody else, but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images in the file manager. It nearly gave me a heart attack cause I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!
Just edit the image .htaccess file, adding additional lines to include the extension you are trying to upload in place of the xxxx below, including the capitalization of them. By default it would let you upload .jpg, for example, but your images may be .JPG or .JPEG, which it would block.

RewriteCond %{REQUEST_FILENAME} !^(.+)\.xxxx$

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.



Post by krokodylowy3 » Mon May 28, 2012 1:54 am

Nimitz1061 wrote:
krokodylowy3 wrote:
Qphoria wrote:
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);
SERVER_NAME doesn't contain the port part.
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory - but a bad habit nonetheless.
David
Did you mean $_SERVER['SERVER_NAME']? It is already filtered by '$_SERVER = $this->clean($_SERVER);' code.


Post by aresn » Fri Jun 08, 2012 2:52 am

What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.

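A worked example added here (Python, not OpenCart's own PHP) for the two cookie points in this thread: it derives a cookie domain from an HTTP_HOST value by dropping the port, which is what krokodylowy3's switch to SERVER_NAME achieves, and it builds and audits a Set-Cookie header for the Secure and HttpOnly flags that aresn's session-hijack concern turns on. The hostnames and cookie values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_domain_from_host(http_host: str) -> str:
    """Return the host part of an HTTP_HOST value without the ':port'.
    Browsers reject a Domain attribute that carries a port, which is why a
    cookie set with 'shop.example.com:8080' as domain never arrives.
    Bracketed IPv6 literals such as '[::1]:8080' are handled too."""
    hostname = urlsplit("//" + http_host.strip()).hostname
    if not hostname:
        raise ValueError("no hostname in HTTP_HOST: %r" % http_host)
    return hostname  # urlsplit already lowercases it


def build_session_cookie(name: str, value: str, domain: str,
                         over_https: bool, max_age: int = 30 * 24 * 60 * 60) -> str:
    """Return a Set-Cookie header value. HttpOnly is always set; Secure is
    set only when the site is served over HTTPS, since a Secure cookie is
    never sent back over plain HTTP."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["domain"] = domain
    cookie[name]["max-age"] = max_age
    cookie[name]["httponly"] = True
    if over_https:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def audit_set_cookie(header_value: str, over_https: bool) -> list:
    """Report the problems this thread discusses for one Set-Cookie value:
    a missing Secure flag on an HTTPS site, a missing HttpOnly flag, and a
    Domain attribute that still carries a port."""
    attrs = [p.strip() for p in header_value.split(";")[1:]]
    names = {a.split("=", 1)[0].lower() for a in attrs}
    problems = []
    if over_https and "secure" not in names:
        problems.append("missing Secure")
    if "httponly" not in names:
        problems.append("missing HttpOnly")
    for a in attrs:
        if a.lower().startswith("domain=") and ":" in a.split("=", 1)[1]:
            problems.append("Domain contains a port")
    return problems


# Constructed sample: the header the original HTTP_HOST-based setcookie()
# call would produce behind a host listening on a non-default port.
BAD_HEADER = "language=en; path=/; domain=shop.example.com:8080"
```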

Post by iMpr324 » Thu Jul 05, 2012 1:27 pm

werepair wrote: If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
But this means the folder is still visible and accessible, right?
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"

Without Files tag?
BTW, are there any relevant files in the admin folder that should be accessible?


Post by Nimitz1061 » Mon Jul 09, 2012 5:09 am

iMpr324 wrote:
werepair wrote: If you want to secure the admin with .htaccess and you have a fixed IP address, create a .htaccess file like below:

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
But this means the folder is still visible and accessible, right?
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"

Without Files tag?
BTW, are there any relevant files in the admin folder that should be accessible?
The files tags are fundamental elements of the Apache configuration system. So, no.

You might want to change "put your ip address here" to something more appropriate, like, say - your own IP address.

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.



Post by bobwhite » Thu Jul 26, 2012 2:33 am

Hi David,
Sorry somehow I missed your reply.
Thank you for your help. Some of the questions I was able to figure out myself. If you have a moment, can you please check my website for security? It is: http://www.springofhealth.ca Maybe you will have some recommendations.
Thanks again,
Bob


Post by dolrichfortich » Fri Jul 27, 2012 9:00 am

Just released an OpenCart admin additional security module. Able to add captcha, change the login URL, ban after failed attempts. Details here: http://forum.opencart.com/viewtopic.php?f=123&t=71518

Opencart Options Pro, Reward Points For Review, DISQUS Comment Form,
Dolrich Fortich - Freelance web developer


Post by toddzy » Tue Jul 31, 2012 12:52 pm

Hello and thank you for the invaluable info in this post.

My question is, what the devil do you mean by "Create a map called circkel"??? a sitemap? my google research for this question hasn't resulted in a conclusive answer, so please help me understand this.

cheers,
Todd.

p.s. I suspect it's an incorrect translation due to automated translation.
p.s. Now I get it. I downloaded the zip file at the bottom of the post and cirkel is simply a folder. So where it says "map" it was supposed to say "folder". I thought I'd leave this info here for the next person who searches for it, to hopefully save them some time.


Post by sleepykidX » Mon Sep 03, 2012 5:46 am

Hi can you help me with this part?
Instantly set config.php in admin and root at CHmod 444

I don't get what CHmod 444 is.

Also could someone clarify this step please?

Create a map called "circkel" in your store root.
Put a .htaccess file in there with:

Deny from all

What is a map?


Post by labeshops » Mon Sep 03, 2012 6:00 am

sleepykidX wrote: Hi, can you help me with this part?
Instantly set config.php in admin and root at CHmod 444

I don't get what CHmod 444 is.

Also could someone clarify this step please?

Create a map called "circkel" in your store root.
Put a .htaccess file in there with:

Deny from all

What is a map?
See the post above yours. map = folder

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.



Post by acewoodturner » Sat Nov 03, 2012 12:18 am

I am pretty new to OC and am running the latest version. I am ready to open up my site to the (potentially) many hundreds of people whom I hope will have a look, like something and then buy it!
My problem is the last bit, being the security of the site before I launch it.
I have read the 3 pages of good ideas for website security and I am a little confused.
Can someone explain in quite easy terms what I need to do, and an idiot's guide on how to do it? I would like to make my site as secure as possible, or at least as much as a newb possibly can without wrecking it.

Thanks in advance


Post by psycmos » Thu Dec 27, 2012 6:45 pm

This guide works perfect!!! thankz for all and special thkz for rph developer, "Secure Random Password" Extension works perfect!!!!! BIG THANKZ!!!!!!! :D all the best!!!


Post by peter2000 » Fri Jan 11, 2013 5:16 am

What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.
My 3 best security practices:

1. We have the entire site running in SSL and it is forced through .htaccess. There is really no reason not to have your whole site running in SSL. The speed decrease is really no issue anymore with today's servers. This should prevent the above legitimate statement.

2. Get a good host!!! We pay serious money for a superb hosting company. We also get charged for the CPU use on the server. But they are very serious about their security and have extensive support to improve my webshop security.

3. We don't store customer data. WHAT??? Yes... we don't store it. This means you have to enter your data every time you purchase something. But... there is also nothing to steal.


Post by Gilmore » Thu Jan 24, 2013 11:33 am

Hello,
Why not just make sure your server is running PHP support in FastCGI and not as an Apache module? Then you will be done with security issues. The permissions are no longer a worry to set right. Plus you are secure!

Thanks!

Gilmore



Post by hypemedia » Tue Mar 26, 2013 5:08 pm

aresn wrote: What I do not understand is why nobody actually takes my comment about the non-secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information, all I have to do to steal your customers' info is hijack their insecure session cookie to steal their session and their information.

Ok, I would also like to know why nobody is answering this guy regarding the cookie vulnerability. I am also confused why there is no dedicated section for security on this forum. There is no system that is 100% safe, and we should discuss all the problems that can occur and find fixes. Obscurity is not security; this is the first thing anybody should know.
