Re: [updated 16-12-12] Good ideas for Website security
Posted: Fri Jun 21, 2013 12:58 am
by mameha
How do I rename the /admin/ directory?
I tried simply renaming the directory via FTP, but that did not work. Presumably I need to amend the htaccess to rewrite my custom directory name to /admin/. I think this should be explained in the online manual:
http://docs.opencart.com/display/openca ... +practices
Re: [updated 16-12-12] Good ideas for Website security
Posted: Fri Jun 21, 2013 2:51 pm
by mameha
OK I found the answer by chance in the comments of another post.
To change the /admin/ dir you have to change the directory name by FTP and then also update the /admin/config.php to use the new directory name. This info should be put in the documentation.
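The rename step described above (move the directory, then point admin/config.php at the new name), as an added Python example that is not from this thread or from OpenCart itself. The config text is constructed: the constant names follow OpenCart 1.5.x admin/config.php, but the host, filesystem paths and database user are placeholders. The point of the example is the check a practitioner wants: only the trailing /admin/ path segment of each define() value is replaced, so a database user that happens to be called admin, or an install path such as /home/admin/public_html/, is not clobbered by a blanket find-and-replace.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample of admin/config.php. Constant names follow OpenCart 1.5.x;
# the host, paths and DB user are placeholders, not values from a real store.
SAMPLE_CONFIG = """<?php
// HTTP
define('HTTP_SERVER', 'http://www.example.com/admin/');
define('HTTP_CATALOG', 'http://www.example.com/');

// DIR
define('DIR_APPLICATION', '/var/www/html/admin/');
define('DIR_SYSTEM', '/var/www/html/system/');
define('DIR_CATALOG', '/var/www/html/catalog/');

// DB
define('DB_USERNAME', 'admin');
define('DB_PREFIX', 'oc_');
"""

# The new name must be a single path segment: no slashes, no '..', no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def rewrite_admin_paths(config_text: str, new_name: str) -> str:
    """Return config_text with every '/admin/' segment that closes a quoted
    define() value replaced by '/<new_name>/'.

    Only a trailing '/admin/' immediately before the closing quote is touched,
    so 'admin' used as a DB user name or in the middle of an install path is
    left exactly as it was.
    """
    if not NAME_RE.match(new_name):
        raise ValueError("new admin directory name must be a single path segment")
    return re.sub(r"/admin/(?=['\"])", "/%s/" % new_name, config_text)


def rename_admin(store_root: Path, new_name: str) -> Path:
    """Rename <store_root>/admin to <store_root>/<new_name> and update the
    config.php inside it. Refuses to overwrite an existing directory."""
    old_dir = store_root / "admin"
    new_dir = store_root / new_name
    if new_dir.exists():
        raise FileExistsError("%s already exists" % new_dir)
    old_dir.rename(new_dir)
    config = new_dir / "config.php"
    updated = rewrite_admin_paths(config.read_text(encoding="utf-8"), new_name)
    config.write_text(updated, encoding="utf-8")
    return new_dir


def demo(new_name: str = "not4you_min") -> dict:
    """Build a throwaway store layout in a temp dir, run the rename and report
    what changed. The temp dir is removed afterwards."""
    root = Path(tempfile.mkdtemp(prefix="oc_demo_"))
    try:
        (root / "admin").mkdir()
        (root / "admin" / "config.php").write_text(SAMPLE_CONFIG, encoding="utf-8")
        new_dir = rename_admin(root, new_name)
        return {
            "old_dir_exists": (root / "admin").exists(),
            "new_dir_exists": new_dir.exists(),
            "config": (new_dir / "config.php").read_text(encoding="utf-8"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo()["config"])
```

Run it against a copy of the store first; after the real rename, the DB_USERNAME line in the output is the quick visual check that nothing beyond the two path constants was altered.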
Re: [updated 16-12-12] Good ideas for Website security
Posted: Tue Jul 30, 2013 12:50 am
by thomash2
What's the difference between using, for the catalog and image directories, the recommended .htaccess from the
1) OpenCart documentation:
<FilesMatch "\.(php|tpl|txt)$">
Order Deny,Allow
Deny from all
</FilesMatch>
2) What the OP recommends:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /circkel/ [NC]
3) And if I change the RewriteRule to:
RewriteRule ^([^?]*) /index.php?_route_=$1 [L,QSA]
or if I have a 404.html page:
RewriteRule ^(.+)$ /404.html [NC]
What's the difference between ^(.+)$ and ^([^?]*)?
And between [NC] and [L,QSA]?
Thanks!
Re: [updated 16-12-12] Good ideas for Website security
Posted: Tue Jul 30, 2013 1:17 am
by thomash2
When I try to access /catalog/controller/account/account.jpg the server actually shows me that account.php exists. Any way to hide it?
Multiple Choices
The document name you requested (/catalog/controller/account/account.jpg) could not be found on this server. However, we found documents with names similar to the one you requested.
Available documents:
/catalog/controller/account/account.php (common basename)
Is it also secure if I added this for 404?
ErrorDocument 404 /index.php?_route_=$1
Re: [updated 16-12-12] Good ideas for Website security
Posted: Tue Jul 30, 2013 3:39 pm
by thomash2
I found topics about the 300 error multiple choice, which is a problem with 1and1. The solution was to add to the root .htaccess file this line:
CheckSpelling off
And then I added also:
ErrorDocument 404 /index.php?_route_=$1
ErrorDocument 403 /index.php?_route_=$1
Do I need the [NC] or [L,QSA]?
With these lines, most of the errors I encounter from wrong or restricted addresses send me to the opencart file not found page.
In the catalog and image folders, I followed the OP's method, but changed the last line to:
RewriteRule ^([^?]*) /index.php?_route_=$1 [NC]
Any security issues with what I've done?
Thanks
Re: [updated 16-12-12] Good ideas for Website security
Posted: Wed Oct 02, 2013 7:20 am
by spirit
I can't understand why the OpenCart team doesn't publish an official/full guide about security improvements.
Thanks.
Re: [updated 16-12-12] Good ideas for Website security
Posted: Wed Oct 02, 2013 9:24 pm
by labeshops
spirit wrote: I can't understand why the OpenCart team doesn't publish an official/full guide about security improvements.
Thanks.
That's pretty much what this thread is. There are different server configurations and not all hosts allow users to make changes in a shared environment, so trying to publish 1 complete guide would be pretty difficult.
Re: [updated 16-12-12] Good ideas for Website security
Posted: Thu Oct 03, 2013 12:11 am
by spirit
labeshops wrote: spirit wrote: I can't understand why the OpenCart team doesn't publish an official/full guide about security improvements.
Thanks.
That's pretty much what this thread is. There are different server configurations and not all hosts allow users to make changes in a shared environment, so trying to publish 1 complete guide would be pretty difficult.
Not exactly, mate; there are tons of good practices that you can use on any Linux server really.
This topic is just adding extra confusion for many people.
Why does the team not order all the useful information, like in a guide?
Unfortunately I'm not part of the team and I'm not an expert on security either, so I can't do anything to help people.
Re: Good ideas for Website security
Posted: Fri Oct 04, 2013 9:27 pm
by madimar
For the same reason as labeshops, I added the [NC] tag after each RewriteCond in .htaccess. This way .JPG, etc. are not blocked!
M
labeshops wrote: al24 wrote: OK, I don't know if this happened to anybody else, but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images in the file manager. It nearly gave me a heart attack 'cause I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!
Just edit the image .htaccess file, adding additional lines to include the extension you are trying to upload in place of the xxxx below, including capitalization. By default it would let you upload .jpg for example, but your images may be .JPG or .JPEG, which it would block.
RewriteCond %{REQUEST_FILENAME} !^(.+)\.xxxx$
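Two questions in this thread come down to how Apache evaluates that chain of negated RewriteCond lines: thomash2 asked what separates ^(.+)$ from ^([^?]*) and [NC] from [L,QSA], and labeshops and madimar hit uploads named .JPG being blocked until [NC] was added. The Python below is an added example, not code from the thread or from OpenCart; it simulates the condition chain from the OP's catalog/image .htaccess on constructed sample paths. Facts it relies on: consecutive RewriteCond lines are ANDed, a leading ! negates a condition, [NC] makes the match case-insensitive, [L] stops processing further rules and [QSA] appends the original query string to the rewrite target; the query string is never part of the path a RewriteRule pattern is matched against, so [^?] excludes nothing in practice and the two patterns differ only on the empty path (a request for the directory itself), which (.+) refuses and [^?]* accepts. The simulation matches the tail of the path rather than the full filesystem path Apache puts in %{REQUEST_FILENAME}; for these extension patterns that makes no difference.

```python
import re

# Extensions the OP's image/catalog .htaccess lets through, one RewriteCond each.
ALLOWED_EXTENSIONS = ("jpg", "jpeg", "png", "gif", "css", "js")


def build_conditions(nocase: bool = False):
    """One compiled regex per 'RewriteCond %{REQUEST_FILENAME} !^(.+)\\.ext$' line.
    nocase=True mirrors appending [NC] to every RewriteCond."""
    flags = re.IGNORECASE if nocase else 0
    return [re.compile(r"^(.+)\." + ext + r"$", flags) for ext in ALLOWED_EXTENSIONS]


def rule_fires(path: str, nocase: bool = False, pattern: str = r"^(.+)$") -> bool:
    """Return True when the RewriteRule would rewrite the request for `path`
    (i.e. send it to /index.php, /404.html or wherever the rule points).

    Apache ANDs consecutive RewriteCond lines and each one here is negated ('!'),
    so the rule fires only when the path matches NONE of the allowed-extension
    patterns AND the RewriteRule pattern itself matches the path.
    Simplification (assumption of this example): the path is matched directly
    instead of the full filesystem path Apache uses for %{REQUEST_FILENAME}.
    """
    for cond in build_conditions(nocase):
        if cond.match(path):  # a negated condition fails -> whole rule is skipped
            return False
    return re.match(pattern, path) is not None


def classify(paths, nocase: bool = False, pattern: str = r"^(.+)$") -> dict:
    """Map each sample path to 'served' or 'rewritten' under the given flags."""
    return {
        p: ("rewritten" if rule_fires(p, nocase, pattern) else "served")
        for p in paths
    }


# Constructed sample requests against the catalog/ and image/ directories.
SAMPLE_PATHS = [
    "controller/account/account.php",  # PHP source: should never be served
    "data/logo.jpg",
    "data/logo.JPG",                   # uploaded with an upper-case extension
    "data/style.css",
    "",                                # the directory itself
]

if __name__ == "__main__":
    for nocase in (False, True):
        print("RewriteCond flags: %s" % ("[NC]" if nocase else "(none)"))
        for p, verdict in classify(SAMPLE_PATHS, nocase).items():
            print("  %-35r %s" % (p, verdict))
```

Without [NC] the run shows data/logo.JPG as rewritten alongside account.php, which is exactly the blocked-upload symptom; with [NC] it is served while the .php file stays blocked, so adding the flag does not weaken the rule's purpose. Swapping the RewriteRule pattern for ^([^?]*) changes only the verdict for the empty path.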
Re: [updated 16-12-12] Good ideas for Website security
Posted: Wed Jan 22, 2014 10:08 pm
by evansourav
After renaming the admin folder, all vqmod extensions stop working.
What can be done about that?
Re: [updated 16-12-12] Good ideas for Website security
Posted: Wed Feb 19, 2014 1:30 am
by jekatoxic
I am thinking about whether it's conceivable to simply make a module/add-on that will immediately do all these prescribed movements. If it's a conceivable module, I'd pay for it, in the event that it's not excessively dear.
Re: [updated 16-12-12] Good ideas for Website security
Posted: Wed Feb 26, 2014 9:11 pm
by Cleo
.
Re: [updated 16-12-12] Good ideas for Website security
Posted: Sat Apr 26, 2014 4:37 am
by IP_CAM
mameha wrote: How do I rename the /admin/ directory? I tried simply renaming the directory via FTP, but that did not work.
If you try to rename a directory via some FTP clients, it will work only if no browser is linked with an 'active' page from this sub, which temporarily prevents the sub from being renamed. So try it repeatedly, until it's 'free' to accept your command. ACTIVE means a page containing certain 'active' elements.
I had such occurrences; because of this, I know...
Ernie
Re: [updated 16-12-12] Good ideas for Website security
Posted: Tue Sep 02, 2014 3:42 am
by Evans
Hi, I followed this advice from this thread when setting up my store:
The folder: admin
Well, it starts with the name, which is wrong; take a pretty cryptic name, e.g. "not4you_min".
Then change the admin\config.php and replace "admin" with "the_new_name".
Contrary to claims in other topics, always use a .htpasswd / .htaccess "admin" (mostly done via your cPanel or Flexpanel).
It's unlikely that a hacker knows how to find your admin with the new name, and if found, the .htpasswd stops him at a very high level.
The chances are a lot smaller to get past the .htaccess, and if they do they still have to get past the second Admin login.
What I did was password protect my admin folder from cPanel. It worked fine...until today when I made my store live. Then I kept getting a 404 error when going to the admin address. I removed the .htaccess file and could then get to the OC default log in page. I can't work out why it's not working now (but worked fine when in maintenance mode). I would really like the extra layer of protection. Can anyone suggest please what should be in the file?
Re: [updated 16-12-12] Good ideas for Website security
Posted: Tue Sep 02, 2014 10:09 pm
by Evans
I found out what to add; it's:
ErrorDocument 401 default
at the top of the .htaccess file. Just thought I'd add it in case anyone else has the same problem.