Post by gamerevolt » Tue Aug 31, 2010 4:53 am

Version 1.4.9
Clean Install

I have followed the install instructions and the store is working, but I have a question... I don't see anywhere in the documentation or forums on steps to take after installing on how to secure the site... Please advise steps that should be taken to secure. Rename Admin? Move Config outside Root Folder? Un-Chmod folders from install? Thanks!

Newbie

Posts

Joined
Tue Aug 31, 2010 4:49 am

Post by Qphoria » Tue Aug 31, 2010 5:10 am

well there should be a big pink banner in the admin that warns if the install folder wasn't deleted.
Setting config.php and admin/config.php to 444 would be a worthwhile step.
Might also be good to set index.php to 444 to avoid any outside script attacks, as these typically try to edit all index.php and config.php files globally.

You could rename the admin folder if you like. Be sure to also change the paths within the admin/config.php file. Be warned though, if you rename admin, the standard process of uploading custom modules is to drag and drop the catalog and admin folders right into your ftp. You will need to manually copy the files in the "admin" folder of the module to your custom-named admin folder on your site.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by gamerevolt » Wed Sep 01, 2010 4:41 am

Okay I went ahead and moved my configs outside the root folder... I decided to leave the admin folder alone unless someone has a good reason to change name. Any other good Security tips? Thanks!

Newbie

Posts

Joined
Tue Aug 31, 2010 4:49 am

Post by Moggin » Wed Sep 01, 2010 6:34 am

Password protect the admin directory with htpasswd/.htaccess, or use cPanel's built in option.

Or redirect all IP addresses except yours, also using .htaccess:
http://forum.opencart.com/viewtopic.php ... 642#p22346

... though if you don't have a static IP, you have to keep updating the .htaccess with your current IP address.
So, not ideal for dynamic IP addresses.

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by gamerevolt » Wed Sep 01, 2010 10:15 pm

Okay I went ahead and password protected my admin folder... Any other good Security tips? Thanks!

Newbie

Posts

Joined
Tue Aug 31, 2010 4:49 am

Post by buckmajor » Wed Sep 01, 2010 11:20 pm

I had no idea what a 444 until now ;D . I believed that was the reason why my site got hacked, now I can relax a little.

Do we put 444 on the .htaccess file? Most of my files are showing 644, is that good?

http://www.dmaireroa.com


New member

Posts

Joined
Tue May 04, 2010 11:29 am
Location - Brisbane

Post by buckmajor » Wed Sep 01, 2010 11:33 pm

P.S What does SSL do? I'm not sure how to add this to my site, or am I suppose to leave it out?

Thanks

http://www.dmaireroa.com


New member

Posts

Joined
Tue May 04, 2010 11:29 am
Location - Brisbane

Post by Moggin » Thu Sep 02, 2010 3:38 am

buckmajor wrote:P.S What does SSL do? I'm not sure how to add this to my site, or am I suppose to leave it out?

Thanks
The SSL certificate creates the padlock symbol you see when entering a secure site. To the best of my knowledge, it does two main things: 1) verifies the identity of the site, and 2) encrypts sensitive data when the user sends it to the server (and vice versa). So you use it to secure account login, checkout, and other parts of the process where the user is sending personal data to your server.

To add it to your site:

1. Buy an SSL certificate, from your host, or someone else
2. Install the certificate. Your host might do this, or you might need to do it yourself.
3.In the Opencart admin panel, select system > settings > server > Use SSL: yes, and save.
That should bring up the login and checkout pages as SSL secured.

HTH

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by buckmajor » Thu Sep 02, 2010 9:01 am

Thanks moggin, oh I need to buy this SSL then. How do I know if the SSL works? Is this what they use for internet banking? What I've noticed is the URL has a 'https' and my details in the text field is not stored or remembered.

Good news, I changed the permission numbers for index.php and config.php to 444. Do I also change the .htaccess file to 444?

Thanks

http://www.dmaireroa.com


New member

Posts

Joined
Tue May 04, 2010 11:29 am
Location - Brisbane

Post by Moggin » Fri Sep 03, 2010 4:15 am

buckmajor wrote:...How do I know if the SSL works? Is this what they use for internet banking? What I've noticed is the URL has a 'https' and my details in the text field is not stored or remembered.

Thanks
If SSL is working correctly you'll see the https: and padlock in the browser address bar, when you go to a secured page on your Opencart site. Yes, that's what they use in internet banking, except banks use more expensive, rigorous EV certificates which turn the address bar green (you can buy one too if you want!:))

If SSL doesn't work you'll either see a mild warning and no padlock, or your browser will block you from entering the site with a big, dire-looking warning page!
This latter has just happened to my site, but that's another story :-[

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by buckmajor » Fri Sep 03, 2010 5:01 pm

Thanks Moggin, that makes so much sense now.

CHEERS :)

http://www.dmaireroa.com


New member

Posts

Joined
Tue May 04, 2010 11:29 am
Location - Brisbane

Post by Moggin » Fri Sep 03, 2010 11:17 pm

sure, glad to help 8)

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by HTMLCSSNoob » Thu Sep 23, 2010 3:50 pm

Moggin wrote:Password protect the admin directory with htpasswd/.htaccess, or use cPanel's built in option.
Strange, I have 3 websites and OC is installed in subfolders on 2 of those sites while on the other site OC is in my root home folder. When I password protect the admin folder on the 2 sites that are in subfolders, everything works, but when I password protect the admin folder that is in my root home folder, I get a page not found error when I try to visit the admin section.

Any idea why? Oh yeah, I'm using cPanel's built in password protect option.

EDIT - Ok, I found out why it was giving me a page not found error. The .htaccess was wrong. In order to make the password protect work, the order of your .htaccess file should look like this:

Code: Select all

AuthType Basic
AuthName "Whatever you want the name the be"
AuthUserFile "Whatever folder you want password protected"
require valid-user
I had AuthType as number 3 on the list, which is why I was getting an error, so I switched it to the above order and it stated working.

Active Member

Posts

Joined
Fri Aug 20, 2010 7:53 am

Post by glolar » Thu Mar 03, 2011 11:05 am

My config.php and admin/config.php files have a file permissions setting of 644. When I set them to 444, and recheck the permissions, they are still set to 644. Is 644 sufficient? Does anyone know why my 444 settings are not being saved? (I am using Arvixe linux option as my webhost)

Thanks in advance.

Increase Your Child's I.Q.
iPad Wallpapers
Turtle & Tortoise Screen Savers


User avatar
Active Member

Posts

Joined
Thu Jul 29, 2010 12:35 pm
Location - San Diego, CA

Post by Qphoria » Thu Mar 03, 2011 12:16 pm

many hosts run php where they are the owner so you can not change the chmod lower than 644 or higher than 755. This is usually fine and designed to protect everyone. You can usually still force 444 in the cpanel filemanager

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by glolar » Thu Mar 03, 2011 1:07 pm

cPanel is not allowing me to change from 644 to 444, so I will have to settle.

Thanks, Qphoria.

Increase Your Child's I.Q.
iPad Wallpapers
Turtle & Tortoise Screen Savers


User avatar
Active Member

Posts

Joined
Thu Jul 29, 2010 12:35 pm
Location - San Diego, CA

Post by i2Paq » Thu Mar 03, 2011 2:37 pm


Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by strigona » Thu Jul 07, 2011 11:33 pm

Hi, in terms of security has much changed between 1.4.9 and 1.5.0? I haven't found a good thread regarding securing 1.5.0.

Thanks

New member

Posts

Joined
Thu Jul 07, 2011 11:31 pm

Post by Shogun » Sat Sep 10, 2011 3:49 am

I know the thread is old but found this post on Site Fix It...

http://www.sitefixit.com/scripts/openca ... curity.php

Some good tips on keeping it all secure :)

New member

Posts

Joined
Mon Jul 04, 2011 2:00 pm

Post by Jim D » Wed Feb 22, 2012 5:57 am

I installed opencart through simple scripts on ipage how do i get rid of the (install folder still exists flag)on my dashboard? I have deleated the sample store and started adding my own products.I am new to this whole thing so I'm kinda lost.

Newbie

Posts

Joined
Sun Feb 19, 2012 4:17 am
Who is online

Users browsing this forum: No registered users and 15 guests