I've deleted the install directory.
I've not renamed the admin folder because this seems like it would cause issues, and it doesn't seem like it would fool a determined hacker.
Are the .htaccess and .htpasswd recommendations worth doing - considering that my IP address changes on a regular basis?
I also have the file permissions set as recommended.
Please share your thoughts.
Apache Server
OC 3.0.3.8
No theme installed
- Don't use warez modules;
- Use complex passwords. Don't invent them yourself, use generators;
- Don't use the default names like admin, rename them;
- Create separate accounts (FTP / admin panel) for contractors (freelancers), disable them upon completion of work;
- Watch for changes in files;
- Use backup;
My FREE extensions in marketplace. [ security | flexibility | speedup ]
Ninja Firewall
https://nintechnet.com/ninjafirewall/pro-edition
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
Matt Horton wrote: ↑Fri Aug 18, 2023 8:56 pm
> Reading through the 'Security Practices' in the documentation - how important is all of this?

All good things to do.
A lot of hacks are caused by bots that try adding /admin to random domains so changing that is a good thing usually.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
Matt Horton wrote: ↑Mon Aug 21, 2023 8:38 pm
> Thanks for the recommendations. Do you have any preferred software for checking for changes in files?

Yes, this extension is named FSMonitor. You can find it here.
My FREE extensions in marketplace. [ security | flexibility | speedup ]
halfhope wrote: ↑Tue Aug 22, 2023 4:50 am
> Matt Horton wrote: ↑Mon Aug 21, 2023 8:38 pm
> > Thanks for the recommendations. Do you have any preferred software for checking for changes in files?
>
> Yes, this extension is named FSMonitor. You can find it here.

That looks pretty interesting.
Also our OpenCart Technical Audit checks all core files against the correct version of OpenCart:
https://www.antropy.co.uk/services/technical-audit/
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
Code:
<Files *.*>
Order Deny,Allow
Deny from all
Allow from "your ip address"
</Files>
However, for the Catalog, it only recommends:
Code:
<FilesMatch "\.(php|twig|txt)$">
Order Deny,Allow
Deny from all
Allow from "your ip address"
</FilesMatch>
Should I use the code that is recommended for the System folder in the Admin folder too?
Apache Server
OC 3.0.3.8
No theme installed
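The thread leaves open what to do when your IP address changes (the .htpasswd half of the recommendation), so here is an added example, not from the thread or the OpenCart documentation, of the same restrictions written in Apache 2.4 `Require` syntax; the Order/Deny/Allow lines quoted above are Apache 2.2 syntax and only work on 2.4 through mod_access_compat. The admin rule accepts either a trusted address range or a valid .htpasswd login, so a home address that changes simply falls back to the password prompt. The file names, the address range and the .htpasswd path are placeholders.

```apache
# admin/.htaccess (assumed file; Apache 2.4 syntax, needs AllowOverride AuthConfig or All)
AuthType Basic
AuthName "Restricted admin"
# placeholder path: keep the password file outside the web root
AuthUserFile /var/www/private/.htpasswd
<RequireAny>
    # placeholder range: a fixed office network gets in without a password
    Require ip 203.0.113.0/24
    # everyone else, including a home address that changes, must log in
    Require valid-user
</RequireAny>

# catalog/.htaccess: refuse direct requests to scripts and templates, but leave
# the theme assets under catalog/view (css, js, images) reachable
<FilesMatch "\.(php|twig|txt)$">
    Require all denied
</FilesMatch>

# system/.htaccess: nothing under system/ (the documentation's logs/error.txt included)
# is ever requested by a browser, so refuse everything
Require all denied
```

Check it from an address outside the allowed range: a request for /admin/ should answer 401 until credentials are supplied, while a stylesheet under catalog/view should still load.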
Matt Horton wrote: ↑Tue Aug 29, 2023 9:01 pm
> Why not just deny access to all files in the Catalog folder?

Some of the theme assets will be in the catalog/view directory.

> Should I use the code that is recommended for the System folder in the Admin folder too?

It's a good idea if you only access from a fixed IP address to limit access to the admin from your own IP addresses.
"The system folder contains two files that need to be protected: logs/error.txt and start_up.php. The logs/error.txt can be renamed if necessary."
Is the .htaccess that blocks every IP address apart from mine enough to protect these files?
Is it a security recommendation to rename logs/error.txt, or would it be renamed for another reason?
Apache Server
OC 3.0.3.8
No theme installed
Matt Horton wrote: ↑Sat Sep 30, 2023 5:10 am
> Is it a security recommendation to rename logs/error.txt, or would it be renamed for another reason?

No, you can't just rename those. You just need to make sure they can't be browsed by the general public, which is the case by default anyway.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
v3.0.4.0 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.
Joe1234 wrote: ↑Tue Oct 03, 2023 10:46 am
> @halfhope, the FSMonitor, is it checking for modified date, or file size change? Because if it's checking for date, if I'm monitoring the modification directory, doesn't every file in the directory get a new date when a mod is refreshed, so I wouldn't be able to see which file someone actually changed? Vs if it compares file size.

FSMonitor checks the CRC32 of file content, creation/modification time, file size, and permissions at the same time. So in any case, FSMonitor would react to any changes. What exactly was changed will be highlighted in a table. Also, you can always exclude storage/modification from scanning.
P.S. todo: add modification and database structure monitoring.
My FREE extensions in marketplace. [ security | flexibility | speedup ]
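An added example, not FSMonitor's own code (which the thread does not show), of the comparison halfhope describes: a baseline of CRC32, size, mtime and permission bits for every file, a diff that names which attribute changed, and an exclusion for storage/modification. The sample shop tree is constructed in a temporary directory; it shows that a timestamp-only change (Joe1234's mod-refresh case) is reported as mtime alone, while a content change shows up through CRC32 and size even when the timestamp is put back. Creation time is left out because Python's stat does not report it portably.

```python
import os
import tempfile
import zlib
from pathlib import Path

DEFAULT_EXCLUDES = ("storage/modification",)  # rewritten on every mod refresh, so skipped


def file_fingerprint(path: Path) -> dict:
    """Attributes the post says FSMonitor compares: CRC32, size, mtime, permissions."""
    st, crc = path.stat(), 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
    return {"crc32": crc, "size": st.st_size, "mtime": int(st.st_mtime), "mode": st.st_mode & 0o777}

def snapshot(root: str, excludes=DEFAULT_EXCLUDES) -> dict:
    """Baseline of every regular file under root, keyed by POSIX relative path."""
    root_path, result = Path(root), {}
    for p in sorted(root_path.rglob("*")):
        rel = p.relative_to(root_path).as_posix()
        if p.is_file() and not any(rel == e or rel.startswith(e + "/") for e in excludes):
            result[rel] = file_fingerprint(p)
    return result

def diff_snapshots(old: dict, new: dict) -> dict:
    """Added/removed paths plus, per modified file, which attributes changed."""
    modified = {}
    for rel in sorted(set(old) & set(new)):
        changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "modified": modified}

def run_demo() -> tuple:
    with tempfile.TemporaryDirectory() as root:  # constructed sample shop tree
        r = Path(root)
        (r / "admin").mkdir()
        (r / "storage" / "modification").mkdir(parents=True)
        (r / "admin" / "index.php").write_bytes(b"<?php // entry\n")
        (r / "admin" / "config.php").write_bytes(b"<?php // constructed\n")
        (r / "storage" / "modification" / "a.php").write_bytes(b"<?php\n")  # excluded
        base = snapshot(root)
        # 1) timestamp-only change (what a mod refresh looks like): CRC32 and size unchanged
        os.utime(r / "admin" / "index.php", (1_000_000_000, 1_000_000_000))
        # 2) content changed but original mtime restored: CRC32 and size still catch it
        (r / "admin" / "config.php").write_bytes(b"<?php // constructed\n// changed\n")
        os.utime(r / "admin" / "config.php", (base["admin/config.php"]["mtime"],) * 2)
        (r / "admin" / "extra.php").write_bytes(b"<?php\n")  # 3) a new file appears
        return base, diff_snapshots(base, snapshot(root))
```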