Tutorial 9 - Improving OpenCart Security
It doesn't take a lot of tricks to improve OpenCart security. OpenCart is open source, which means anyone can read its code, find bugs in it, and exploit them.
Don't panic: with a few extra settings in OpenCart we can make it more secure.
1. Securing Admin Folder
Among the steps that are often taken to increase the security of OpenCart is renaming the Admin folder.
Why? Because the admin folder can be accessed easily by everyone: when people open /admin, they immediately see the login page.
As you know, attackers can brute-force the login page to guess usernames and passwords.
If your website is already online you will need a file manager. Use cPanel or an FTP client and rename the admin folder to whatever name you want, for example /admin_53124.
Now we have to tell the system the new name. Edit the config.php file in the admin folder; you will find several lines containing the word "admin".
Replace that word with the name of the new admin folder in the HTTP_SERVER, HTTPS_SERVER, and DIR_APPLICATION constants.
// HTTP
define('HTTP_SERVER', 'http://your-store.com/admin_53124/');
define('HTTP_CATALOG', 'http://tokoanda.com/opencart/');
// HTTPS
define('HTTPS_SERVER', 'http://your-store.com/admin_53124/');
define('HTTPS_CATALOG', 'http://your-store.com/');
// DIR
define('DIR_APPLICATION', '/opt/lampp/htdocs/opencart/admin_53124/');
After that, save the file.
2. Post-Installation Security
The second way to increase security on OpenCart is post-installation security. After installation you can do the following:
- Make sure to delete the install folder. Use cPanel or an FTP client.
- Change the permissions of config.php and index.php, both in the website root directory and in the admin folder, and of startup.php in the system folder. Set the file permissions to 444.
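As an added example (not code from the tutorial), here is a small POSIX shell audit that checks the section 1 and 2 steps on an OpenCart tree: the admin folder name is passed as an argument, and make_fixture builds a constructed tree so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an OpenCart tree for the
# section 1 and 2 steps (admin folder renamed and config.php updated,
# install/ removed, config.php / index.php / startup.php set to mode 444).
# make_fixture builds a constructed tree so the script runs offline.
# 0 when HTTP_SERVER, HTTPS_SERVER and DIR_APPLICATION in $1 all end in /$2/.
config_points_to() {
  for c in HTTP_SERVER HTTPS_SERVER DIR_APPLICATION; do
    grep -E "define\('$c', *'[^']*/$2/'\)" "$1" >/dev/null || return 1
  done
}
# 0 when $1 is mode 444 (ls shows -r--r--r--).
is_readonly() { [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-r--r--r--" ]; }

# audit ROOT ADMIN: print each finding, return the number of findings.
audit() {
  root="$1"; admin="$2"; n=0
  [ ! -d "$root/install" ] || { echo "install/ still present"; n=$((n+1)); }
  [ ! -d "$root/admin" ]   || { echo "default admin/ folder still exists"; n=$((n+1)); }
  [ -d "$root/$admin" ]    || { echo "$admin/ not found"; n=$((n+1)); }
  config_points_to "$root/$admin/config.php" "$admin" \
    || { echo "$admin/config.php still points at the old folder"; n=$((n+1)); }
  for f in config.php index.php "$admin/config.php" "$admin/index.php" system/startup.php; do
    is_readonly "$root/$f" || { echo "$f is not mode 444"; n=$((n+1)); }
  done
  return "$n"
}

# Build a constructed, already hardened tree under $1 with admin folder $2.
make_fixture() {
  mkdir -p "$1/$2" "$1/system"
  cat > "$1/$2/config.php" <<EOF
<?php
define('HTTP_SERVER', 'http://your-store.com/$2/');
define('HTTPS_SERVER', 'https://your-store.com/$2/');
define('DIR_APPLICATION', '/opt/lampp/htdocs/opencart/$2/');
EOF
  for f in config.php index.php "$2/index.php" system/startup.php; do : > "$1/$f"; done
  chmod 444 "$1/config.php" "$1/index.php" "$1/$2/config.php" "$1/$2/index.php" "$1/system/startup.php"
}

# Demo: the clean fixture has no findings; re-adding install/ produces one.
DEMO=$(mktemp -d)
make_fixture "$DEMO" admin_53124
audit "$DEMO" admin_53124 && echo "clean tree: no findings"
mkdir "$DEMO/install"
audit "$DEMO" admin_53124 || echo "findings after re-adding install/: $?"
rm -rf "$DEMO"
```

Run it against a real install as `audit /path/to/store admin_53124`; a non-zero exit status is the count of steps still missing.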
3. Protect Admin Directory
Protect Admin Directory with Password
If you have changed the admin folder name, you can now add a password to access the renamed admin directory. The consequence is that you have to log in twice, possibly with a different password each time, but this is safer of course.
Make sure that this password is also not easy to guess: use a combination of letters, numbers, and upper- and lower-case characters.
To give the admin directory password protection, log in to your website's cPanel and open the file manager. Right-click the folder you want to protect and select Password Protect from the menu. A new page then appears for setting the username and password.
Prevent Access to Admin folder By IP
By creating a .htaccess file we can deny access from IP addresses that we don't use. To do this, create a .htaccess file in the website's main directory and add the following code.
# BAN USER BY IP
order deny,allow
deny from all
allow from XX.XX.XX.XX
allow from YY.YY.YY.YY
Replace the allow from entries with the IP addresses you use. Some people say that an IP address can be manipulated. However, to do so, other people would first need to know your real IP. This will secure access to your OpenCart admin folder.
Prevent Illegal Access to FTP
We automatically get an FTP account every time we rent hosting. You can delete unused FTP accounts. A .ftpaccess file specifies which folders a specific FTP user can view, and we can further filter by IP.
Create a .ftpaccess file with the following code. Don't forget to put the IP addresses you are using in the Allow lines.
DenyAll
Allow XX.XX.XX.XX
Allow YY.YY.YY.YY
Then upload it to the folder you want to hide. If the FTP account is accessed from an IP other than the allowed ones, those folders will be hidden.
Prevent Illegal Access to System Folder
Disallow all direct access to the system folder by creating an .htaccess file with the following code.
Order Deny,Allow
Deny from all
Put it in /system/ and in /system/logs/.
Secure Catalog Folder
This folder contains your images, JavaScript files, and template files; anything other than those should not be accessible. To enforce that, create an .htaccess file with the following code.
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /404.html [NC]
Only the allowed file types (jpg, jpeg, png, gif, css, and js) are served; every other type is blocked. So whenever someone or something requests a prohibited file type (like PHP), the request is rewritten to the 404.html file.
Secure Image Folder
This folder contains your images; anything other than images should not be accessible. To enforce that, create an .htaccess file with the following code.
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /404.html [NC]
Whenever someone or something requests a prohibited file type (like PHP), the request is rewritten to the 404.html file.
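Before uploading the two .htaccess files it helps to see which request paths the allowlist chain will serve and which it will rewrite to /404.html. The POSIX shell emulation below is an added example, not part of the tutorial; the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: emulate the allowlist .htaccess rules
# for catalog/ and image/ to see which request paths are served and which are
# rewritten to /404.html.
CATALOG_EXTS="jpg jpeg png gif css js"   # "Secure Catalog Folder" rules
IMAGE_EXTS="jpg jpeg png gif"            # "Secure Image Folder" rules

# 0 when $1 ends in one of the extensions $2.., otherwise 1.
# Each RewriteCond is !^(.+)\.ext$ with no [NC] flag, so, as here, the
# comparison is case-sensitive and needs at least one character before the dot.
asset_allowed() {
  p="$1"; shift
  for ext in "$@"; do
    case "$p" in ?*".$ext") return 0 ;; esac
  done
  return 1
}

# route PATH: print "serve" or "/404.html" for a path relative to the web root.
route() {
  case "$1" in
    catalog/*) set -- "$1" $CATALOG_EXTS ;;
    image/*)   set -- "$1" $IMAGE_EXTS ;;
    *)         echo "no-rule"; return 0 ;;
  esac
  if asset_allowed "$@"; then echo serve; else echo /404.html; fi
}

# Demo on constructed request paths
for p in catalog/view/theme/default/stylesheet/stylesheet.css \
         catalog/controller/common/home.php \
         catalog/view/theme/default/template/common/footer.twig \
         image/catalog/logo.png \
         image/catalog/LOGO.JPG; do
  printf '%-58s -> %s\n' "$p" "$(route "$p")"
done
```

Note that LOGO.JPG is rewritten to /404.html: the [NC] flag sits on the RewriteRule, not on the RewriteCond lines, so either keep asset extensions lower-case or add [NC] to each RewriteCond.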
4. Setting Up the OpenCart Administration Page
OpenCart Administration Page Settings
Some settings in the OpenCart administration page can increase security.
Limit User Access
If your OpenCart website is managed by multiple users, giving them different permissions is the right choice. For example, if a user is only in charge of adding products, give that user access to the product pages only. These access rights are set in System → Users → User Groups, where you tick the permissions each user group should have, and in System → Users → Users, where you assign each user to a user group.
Disable Display Error
By default the feature to display errors is active in OpenCart. This is useful during development, but once the store is live it is recommended to disable it so that sensitive information is not shown to the public when an error occurs. Go to System → Settings, edit one of the stores, switch to the Server tab, and select No under Display Errors.
Enable SSL on OpenCart
SSL (Secure Sockets Layer) ensures that user passwords and customer data cannot be intercepted during transmission. Activating it on OpenCart takes several steps. First, edit the config.php file in the admin folder and change the HTTPS section from:
// HTTPS
define('HTTPS_SERVER', 'http://your-store.com/admin/');
define('HTTPS_CATALOG', 'http://your-store.com');
to:
// HTTPS
define('HTTPS_SERVER', 'https://tokoanda.com/admin/');
define('HTTPS_CATALOG', 'https://tokoanda.com');
Force HTTPS
To redirect every HTTP request to HTTPS, add the following rules to the .htaccess file in the website's main directory (RewriteEngine On must already be set there):
# redirect from http to https
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
We must also enable SSL in the admin settings.
Go to System → Settings → Edit and edit your store. Move to the Server tab and select "Yes" for Use SSL.
Don't Use Common Words for User
Don't use common admin usernames such as admin, administrator, or user, so that the account is not easy to break into.
Use Strong Passwords
One could say that a good password is one that is hard to remember because it is so complicated, or at least one that cannot be guessed easily. Make sure you have a strong password for your OpenCart user.
5. Remove Opencart Copyright Information
Improve OpenCart security by removing the OpenCart copyright information. There is no problem with removing "Powered by OpenCart", because OpenCart is open source and its developers allow it.
Edit the following files:
catalog/view/theme/[default]/template/common/footer.twig
Then remove :
{{ powered }}
6. Update Opencart Version
Make sure you are using the most recent version of OpenCart.
7. Install the HP Admin Security Module
Install the HP Admin Security module that we have created to improve OpenCart security. This module increases the security of your OpenCart online store by preventing direct access to the admin folder. Without the need to rename the admin folder, you just generate a key that must be included in the URL; without this key, people will not reach the admin login page.
Curious how it works? Read more about HP Admin Security features.
8. Move Storage Directory
The storage directory is the default directory that OpenCart uses for its internal needs, such as cache, upload, and modification. By default this folder is located in system/storage. This is not recommended because it can create a security issue. In OpenCart version 3 the storage folder can be moved wherever you wish to increase the security of your OpenCart online store. You can read the tutorial here: Change Storage Directory.
That's the article about Improving OpenCart Security.