How To Secure Your OpenCart Website (Improve OpenCart Security)

OpenCart is not inherently secure, and the fact that it is open-source (so everyone can read its internal code and know its file/folder structure) makes it even more susceptible to attacks. Here are several methods that show you how to secure your OpenCart website.


Essential Steps To Do After Installation

  1. Immediately delete the /install/ directory
  2. chmod the config.php file in both the root and /admin/ directories to 444 (read-only for everyone, including the web server user)
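To verify that both post-install steps were actually applied, here is an added Python check (example code, not from the article and not part of OpenCart). It builds a constructed sample tree, audits it, applies the two steps and audits again. The function names and the sample tree are assumptions for illustration; only the /install/ directory name and the two config.php paths come from the steps above.

```python
import os
import shutil
import stat
import tempfile

# Files the post-install steps say to lock down to mode 444 (read-only for everyone).
CONFIG_FILES = ("config.php", os.path.join("admin", "config.php"))
INSTALL_DIR = "install"


def make_sample_store(root):
    """Build a minimal, constructed OpenCart-like tree for demonstration only."""
    os.makedirs(os.path.join(root, INSTALL_DIR), exist_ok=True)
    os.makedirs(os.path.join(root, "admin"), exist_ok=True)
    with open(os.path.join(root, INSTALL_DIR, "index.php"), "w") as f:
        f.write("<?php // constructed installer stub\n")
    for rel in CONFIG_FILES:
        with open(os.path.join(root, rel), "w") as f:
            f.write("<?php // constructed config stub\n")
        os.chmod(os.path.join(root, rel), 0o644)  # typical fresh-install mode


def audit_post_install(root):
    """Return a list of findings; an empty list means both steps are done."""
    findings = []
    if os.path.isdir(os.path.join(root, INSTALL_DIR)):
        findings.append("/install/ directory still present")
    for rel in CONFIG_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append(f"{rel} missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o444:
            findings.append(f"{rel} mode is {oct(mode)}, expected 0o444")
    return findings


def harden_post_install(root):
    """Apply the two steps: remove /install/ and chmod the config files to 444.

    Returns the audit result after hardening, so callers can confirm success."""
    install = os.path.join(root, INSTALL_DIR)
    if os.path.isdir(install):
        shutil.rmtree(install)
    for rel in CONFIG_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            os.chmod(path, 0o444)
    return audit_post_install(root)


def demo():
    """Build the constructed tree and return (findings before, findings after)."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_store(root)
        before = audit_post_install(root)
        after = harden_post_install(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run audit_post_install against your real store root to confirm the state; harden_post_install is the same two steps in code, so it is destructive and should only be run on a fresh installation.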

Creating A Proper 404 Error Page

Create a file named 404.html in your store root (the base directory of your OpenCart store). You can put anything in the file. This file will be served to anyone who requests a file that the rules in the later sections prohibit.

Securing The /admin/ Folder

  1. To obscure the /admin/ folder, rename it to a more uncommon name, such as /hahaha/. Next, edit the file /admin/config.php and replace the folder name admin with hahaha (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change. E.g. change define('HTTP_SERVER', 'http://www.yourdomain.com/admin/'); to define('HTTP_SERVER', 'http://www.plastictravelbottles.com/hahaha/');
  2. Password protect your admin folder with htpasswd. If you're on cPanel web hosting, you can do this easily with the Password Protect Directories feature. This method requires you to log in twice, but it's well worth it.

Securing The /system/ Folder

Certain files are wide-open by default. If you have installed OpenCart in your root directory, just go to http://www.yourdomain.com/system/logs/error.log and you can download your error log, even as an anonymous visitor. You should protect these files, so create a .htaccess file with the following code:

<Files *.*>
Order Deny,Allow
Deny from all
</Files>

Then put that .htaccess file in the following 2 directories (note that Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and the native equivalent is Require all denied):

  1. /system/
  2. /system/logs/

Securing The /catalog/ Folder

This folder contains your images, JavaScript files, and template files. Nothing other than that should be served, but that's not the case by default. Just look at http://www.yourdomain.com/catalog/controller/account/address.php. You can see that the PHP file is still executed rather than blocked, which poses a security risk. Either a malicious user can gather clues about your system from the resulting error output, or, if the malicious user finds a way to upload his own malicious PHP file, your whole system could be in jeopardy.

The solution is to put a .htaccess file (we really love .htaccess) in the /catalog/ folder with the following code:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$ [NC]
RewriteRule ^(.+)$ /404.html [NC]

This way, anything other than the allowed file types of jpg, jpeg, png, gif, css, and js is blocked. Whenever someone or something requests a prohibited file type (such as PHP), the request is rewritten to the 404.html file you created earlier in this tutorial.

Securing The /image/ Folder

As above, the /image/ folder requires protection as well, and a similar .htaccess file achieves this. Create another .htaccess file in your /image/ folder with this code:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$ [NC]
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$ [NC]
RewriteRule ^(.+)$ /404.html [NC]

Note: If you use other file types in your /catalog/ or /image/ directories such as .swf or .flv, then you have to add another RewriteCond line to the .htaccess for that specific file extension. The extension match is case-sensitive unless the RewriteCond carries the [NC] flag, so if your files use upper-case extensions such as .JPG, either add [NC] to each RewriteCond or add a second RewriteCond for the upper-case form. If the Options line produces a 500 error, your host's AllowOverride setting does not permit Options in .htaccess; remove that line, but check with your host that FollowSymLinks or SymLinksIfOwnerMatch is enabled in the server configuration, because mod_rewrite in a .htaccess file requires one of them.
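As an added example (not the article's own code and not part of OpenCart), the following Python script renders the article's .htaccess pattern for any extension allowlist, such as the .swf or .flv case in the note above, and emulates how the chain of negated RewriteCond lines decides a request, for both the /catalog/ and /image/ rules. The function names are assumptions and the request paths are constructed. It goes beyond the article in one respect: it treats the extension match as case-insensitive (the [NC] flag on each RewriteCond), which is what an upper-case .JPG file name needs.

```python
import re

# Extension allowlists from the two .htaccess files in the article.
CATALOG_EXTS = ("jpg", "jpeg", "png", "gif", "css", "js")
IMAGE_EXTS = ("jpg", "jpeg", "png", "gif")


def build_htaccess(allowed_exts, fallback="/404.html"):
    """Render the article's .htaccess pattern for a given extension allowlist.

    Each extension becomes one RewriteCond, the way the article's note suggests
    for .swf or .flv; [NC] makes the match case-insensitive so FOO.JPG is not
    wrongly sent to the fallback page."""
    lines = ["Options +FollowSymlinks", "RewriteEngine On"]
    for ext in allowed_exts:
        lines.append(r"RewriteCond %{REQUEST_FILENAME} !^(.+)\." + re.escape(ext) + "$ [NC]")
    lines.append(f"RewriteRule ^(.+)$ {fallback} [NC]")
    return "\n".join(lines) + "\n"


def request_allowed(filename, allowed_exts, case_insensitive=True):
    """Emulate the RewriteCond chain.

    The conditions are ANDed, so the RewriteRule fires only when the filename
    matches none of the allowed extensions. Returns True when Apache would serve
    the file as-is, False when the request is rewritten to the fallback page."""
    flags = re.IGNORECASE if case_insensitive else 0
    for ext in allowed_exts:
        if re.search(r"^(.+)\." + re.escape(ext) + "$", filename, flags):
            return True  # one condition fails, so no rewrite happens
    return False


def classify(filenames, allowed_exts, case_insensitive=True):
    """Map each constructed request path to 'serve' or '404' for readability."""
    return {
        f: ("serve" if request_allowed(f, allowed_exts, case_insensitive) else "404")
        for f in filenames
    }


# Constructed request paths (what REQUEST_FILENAME would hold for each request).
CATALOG_REQUESTS = (
    "/var/www/store/catalog/view/theme/default/stylesheet/stylesheet.css",
    "/var/www/store/catalog/view/javascript/common.js",
    "/var/www/store/catalog/controller/account/address.php",
    "/var/www/store/catalog/view/theme/default/template/common/header.tpl",
)
IMAGE_REQUESTS = (
    "/var/www/store/image/data/logo.JPG",
    "/var/www/store/image/cache/product-500x500.png",
    "/var/www/store/image/data/uploaded.php",
)

if __name__ == "__main__":
    print(build_htaccess(CATALOG_EXTS + ("swf", "flv")))
    for path, verdict in classify(CATALOG_REQUESTS, CATALOG_EXTS).items():
        print(f"{verdict:5} {path}")
    for path, verdict in classify(IMAGE_REQUESTS, IMAGE_EXTS).items():
        print(f"{verdict:5} {path}")
    # Without [NC] the upper-case .JPG would be blocked:
    print(classify(IMAGE_REQUESTS[:1], IMAGE_EXTS, case_insensitive=False))
```

Two things the emulation makes visible: the rules look only at the final extension, so they stop requests for .php and .tpl files but say nothing about how a file got into the directory, and the original article's conditions without [NC] block an image saved as logo.JPG, which is exactly the breakage several readers report in the comments.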


About Site Fixit!

Sam is a professional web designer and web developer. He has over 15 years of experience with web-related technologies, and loves making things work.


47 Responses to “How To Secure Your OpenCart Website (Improve OpenCart Security)”

  1. Jan Says:

    Thanks for posting. Great article. I will tweet this to all my followers, thank you.

    Reply

  2. Pat Says:

    Thanks for sharing, please keep this info updated. Love to read more of it.

    Reply

  3. Newb Says:

    Thanks a lot really helpful!

    Reply

  4. Geoff Says:

    Dude, this post is nonsense. Placing a .htaccess in your root folder with “Deny from all” will break your site as no *.php scripts can be displayed.

    Reply

  5. Mirakl Says:

    Thanks for sharing

    Reply

  6. Suz Says:

    Very useful, especially when we just started with Opencart for our business. Thanks!

    Reply

  7. Marvin M Says:

    Hi, thanks for the tips. However, I don’t agree with “OpenCart is not inherently secure”. OpenCart is one of the most secure carts I’ve used. All the recommendations given are just, as your title clearly states, ways to improve OpenCart (or any other website) security… These are common practices any web developer should implement in any website.

    Reply

  8. gaffy Says:

    None of this makes a difference.. files and .css and images are still accessible through page source.
    You can test this for yourself: go to your website, right-click the homepage, click on view page source, scroll down a little and you’ll see the link to your .css stylesheet file, click it and it opens up in a text window,
    then file and save the stylesheet.

    How do we prevent this then?
    Well I know how :)

    Reply

    • Site Fixit! Says:

      CSS and images *should* be allowed to load, *if* they are legit files from legit locations, otherwise your site wouldn’t display properly. We are only interested in preventing them from running in unauthorised places.

      Reply

      • Jeremy Says:

        Unless I’m misunderstanding this, when I add that .htaccess file to my image folder, I can still go and create a new webpage, use the image source from my product page on a test.htm page, upload it to a completely different domain name, and image still displays. Should I be expecting it to reject it since it’s hotlinking directly from my website to another website?

        Thanks for the tips!

        Reply

        • Site Fixit! Says:

          Well, if you have hotlinking protection. However, the article actually is referring to the running of prohibited file-types in an images directory.

          Reply

  9. tk Says:

    Hello,

    Thanks for sharing. May I know how to secure downloadable products and folder?

    Reply

  10. Sara Says:

    Thanks for this!

    Reply

  11. Nando Says:

    Hi Site Fixit!
    I followed the steps but when I create the .htaccess file in the /catalog/ folder, the site breaks! No CSS, no formatting.. I’m running everything local (localhost), does it matter?
    Thanks for the tips and the help..

    Reply

    • Site Fixit! Says:

      Does using a blank .htaccess file cause the same problems?

      Reply

      • Tony Says:

        We had the same problem with the htaccess file in the /catalog/ folder. I discovered this issue because our web host was blocking our IP from using FTP and accessing the website in our browsers. Our host says they discovered “Options +FollowSymlinks” in the .htaccess file was generating too many 500 errors and our IP was getting blocked. Does this sound plausible? Any ideas for a workaround? We want our site to be secure but don’t have the option to change web hosts.

        Reply

        • UF Says:

          Hi there

          Me too, followed your instructions and no images will appear, and no css – very odd.

          Any pointers – was just about to put my site live this week.

          HELP

          Reply

          • Answer Says:

            The .htaccess is case-sensitive. So if your extensions are like *.JPG AND *.jpg, use both versions in the .htaccess file:

            RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
            RewriteCond %{REQUEST_FILENAME} !^(.+)\.JPG$

            … and for all other extensions that use upper case do the same.
            Helped us out.

  12. fred Says:

    very useful tips thanks for sharing

    Reply

  13. Rao Says:

    I just started using OpenCart & this article helped me secure my site. Thanks!

    Reply

  14. vending Says:

    thank you. it helps very much

    Reply

  15. Lori Says:

    Great article and very useful tips I’ve now implemented. Having had my former cart software hacked on one of my stores, any little measures I can take to prevent that nightmare is great. Thanks for the info.

    Reply

  16. bierman Says:

    How can I fix this? I tried the first step, I’m now trying to access my admin page and I get a 403 error. I tried setting the chmod back to default but this is still giving me the 403 error. How can I fix this?

    Reply

  17. Suhas Shinde Says:

    You’re great, man, it’s a very good solution,
    but only the 404.html page is not getting diverted.

    Reply

  18. lin Says:

    Awesome! I was looking for some help with this. Thanks!

    Reply

  19. Moe Says:

    Thank you i am in the process of creating a website using OpenCart and have followed your simple instructions. I got it to work first time well done!

    Reply

  20. scale a chiocciola Says:

    There is a module to rename the admin folder. I hope someone will build a module to add all of these tips to secure OpenCart too, without losing so much time doing it manually.

    Reply

  21. krokodylowy3 Says:

    Good page. Very necessary because Daniel deletes all threads with security tips and alarms on the OpenCart forum!

    Look at http://blog.spiderlabs.com
    A default OC installation can be successfully attacked with an exploit
    that uses the dauto_prepend_file security hole in PHP.
    Just check your access logs for URLs like
    GET /index.php?-dallow_url_include%3don+-dauto_prepend_file …
    or POST /config.php?w1566t=1

    Check your php.ini for
    allow_url_fopen = Off;
    allow_url_include = Off;
    #disable injection
    auto_prepend_file =
    expose_php = Off;
    display_errors = Off;
    display_startup_errors = Off ;
    register_globals = Off;
    #add eval to list
    disable_functions = exec,shell_exec,passthru,system,eval,show_source,proc_open,popen,parse_ini_file,dl;

    If you are not the Apache administrator then modify .htaccess with
    #Block access to configuration files like config.php

    <Files config.php>
    Order deny,allow
    Deny from all
    </Files>

    # Use this rule if you can’t configure apache or php.ini
    RewriteEngine On
    RewriteCond %{QUERY_STRING} auto_prepend_file
    RewriteRule ^(.*)$ - [F,L]

    Apache administrators can also filter out all requests with auto_prepend_file

    Reply
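A defender-side check for the two things the comment above points at, the access-log indicators and the php.ini settings, as an added Python example that is not the commenter's code and not part of OpenCart. The log lines and the php.ini fragment are constructed (the IP addresses are from documentation ranges), and the function names are assumptions. The query-string decoder treats + as a space, the way Apache decodes form-encoded query strings, so the %3d/+ encoded form in the comment is matched.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log lines (combined format) for demonstration only.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2013:10:01:02 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2013:10:01:09 +0000] "GET /index.php?-dallow_url_include%3don+-dauto_prepend_file HTTP/1.1" 200 220 "-" "curl/7.29"
198.51.100.7 - - [10/May/2013:10:01:11 +0000] "POST /config.php?w1566t=1 HTTP/1.1" 200 0 "-" "curl/7.29"
203.0.113.9 - - [10/May/2013:10:02:30 +0000] "GET /image/data/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# php.ini directives that a request should never be able to name in its query string.
SUSPICIOUS_DIRECTIVES = ("auto_prepend_file", "allow_url_include", "allow_url_fopen")


def query_string_directives(target):
    """Return php.ini directive names passed as -d options in the query string."""
    if "?" not in target:
        return []
    query = unquote_plus(target.split("?", 1)[1])  # %3d -> '=', '+' -> ' '
    return [m.group(1) for m in re.finditer(r"(?:^|\s)-d\s*([A-Za-z_]+)", query)]


def scan_access_log(text):
    """Flag requests that smuggle php.ini directives or hit config.php directly.

    Returns a list of (client ip, request target, reason) tuples."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        path = target.split("?", 1)[0]
        directives = [d for d in query_string_directives(target) if d in SUSPICIOUS_DIRECTIVES]
        if directives:
            hits.append((m.group("ip"), target, "php-ini directive in query: " + ",".join(directives)))
        elif path.endswith("/config.php"):
            hits.append((m.group("ip"), target, "direct request to config.php"))
    return hits


# Values the comment recommends; the php.ini fragment below is constructed.
EXPECTED_INI = {
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
    "expose_php": "Off",
    "display_errors": "Off",
    "display_startup_errors": "Off",
    "register_globals": "Off",
}
SAMPLE_INI = """\
; constructed php.ini fragment
allow_url_fopen = On
allow_url_include = Off
expose_php = On
display_errors = Off
display_startup_errors = Off
disable_functions = exec,shell_exec,passthru,system,eval,show_source,proc_open,popen,parse_ini_file,dl
"""


def check_php_ini(text, expected=EXPECTED_INI):
    """Return {directive: actual value or None} for every directive that deviates.

    None means the directive is not set explicitly, so the build-in default applies."""
    actual = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            actual[key] = value
    return {k: actual.get(k) for k, v in expected.items() if actual.get(k, "").lower() != v.lower()}


if __name__ == "__main__":
    for ip, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {reason:55} {target}")
    print("php.ini deviations:", check_php_ini(SAMPLE_INI))
```

One caveat on the commenter's disable_functions line: eval is a language construct, not a function, so listing it in disable_functions has no effect; the other entries in that list are real functions and are disabled as expected.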

  22. Bharat Veeranki Says:

    Is it possible to redirect to the default opencart error page instead of having a custom 404.html page? I am not sure what I need to put in the htaccess to go to that page.

    Reply

  23. John Reeves Says:

    NO, you should NOT password-protect the admin directory because if you do, then vqmod will no longer work because the xml files depend on reading from that directory structure. Also, if you rename the admin folder, you will need to edit many of the vqmod xml files because they are hard-coded with admin as the folder name.

    Reply

  24. John Reeves Says:

    Vqmod will NOT install properly if you rename the admin folder because it writes to the index.php file in the admin folder. “admin” is hard-coded into vqmod.

    Reply

  25. Mika Says:

    Hi mate, thanks for posting such useful article :D regards.

    Reply

  26. ideep13 Says:

    OK, I guess I am the only one who doesn’t get it.. :/

    1. After I changed the name for admin folder, as well the (‘HTTP_SERVER’, ‘http://www.yourdomain.com/admin/’); to define(‘HTTP_SERVER’, ‘http://www.plastictravelbottles.com/hahaha/’);
    I get the error:
    Notice: Error: Could not load language english! in /home/content/70/8653470/html/vqmod/vqcache/vq2-system_library_language.php on line 27

    2. Is creating a .htaccess file a simple text file with no extension (made in text edit for example..)?

    3. Does a .htaccess file include anything else beside instructions of Site Fixit? Is this made correct?

    a) first .htaccess = system + system/log + root? folder

    Order Deny,Allow
    Deny from all

    b) second .htaccess= image folder

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
    RewriteRule ^(.+)$ /404.html [NC]

    c) third .htaccess = catalog folder
    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
    RewriteRule ^(.+)$ /404.html [NC]

    4. I don’t use cPanel..
    How do I protect the admin password on GoDaddy? Is htpasswd different from the one on GoDaddy? I have options to check.. what do I need to check?

    5. How to check if 404.html is working ?

    I hope if anyone can answer this. My life would be easier. Thank you.

    Best regards

    Reply

  27. Henry Says:

    Thanks for the post. Does this only work immediately after you have installed or is it ok to make changes after tweaks have been made?

    I guess back up first and try is the obvious answer!

    Thanks anyway bro

    Reply

  28. Yossarian Says:

    Thank you, Sam!

    Reply

  29. jake Says:

    Is it possible to secure the downloads folder, to prevent direct link downloads and to stop search engines crawling the downloads folder?
    thanks

    Reply

  30. satya Says:

    Hi ,

    Thanks a lot for this great tutorial.
    I have implemented all steps (Admin folder name is not hahaha:-) )

    now i feel safe….

    Reply

  31. Dev Chauhan Says:

    Hi Sam , Thanks A Lot !!
    Love You

    Reply

  32. Alvin Says:

    Wow, amazing blog layout!

    you made blogging look easy. The overall look of your
    website is fantastic, let alone the content!

    Reply

  33. satish Says:

    How do i stop hotlink for images ?

    Reply

    • Site Fixit! Says:

      In your website control panel (CPanel is an example), you should be able to find the link for “Hotlink protection”. That allows you to stop hotlinking of images. I use Vodien hosting and it’s working great for me.

      Reply

  34. Maria Says:

    Hi,

    Great, very helpful article, thanks so much!

    One question: Someone indicated in the comments that renaming the admin folder and password protecting it interferes with VQmod. Is this still correct? I’m using OpenCart version 2.0.3.1.

    Many thanks!

    Reply
