/ OpenCart

Securing your OpenCart 1.5.x store

I thought I would post this one as I have been getting a lot of messages recently from people who have had their site hacked or disabled by some shady characters. Some people have had site data taken and others appear not to have lost anything apart from face but getting your site hacked can leave that shaky, intrusive feeling attributed to those who have their house robbed!

So, I’m going to share a few tips here on how to increase the security of your OpenCart store and protect yourself from shady people who want your store down for fun or fortune! Remember, you should approach things like passwords with due care as well as following the tips in this tutorial. I’m not saying that choosing “password” for your password is asking for it exactly, but you’re definitely not doing yourself any favours…

Security tip 1: Delete your OpenCart installation folder

This is a fairly common tip across any software which you install on a site but remember to delete the installation folder once everything is up and running. OpenCart has a little error message which pops up when in the Admin section if the folder is still present but do yourself a fovour and delete it right away, you don’t want people to be able to reset all of your connections and overwrite all of your hard work!

Security tip 2: Secure the OpenCart config files

Second to deleting your OpenCart store’s installation folder, you want to be making sure that no one can trick their way into your config files. If they get in then they know the details of your site structure as well as your database details. Keep the files safe and change the permissions to 444 for both of these files:

  • config.php
  • admin/config.php

Security tip 3: Change your admin folder location

OpenCart, much like WordPress, has a default admin login page which anybody who has used the software before will be familiar with. As WordPress has wp-admin, OpenCart has the [DOMAIN_NAME]/admin section which anybody can get onto. not many people realise that it is fairly easy to change this folder and hide it somewhere else, easily telling OpenCart where it is for later.

Rename your admin folder to something else which is far harder for a hacker to get into, such as [DOMAIN_NAME].com/RJKJKSU. The just open up:

  • config.php
  • admin/config.php

Then just do a quick “Find and Replace” to change all instances of the word admin with the folder name you have chosen, in this case RJKRSU. Your config file should look something like:

define('HTTP_SERVER', 'http://domain.com/ocart/');
define('HTTP_IMAGE', 'http://domain.com/ocart/image/');
define('HTTP_ADMIN', 'http://domain.com/ocart/RJKJKSU/');

define('HTTPS_SERVER', 'http://domain.com/ocart/');
define('HTTPS_IMAGE', 'http://domain.com/ocart/image/');

// DIR
define('DIR_APPLICATION', 'domain.com/httpdocs/ocart/catalog/');
define('DIR_SYSTEM', 'domain.com/httpdocs/ocart/system/');
define('DIR_DATABASE', 'domain.com/httpdocs/ocart/system/database/');
define('DIR_LANGUAGE', 'domain.com/httpdocs/ocart/catalog/language/');
define('DIR_TEMPLATE', 'domain.com/httpdocs/ocart/catalog/view/theme/');
define('DIR_CONFIG', 'domain.com/httpdocs/ocart/system/config/');
define('DIR_IMAGE', 'domain.com/httpdocs/ocart/image/');
define('DIR_CACHE', 'domain.com/httpdocs/ocart/system/cache/');
define('DIR_DOWNLOAD', 'domain.com/httpdocs/ocart/download/');
define('DIR_LOGS', 'domain.com/httpdocs/ocart/system/logs/');

// DB
define('DB_DRIVER', 'mysql');
define('DB_HOSTNAME', 'localhost');
define('DB_PREFIX', 'pre_');

Then just login into the OpenCart admin panel at the new URL and you will be one step closer to protecting your store.

Security tip 4: Password protect your admin folder

Whatever you decide to name your folder in the previous tip, make sure you set a password on the directory in order to boost access to the OpenCart admin area. It means you have to login twice but in terms of security having a password before they can even see the login area is a blessing. Make sure it is a decent password which is difficult to guess with a mix of numbers, letters and symbols.

Although it may bug you to begin with, you’ll soon be typing it without thinking and keeping your hackers at bay.

Security tip 5: Restrict access to your admin area

You can create a simple .htaccess file which will deny access to anyone accessing your admin area who are not from a specified IP address. Some people may crop up saying that IP addresses can be faked which is of course true, however, they would need actually know your IP address in order to access it which puts the odds in your favour. It’s also just a step in the process of securing your site and should be completed in addition to the other steps.

Just copy the simple .htaccess file below, substituting the example IP address which all of the IP addresses of people who will need to access your administration area:

<Limit GET POST>
 order deny,allow
 deny from all
 allow from XX.XX.XX.XX
 allow from YY.YY.YY.YY

Then just upload the .htaccess file to your administration folder on the website to begin restricting access by IP. Note that many broadband plans do not come with a static IP so make sure that you add your different IP addresses when they change and sign up for a static one if you’re able.

Security tip 6: Restrict FTP access to your site

A lot of store owners like the idea of having an FTP account on their server which can be dished out to any developer who needs it but I would always recommend deleting any FTP accounts which aren’t being used regularly as they provide a route to your store which is unnecessary. If you do have an FTP account then restrict who can see your store by using a .ftpaccess file.

A .ftpaccess file works in almost the same way as a.htaccess file but defines which directories are visible for anyone who connects via FTP by their IP address. Simply copy the code below, save it as .ftpaccess and upload to a directory which you want to hide (remember to put your IP address in):


The same limitations apply for an .ftpaccess file as a .htaccess file regarding static IP addresses so remember this when restricting access to your OpenCart store.

Whilst I would always recommend supporting OpenCart with a backlink if you haven’t donated, it is also a great (and effective) way of letting hackers running a crawler know that you run an OpenCart store.

Security tip 8: Hide OpenCart PHP errors

Its useful to see errors displayed on a page if something goes wrong so you know what needs fixing, however, it’s also convenient for hackers. Turn this feature off by logging into your admin area and going to System->Settings->Edit->Server and switch the “Display Errors” option to “No”. You can always see your error log by looking at the link further down the page.

Security tip 9: Get yourself some secure hosting

If you’re paying $3 a month for web hosting then don’t expect much in the way of security or support. Shared hosting is simply a folder on a server which is shared by thousands of others. If you are running a store then consider getting a more professional hosting service on a closed system like a Virtual Private Server or a Dedicated One.

So that is it for now, I will add to this blog post when I think of anything else but in the meantime, feel free to recommend any security tips of your own and I will add them as well!

Jack W. Davis

Jack W. Davis

I am a software engineer specialising in PHP/MySQL based web applications. Originally from a marketing background, I enjoy coding, reading and gaming. Currently exploring NodeJS.

Read More