OpenCart Security Guide

Since OpenCart is an open-source application, anyone can read its source code and understand how it works, and attackers can use that knowledge to look for weaknesses. Thus, an OpenCart store runs the risk of getting hacked. As an owner, you need to watch over your website and take steps to strengthen your OpenCart security. Below are a few steps to protect your website and keep attackers away.

Steps to Protect Your OpenCart Website

1. Use the latest OpenCart version

Using old and outdated software is a sure way to get hacked. New versions are released with improved, more secure features along with security patches for known problems. With a newer version you can use the newly added security features to protect your website and so strengthen your OpenCart security.

2. Deleting the install folder

Once you complete the installation, you need to delete the install folder. If it is still present, anyone can open it and re-run the installer, which can overwrite your website.

Thus, to keep your website protected, go to ‘Shop’ in your FTP client and delete the ‘Install’ folder.

OpenCart also reminds its users when an install folder is still detected after setup is complete, as a way to ensure strong OpenCart security.

3. Protecting the administrator directory

  1. Change the prefix of the OpenCart database:

    During a default installation of OpenCart, the database table prefix is ‘oc_’. This makes it easier for attackers to identify your tables and target them. To guard against this, change the prefix to something less predictable so that attackers are thrown off the trail.

  2. Change default login id and password:

    After the basic installation, the default credentials must be changed. If they are not, an attacker can guess the default password and gain access to all your files and folders. Use a combination of letters and numerals to create a strong password.

  3. Change the default location of your administrator directory:

    In a default installation, anyone can reach the admin directory through the standard admin URL. To prevent unauthorized access to such important files, change this admin URL to something customized.

  4. Using ‘.htaccess’ file in your admin folder:

    It is better to use additional measures to keep your admin folders and files protected. To do this, use a ‘.htaccess’ file. With this file you can limit which users can access those important files, strengthening OpenCart security. Edit the file and add the proper checks so that only certain users are allowed to reach those files and folders.
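As an added example (not from OpenCart or from the original guide), the shell functions below generate an Apache 2.4 ‘.htaccess’ for the admin directory that allows only an allowlist of IP addresses or CIDR ranges and refuse to overwrite a file that is already there. The directory path and the addresses in the demo run are constructed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example: build an Apache 2.4 .htaccess that restricts the OpenCart
# admin directory to known client addresses. The addresses used below are
# constructed documentation ranges, not real ones.

# Print .htaccess content allowing only the given IPs or CIDR ranges.
# Every argument becomes one "Require ip" line inside <RequireAny>.
make_admin_htaccess() {
    if [ "$#" -eq 0 ]; then
        echo "usage: make_admin_htaccess IP_OR_CIDR..." >&2
        return 1
    fi
    printf '# Only these addresses may reach the admin directory (Apache 2.4)\n'
    printf '<RequireAny>\n'
    for addr in "$@"; do
        printf '    Require ip %s\n' "$addr"
    done
    printf '</RequireAny>\n'
}

# Write the file into ADMIN_DIR (the renamed admin folder), but never
# clobber an existing .htaccess: the store owner may already have rules.
install_admin_htaccess() {
    admin_dir=$1; shift
    [ "$#" -gt 0 ] || return 1
    target="$admin_dir/.htaccess"
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    make_admin_htaccess "$@" > "$target" || return 1
    chmod 644 "$target"
}

# Demo: a temporary directory stands in for the admin folder.
demo_dir=$(mktemp -d)
install_admin_htaccess "$demo_dir" 203.0.113.10 198.51.100.0/24
cat "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

The directives only take effect if the server's configuration permits overrides for that directory (AllowOverride must include AuthConfig); on Apache 2.2 the older Order/Allow syntax is used instead. Lock yourself out by listing the wrong address and you will need FTP or the control panel to fix the file, so test from a second browser before closing your admin session.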

4. Manage permissions of files and folders

To protect your files and folders, you need to set their permissions correctly. Do not give read and write permission to any folder that does not require it. Log in to your hosting control panel and open the file manager to update the permissions.
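The following shell script is an added example (not OpenCart's own tooling) that checks the two points from steps 2 and 4 against a store's document root: whether the install folder is still present, and whether any file or folder is writable by everyone. It also tightens the two OpenCart configuration files, whose standard locations are config.php and admin/config.php (the admin folder name is a parameter because this guide recommends renaming it). The directory layout in the demo is constructed.

```shell
#!/bin/sh
# Added example: audit an OpenCart document root for a leftover install
# directory and for world-writable entries, then lock the config files.
umask 022   # new files 644, new directories 755

# Return 0 if ROOT/install is gone, 1 (with a message) if it still exists.
check_install_removed() {
    root=$1
    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still exists; delete it after setup" >&2
        return 1
    fi
    echo "ok: install directory removed"
}

# Print every file or directory under ROOT that anyone can write to
# (mode bit o+w, i.e. -perm -002). Symlinks are skipped. Empty output = clean.
list_world_writable() {
    find "$1" -perm -002 ! -type l
}

# Make config.php and ADMIN/config.php readable by the web server but
# writable only by the owner. ADMIN defaults to "admin".
lock_config_files() {
    root=$1; admin=${2:-admin}
    for f in "$root/config.php" "$root/$admin/config.php"; do
        if [ -f "$f" ]; then
            chmod 644 "$f"
        fi
    done
    return 0
}

# Run all checks; return non-zero if anything needs attention.
audit_opencart_root() {
    root=$1; status=0
    check_install_removed "$root" || status=1
    ww=$(list_world_writable "$root")
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable entries found:" >&2
        echo "$ww" >&2
        status=1
    else
        echo "ok: no world-writable files or folders"
    fi
    return $status
}

# Demo on a constructed tree: install/ left behind and config.php mode 666.
demo=$(mktemp -d)
mkdir -p "$demo/install" "$demo/admin"
echo '<?php' > "$demo/config.php"; chmod 666 "$demo/config.php"
echo '<?php' > "$demo/admin/config.php"
if audit_opencart_root "$demo"; then echo "unexpected: clean"; else echo "needs fixing"; fi
rmdir "$demo/install"; lock_config_files "$demo"
if audit_opencart_root "$demo"; then echo "fixed"; fi
rm -rf "$demo"
```

Run the audit function against the real document root after every change of hosting or extension install, since uploads and extension installers are the usual sources of loose permissions. Folders that OpenCart legitimately writes to (images, cache, logs) should be writable by the web server user, not by everyone.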

5. Enabling SSL for your website and admin panel

Usually, data transferred back and forth is not encrypted. Encryption is necessary because unencrypted data can be read by anyone positioned between the browser and the server (a man in the middle). This could lead to the theft of important information such as email IDs, usernames, financial data, etc.

By using SSL or HTTPS, you can encrypt all of this data and prevent anyone from snooping on it. The first location you need to protect is your admin panel: if traffic to your admin panel is not encrypted, attackers can capture your login credentials.

Navigate to Settings >> Server. There you’ll find the option “Use SSL”. Select Yes and save. That’s all.

As a store owner, you do not want your customers’ credentials to fall into the wrong hands. This basic step can save you from a lot of attacks and attackers.


6. OpenCart Security through extensions

  1. Install authentic extensions:

    Install only extensions that are supported by OpenCart and, preferably, obtained from OpenCart itself. Installing an arbitrary third-party extension can endanger your OpenCart security. Trusted extensions have no known security flaws and are continuously updated to keep them safe from getting hacked.

  2. Update all your extensions:

    Trusted extensions are regularly updated with the latest security patches and fixes for known bugs. Keeping your extensions updated protects your website from known attacks and bugs. Attackers can easily get in through an outdated extension with a known vulnerability, which weakens your OpenCart security.

  3. Uninstall unused or defunct extensions:

    If you do not use certain extensions regularly, removing them is the better option. Since they are not in continuous use they may fall out of date and become a serious OpenCart security threat.

7. Two-factor authentication for logging in

Logging in with only an ID and password has become obsolete. Today, two-factor authentication (2FA) is considered more secure than the traditional way of logging in. Attackers who obtain your ID and password can easily take control of your account; 2FA removes the ability to log in with a single factor alone.

With 2FA you first log in with your usual ID and password, after which a unique code is sent to your mobile number; on entering it you are fully logged in. Even if attackers know your password, they cannot log in without the unique code sent to your phone. As an owner, your customers deserve to be safe, so enabling 2FA on your OpenCart website is important. With it you can help your customers stay safe and keep attackers away.


8. Using ReCAPTCHA to authenticate users

ReCAPTCHA has become a very popular method for verifying whether users are humans or malicious bots. Bots often crawl websites to gather data such as email IDs and usernames, and they can also inflate the traffic on your website. To keep bots away, OpenCart provides an extension for adding ReCAPTCHA to your website.


9. Limiting the types of upload files

By limiting the types of files that can be uploaded to your website, you protect it from unnecessary uploads and prevent users from uploading harmful files. Attackers can use malicious files to make your website vulnerable and then launch attacks.

You can prevent this by:

  1. Log into your admin panel.
  2. Go to ‘System’ >> ‘Settings’.
  3. Under the ‘Option’ tab, you will find ‘Allow upload file extensions’.

Edit the list of file types that can be uploaded to your website.
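The admin setting only governs new uploads; files that were uploaded before the list was tightened remain on disk. As an added example (not part of OpenCart), the shell functions below sweep an upload directory for files whose extension is not on an allowlist, so leftovers can be reviewed. The allowlist is passed as a space-separated string and matched case-insensitively on the final extension (an assumption of this example; OpenCart's own setting is edited in the admin panel). The sample directory contents are constructed.

```shell
#!/bin/sh
# Added example: find files under an upload directory whose extension is
# not in the allowlist. Mirrors the intent of 'Allow upload file extensions'
# for files that already exist on disk.

# extension_allowed NAME "ext1 ext2 ..." -> 0 if NAME's extension is listed.
# Matching is case-insensitive; a file with no extension is never allowed.
extension_allowed() {
    name=$1; list=$2
    base=${name##*/}
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;
    esac
    for allowed in $list; do
        if [ "$ext" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# find_unexpected_uploads DIR "ext1 ext2 ..." -> prints offending paths, sorted.
find_unexpected_uploads() {
    dir=$1; list=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        extension_allowed "$f" "$list" || printf '%s\n' "$f"
    done
}

# Demo on a constructed directory: two images plus three files that should
# not be sitting in an image upload folder.
demo=$(mktemp -d)
mkdir -p "$demo/catalog"
: > "$demo/catalog/photo.JPG"; : > "$demo/catalog/logo.png"
: > "$demo/notes.txt"; : > "$demo/stray.php"; : > "$demo/readme"
echo "Files outside the allowlist (jpg png gif):"
find_unexpected_uploads "$demo" "jpg png gif"
rm -rf "$demo"
```

Anything the sweep reports deserves a look before deletion: a script file in an image folder is a sign that the upload restrictions were missing or bypassed earlier, and the same allowlist idea (accept known-good types, reject everything else) is what the admin setting enforces going forward.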


10. Regular security audits

As a website owner, you need to be aware of your website’s security flaws. Understanding them is the first step toward a strong security system around your website. A thorough security audit of your website tells you the state and standard of its security.


11. Check your payment flows

The payments section is one of the most important parts of an online store. Numerous plugins integrate with OpenCart and add functionality to the payment options. However, these extensions can also compromise your OpenCart security; if you are using outdated extensions, update them. These are the most common types of payment hacks:

  1. Making purchases without payment
  2. Changing the price of products
  3. Diverting payments to the attacker’s accounts

Check that all your payment options and channels are working correctly. Ensure there are no discrepancies or changes in the basic functioning of these modules.

12. Backing up files and data

Having a backup of your website is always a good idea. If attackers delete important files from your website, you will have your backup to restore those files and get the site back online. Whenever you set up your OpenCart website, always back up the necessary files.
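As an added example (not OpenCart's own backup feature), the script below archives the store files into a timestamped tarball, verifies that the archive reads back before trusting it, and dumps the database alongside it when mysqldump is available. The paths and the database name are placeholders to replace; the archive is created owner-only because config.php inside it holds the database credentials.

```shell
#!/bin/sh
# Added example: file and database backup for an OpenCart store.
umask 077   # backup files are readable by the owner only

# backup_files ROOT DEST -> prints the archive path; returns 1 on failure.
backup_files() {
    root=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/opencart-files-$stamp.tar.gz"
    mkdir -p "$dest" || return 1
    # -C makes the archive hold relative paths so it restores anywhere
    tar -czf "$archive" -C "$root" . || return 1
    # a backup that cannot be listed cannot be restored: verify now
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# backup_database DBNAME DEST -> gzip'd SQL dump using the credentials in
# ~/.my.cnf (placeholder assumption; adjust to your hosting).
backup_database() {
    db=$1; dest=$2
    command -v mysqldump >/dev/null || { echo "mysqldump not found" >&2; return 1; }
    mkdir -p "$dest" || return 1
    mysqldump --single-transaction "$db" \
        | gzip > "$dest/opencart-db-$(date +%Y%m%d-%H%M%S).sql.gz"
}

# Demo on a constructed store root; replace with your real paths.
demo_root=$(mktemp -d); demo_dest=$(mktemp -d)
echo '<?php' > "$demo_root/config.php"
archive=$(backup_files "$demo_root" "$demo_dest") && echo "wrote $archive"
backup_database opencart_db "$demo_dest" || echo "database dump skipped"
rm -rf "$demo_root" "$demo_dest"
```

Keep the archives off the web server (a different host or storage bucket) so that an attacker who deletes the site cannot delete its backups too, and restore one into a test directory occasionally to confirm the procedure works.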