25 website security measures for eCommerce developer – Opencart

In this Opencart tips and tricks, we are showing you 25 Opencart security tactics to make Opencart’s website secure by providing a cheat sheet for Opencart eCommerce users, so that the customers can buy products confidently which may increase your conversion rates. Here are the 25 lists of things that you can do to make the Opencart website secure:

Use good and secure hosting

Research and buy good, reliable, and secure hosting.

Check if the install/ folder is still there

Once Opencart is installed, you need to remove/delete the install/ folder. Renaming the folder will also have a security hole. Thus, always delete the install/ folder.

Proper Security settings in the admin

Login to the admin section >> System >> Settings >> Edit required store >> then in the Server tab, select the use SSL to Yes

Use SSL: To use SSL check with your host if an SSL certificate is installed and add the SSL URL to the catalog and admin config files.

Allow Forgotten Password: Allow forgotten passwords to be used for the admin. This will be disabled automatically if the system detects a hack attempt.

Use Shared Sessions: Try to share the session cookie between stores so the cart can be passed between different domains.

Encryption Key: Please provide a secret key that will be used to encrypt private information when processing orders.

Use HTTPS/SSL Certificate

Selecting SSL to Yes on the above setting will not give you an HTTPS URL, your server also need to have SSL installed. Nowadays most servers provide free encrypt SSL certificates which can be setups with just some clicks, or you can use more secure SSL certificates.

One thing you need to take care of is all of your URL links need to start with HTTPS:// instead of HTTP:// else it will not be fully secured. If you are using external URLs, make sure they start with HTTPS://. With proper SSL installation, your URL will look like the below when you clicked on the SSL icon:

Protect your storage/ folder and other files like the config.php file and admin/config.php

Keep storage/ folder outside of the public_html folder. In the image below, my storage folder is v3storage. Similarly, check your file permission and keep it below 0644.

Use the latest PHP version

See the chart the PHP V5.6 is already at the end of its life which means there will be no update of security, and they are exposed to unpatched security vulnerabilities. So for security always use the latest version of PHP.

Watch this session, on how the creator of PHP describes the performance in PHP 7. Performance always good impact.

Use Anti-fraud extension

Opencart by default provides some Anti-fraud extensions, they help store owner to secure their online e-commerce website from malicious fraudsters and make it more secure. Login to admin >> Extensions >> Extensions >> Choose the extension type as Anti-Fraud >> then you will see lists of modules that you can use. You can use some of them for free like 500 queries/month.

Error handling setting

Enable error logging into the error.log file and it will insert into the database. It is a better idea not to display errors. If you display errors then it will show all full paths of files and it may help hackers. While you perform your debugging errors you can enable it but for security reasons keep it checked as No. You can set the error handling at admin >> System >> Settings >> edit Your Store >> Server tab and you will see the error handling section at the end.

Monitor your admin error logs

Analyzing error logs also gives what issues are happening and fixing them is important. Similarly, check logs at admin >> Extensions >> Modifications >> Log tab. Fixing errors makes the site more secure.

Block bad bots

Opencart provides settings for Robots. You can get it at admin >> System >> Settings >> Edit Your Store >> Server tab and you can see the Robots field. A list of web crawler user agents that shared sessions will not be used with. Use separate lines for each user agent.

You can use the following:

abot
dbot
ebot
hbot
kbot
lbot
mbot
nbot
obot
pbot
rbot
sbot
tbot
vbot
ybot
zbot
bot.
bot/
_bot
.bot
/bot
-bot
:bot
(bot
crawl
slurp
spider
seek
accoona
acoon
adressendeutschland
ah-ha.com
ahoy
altavista
ananzi
anthill
appie
arachnophilia
arale
araneo
aranha
architext
aretha
arks
asterias
atlocal
atn
atomz
augurfind
backrub
bannana_bot
baypup
bdfetch
big brother
biglotron
bjaaland
blackwidow
blaiz
blog
blo.
bloodhound
boitho
booch
bradley
butterfly
calif
cassandra
ccubee
cfetch
charlotte
churl
cienciaficcion
cmc
collective
comagent
combine
computingsite
csci
curl
cusco
daumoa
deepindex
delorie
depspid
deweb
die blinde kuh
digger
ditto
dmoz
docomo
download express
dtaagent
dwcp
ebiness
ebingbong
e-collector
ejupiter
emacs-w3 search engine
esther
evliya celebi
ezresult
falcon
felix ide
ferret
fetchrover
fido
findlinks
fireball
fish search
fouineur
funnelweb
gazz
gcreep
genieknows
getterroboplus
geturl
glx
goforit
golem
grabber
grapnel
gralon
griffon
gromit
grub
gulliver
hamahakki
harvest
havindex
helix
heritrix
hku www octopus
homerweb
htdig
html index
html_analyzer
htmlgobble
hubater
hyper-decontextualizer
ia_archiver
ibm_planetwide
ichiro
iconsurf
iltrovatore
image.kapsi.net
imagelock
incywincy
indexer
infobee
informant
ingrid
inktomisearch.com
inspector web
intelliagent
internet shinchakubin
ip3000
iron33
israeli-search
ivia
jack
jakarta
javabee
jetbot
jumpstation
katipo
kdd-explorer
kilroy
knowledge
kototoi
kretrieve
labelgrabber
lachesis
larbin
legs
libwww
linkalarm
link validator
linkscan
lockon
lwp
lycos
magpie
mantraagent
mapoftheinternet
marvin/
mattie
mediafox
mediapartners
mercator
merzscope
microsoft url control
minirank
miva
mj12
mnogosearch
moget
monster
moose
motor
multitext
muncher
muscatferret
mwd.search
myweb
najdi
nameprotect
nationaldirectory
nazilla
ncsa beta
nec-meshexplorer
nederland.zoek
netcarta webmap engine
netmechanic
netresearchserver
netscoop
newscan-online
nhse
nokia6682/
nomad
noyona
nutch
nzexplorer
objectssearch
occam
omni
open text
openfind
openintelligencedata
orb search
osis-project
pack rat
pageboy
pagebull
page_verifier
panscient
parasite
partnersite
patric
pear.
pegasus
peregrinator
pgp key agent
phantom
phpdig
picosearch
piltdownman
pimptrain
pinpoint
pioneer
piranha
plumtreewebaccessor
pogodak
poirot
pompos
poppelsdorf
poppi
popular iconoclast
psycheclone
publisher
python
rambler
raven search
roach
road runner
roadhouse
robbie
robofox
robozilla
rules
salty
sbider
scooter
scoutjet
scrubby
search.
searchprocess
semanticdiscovery
senrigan
sg-scout
shai'hulud
shark
shopwiki
sidewinder
sift
silk
simmany
site searcher
site valet
sitetech-rover
skymob.com
sleek
smartwit
sna-
snappy
snooper
sohu
speedfind
sphere
sphider
spinner
spyder
steeler/
suke
suntek
supersnooper
surfnomore
sven
sygol
szukacz
tach black widow
tarantula
templeton
/teoma
t-h-u-n-d-e-r-s-t-o-n-e
theophrastus
titan
titin
tkwww
toutatis
t-rex
tutorgig
twiceler
twisted
ucsd
udmsearch
url check
updated
vagabondo
valkyrie
verticrawl
victoria
vision-search
volcano
voyager/
voyager-hc
w3c_validator
w3m2
w3mir
walker
wallpaper
wanderer
wauuu
wavefire
web core
web hopper
web wombat
webbandit
webcatcher
webcopy
webfoot
weblayers
weblinker
weblog monitor
webmirror
webmonkey
webquest
webreaper
websitepulse
websnarf
webstolperer
webvac
webwalk
webwatch
webwombat
webzinger
whizbang
whowhere
wild ferret
worldlight
wwwc
wwwster
xenu
xget
xift
xirq
yandex
yanga
yeti
yodao
zao
zippp
zyborg

You can set it in the .htaccess file like below as well, if you are using Nginx then you need to write code that returns 403 or so.

RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
RewriteRule .* - [F,L]

Allowed File extensions and allowed file mime types permissions

Opencart by default has options to restrict file extensions and file mime types.

Allowed File Extensions: Add which file extensions are allowed to be uploaded. Use a new line for each value.

zip
txt
png
jpe
jpeg
jpg
gif
bmp
ico
tiff
tif
svg
svgz
zip
rar
msi
cab
mp3
qt
mov
pdf
psd
ai
eps
ps
doc

Allowed File Mime type: Add which file mime types are allowed to be uploaded. Use a new line for each value.

text/plain
image/png
image/jpeg
image/gif
image/bmp
image/tiff
image/svg+xml
application/zip
"application/zip"
application/x-zip
"application/x-zip"
application/x-zip-compressed
"application/x-zip-compressed"
application/rar
"application/rar"
application/x-rar
"application/x-rar"
application/x-rar-compressed
"application/x-rar-compressed"
application/octet-stream
"application/octet-stream"
audio/mpeg
video/quicktime
application/pdf

Be sure there are no PHP and JS. In this way, you can secure your file upload buttons.

Review All Users, User group and Grant the Minimum Permissions Necessary

Go to admin >> System >> Users and see all users and verify what user group is assigned. Then check all User groups and see what access permission and modification permissions are given. Try to grant the minimum permissions as necessary. In Opencart you can make as many User groups as you want.

Use a strong username and password

Set a strong password. Better not to use admin as a username.

Opencart V3 has Max Login Attempts

Maximum login attempts are allowed before the account is locked for 1 hour. Customer and affiliate accounts can be unlocked on the customer or affiliate admin pages.

It is available only on Opencart v3 but you can implement this by following the tutorials at https://forum.opencart.com/viewtopic.php?t=218405#p790296

Two-factor Authentication free module

You can use this free two-factor authentication.

https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32882

API security in Opencart

Similarly, check your API access as well. Go to admin >> System >> Users >> API and review all your API usernames and set proper API usernames, API keys, and IP addresses.

Always use the latest Opencart version, theme, modules, and extensions

It is better to use the latest Opencart version, theme, modules, and extensions. You may get problems getting the upgraded version of your custom modules and extensions but if you don’t update it then you risk the security.

Remove unused modules or extensions

Login to admin >> Extensions >> Installer >> you can see a list of modules that are installed. Remove unused modules or extensions. Similarly verify if old files and folders are remaining, especially for custom modules and themes.

Don’t use nulled Opencart theme or modules or extensions

Choose trustworthy plugins and theme providers, it can cost you some but it will protect you a lot.

Monitor your server logs as well

If you are using CPanel hosting then you can check the Resources Usage at Login to Cpanel >> Metrics >> Resources Usage >> Snapshots. You can check that resource limits are being reached, resulting in slow performance or errors. Often resource issues are due to scripting/plugins on your site, development work such as making changes, or an increased amount of traffic. You and your web developer can review the resource usage of your account and take steps to reduce the load. Some scripts which are running long by some IP address means there is some fishy going on, so make sure to keep on checking it and see if you can improve your code and scripts.

Free Opencart website security check & malware scanner

You can check your website security and malware at https://sitecheck.sucuri.net/

Use HTTP security headers

You can get your HTTP security headers to report at https://securityheaders.com/

Cross-Site Scripting (XSS)

If the programmer is tricky then in Opencart it is easy to add the JS script which may easily cause Cross-Site Scripting. Cross-Site Scripting (XSS) is when a malicious script is injected into a trusted website or application. The attacker uses this to send malicious code, typically browser-side scripts, to the end-user without them knowing it. The purpose is usually to grab cookies or session data or perhaps even rewrite HTML on a page. Go to admin>> Extensions >> Extensions >> Choose the Extensions Type as “Analytics” and see in the Google Analytics code field, if only required JS codes are added. If you see suspicious JS code then better to remove it.

Database Security and SQL Injections

Always use a strong database username and strong password. You can check this at config.php and admin/config.php, if you don’t have then you need to change to a strong password and username.

Similarly, if you are using custom modules and there are database queries then you need to verify whether the queries are written properly, whether all the fields are escaped properly or not and so.

One example of how they can inject the extra queries if you don’t escape the fields is below:

YOUR_OTHER_QUERIES_customerid=0&directory=%2Febooks%2F1115.pdf&model=1115%27%2F%2A%2A%2FAND%2F%2A%2A%2FEXTRACTVALUE%282030%2CCONCAT%280x5c%2C0x4c634d6c%2C%28SELECT%2F%2A%2A%2FMID%28%28IFNULL%28CAST%28email%2F%2A%2A%2FAS%2F%2A%2A%2FNCHAR%29%2C0x20%29%29%2C1%2C22%29%2F%2A%2A%2FFROM%2F%2A%2A%60.%%60%2F%2A%2A%%2F%2A%2A%2FBY%2F%2A%2A%2F%%60%2F%2A%2A%2FLIMIT%2F%2A%2A%2F8570%2C1%29%2C0x4c634d6c%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%276538%27%3D%276538&modelfinal=EREM+1115&order_id=30572&product_id=3389

See that bold section in the above queries, another query is concatenated and SQL injected is done.

Denial of Service

This is the most dangerous vulnerability, Denial of Service (DoS) exploits errors and bugs in the code to overwhelm the memory of website operating systems. Hackers have compromised millions of websites and raked in millions of dollars by exploiting outdated and buggy versions of Opencart software with DoS attacks. The hackers keep on running the code and your server CPU usage will be 100%, your server’s Physical Memory Usage is full and the website will not be available for real users or customers.

One of the best recommendations is to use a reputable 3rd party security service like Cloudflare or Sucuri and be sure to use the code and scripts properly.

Back up

Be sure to make as much backup as possible.

Use Google Captcha or Basic Captcha

Using Google Captcha or basic captcha on the form also helps you remove spam and get emails that contain vulnerable links.

Set up Google reCaptcha or Basic Captcha in OpenCart 3.0+ and 2.3.0.1+

These are some of the securities cheat sheets for Opencart. Please let us know if you are using any other tactics to make the Opencart website secure. Hope you liked this article, please subscribe to our YouTube Channel for Opencart video tutorials. You can also find us on Twitter and Facebook. Happy learning.