
FASTDOT Web Hosting Australia


October 3, 2006 by Editor

This tutorial provides advice on securing your Zencart store.

SSL Security Protection Tips

Unless you take extra steps to protect your connection, you are working over an unsecured channel on the Internet. Before you make administrative changes to secure your Zencart store and its database, equip yourself with secure ways to make those changes. Otherwise, if someone is watching or listening to the information you transmit, it might not be long before your private business information becomes public. The bare minimum tools you should have are a shared SSL and FTP over SSL/TLS. These tools encrypt the information you transmit and receive.

The following is a list of several steps you can take to secure your ZenCart site:

1. Delete the /zc_install folder
Once the Zencart store installation is complete, delete the /zc_install folder from the server. Don’t simply rename the folder, as this leaves you vulnerable if someone were to discover this renamed folder.

2. Rename your “/admin” folder
It is recommended for additional security that you rename your admin directory after installation. This way, it will be significantly harder for hackers to find your admin area or attempt any attack on breaking into it.


(Before making the following changes, make sure to have a current backup of your files and your database.)

A – Open your admin/includes/configure.php, using a simple text editor like Notepad. Change all instances of admin to your chosen new admin folder name. For maximum security, consider including numbers and a combination of upper and lower case letters in the new folder name. The longer you make this folder’s name the more secure it will be. Make sure you leave all the / characters intact.

Change this section:

define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_CATALOG', '/');

And this section:

define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');
define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');

B – Find your Zen Cart /admin/ directory, using your FTP software or your webhost File Manager. Rename the directory of your Zencart Store to match the settings you just made in step A.

C – To log in to your admin system you will now have to visit a new URL that matches the new name used in steps A and B above. For example, instead of visiting http://www.example.com/admin/ visit http://www.example.com/NeW_NamE4u/. Use of SSL is highly recommended to protect your information and your customers’ information. To protect the new admin folder name from packet sniffers, use https in the example link above (this of course depends on your server having an SSL certificate installed).

D – You should also protect your admin area by using a .htaccess file similar to the one shown below, and placing it into /admin/includes. (This should already exist in Zen Cart versions 1.2.7 and greater.)

3. Set configure.php files read-only
It’s important that you CHMOD (set permissions) on the two configure.php files as read-only. Typically this means setting them to “644”, or in some cases “444”.

If you cannot do this with your FTP software, try using the File Manager supplied with your webhosting account.

If you’re using a Windows server, simply set the file as “Read-Only” for “Everyone” and especially the IUSR_xxxxx (Internet Guest Account) user if running IIS, or the “System” account or “apache user” if running Apache.

4. Delete any unused Admin accounts
Admin->Tools->Admin Settings

In your admin area, open the Tools menu, and choose Admin Settings – Check for any unused admin accounts, and delete them. Especially the “Demo” account, if it exists.

5. Admin Password Security
It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.

You can change your admin password in Admin->Tools->Admin Settings, and click on the “Reset Password” button, or click on the icon that looks like a recycle symbol.

We recommend that you use passwords that are at least 8 characters long.

Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps too.

If you are going to use normal words it is a good idea to join together two normal words that don’t normally go together.

6. Protect your “define pages” content in “html_includes”
After you have finished editing your define pages (Admin->Tools->Define Pages Editor), you should protect them:

A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes area.

B. Make them CHMOD 644 (or “read-only” for Windows hosts). See notes above on CHMOD. This applies to /includes/languages/english/html_includes and all files/folders underneath.

If you make them read-only, then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the read-only status, which is more complicated.

NOTE: Of course, once you set them read-only, then you’ll have to go and set them read-write before making additional changes using the define-pages editor.

7. Use .htaccess files to protect against unwanted snooping
In several folders, there are .htaccess files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to “any” .PHP scripts, since it’s expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security. If you delete these files, you run the risk of leaving yourself open to people snooping around.

There are also some semi-“blank” index.html files in several folders. These files are there to protect you in case your FTP software won’t upload .htaccess files, or your server won’t accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It’s a good “alternative”, although using .htaccess files in ALL of these folders is the better choice, for servers that accept them.

Suggested content for .htaccess files in folders where there is an index.html file but NOT yet an .htaccess file would be something like the following (depends on your server configuration):

#.htaccess to prevent unauthorized directory browsing or access to .php files
IndexIgnore */*
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

If your webhost configuration doesn’t allow you to create/use your own .htaccess files, sometimes they provide an interface in your hosting admin control panel where you can set the desired .htaccess settings.

It is recommended that you work with your host to configure these settings if this is the method they require. You need to choose, and use, the appropriate method for your specific server. We can’t tell you what to use for your specific server, but we offer these guidelines as a starting point.

8. Disable “Allow Guest To Tell A Friend” feature
You may wish to go to Admin->Email Options->Allow Guest To Tell A Friend and set the option to ‘false’. This will prevent non-logged-in customers from using your server to send unwanted email messages.

9. Protect your “images” and other folders
During initial installation, you are advised to set your images folder to read/write, so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.

However, leaving the images (or ANY other) folder in read/write mode means that hackers “might” be able to put malicious files in this (or other) folder and thus create access points from which to attempt nasty exploits.

Thus, once your site is built and your images have been created/loaded, you should tighten the permissions from read/write to read-only, i.e. change from CHMOD 777 down to 644.

File/Folder permissions settings
On Linux/Unix hosts, GENERALLY, permission-setting recommendations for basic security are:
– folders/directories: 755
– files: 644

On Windows hosts, setting files read-only is usually sufficient. You should double-check that the Internet Guest Account has limited (read-only) access.

Folder Purposes
The folders for which installation suggests read-write access for setup are these. If your Zencart Store supports .htaccess protection, then you should use it for these folders.

/cache
This is used to cache session and database information. The BEST security protection for your Zencart Store is to move it to a folder “above” the public_html/htdocs/www area, so that it’s not accessible via a browser. (Requires changes to DIR_FS_SQL_CACHE setting in configure.php files as well as Admin->Configuration->Sessions->Session Write Directory)

/images
See other suggestions earlier.

/includes/languages/english/html_includes
See other suggestions earlier.

/media
This is only suggested read-write for the sake of being able to upload music-product media files via the admin. Could be done by FTP as an alternative.

/pub
This is used on Linux/Unix hosts to have downloadable products made available to customers via a secure delivery method which doesn’t disclose the ‘real’ location of files/data on your server (so that people can’t share a URL and have their friends steal downloads from your site).

/admin/backups
This is used by automated backup routines to store database backups. Optional.

/admin/images/graphs
This is used by the Admin->Tools->Banner Manager for updating/displaying bar-graphs related to banner usage. If not writable, feature is ignored.
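
The checks from steps 1, 2, 3, 7 and 9 above can be run together against a copy of the store from a Linux/Unix shell. This is an added example, not part of the original Zen Cart recommendations; the function names zc_audit and zc_demo_tree and the finding labels are made up for illustration, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# zc_audit ROOT: print one finding per line for a Zen Cart tree rooted at ROOT.
# Illustrative sketch; the labels (INSTALL_DIR, ...) are invented for this example.
zc_audit() {
    root=${1%/}
    # Step 1: the installer folder must be deleted, not left in place.
    [ -d "$root/zc_install" ] && echo "INSTALL_DIR $root/zc_install"
    # Step 2: an admin area still reachable under its default folder name.
    [ -f "$root/admin/includes/configure.php" ] && echo "DEFAULT_ADMIN $root/admin"
    # Step 3: configure.php writable by group or others (looser than 644/444).
    find "$root" -type f -name configure.php \( -perm -020 -o -perm -002 \) |
        sed 's/^/WRITABLE_CONFIG /'
    # Step 9: world-writable files or folders, e.g. left at 777 after setup.
    find "$root" \( -type f -o -type d \) -perm -002 |
        sed 's/^/WORLD_WRITABLE /'
    # Step 7: folders with the fallback index.html but no .htaccess.
    find "$root" -type f -name index.html | while IFS= read -r f; do
        d=$(dirname "$f")
        [ -f "$d/.htaccess" ] || echo "NO_HTACCESS $d"
    done
    return 0
}

# Constructed sample tree (not a real store) for trying the checks offline.
zc_demo_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/zc_install" "$tree/admin/includes" "$tree/includes" \
             "$tree/images" "$tree/cache"
    : > "$tree/admin/includes/configure.php"; : > "$tree/includes/configure.php"
    : > "$tree/images/index.html"
    : > "$tree/cache/index.html"; : > "$tree/cache/.htaccess"
    chmod 755 "$tree" "$tree"/* "$tree/admin/includes"
    chmod 644 "$tree/admin/includes/configure.php" "$tree"/*/index.html \
              "$tree/cache/.htaccess"
    chmod 664 "$tree/includes/configure.php"   # group-writable config file
    chmod 777 "$tree/images"                   # left writable after setup
    echo "$tree"
}

# Audit the path given on the command line, if any.
if [ "$#" -gt 0 ]; then zc_audit "$1"; fi
```

An empty result means none of these five conditions were found; it does not show that the admin folder name is hard to guess or that the .htaccess contents are correct.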
Retrieved from “http://www.zen-cart.com/wiki/index.php/Important_Site_Security_Recommendations”

 
