Here is a list of basic security measures you can carry out to protect your store. Use it as a checklist and consider implementing any missing from your server’s security policy. Some of security steps have certain server requirements that may or may not be available to you, depending on your hosting plan. This post is for stores on Linux servers with LAMP (LinuxApacheMysqlPhp) configurations.
These ideas come from a variety of sources, in particular zen-cart which includes a number of useful security features and recommendations in its cart.
Check and Set Permissions
Permissions are assigned to each folder and file which indicate access rights to specific users or groups.
- Folders should be a maximum of 755, however certain folders – /images; /admin/backups; /tmp; may require 757 for writing to, depending on your server configuration. All files should be 644 (configure.php files 444 if possible)
Disable the ‘Allow Guest to Tell a Friend’ feature
Some carts allow visitors to the site to send emails through this feature. By disabling this feature, you will prevent non-logged-in customers from using your server to send ‘spam’ email messages.
Update your store and module software to the latest versions and patches
With every new software release, there are usually security or bug fixes which improve the functionality and stability of your store. If you donâ¬”t upgrade, hackers will be able to easily exploit your websites from known vulnerabilities.
Use local htaccess files to restrict script execution, access
For local htaccess files to work, the server must be setup to allow this, usually in with the command ‘AllowOverride All’ or ‘AllowOverride Limit’ in the apache/conf/httpd.conf file. Check with your hosting company if this is configured.
- In the htaccess file itself, start by denying access to everything:
Order Deny,Allow Deny from all
Order Allow,Deny Allow from all
Order Allow,Deny Allow from all
Order Deny,Allow Deny from All
Order Allow, Deny Allow from all ForceType application/octet-stream Header set Content-Disposition attachment
Options -Indexes -ExecCGI
(the -ExecCGI is particularly useful as it prevents hackers executing scripts in the folder)
or you can create a blank index.php and upload that to the folder
You’re looking for suspicious entries here – any links that go to pages not on your site; links that have http after the index.php; that sort of thing. Your store my have /error or /debug folders in its directory structure – check here too.
mySQL database – this can be done through Admin/Tools/Mysql Backup. Use whatever compression is available. Avoid downloading the compressed backup over an unsecured (http://) connection. The zipped backup file is created in admin/backups, so consider how to secure this folder too.
Your store can be severely compromised if your hosting company hasn’t correctly secured the server. There are many configuration features that can be enabled by them (eg suHosin, apache config settings and php.ini settings are a few) – so it pays to be clear on what they’re doing to make your store more secure. This is particularly important if you’re running on a shared server and using shared SSL (not recommended.)
This will help in many ways and if you’re serious about presenting a dependable, secure store, these are essential requirements.
If your business warrants, or you still want additional assurance (esp if running forum software on your site, or other scripts outside of your e-cart software), hire a security consultant to check your site regularly and give you peace of mind in exchange for a few dollars.
Check this post about securing your admin with specific points related to this important utility’s function. The admin is often the point of entry for hacking attempts.