How to Secure OpenCart CMS

OpenCart, like some other CMSs, can be called a relatively secure platform. However, as with any content management system, it is better to take care of security right away and protect your site from being hacked by unauthorized persons. In this article, we'll give you basic tips that will help you improve the security of your OpenCart site. The article is aimed first of all at those who run online stores built on OpenCart, but the tips are fairly universal, so they will also interest owners of sites on other CMSs.

1. Hiding the login to the administrative panel

By default, the admin panel is usually reached at your_site/admin. Naturally, the more information the hackers have, the easier it will be for them to hack your site. Therefore, the first recommendation is to change the admin panel address from /admin to something else: /manager, /panel or something even more complicated.

How to do it: in the file manager or in phpMyAdmin, first, rename the “admin” folder; second, make the same replacement in the “config.php” file inside the folder that you renamed; third, you sometimes also need to change the “config.php” file in the root folder (check whether “admin” is mentioned there).

2. Change the administrator’s login and password

After changing the panel address, it is worth changing the login as well, which by default is also “admin”. Note that this is the standard main login on many CMSs, so even if your store or site does not run on OpenCart, I still advise you to change it immediately.

How to do it: go to the admin panel, select “System”, then “Users” and again “Users”. Find the row with the login “admin”, open its settings and change the login to another one.

By the way, you can change the password in the same place. I strongly recommend that you do so, creating a password no shorter than ten characters. If you cannot come up with one yourself, use one of the online password generation services, which are easy to find on Google.

3. Change access rights for important files

Two files, namely config.php in the root folder and config.php in the folder that is called admin by default (and whose name was changed above), contain important information associated with the database, so it is recommended to change the permissions for these files to “Read Only”.

How to do it: you can change the rights with any tool that you use to work with files. The easiest way is to change them directly in the hosting control panel.
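
The checks from tips 1 and 3 can also be run from a shell on the server. The script below is an added example, not part of OpenCart or of the original article; the function names and the idea of passing the new folder name as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenCart tree for tips 1 and 3.
# Usage: audit_opencart <site_root> <admin_folder_name>
# Prints one line per finding and returns the number of findings.

# True if any write bit (owner, group or other) is set on the file.
# Mode bits are inspected instead of "test -w", which is always true for root.
has_write_bit() {
    [ -n "$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

audit_opencart() {
    root=$1
    admin=$2
    findings=0

    # Tip 1: the default folder name should no longer exist.
    if [ -d "$root/admin" ]; then
        echo "FINDING: default admin folder still present: $root/admin"
        findings=$((findings + 1))
    fi

    for cfg in "$root/config.php" "$root/$admin/config.php"; do
        if [ ! -f "$cfg" ]; then
            echo "FINDING: missing config file: $cfg"
            findings=$((findings + 1))
            continue
        fi
        # Tip 1: paths and URLs must use the new folder name, not /admin/.
        # (A site root that itself contains "/admin/" will also match.)
        if [ "$admin" != "admin" ] && grep -q '/admin/' "$cfg"; then
            echo "FINDING: $cfg still references /admin/"
            findings=$((findings + 1))
        fi
        # Tip 3: both config files should be read-only (for example 0444).
        if has_write_bit "$cfg"; then
            echo "FINDING: $cfg is writable"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

An exit status of 0 means the folder has been renamed, neither config.php mentions /admin/, and both files are read-only.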

4. Disabling error display

As a rule, hackers exploit various loopholes when breaking into websites, and the error messages displayed in response to incorrect actions are often very helpful to them. Therefore, I recommend that you turn off the display of these errors.

Here you will most likely ask: what if you need to look at the errors? For that, you can use the error log file (its name is shown in the same block of the settings).

You can view it by going to the site's root folder, then to system and then to logs.

How to do it: go to the admin panel, open “System”, then “Settings”, and in the settings open the “Server” tab. At the bottom is the “Errors” block, where you should set “Show errors” to “No”.