Opencart Security
In order to configure HTTPS for Opencart, there are a few steps to follow.
- You will need to have a valid SSL Certificate installed for your domain.
- You will need to open the config.php and admin/config.php files and modify the following:
Find the HTTP and HTTPS section at the top of each file. You’ll need to add an ’s’ after the http in the HTTP and HTTPS section of both files. Save the files and upload them to the server.
Example of config.php after you have edited it:
// HTTP
define('HTTP_SERVER', 'https://www.your-domain.com/');
// HTTPS
define('HTTPS_SERVER', 'https://www.your-domain.com/');
Example of admin/config.php after you have edited it:
// HTTP
define('HTTP_SERVER', 'https://www.your-domain.com/admin/');
define('HTTP_CATALOG', 'https://www.your-domain.com/');
// HTTPS
define('HTTPS_SERVER', 'https://www.your-domain.com/admin/');
define('HTTPS_CATALOG', 'https://www.your-domain.com/');
- Add the following redirect rule in your .htaccess file on the next line below RewriteBase /
If you are using www in your config.php files, add this rule:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]
If you are not using www in your config.php files, add this rule:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
- Log in to your Opencart admin area and go to System > Settings > Edit and click on the Server tab. Select the radio button to Use SSL and click Save.
Whether you’re processing credit cards or not, we strongly recommend you have an SSL certificate for your website. This will also build trust with your customers and help you store their information as well as yours more securely.
If you are not seeing a padlock for every page, visit whynopadlock.com to learn why.
On all of our servers, you should upload with the following permissions:
- Folders: 755
  - Chmod 755 (chmod a+rwx,g-w,o-w) sets permissions so that the (U)ser / owner can read, can write and can execute. (G)roup can read, can’t write and can execute. (O)thers can read, can’t write and can execute.
- Files: 644
  - Chmod 644 (chmod a+rwx,u-x,g-wx,o-wx) sets permissions so that the (U)ser / owner can read, can write and can’t execute. (G)roup can read, can’t write and can’t execute. (O)thers can read, can’t write and can’t execute.
By default, the file is named htaccess.txt. If you have not already, rename the file to .htaccess, which is then a hidden file on the server.
Open your .htaccess or .htaccess.txt file and add the following to the top of your file:
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
If you choose to install Opencart using a subdomain or subfolder, make sure you modify the following in your .htaccess or .htaccess.txt file:
Change RewriteBase / to RewriteBase /subfolder-name/
- Folders to Remove
- /install/
Remove any extra files and/or folders, including .zip files, that are not needed from the server.
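As an added example (not part of the original article), the shell function below checks a document root against the checklist above: folder and file modes, the leftover /install/ folder and .zip archives, the .htaccess self-protection block, and http:// URLs left in config.php and admin/config.php. The function names, finding codes and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a document root against the checklist on this page.
# Prints one finding per line; no output means the tree passes.
audit_opencart() {
    root=${1%/}
    # Folders must be 755 and files 644.
    find "$root" -type d ! -perm 755 | sed 's/^/DIR_MODE /'
    find "$root" -type f ! -perm 644 | sed 's/^/FILE_MODE /'
    # The installer folder and leftover archives must be removed.
    if [ -d "$root/install" ]; then echo "INSTALL_DIR $root/install"; fi
    find "$root" -type f -name '*.zip' | sed 's/^/ARCHIVE /'
    # htaccess.txt must be renamed and must deny requests for itself.
    if [ ! -f "$root/.htaccess" ]; then
        echo "HTACCESS_MISSING $root/.htaccess"
    elif ! grep -q '<Files \.htaccess>' "$root/.htaccess"; then
        echo "HTACCESS_EXPOSED $root/.htaccess"
    fi
    # Every URL constant in both config files must start with https://.
    for f in config.php admin/config.php; do
        if [ -f "$root/$f" ]; then
            grep -n "define('HTTPS*_[A-Z]*', *'http://" "$root/$f" |
                sed "s|^|CONFIG_HTTP $f:|"
        fi
    done
    return 0
}

# Constructed sample tree (not a real store) with six deliberate findings.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/admin" "$t/install" "$t/image"
    printf "define('HTTP_SERVER', 'http://www.your-domain.com/');\n" > "$t/config.php"
    printf "define('HTTPS_SERVER', 'https://www.your-domain.com/');\n" >> "$t/config.php"
    printf "define('HTTP_SERVER', 'https://www.your-domain.com/admin/');\n" > "$t/admin/config.php"
    : > "$t/backup.zip"
    find "$t" -type d -exec chmod 755 {} +
    find "$t" -type f -exec chmod 644 {} +
    chmod 777 "$t/image"        # world-writable folder
    chmod 666 "$t/config.php"   # world-writable file
    echo "$t"
}

# Usage: sh audit.sh /path/to/opencart (with no argument, only defines the functions)
if [ "$#" -gt 0 ]; then audit_opencart "$1"; fi
```

The exact-mode test flags anything that differs from 755/644, so files you have deliberately tightened (for example a read-only config.php) will also be listed and can be ignored.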
It’s important to update your Database Username password and Opencart Admin Login passwords on a regular basis.
- DO
- Use a password generator
- Include upper case, lower case, numbers and characters
- Have a plan put together to remind yourself to update passwords every month or every other month
- DON’T
- Use the same password for every site you access
- Use the name ‘admin’ for your username
- Use a password less than 8 characters
- Use password or password12345 as your password
As an additional security layer, we highly recommend adding one of these free extensions to secure the Admin area of your Opencart website with Two Factor Authentication (2FA):
Opencart Two Factor Authentication Extensions
Here are a few lines of code that you can add to your .htaccess or .htaccess.txt file to block a few of the common bad bots.
Add this code below the RewriteBase / line within your .htaccess or .htaccess.txt file in order to block known bad bots:
# deny access to evil robots site rippers offline browsers and other spam
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
We do not provide any support through tickets or any other means as the topics posted here fall outside the scope of web hosting support.
You may also want to browse the Opencart Community Forums for additional tips and tricks and other Opencart news.