Zen Cart™ Site Security
While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store.
Donations can be made at: The Zen Cart™ Team Page
We appreciate your support.
The Zen Cart™ Team
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under the GNU General Public License
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.
STEPS IN SECURING YOUR ZEN CART™ STORE
The following is a list of several steps you can take to secure your Zen Cart™ site:
1. Delete the /zc_install folder
Once installation is complete, delete the /zc_install folder from the server.
2. Rename your "/admin" folder
Renaming the "admin" folder makes it much harder for would-be hackers to get into your admin area.
(Before making the following changes, make sure to have a current backup of your files and your database.)
A- Open your admin/includes/configure.php, using a simple text editor like notepad.
Change this section:
And this section:
B- Find your Zen Cart /admin/ directory, using your FTP software or your webhost File Manager.
C - To login to your admin system you will now have to visit a new URL that matches the new name used in steps A and B above. For example instead of visiting http://www.example.com/admin/ visit http://www.example.com/NeW_NamE4u/.
D - You should also protect your admin area by using a .htaccess file similar to the one shown below, and placing it into /admin/includes. (This should already exist in Zen Cart versions 1.2.7 and greater.)
3. Set configure.php files read-only
It's important that you CHMOD (set permissions) on the two configure.php files as read-only.
The configure.php files are located in:
Quite often setting permissions on a file to read only via FTP will not work. Even if the permission looks like it was set to read only, it really may not have been. You must verify the correct setting by entering the store and seeing if there is a warning message on the top of the screen. "Warning: I am able to write to the configuration file:..." In this case you will need to use the "File Manager" supplied with your webhosting account.
If you're using a Windows server, simply set the file as Read-Only for Everyone and especially the IUSR_xxxxx (Internet Guest Account) user if running IIS, or the System account or apache user if running Apache.
4. Delete any unused Admin accounts
5. Admin Password Security
It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.
We recommend that you use passwords that are at least 8 characters long.
Admin Access Protection
It is wise to observe caution while working in your admin area:
6. Protect your "define pages" content in "html_includes"
After you have finished editing your define pages (Admin->Tools->Define Pages Editor), you should protect them:
A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes area.
B. Make them CHMOD 644 or 444 (or “read-only” for Windows hosts). See notes above on CHMOD.
If you make them read-only, then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the read-only status, which is more complicated.
7. Use .htaccess files to protect against unwanted snooping
In several folders, there are .htaccess files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to "any" .PHP scripts, since it's expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security.
There are also some semi-"blank" index.html files in several folders. These files are there to protect you in case your FTP software won't upload .htaccess files, or your server won't accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It's a good "alternative", although using .htaccess files in ALL of these folders is the better choice, for servers that accept them.
Suggested content for .htaccess files in folders where there is an index.html file but NOT yet an .htaccess file would be something like the following (depends on your server configuration):
#.htaccess to prevent unauthorized file access files
In order for the above suggestions to work, your host must include either 'All' or all of these: 'Limit Options Indexes' parameters to the AllowOverride configuration in the server's apache/conf/httpd.conf file.
If your webhost configuration doesn't allow you to create/use your own .htaccess files, sometimes they provide an interface in your hosting admin control panel where you can set the desired .htaccess settings.
It is recommended that you work with your host to configure these settings if this is the method they require. You need to choose -- and use -- the appropriate method for your server. As mentioned above, it's best to work with your web hosting company to select and implement the best method for your specific server. We can't tell you what to use for your specific server, but we offer these guidelines as a starting point.
Disable "Allow Guest To Tell A Friend" featureYou may wish to go to Admin->Configuration->Email Options->Allow Guest To Tell A Friend and set the option to 'false'. This will prevent non-logged-in customers from using your server to send unwanted email messages.
Protect your "images" and other foldersDuring initial installation, you are advised to set your images folder to read/write, so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.
However, leaving the images (or any other) folder in read/write mode means that hackers might be able to put malicious files in this (or other) folder(s) and thus create access points from which to attempt nasty exploits.
Thus, once your site is built and your images have been created/loaded, you should drop the security down from read/write to read. ie: change from CHMOD 777 down to 644 for files, and to 755 for folders.
File/Folder permissions settings
On Linux/Unix hosts, generally, permission-setting recommendations for basic security are:
On Windows hosts, setting files read-only is usually sufficient. Should double-check that the Internet Guest Account has limited (read-only) access.
The folders for which installation suggests read-write access for setup are these. If your site supports .htaccess protection, then you should use it for these folders. (The .htaccess files included with v1.3.9 and newer should already cover the basics.)
Remove the print URL from your browser's headers
To stop the browser from printing a URL on the invoice or any other document on the web, follow these steps:
For Internet Explorer:
Things to Check Up on Regularly