
How to protect OpenCart Store against hacking

28 November 2021, Sunday By Priyanka Boruah

OpenCart, like several other CMSs, can be called a relatively secure platform. However, as with any content management system, it is better to take care of protecting your site from unauthorized access right away. In this article I give basic tips that will help you improve the security of your site. The article is aimed primarily at owners of online stores built on OpenCart, but the tips are fairly universal, so they will also be of interest to owners of sites on other CMSs.


1. Change the path to the administrative panel

By default, the admin panel is opened at this path: Naturally, the more information an attacker has, the easier it is to break into your site. Therefore, the first recommendation is to move the admin panel from /admin to a different address: /manager, /panel or something harder to guess.

How to do it: in the file manager or phpMyAdmin, first rename the “admin” folder to something else; second, make the same replacement in the config.php file inside the folder you renamed; third, check the config.php file in the root folder as well (it sometimes mentions admin) and update it if it does.

If everything is done correctly, the administrative panel will now be available at the new address. Most importantly, do not forget it.

2. Change administrator login (and password)

After changing the address of the panel, it is worth changing the login, which by default is also admin. Note that this is the default login on many CMSs, so even if your store or site is not on OpenCart, I still advise you to change it immediately.

How to do it: go to the admin panel, select "System" (when the menu is collapsed it is shown as a gear icon), then "Users" and again "Users". You will see the row with the login “admin”: open its settings and change the login to a different one.

By the way, you can change the password in the same place, and I strongly recommend that you do so, choosing a password of at least ten characters. If you cannot think of one yourself, use one of the online password generators that are easy to find on Google.

Attention! Do not reuse passwords! Each password must be unique; never set the same password for the admin panel as, for example, for your mailbox.

3. Change access rights for important files

Two files, config.php in the root folder and config.php in the folder named admin by default (which was renamed above), contain sensitive information about the database, so it is recommended to change the permissions on these files to read-only.

How to do it: you can change permissions with any tool you use to work with files. The easiest way is to change them directly in your hosting control panel. In cPanel, find the file in the "File Manager" section, select it, and click "Permissions":

[Screenshot: cPanel file permissions dialog]

You can set the numeric mode there to 444 (read-only for the owner and for everyone else), or tick the same permissions with the checkboxes.

You can also use an FTP client, for example FileZilla, and set the permissions there.
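For readers who administer the store over SSH rather than through cPanel or FTP, the following added shell script (written for this article, not part of OpenCart) performs steps 1 and 3 together: it renames the admin folder, rewrites the references to it in both config.php files, makes those files read-only, and reports any leftover reference to the old folder name. It assumes a Unix host with GNU or BSD stat; the demo function works on constructed sample config files, whose HTTP_SERVER and DIR_APPLICATION lines mimic the shape of OpenCart's real config.php but whose values are made up.

```shell
#!/bin/sh
# Added example for the article: rename the OpenCart admin folder, update both
# config.php files, and lock them read-only. Not part of OpenCart itself.
set -eu

# rename_admin SITE_ROOT OLD NEW
# Step 1 of the article: move SITE_ROOT/OLD to SITE_ROOT/NEW and replace every
# "/OLD/" path segment in the root and admin config.php with "/NEW/".
rename_admin() {
    root=$1; old=$2; new=$3
    [ -d "$root/$old" ] || { echo "no $root/$old directory" >&2; return 1; }
    [ ! -e "$root/$new" ] || { echo "$root/$new already exists" >&2; return 1; }
    mv "$root/$old" "$root/$new"
    for f in "$root/config.php" "$root/$new/config.php"; do
        if [ -f "$f" ]; then
            # Rewrite through a temp file so this works with both GNU and BSD sed.
            sed "s#/$old/#/$new/#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
}

# stale_admin_refs SITE_ROOT OLD NEW
# Print any config line that still mentions the old folder; empty output is good.
stale_admin_refs() {
    grep -n "/$2/" "$1/config.php" "$1/$3/config.php" 2>/dev/null || true
}

# lock_config SITE_ROOT ADMIN_DIR
# Step 3 of the article: mode 444 on both config files (read-only for everyone).
lock_config() {
    chmod 444 "$1/config.php" "$1/$2/config.php"
}

# config_mode FILE: print the octal permission bits, e.g. 444.
config_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo: run the whole procedure against constructed sample files in a temp
# directory and print that directory's path. The values below are made up.
demo() {
    site=$(mktemp -d)
    mkdir "$site/admin"
    cat > "$site/config.php" <<'EOF'
<?php
// constructed sample of an OpenCart root config.php
define('HTTP_SERVER', 'http://example.com/');
EOF
    cat > "$site/admin/config.php" <<'EOF'
<?php
// constructed sample of an OpenCart admin/config.php
define('HTTP_SERVER', 'http://example.com/admin/');
define('DIR_APPLICATION', '/var/www/html/admin/');
EOF
    rename_admin "$site" admin manager
    lock_config "$site" manager
    printf '%s\n' "$site"
}
```

On a real store you would call `rename_admin /home/user/public_html admin manager`, then `stale_admin_refs` with the same arguments to confirm nothing still points at the old folder, and finally `lock_config`. Running the rename before the chmod matters: once the files are mode 444 the sed rewrite can no longer write to them.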

4. Disable display errors

As a rule, attackers look for loopholes, and the error messages shown in response to malformed requests often help them find those loopholes. Therefore, I recommend turning off the display of errors.

How to do this: go to the admin panel, select "System", then "Settings", open the "Server" tab, and in the "Errors" block at the bottom set "Show errors" to "No".

You will probably ask what to do if you still need to see the errors. For that, use the error log file (it is configured in the same block of the settings).

You can view it if you go to the root folder of the site, then to system and then to logs.

5. Requiring a secret key to open the admin login page

Like the other tips, this makes it harder to attack your admin panel in the first place. However, this method is more involved than the others, since it requires editing code.

How to do it: in the file manager, find and open the login.tpl file. It is located at this path: public_html/admin/view/template/common/login.tpl
(If you renamed the admin folder earlier, replace admin in this path with the new name.)

Next, you need to copy the following lines to the very top of the file:

<?php
// Take the key from the URL parameter and remember it in a cookie,
// otherwise fall back to the cookie set on an earlier visit.
if (isset($_GET['secretkey'])) {
    $seckey = $_GET['secretkey'];
    setcookie("secretkey", $_GET['secretkey']);
} elseif (isset($_COOKIE['secretkey'])) {
    $seckey = $_COOKIE['secretkey'];
} else {
    $seckey = '';
}
// Without the correct key, answer 404 so the login page appears not to exist.
if ($seckey != 'secretkeyvalue') {
    header("HTTP/1.0 404 Not Found");
    exit;
} else { ?>

That is not all the work needed in this file. You must replace the words “secretkey” and “secretkeyvalue” with your own (arbitrary) values. Do this very carefully, without removing or altering any other characters. You also need to remember this pair of values, otherwise you will not be able to get into the admin panel of your site.


After that, at the very end of the file, you need to add:

<?php } ?>

Save the file.

Now, to enter the admin panel, you need to use a link like this:

Remember that if you renamed the admin folder above, you must put the name you gave that folder into this link instead of admin. Only then will you see the page asking for the administration panel credentials.

In addition, you should prevent search engines from indexing the authorization page.

Go to the same directory (where login.tpl is located) and open the header.tpl file. Immediately after the <head> tag, add the following line:

<meta name="robots" content="noindex" />

[Screenshot: header.tpl with the robots meta tag added]

Now search engine crawlers will not index this page. If you previously wrote something like Disallow: /admin in robots.txt (to prohibit indexing of this page), delete that entry. Do not forget that robots.txt is a publicly accessible file that anyone, including attackers, can read. Therefore, you should not write the address of the administration panel there.
