Best Practices for OpenCart Website Security

OpenCart is taking the e-commerce world by storm, growing into one of the more secure e-commerce platforms and one of the most widely used. Although OpenCart's security has been widely acknowledged, it is still recommended that the following steps be followed to secure an OpenCart e-commerce store.


1. Rename the OpenCart admin directory

By default, OpenCart's admin login page is at http://yourURL/admin/. This makes it easy for anyone to locate the login form and start guessing credentials. You can change this in a few relatively easy steps: start by opening /admin/config.php in a text editor and changing every value that contains /admin/ to a unique name of your choice.

To make the admin folder unknown to outsiders, you will have to do two things.

The first is to rename the /admin/ folder to a less common name, such as /private/. Next, edit the file /admin/config.php and replace the folder name admin with private (or whatever name you renamed the folder to). There should be 5 instances of admin that you have to change, e.g. change define('HTTP_SERVER', ''); to define('HTTP_SERVER', '');

The second is to password-protect your admin folder with htpasswd. If you're on cPanel web hosting, you can do this easily with the Password Protect Directories feature. This method will require you to log in twice, but it's well worth it.
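The config edit in step 1 is easy to get wrong with a blind search-and-replace, because the word admin can also appear in values that are not directory paths (a database user name, for instance). The following added example, which is not part of the original article or of OpenCart's own code, replaces only the path segment /admin/ and reports how many replacements it made so you can check the count against the 5 the article mentions. The sample config text is constructed to resemble admin/config.php; example.com and the constant names in it are assumptions for illustration.

```python
import re

# Constructed sample resembling OpenCart's admin/config.php (not the real file).
# The domain and the exact set of constants are assumptions for this example.
SAMPLE_CONFIG = """<?php
// HTTP
define('HTTP_SERVER', 'http://www.example.com/admin/');
define('HTTPS_SERVER', 'https://www.example.com/admin/');
define('HTTP_CATALOG', 'http://www.example.com/');
// DIR
define('DIR_APPLICATION', '/var/www/html/admin/');
define('DIR_SYSTEM', '/var/www/html/system/');
define('DIR_LANGUAGE', '/var/www/html/admin/language/');
define('DIR_TEMPLATE', '/var/www/html/admin/view/template/');
define('DIR_CONFIG', '/var/www/html/system/config/');
// DB
define('DB_USERNAME', 'admin');
"""


def rename_admin_paths(config_text: str, new_name: str,
                       old_name: str = "admin") -> tuple[str, int]:
    """Replace the directory segment /old_name/ wherever it appears as a
    path component and return (new_text, replacement_count).

    Bounding the match with slashes keeps unrelated values such as
    DB_USERNAME 'admin' or words like 'administrator' untouched.
    """
    # Keep the new directory name to plain characters so it needs no
    # escaping in URLs, filesystem paths or the PHP string literal.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", new_name):
        raise ValueError("directory name should only use [A-Za-z0-9_-]")
    pattern = re.compile("/" + re.escape(old_name) + "/")
    return pattern.subn("/" + new_name + "/", config_text)


def rewrite_config_file(path: str, new_name: str) -> int:
    """Rewrite config.php in place and return the number of paths changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, count = rename_admin_paths(original, new_name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return count


if __name__ == "__main__":
    new_text, changed = rename_admin_paths(SAMPLE_CONFIG, "private")
    print(f"{changed} path(s) changed")
    print(new_text)
```

Run the rewrite only after you have actually renamed the folder, and compare the reported count with the number of /admin/ paths you expected; a count that is too high or too low usually means a constant was added or removed in your OpenCart version.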



2. Secure The /system/ Folder

If you have installed OpenCart in a unique folder, then go to and use the .htaccess file to secure your OpenCart installation. If you installed in your root directory, just go to to create a .htaccess file and input the following code:

    <Files *.*>
    Order Deny,Allow
    Deny from all
    </Files>

Then put that .htaccess file in the following 2 directories:


3. Secure The /catalog/ Folder

This folder contains your images, JavaScript files, and template files. Nothing else in it should be served, but by default that is not the case. Just look at You can see that the web server still attempts to run the file, which poses a security risk. Either a malicious user can learn more about your system from the resulting error messages, or, if a malicious user finds a way to upload a PHP file of their own, your whole system could be in jeopardy.

The solution is to put a .htaccess file in the /catalog/ folder with the following code:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
    RewriteRule ^(.+)$ /404.html [NC]

This way, anything other than the allowed file types of jpg, jpeg, png, gif, css, and js is blocked. Whenever someone or something requests a prohibited file type (such as PHP) under /catalog/, the request is internally rewritten to the 404.html file instead of reaching the script.


4. Secure The /image/ Folder

As above, the /image/ folder requires protection as well, and you need a similar .htaccess file to achieve this. Create another .htaccess file in your /image/ folder with this code:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
    RewriteRule ^(.+)$ /404.html [NC]
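Before deploying the /catalog/ and /image/ rule sets above, it helps to check which requests they will actually let through. The following added example (mine, not code from the article or from OpenCart) emulates the RewriteCond chain of both snippets against sample request paths: the conditions are negated, case-sensitive regexes, so the RewriteRule fires, and the request goes to /404.html, exactly when no allowed extension matches. It also generates the same .htaccess text from an allow-list, so the two folders stay consistent if you add a file type later. The sample paths are constructed.

```python
import re

# Allowed extensions per folder, mirroring the RewriteCond lines of the two
# .htaccess snippets in the article (assumption: nothing else is needed there).
ALLOWED_EXTENSIONS = {
    "catalog": ("jpg", "jpeg", "png", "gif", "css", "js"),
    "image": ("jpg", "jpeg", "png", "gif"),
}


def is_served(folder: str, request_filename: str) -> bool:
    """Return True if Apache would serve the file, False if the RewriteRule
    sends the request to /404.html.

    Each RewriteCond is '!^(.+)\\.ext$' on %{REQUEST_FILENAME}; all of them
    must hold for the RewriteRule to fire. The [NC] flag sits on the
    RewriteRule only, so the conditions themselves are case-sensitive.
    """
    exts = ALLOWED_EXTENSIONS[folder]
    all_conditions_hold = all(
        re.search(r"^(.+)\." + re.escape(ext) + r"$", request_filename) is None
        for ext in exts
    )
    return not all_conditions_hold


def classify(folder: str, request_filenames: list[str]) -> dict[str, str]:
    """Map each sample path to 'served' or 'rewritten to /404.html'."""
    return {
        path: ("served" if is_served(folder, path) else "rewritten to /404.html")
        for path in request_filenames
    }


def generate_htaccess(folder: str) -> str:
    """Emit the .htaccess text for a folder from its allow-list."""
    lines = ["Options +FollowSymlinks", "RewriteEngine On"]
    for ext in ALLOWED_EXTENSIONS[folder]:
        lines.append(f"RewriteCond %{{REQUEST_FILENAME}} !^(.+)\\.{ext}$")
    lines.append("RewriteRule ^(.+)$ /404.html [NC]")
    return "\n".join(lines) + "\n"


# Constructed sample request paths (filesystem paths as seen in REQUEST_FILENAME).
SAMPLE_CATALOG = [
    "/var/www/html/catalog/view/theme/default/stylesheet/stylesheet.css",
    "/var/www/html/catalog/view/javascript/common.js",
    "/var/www/html/catalog/controller/common/home.php",
    "/var/www/html/catalog/view/theme/default/image/LOGO.PNG",
]
SAMPLE_IMAGE = [
    "/var/www/html/image/logo.png",
    "/var/www/html/image/cache/thumb.jpeg",
    "/var/www/html/image/upload.php",
    "/var/www/html/image/script.js",
]

if __name__ == "__main__":
    for folder, samples in (("catalog", SAMPLE_CATALOG), ("image", SAMPLE_IMAGE)):
        print(f"== /{folder}/ ==")
        for path, verdict in classify(folder, samples).items():
            print(f"{verdict:24} {path}")
    print(generate_htaccess("image"))
```

Note the LOGO.PNG case: because the conditions lack the [NC] flag, an image whose extension is upper-case is rewritten to 404.html as well. If your theme ships such files, either rename them or add [NC] to each RewriteCond; the allow-list approach otherwise behaves as the article describes.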

Passwords must be at least 10 characters in length.
Passwords should include at least two alphabetical characters.
Passwords should use both lower-case and upper-case letters.
Passwords should have at least two numerical digits.
Passwords should have at least two special characters (such as & ^ % * $).
Passwords should not include any dictionary words or any commonly used IT login names (e.g. administrator, dba, admin).
Passwords should not use personal information (such as names or birth dates).
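A policy like the one above is only useful if it is actually enforced when an admin account is created or a password is changed. The following added example, which is not part of the original article or of OpenCart, turns the seven rules into a checker that reports every rule a candidate password breaks. The dictionary and login-name lists are constructed stand-ins; a real deployment would load a full word list and the store's own user names.

```python
import string

# Constructed stand-ins: a real check would load a full dictionary file and
# the store's own list of staff names and login names.
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "shop", "cart", "open"}
COMMON_LOGIN_NAMES = {"administrator", "dba", "admin", "root", "sysadmin"}

MIN_LENGTH = 10
MIN_LETTERS = 2
MIN_DIGITS = 2
MIN_SPECIALS = 2


def check_password(pw: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return the policy rules the password violates; an empty list means it
    complies. personal_info holds strings such as names or birth years that
    must not appear in the password."""
    problems: list[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isalpha() for c in pw) < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix lower-case and upper-case letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c in string.punctuation for c in pw) < MIN_SPECIALS:
        problems.append(f"fewer than {MIN_SPECIALS} special characters")

    lowered = pw.lower()
    # Substring match, case-insensitive: "Summer2023!" still contains "summer".
    # Words shorter than 3 characters are skipped to avoid spurious hits.
    banned = DICTIONARY_WORDS | COMMON_LOGIN_NAMES
    word_hits = sorted(w for w in banned if len(w) >= 3 and w in lowered)
    if word_hits:
        problems.append("contains dictionary or login word(s): " + ", ".join(word_hits))

    info_hits = sorted(
        item.lower() for item in personal_info
        if len(item) >= 3 and item.lower() in lowered
    )
    if info_hits:
        problems.append("uses personal information: " + ", ".join(info_hits))

    return problems


def is_compliant(pw: str, personal_info: tuple[str, ...] = ()) -> bool:
    return not check_password(pw, personal_info)


if __name__ == "__main__":
    for candidate, info in (
        ("Summer2023!", ()),
        ("Jane1990!!xyz", ("Jane", "1990")),
        ("xK7#qL2$vW9", ()),
    ):
        verdict = check_password(candidate, info)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Returning the full list of violations rather than a single yes/no lets the admin form tell the user which rules to fix; the checker is deliberately a substring test for the word lists, since a dictionary word padded with digits ("Summer2023!") is the pattern the policy is meant to reject.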

Other important password-related best practices include:

Never use the same password for different accounts.
Make sure not to store your passwords in plain text on your computer, or even in the cloud.
Always make immediate changes to passwords after outside developers or third-parties finish their work.

5. Enable SSL for Admin

Data sent back and forth from the Admin Panel is not encrypted by default. Enabling SSL/HTTPS ensures that information such as admin user passwords and customer transaction details is protected from eavesdropping and tampering in transit.

6. Enable SSL for your storefront

It is recommended that you enable encryption for your online store itself. This can be done by going to System > Settings and clicking Edit for the default store. Under the Server tab, set Use SSL to Yes and click Save.

These six steps can make a huge difference in improving the security of your OpenCart store.
