Stopping OpenCart From Being Hacked

I had the pleasure of an OpenCart installation I was maintaining being hacked. Here is what I did to prevent further attacks…

Remove The /install/ Directory

As soon as you’ve installed OpenCart, remove the /install/ directory and all it’s files, you won’t need them again!

Change Some File Permissions To 444

By default, all files have the permission level 644. Some vital ones can be further restricted to 444 to prevent anyone from changing them. The files to change are:

  • index.php
  • config.php
  • admin/config.php

Rename The /admin/ Folder

Plenty of attacks will be from bots which crawl the web, looking for specific pages which signify you are running opencart. One of these would be to check www.yourshopnamehere.com/admin. Renaming the admin folder prevents these bots from finding the page.

Firstly, rename the admin folder to a harder to guess name. Then replace all the occurances of /admin/ with your new path name in the files /config.php and /yournewadminfolder/config.php. Then browse to www.yourshopnamehere.com/yournewadminfolder, and the admin backend should work as normal!

Also, I checked out the vqMod plugins, and pretty much all of them had the admin folder path hardcoded into the scripts. These will need to be changed, otherwise your plugins will break. I ran the command:

while in the /vqmod/xml directory to rename all occurances of admin to yournewadminfolder.

Change Your Passwords

This is only really relevant if your looking at a way to hacker-proof your site after it has been hacked. If you are being pro-active about security, then don’t worry about this step!

Get A Admin-Area Logging Plugin

There are a few plugins (most cost US$10-15) that allow you to monitor acitivty on the admin section of your OpenCart install. These plugins normally log user login attemps, what admin pages they visit, and what changes they make. They log the user (if registered), their IP address, and other details.

One example is Activity Logger With Invalid Login Attempt Monitor, which uses vQmod and costs US$15.

Posted: February 18th, 2014 at 8:03 pm
Last Updated on: February 23rd, 2014 at 4:27 pm

  • Eugene

    you can also limit admin area access based on per ip via htaccess

    just create a .htaccess and put it under your admin folder

    Inside of the .htaccess, you can limit as
    order deny,allow
    deny from all
    allow from xxxx.xxxx.xxxx.xxxx ( your ip here )

    • Thanks for the tip! If a non-IT person is going to be logging onto the admin area, I guess you have to make sure they have a fixed IP address.

      • Eugene

        most users of opencart are business users, they should have used static ip instead of dynamic ip, but that is in an ideal business environment. Furthermore, if they really have to use dynamic ip, they can request IT guy to put their ip there for a short period of time via FTP or hosting control panel file manager. Dynamic ip address changes only when the user re-sign into their ISP or the ip time lease is up or ISP server is restarted. These days, security is very important.

    • Thanks for the tip! If a non-IT person is going to be logging onto the admin area, I guess you have to make sure they have a fixed IP address.

  • Pingback: Installing OpenCart on Digital Ocean – Oshane's Blog()

  • Pingback: Installing OpenCart on Digital Ocean – Oshane The Developer()

  • Pingback: Installing OpenCart on Digital Ocean - Oshane Bailey()