X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   Forum FAQs and guides (https://forum.x-cart.com/forumdisplay.php?f=30)
-   -   Security Checklist for a Live Store (https://forum.x-cart.com/showthread.php?t=9163)

joestern 08-30-2004 07:06 PM

Security Checklist for a Live Store
I can never find a comprehensive post of security issues, so I've started a list. I'm definitely no XCart pro, but I'll try to maintain the list and update this top post with input from the more experienced users.

That said, I'm listing the top issues I've found with security, and what to do to prevent their abuse:

1 - After installation, remove your install.php file, and any other install files from add-on modules.

2 - Lock your "log" and "sql" directories. Best way is to use ".htaccess" files denying permission entirely. To check the effectiveness, browse to a link like:


If you don't get access, that's good. If you can see files, you've got a potential hole.

3 - Don't keep backups in the "log" directory. Make a backup when you need one, copy it away, and remove the original. I have a script that makes a backup each night into a secure directory.

4 - Always log into your admin area with https:


5 - Force all cart pages to be used by customers in secure (https) mode. Check these boxes in General Settings:

Do not redirect customers from HTTPS to HTTP:

Use HTTPS for users' login and registration:

Warning: You need to make sure you have your https configured correctly at the server level before you do this or you will lock yourself out of the store! For non-windows servers, you need to set up a symlink, which links the http and https directories.

6 - Put an "index.php" file in each subdirectory of the cart to prevent directory browsing. The only text you need in these files is a re-direct to your homepage. Alternatively, some hosts will disable directory listing for you.

7 - (NOTE: FOR 4.0 versions only) Change your SALT code at installation. To do this, you NEED to be logged in as "master", then change config.php and re-upload it. Change this section:


85 and 100 are the defaults. Change them. Then, before logging out, change your "master" password. Then log out and back in.

This changes all encryption of passwords and credit card info. So if you already have that info in there, DON'T change this, or it will be unreadable. See other threads for more details, or download all of your cc info before doing this.

balinor 01-08-2006 04:42 AM

Just to add a few things to this that I see way too often:

1 - Never keep the 'Master' account. When you first log in to X-Cart, create a new admin account, log out, log back in with the new account and delete the master account.

2 - Password protect your Admin and Provider directories. One extra level of protection will discourage hackers. This can usually be done via your host's Control Panel.

3 - Turn OFF the option of sending CC info via e-mail - in General Settings/E-mail options.

4 - Change your permissions:

.php - 644
.tpl - 644
.pl - 755
.sh - 755


templates_c - always 777
catalog - 777 - (to be able to write catalog and then 755 once catalog has been written)
files - 777 - (to be able to write to the folder / upload pics etc)
log - 777

All others - 755

You can do this via FTP, your hosting control panel, or by using SSH with a command like this:

find ./ -name "*.php" -print -exec chmod 644 {} \;

5 - Disable storing of CC info in the database (unless you are using manual credit card processing). Open up config.php (found in your root directory) and change this line:

$store_cc = true;


$store_cc = false;
