Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Security Checklist for a Live Store

 
Reply
   X-Cart forums > Forum FAQs and guides
 
Thread Tools Search this Thread
  #1  
Old 08-30-2004, 07:06 PM
 
joestern joestern is offline
 

Senior Member
  
Join Date: Apr 2004
Posts: 187
 

Default Security Checklist for a Live Store

I can never find a comprehensive post of security issues, so I've started a list. I'm definitely no XCart pro, but I'll try to maintain the list and update this top post with input from the more experienced users.

That said, I'm listing the top issues I've found with security, and what to do to prevent their abuse:

1 - After installation, remove your install.php file, and any other install files from add-on modules.

2 - Lock your "log" and "sql" directories. Best way is to use ".htaccess" files denying permission entirely. To check the effectiveness, browse to a link like:

http://www.mysite.com/cart/sql

If you don't get access, that's good. If you can see files, you've got a potential hole.

3 - Don't keep backups in th "log" directory. Make a backup when you need one, copy it away, and remove the original. I have a script that makes a backup each night into a secure directory.

4 - Always log into your admin area with https:

https://www.mysite.com/cart/admin

5 - Force all cart pages to be used by customers in secure (https) mode. - Check these boxex in General Settings:

Do not redirect customers from HTTPS to HTTP:

Use HTTPS for users' login and registration:

Warning: You need to make sure you have your https configured correctly at the server level before you do this or you will lock yourself out of the store! For non-windows servers, you need to set up a symlink, which links the http and https directories.

6 - Put an "index.php" file in each subdirectory of the cart to prevent directory browsing. The only text you need in these files is a re-direct to your homepage. Alternatively, some hosts will disable directory listing for you.

7 - (NOTE: FOR 4.0 versions only) Change your SALT code at installation. To do this, you NEED to be logged in as "master", then change config.php and re-upload it. Change this section:

$CRYPT_SALT = 85
$START_CHAR_CODE = 100

85 and 100 are the defaults. Change them. Then, before logging out, change your "master" password. Then log out and back in.

This changes all encryption of passwords and credit card info. So if you already have that info in there, DON'T change this, or it will be unreadable. See other threads for more details, or download all of your cc info before doing this.
__________________
X-Cart version 4.7.12
Reply With Quote

The following 12 users thank joestern for this useful post:
cday (09-26-2010), Esexy (10-07-2010), fuatefe (12-27-2018), Gabe (12-09-2010), just wondering (04-14-2010), Leafgreen1 (11-13-2010), SCUBA1609 (06-04-2009), shepint (11-10-2011), Sherman (08-16-2009), thornomad (05-10-2009), tom437 (07-08-2010), TrevorH (03-05-2015)
  #2  
Old 01-08-2006, 04:42 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default

Just to add a few things to this that I see way too often:

1 - Never keep the 'Master' account. When you first log in to X-Cart, create a new admin account, log out, log back in with the new account and delete the master account.

2 - Password protect your Admin and Provider directories. One extra level of protection will discourage hackers. This can usually be done via your hosts Control Panel.

3 - Turn OFF the option of sending CC info via e-mail - in General Settings/E-mail options.

4 - Change your permissions:

.php - 644
.tpl - 644
.pl - 755
.sh - 755
VERSION - 644

FOLDERS

templates_c - always 777
catalog - 777 - (to be able to write catalog and then 755 once catalog has been written)
files - 777 - (to be able to write to the folder / upload pics etc)
log - 777

All others - 755

You can do this via FTP, your hosting control panel, or by using SSH with a command like this:

find ./ -name "*.php" -print -exec chmod 644 {} \;

5 - Disable storing of CC info in the database (unless you are using manual credit card processing). Open up config.php (found in your root directory) and change this line:

$store_cc = true;

to

$store_cc = false;
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote

The following 21 users thank balinor for this useful post:
cday (09-26-2010), conradp24 (01-18-2010), Esexy (10-07-2010), Freeprawn (02-23-2010), fuatefe (12-27-2018), Gabe (12-09-2010), gman (04-23-2011), just wondering (04-14-2010), jvbargains (11-07-2010), Leafgreen1 (11-13-2010), marketology (03-23-2011), mickey (05-09-2012), Momtreprenuer (07-10-2009), necroflux (06-14-2009), Phoenix Tech (04-26-2009), SCUBA1609 (06-04-2009), Sherman (08-16-2009), thornomad (05-10-2009), tom437 (07-08-2010), TrevorH (03-05-2015), vasilis (10-03-2011)
Reply
   X-Cart forums > Forum FAQs and guides



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:43 PM.

   

 
X-Cart forums © 2001-2020