- Posted by Melanie
- 09 November 2011
- E-Commerce Design

Securing Zen Cart
Securing your Zen Cart is not a very challenging task, but not doing so can be a very expensive one. In an age where attackers are skilled, well-resourced programmers and the credit card companies fine merchants up to $10K, there is no excuse for not making your site's security a high priority. Ignorance is not an excuse either: Visa, MasterCard, Amex etc. will still fine you even if "you didn't know". It is your website and thus your responsibility to know. My intention today is to give you a list of easy to intermediate things to do to secure your Zen Cart.
Keep in mind that different hosting configurations have different strengths and weaknesses, so it is always a good idea to ask your hosting support for help and advice. If you have any comments, questions or suggestions to add, we would love to hear from you.
Installation
After installing Zen Cart there are several things that need to be done to improve its performance and security.
- Remove the following installation and tool folders and files (here is a list of free FTP programs). Leaving the installer online invites someone to re-run it against your store, and the docs and extras folders serve no purpose on a live site.
/your_catalog/docs
/your_catalog/extras
/your_catalog/zc_install
/your_catalog/install.txt (this file can be removed, too)
- You will need to rename your admin directory if you haven't already. Here is a tutorial from Zen Cart.
- Now lower the permissions on your two configure files; they should be as low as your server allows. Start at CHMOD 400 (enough when PHP runs as your own user, as with suPHP or FastCGI/PHP-FPM) and go up from there, but no higher than 644 (needed when PHP runs as the shared web-server user). They must never be writable by the web server. You will likely need to log in to your hosting control panel's file manager to do this.
/your_catalog/your_admin/includes/configure.php
/your_catalog/includes/configure.php
- If you do not sell downloadable products in your cart, then in your admin navigate to Configuration >> Attribute Settings and set Enable Downloads to false. Then remove the following folders from your installation.
/your_catalog/download
/your_catalog/media
/your_catalog/pub
- In /your_catalog/, Apache users (which is most of you) should edit the .htaccess file. If you don't have one, create and upload a text file named .htaccess. Whether you use FTP or the file manager, you will need "show hidden files" enabled to see it. Add the following lines and save. I have deliberately kept this basic; if your site returns an error (typically a 500) after you save it, your host may not allow the Options directive in .htaccess, or may run Apache 2.4, where "order allow,deny" / "deny from all" must be written as "Require all denied". In that case remove the .htaccess and send it to your webhost to adapt to your server config.
Options +FollowSymLinks -Indexes
RewriteEngine On
RewriteBase /
ServerSignature Off
<Files .htaccess>
order allow,deny
deny from all
</Files>
Operation & Performance
- Go to Admin > Configuration > Email Options > Allow Guest To Tell A Friend and set the option to false. This will prevent non-logged-in customers from using your server to send unwanted email messages.
- Go to Admin > Configuration > Email Options > Emails must send from known domain? = True
- Go to Admin > Configuration > Email Options > Audience-Select Count Display = False (for performance)
- Go to Admin > Configuration > GZip Compression = True (performance)
- Go to Admin > Configuration > Sessions > Verify that the Session Directory is correct
- Go to Admin > Configuration > Sessions > Force Cookie Use = True (this is optional and does not perform correctly on all servers)
- Go to Admin > Configuration > Sessions > Recreate Session = True. If your webhost tells you otherwise, find proper hosting. This setting makes Zen Cart issue a fresh session ID when a customer logs in; with it set to false, an attacker who plants a known session ID in a victim's browser (session fixation) keeps that same ID after the victim logs in and can hijack the account.
- Go to Admin > Configuration > My Store > Server Uptime = False. Displaying server uptime discloses information about the host and is flagged as a PCI scan failure.
- In your images and cache folders an .htaccess should already exist; if not, copy one from a fresh Zen Cart installation.
- Folders should be CHMOD 755 and files (except your configure files) should be 644.
- Remove the print URL feature from your browser (Zen Cart tutorial)
- Limit admin access to only the people who need it, and give each of them their OWN admin account in Tools > Admin Settings. Then install the admin logging report module so you can see who is accessing what and catch access issues when needed.
- Do not leave your admin open and walk away. Avoid having your admin open alongside other websites in the same browser.
- DO NOT access your admin on an open or unsecured public network and NEVER access your admin with a mobile device.
- Enable log archiving in cPanel or other hosting control panel.
- Make certain (check with your webhost) that FrontPage Extensions are not installed.
- Make certain your webhost is running a proper server firewall application.
- If you have SSH access and you use it, its password should be exceptionally strong, 16 random characters or more (better still, use key-based authentication and disable password login). If you have SSH access and you don't use it, disable SSH so nobody can use it. There is sometimes an SSH control switch in cPanel; for reseller accounts and dedicated servers, there is a switch in WHM.
- Turn off the following in your PHP config (you will likely need your webhost to do this): register_globals, expose_php and safe_mode. Note that register_globals and safe_mode were removed in PHP 5.4, so on newer PHP only expose_php still applies.
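The installation steps above (remove the installer leftovers, lock down both configure.php files, write the .htaccess) and the permission baseline from this list (folders 755, files 644, .htaccess present in images and cache) are easy to apply by hand once and then forget. The script below is an added example, not Zen Cart's own code, that applies them to a catalog directory and re-checks them so it can run from cron. It assumes SSH access with POSIX sh, find(1) and chmod(1), that the admin directory has already been renamed (its name is the second argument; "admin_x7k2" and the /var/www path in the usage line are placeholders), and it extends the page's .htaccess with a deny rule for renamed PHP copies (.bak, .old, .orig, .sav), which is an addition.

```shell
#!/bin/sh
# Added example, not Zen Cart's own code: applies the post-install hardening
# steps (remove installer leftovers, lock down configure.php, write .htaccess,
# folders 755 / files 644) to a catalog directory and re-checks them.
# Assumptions: POSIX sh with find(1) and chmod(1); the admin directory has
# already been renamed and its name is passed as the second argument.
set -eu

# The article's .htaccess with a valid Options line (Apache rejects mixing
# "All" with +/- flags) and both the 2.2 and 2.4 deny syntax. Denying
# .bak/.old/.orig/.sav copies of PHP files is an addition to the article.
zc_write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options +FollowSymLinks -Indexes
RewriteEngine On
RewriteBase /
ServerSignature Off
<IfModule mod_authz_core.c>
    <FilesMatch "^\.htaccess$|\.(bak|old|orig|sav)$">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "^\.htaccess$|\.(bak|old|orig|sav)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
EOF
}

# zc_harden CATALOG ADMIN_DIR [CONFIGURE_MODE]
# CONFIGURE_MODE: 400 when PHP runs as the file owner (suPHP, CGI/FastCGI,
# PHP-FPM pools), 444 when it runs as the shared web-server user (mod_php).
zc_harden() {
    catalog=$1; admin=$2; cfg_mode=${3:-400}

    # 1. Installer and documentation leftovers must not stay online.
    for p in docs extras zc_install; do
        rm -rf "$catalog/$p"
    done
    rm -f "$catalog/install.txt"

    # 2. Baseline permissions: directories 755, files 644 ...
    find "$catalog" -type d -exec chmod 755 {} +
    find "$catalog" -type f -exec chmod 644 {} +

    # 3. ... then the two configure files as tight as the PHP handler allows.
    for f in "$catalog/includes/configure.php" "$catalog/$admin/includes/configure.php"; do
        [ -f "$f" ] && chmod "$cfg_mode" "$f"
    done

    # 4. No directory listings, no web access to .htaccess or renamed PHP copies.
    zc_write_htaccess "$catalog"
}

# zc_check CATALOG ADMIN_DIR: returns 0 when every step is in place, otherwise
# prints each finding and returns 1 (suitable for a cron job that mails output).
zc_check() {
    catalog=$1; admin=$2; rc=0
    for p in docs extras zc_install install.txt; do
        [ -e "$catalog/$p" ] && { echo "leftover: $catalog/$p"; rc=1; }
    done
    for f in "$catalog/includes/configure.php" "$catalog/$admin/includes/configure.php"; do
        # group- or world-writable configure.php lets other tenants or PHP rewrite it
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "writable: $f"; rc=1
        fi
    done
    # .htaccess must exist in the root and in images/ and cache/ (shipped with Zen Cart)
    for d in . images cache; do
        [ -f "$catalog/$d/.htaccess" ] || { echo "missing: $catalog/$d/.htaccess"; rc=1; }
    done
    grep -q -- '-Indexes' "$catalog/.htaccess" 2>/dev/null \
        || { echo "directory listing not disabled in $catalog/.htaccess"; rc=1; }
    return "$rc"
}

# Usage: sh zc_harden.sh /var/www/html/shop admin_x7k2   (both paths are placeholders)
if [ "$#" -eq 2 ]; then
    zc_harden "$1" "$2"
    zc_check "$1" "$2"
fi
```

Run zc_harden once after installation, then schedule zc_check (for example daily from cron) so that a reappearing zc_install folder, a configure.php that became writable after an upgrade, or a deleted .htaccess is reported rather than discovered by a PCI scan.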
Maintenance & Procedure
- Change all passwords every 90 days. Use strong passwords with numbers, letters, mixed case and symbols. Here is a great generator for passwords. You are required by the PCI DSS to do this, to have the procedure documented in your company's procedures and to log the changes as they happen.
- Do not store credit card information anywhere.
- Have an approved PCI scanning vendor scan your website and office network at least every 3 months. We use Trust Guard, but any approved scanner is fine.
- Make frequent backups of your shop and database. Your hosting company can setup a daily backup for you. We run daily backups and keep the most recent daily, weekly and monthly backups on hand for restore.
- DO NOT store your passwords in any digital format: email, Word docs, etc. Pen and paper only, if you must write them down.
- Scan your computer regularly and keep your virus definitions up to date at all times.
- Keep ALL software on your computers up to date (especially Adobe products). This includes browser plugins.
- Check /your_catalog/cache/ frequently for debug log files; their presence indicates an error or issue that needs attention.
- Create specific admin, FTP and other access for each vendor allowing them only the required access and remove access when completed.
- Keep all web software (Zen Cart, WordPress etc) patched and up to date.
- Always use SFTP or FTPS to access your files.
- Do not leave renamed copies of PHP files (configure.php.bak, .old, .orig and the like) inside your web root. Once the name no longer ends in .php the server no longer executes the file and will happily serve its source, so a renamed configure.php hands your database credentials to anyone who guesses the name. Keep such copies outside the web root, or deny access to those extensions in .htaccess.
- Protect new directories. Every single directory should be protected from directory browsing. The easiest way is a blank index.html in each; the -Indexes option in the .htaccess above covers Apache hosts as well.
- Keep a complete list of your site files in a "known good" backup on a disk other than your webhost, such as your own computer.
Remember, ignorance will not save you from fines, loss of merchant processing or being sued. You must take action and secure your website; it is simply not optional.
- Posted by Melanie
- 08 November 2011
- E-Commerce Design, Ecommerce SEO
The very nature of the term actionable implies the creation or motivation of your content's ability to convert. However, since the Google Rater Handbook leak, we also know that Google uses words (content) to determine, rank and display search results based on the user's intent to buy. When a searcher queries something like "Buy US Flag", this searcher's intent is to shop.
According to Google, search queries can be classified into action queries ("do"), information queries ("know") and navigation queries ("go").
So the very content we use on our pages to drive conversions can also help Google deliver you more "doers" than "knowers". The challenge, as it has always been, is to create content which:
- Answers all of the shoppers questions
- Engages him
- Causes him to make a purchase (add to cart)
Some of these things we are inherently going to be quite good at, based on our own personality and experiences. However, I rarely see shop owners who hit all 3. Let's have a look at some examples:
This example is your basic "Information Overachiever". There is so much information here that as a shopper I am perhaps even overwhelmed. The lack of natural content coupled with the very direct add to cart area may make this page uncomfortable for many shoppers. Kind of like that guy who follows you around the store from the door and won't leave you alone.
Here we have a much softer sell, but it lacks the "wow" of the informational listing. This format creates trust better and delivers a more comfortable feel to the decision to make a purchase. Keep in mind that many times your needs will be specific to your products or niche as well.
This is a nice product page layout. Easy to read, scan and understand. It is a significantly "softer" sell, but instills confidence to make the purchase. Visually the images are large enough and plenty, while the information is both natural and detailed.
So we can see that different layouts have different strengths, but what about the actual words?
The words that you use to describe your content should be presented naturally, in the same manner as you would attempt to sell the product on the phone. Using alternate names, slang and layman's terminology will help Google deliver your products for the natural language people search with. There is no point in ranking number 1 for a roro widget when everyone refers to it as a roo, for example.
Lastly, to help the search engines understand the actionable nature of your product pages you should include words such as "buy", "purchase", "shop online" etc. When including these types of action phrases it will be most effective to string them along with a keyword for the product, something such as "When buying a roo online, you have several options for color, size and delivery". It's way too easy to get spammy when trying to create actionable content, so pay close attention to the perceived intent of the words you choose.