Securing Zen Cart

Securing your Zen Cart is not a very challenging task, but not doing so can be a very expensive venture. In this age where hackers are the best programmers on the planet and credit card company fine up to $10K, there is no excuse not to hold your site’s security at a high priority. Ignorance is not an excuse either… Visa, MasterCard Amex etc will still fine you even if “you didn’t know”. It’s your website and thus your responsibility to know. My intention today is to give you a list of easy to intermediate things to do to secure your Zen Cart.

Keep in mind that different hosting configurations have different strengths and weaknesses. It is always a good idea to ask your hosting support for help and advice. If you have any comments, questions and even suggestions to add we would love to hear from you.


After installing your Zen Cart there are several things which need done to improve it’s performance and security.

  • Remove the following installation and tool folders. Here is a list of free FTP programs.

/your_catalog/install.txt (this file can be removed, too)

  • You will need to rename your admin directory if you haven’t already. Here is a tutorial from Zen Cart.
  • Now you will need to lower the permissions on your configure files. These should be as low as you can go. Start at CHMOD 400 and go up from there and no higher than 644. You will likely need to login to your hosting control panel file manager to do so.


  • If you do not sell downloadable products in your cart then in your admin navigate to Configuration >> Attribute Settings and set Enable Downloads to false. Then remove the following folders from your installation.


  • In /your_catalog/ for Apache users (this is most all of you) edit the .htaccess. If you haven’t one create and upload a text file named .htaccess. When using both FTP or file manager you will need to have “show hidden files” enabled for this. Add the following lines and save. I have specifically kept this rather basic, if your site crashed when you save it… remove the .htaccess and send it to your webhost to format better for your server config.

Options +FollowSymLinks All -Indexes
RewriteEngine On
RewriteBase /
ServerSignature Off
<Files .htaccess>
order allow,deny
deny from all

Operation & Performance

  • Go to Admin > Configuration > Email Options > Allow Guest To Tell A Friend and set the option to false. This will prevent non-logged-in customers from using your server to send unwanted email messages.
  • Go to Admin > Configuration > Email Options > Emails must send from known domain? = True
  • Go to Admin > Configuration > Email Options > Audience-Select Count Display = False (for performance)
  • Go to Admin > Configuration > GZip Compression = True (performance)
  • Go to Admin > Configuration > Sessions > Verify that the Session Directory is correct
  • Go to Admin > Configuration > Sessions >