Securing Zen Cart
Securing your Zen Cart is not a very challenging task, but not doing so can be a very expensive venture. In this age where hackers are the best programmers on the planet and credit card companies fine up to $10K, there is no excuse not to hold your site’s security at a high priority. Ignorance is not an excuse either: Visa, MasterCard, Amex, etc. will still fine you even if “you didn’t know”. It’s your website and thus your responsibility to know. My intention today is to give you a list of easy to intermediate things to do to secure your Zen Cart.
Keep in mind that different hosting configurations have different strengths and weaknesses. It is always a good idea to ask your hosting support for help and advice. If you have any comments, questions or even suggestions to add, we would love to hear from you.
After installing your Zen Cart there are several things that need to be done to improve its performance and security.
- Remove the following installation and tool folders. Here is a list of free FTP programs.
/your_catalog/install.txt (this file can be removed, too)
- You will need to rename your admin directory if you haven’t already. Here is a tutorial from Zen Cart.
- Now you will need to lower the permissions on your configure files. These should be as low as you can go: start at CHMOD 400 and go up from there, but no higher than 644. You will likely need to log in to your hosting control panel’s file manager to do so.
- If you do not sell downloadable products in your cart, then in your admin navigate to Configuration >> Attribute Settings and set Enable Downloads to false. Then remove the following folders from your installation.
- In /your_catalog/, for Apache users (this is most all of you), edit the .htaccess. If you don’t have one, create and upload a text file named .htaccess. Whether using FTP or a file manager, you will need to have “show hidden files” enabled for this. Add the following lines and save. I have specifically kept this rather basic; if your site breaks when you save it, remove the .htaccess and send it to your webhost to format correctly for your server configuration.
# Disable directory listings ("All" cannot be mixed with +/- option flags; Apache rejects it)
Options +FollowSymLinks -Indexes
# Scoped to the .htaccess file itself: a bare "deny from all" in the catalog root would block the whole site
<Files .htaccess>
deny from all
</Files>
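The post-install steps above (delete install.txt, lower the configure file permissions, write the root .htaccess) as one shell script. This is an added example, not Zen Cart’s own tooling or code from this article; it assumes the stock Zen Cart paths includes/configure.php and <admin>/includes/configure.php, takes the renamed admin directory name as an argument, and writes the Options line in the +/- form with the deny directive scoped to the .htaccess file itself, since a bare deny from all in the catalog root would block the whole site.

```sh
#!/bin/sh
# Post-install hardening for a Zen Cart catalog root (added example, not Zen Cart's own code).
# Assumed layout, as in stock Zen Cart:
#   $catalog/includes/configure.php
#   $catalog/<renamed admin dir>/includes/configure.php

# Accept only configure.php modes in the article's range: 400 up to 644,
# read-only (or nothing) for group and other. Returns 0 if acceptable.
configure_mode_ok() {
  case "$1" in
    [46][04][04]) ;;   # 400, 404, 440, 444, 600, 604, 640, 644
    *) return 1 ;;
  esac
}

# harden_zencart CATALOG_DIR ADMIN_DIR_NAME [CONFIGURE_MODE]
harden_zencart() {
  catalog=$1
  admin=$2
  mode=${3:-444}   # start as low as the site tolerates; 444 is a common working value

  configure_mode_ok "$mode" || {
    echo "refusing configure.php mode $mode (allowed: 400 to 644, no group/other write)" >&2
    return 1
  }

  # 1. Installation leftovers: install.txt is safe to delete outright.
  rm -f "$catalog/install.txt"

  # 2. Lower permissions on both configure files.
  for cfg in "$catalog/includes/configure.php" "$catalog/$admin/includes/configure.php"; do
    if [ -f "$cfg" ]; then
      chmod "$mode" "$cfg"
    fi
  done

  # 3. Root .htaccess: no directory listings, and the .htaccess itself is not web-readable.
  cat > "$catalog/.htaccess" <<'EOF'
Options +FollowSymLinks -Indexes
<Files .htaccess>
deny from all
</Files>
EOF
}

# Usage: sh zc_harden.sh /path/to/catalog myrenamedadmin [444]
if [ $# -ge 2 ]; then
  harden_zencart "$1" "$2" "${3:-444}" && echo "hardened $1"
fi
```

Run it once after installation and again after any restore from backup, since a restore can bring install.txt and the old permissions back.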
Operation & Performance
- Go to Admin > Configuration > Email Options > Allow Guest To Tell A Friend and set the option to false. This will prevent non-logged-in customers from using your server to send unwanted email messages.
- Go to Admin > Configuration > Email Options > Emails must send from known domain? = True
- Go to Admin > Configuration > Email Options > Audience-Select Count Display = False (for performance)
- Go to Admin > Configuration > GZip Compression = True (performance)
- Go to Admin > Configuration > Sessions > Verify that the Session Directory is correct
- Go to Admin > Configuration > Sessions > Force Cookie Use = True (this is optional and does not perform correctly on all servers)
- Go to Admin > Configuration > Sessions > Recreate Session = True. If your webhost tells you otherwise, then find proper hosting. This WILL allow session hijacking if set to false.
- Go to Admin > Configuration > My Store > Server Uptime = False (security: a PCI fail if left on)
- In your images folder and cache folder an .htaccess should already exist, but if not, copy one from a fresh Zen Cart installation.
- Folders should be CHMOD 755 and files (except your configure files) should be 644.
- Remove the print URL feature from your browser (Zen Cart tutorial)
- Limit admin access to only the required people. Create their OWN admin account for each of them in Tools > Admin Settings. Then install the admin logging report module so you can see what people are accessing and catch access issues when needed.
- Do not leave your admin open and walk away. Avoid having your admin open with other webpages in the same browser.
- DO NOT access your admin on an open or unsecured public network and NEVER access your admin with a mobile device.
- Enable log archiving in cPanel or other hosting control panel.
- Make certain (check with your webhost) that FrontPage Extensions are not installed.
- Make certain your webhost is running a proper server firewall application.
- If you have SSH access and you use it, its password should be exceptionally strong, 16 random characters or more. If you have SSH access and you don’t use it, disable SSH so nobody can use it. There is sometimes an SSH control switch in cPanel. For reseller accounts and dedicated servers, there is a switch in WHM.
- Turn off the following in your PHP config (you will likely need your webhost to do this): register_globals, expose_php and safe_mode.
Maintenance & Procedure
- Change all passwords every 90 days. Use strong passwords with numbers, letters, mixed case and symbols. Here is a great generator for passwords. You are required by PCI/DSS standards to do this, have the procedure documented in your company’s procedures and log the changes as they happen.
- Do not store credit card information anywhere.
- Get a PCI scanner to scan your website and office network every 3 months minimum. We use Trust Guard, but any approved scanner is fine.
- Make frequent backups of your shop and database. Your hosting company can set up a daily backup for you. We run daily backups and keep the most recent daily, weekly and monthly backups on hand for restore.
- DO NOT store your passwords in any digital format: email, Word docs, etc. Pen and paper only, if you must write them down.
- Scan your computer regularly and keep your virus definitions up to date at all times.
- Keep ALL software on your computers up to date (especially Adobe products). This includes browser plugins.
- Check /your_catalog/cache/ frequently for debug files which would indicate an error or issue.
- Create specific admin, FTP and other access for each vendor allowing them only the required access and remove access when completed.
- Keep all web software (Zen Cart, WordPress etc) patched and up to date.
- Always use SFTP or FTPS to access your files.
- Do not rename files to .bak, .old, nor any other invalid file extension. Use .txt for example.
- Protect new directories. Every single directory should be protected from directory browsing. This is most easily accomplished by using a blank index.html in each.
- Keep a complete list of your site files in a “known good” backup on a disk other than your webhost, such as your own computer.
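A periodic audit script for the checks in the lists above: folders 755 and files 644 (Operation & Performance), the three PHP settings that should be off, debug files in /your_catalog/cache/, stray .bak/.old copies, and directories with no index file. This is an added example, not Zen Cart’s own tooling or code from this article; the catalog path and php.ini path are passed in, the debug-file check looks for any *.log in cache/, and the extension check adds .orig to the article’s .bak/.old as an assumption about what editors leave behind.

```sh
#!/bin/sh
# Periodic audit of a Zen Cart catalog directory (added example, not Zen Cart's own code).
# Each audit_* function prints one finding per line and returns 1 if anything was found,
# so the script can be run from cron and its exit status used to raise an alert.

# Debug files in cache/ mean PHP hit an error somewhere; each one deserves a look.
audit_debug_logs() {
  found=$(find "$1/cache" -type f -name '*.log' 2>/dev/null || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Copies renamed to .bak/.old/.orig are no longer handled by PHP, so Apache serves
# their source (and any credentials in it) as plain text.
audit_bad_extensions() {
  found=$(find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \) || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Every directory should carry an index.html (or index.php) so directory browsing
# cannot list its contents even if -Indexes is lost from a server config change.
audit_unprotected_dirs() {
  found=$(find "$1" -type d \
    -exec sh -c '[ ! -e "$1/index.html" ] && [ ! -e "$1/index.php" ]' _ {} \; -print || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Directories should be 755 and files 644. configure.php is expected to be tighter
# (400 to 644, see the install steps) and is skipped here.
audit_permissions() {
  found=$(find "$1" \( \( -type d ! -perm 755 \) \
    -o \( -type f ! -name configure.php ! -perm 644 \) \) -print || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# register_globals, expose_php and safe_mode should all be off; flag any line enabling one.
audit_php_ini() {
  found=$(grep -Ei '^[[:space:]]*(register_globals|expose_php|safe_mode)[[:space:]]*=[[:space:]]*(on|1|true|yes)([[:space:]]|;|$)' "$1" || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# audit_zencart CATALOG_DIR [PHP_INI]: runs every check, returns 1 if any check found something.
audit_zencart() {
  rc=0
  for check in audit_debug_logs audit_bad_extensions audit_unprotected_dirs audit_permissions; do
    "$check" "$1" || rc=1
  done
  if [ -n "$2" ]; then
    audit_php_ini "$2" || rc=1
  fi
  return $rc
}

# Usage: sh zc_audit.sh /path/to/catalog [/path/to/php.ini]
if [ $# -ge 1 ]; then
  if audit_zencart "$1" "${2:-}"; then echo "audit clean"; else echo "findings listed above" >&2; fi
fi
```

Findings are printed as paths or php.ini lines, one per line, so the output can be diffed against the previous run to see only what changed since the last check.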
Remember, ignorance will not save you from fines, loss of merchant processing and being sued. You must take action and secure your website; it is simply not optional.