Securing your store
Some points below are taken from the following forum topics:
Thanks to joestern and balinor.
We strive to ensure the most secure setup of your store, but encourage you to check the points below against your own store.
If you have problems with any of this, please contact support so we can do that for you.
1) Make sure there is no install.php file, or any other install file left behind by an add-on module, inside the store/ folder.
2) Lock your "log" and "sql" directories. The best way is to use ".htaccess" files that deny web access entirely. To check that the lock works, browse to a link like:
If you don't get access, that's good. If you can see files, you've got a potential hole.
3) Don't keep backups in the "log" or "files" directory. Make a backup when you need one, copy it away, and remove the original.
4) Always log into your admin area over https.
If you are still using a shared SSL certificate, contact support for the correct URL of your admin area.
5) Force customers to use all cart pages in secure (https) mode. Check these boxes in General Settings:
   - Do not redirect customers from HTTPS to HTTP
   - Use HTTPS for users' login and registration
6) Put an "index.php" file in each subdirectory of the cart to prevent directory browsing. The only content these files need is a redirect to your homepage.
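The following script is an added example, not part of this article or of X-Cart itself, that carries out points 2 and 6 in one go and then checks the result the way point 2 suggests: lock_dir() writes a deny-all .htaccess into a directory, add_index_redirects() drops a redirecting index.php into every subdirectory that has no index file yet, and probe_url() fetches a directory URL and reports whether the web server answered 200. The store path, and "/" as the homepage the index.php redirects to, are assumptions; point them at your own store.

```shell
#!/bin/sh
# Added example (not from the article): lock directories against web access
# (point 2) and stop directory listings with a redirecting index.php (point 6).
# Assumptions: the store path you pass in, and "/" as the homepage URL.

# Write an .htaccess that denies every web request to the directory.
# Both spellings are included so the file works on Apache 2.2 and 2.4.
lock_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Deny all web access to this directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Put a redirecting index.php into every subdirectory that has no index file,
# so a request for the bare directory URL never produces a listing.
add_index_redirects() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -type d | while IFS= read -r d; do
        [ "$d" = "$root" ] && continue
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            # Assumption: "/" is the store homepage; change it if the store lives in a subfolder.
            printf '%s\n' '<?php header("Location: /"); exit; ?>' > "$d/index.php"
        fi
    done
}

# Check from the outside: a locked directory should answer 403 (or a redirect
# from the index.php), never 200. Returns 1 when the URL is served.
probe_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    case "$code" in
        200) echo "SERVED: $1 answered $code (check that it is not a listing)"; return 1 ;;
        *)   echo "locked: $1 answered $code"; return 0 ;;
    esac
}
```

Typical use is `lock_dir /path/to/store/log; lock_dir /path/to/store/sql; add_index_redirects /path/to/store`, followed by `probe_url https://your-shop.example/store/log/` from a machine outside the server. The .htaccess only takes effect if Apache honours per-directory overrides (AllowOverride) for that tree; if probe_url still reports 200, that is the first thing to check with your host.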
7) Change your SALT code at installation (!!! Do not do this if you already have users in the store).
You NEED to be logged in as "master"; then change config.php and re-upload it. Change this section:
    $CRYPT_SALT = 85;
    $START_CHAR_CODE = 100;
85 and 100 are the defaults. Change them. Then, before logging out, change your "master" password. Then log out and back in.
This changes the encryption of all passwords and credit card info. So if you already have that info in the store, DON'T change this, or it will become unreadable. See the other threads for details, or download all of your CC info before doing this.
8) Do not keep the 'master' account. When you first log in to X-Cart, create a new admin account, log out, log back in with the new account and delete the master account.
9) Password-protect your Admin and Provider directories. One extra level of protection will discourage hackers. This can usually be done via your hosting control panel. Please contact support if you need help with this.
10) Turn OFF the option of sending CC info via e-mail (General Settings / E-mail options).
11) Set your file permissions as follows:
    .php        644
    .tpl        644
    .pl         755
    .sh         755
    VERSION     644
    templates_c 777 (always)
    catalog     777 while the catalog is being written, then 755 once it has been written
    files       777 (the store must be able to write to this folder, e.g. to upload pictures)
    log         777
    all others  755
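As an added example (not part of the article), the script below applies the scheme in point 11 with find and chmod, takes catalog/ back to 755 once the catalog has been written, and reports any file whose mode still deviates. It reads "all others 755" as applying to directories, with 644 as the baseline for files not listed; the directory names are the ones the article gives, so adjust them if your layout differs. Run it as the account that owns the files.

```shell
#!/bin/sh
# Added example (not from the article): apply the point 11 permission scheme.
# Assumptions: "all others 755" means directories; unlisted files get 644.

set_store_perms() {
    store="$1"
    [ -d "$store" ] || { echo "not a directory: $store" >&2; return 1; }
    # Baseline: every directory 755, every file 644
    find "$store" -type d -exec chmod 755 {} +
    find "$store" -type f -exec chmod 644 {} +
    # Scripts that must be executable
    find "$store" -type f \( -name '*.pl' -o -name '*.sh' \) -exec chmod 755 {} +
    # Directories the web server writes to
    for d in templates_c catalog files log; do
        [ -d "$store/$d" ] && chmod 777 "$store/$d"
    done
    return 0
}

# Once the catalog has been generated, take catalog/ back to 755.
finish_catalog() {
    [ -d "$1/catalog" ] && chmod 755 "$1/catalog"
}

# Print files whose mode deviates from the scheme; returns how many were found.
report_bad_perms() {
    store="$1"
    bad=$(find "$store" -type f \( -name '*.php' -o -name '*.tpl' -o -name 'VERSION' \) ! -perm 644
          find "$store" -type f \( -name '*.pl' -o -name '*.sh' \) ! -perm 755)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return $(( $(printf '%s\n' "$bad" | wc -l) ))
}
```

Run `report_bad_perms /path/to/store` first to see what would change, then `set_store_perms /path/to/store`, and `finish_catalog /path/to/store` after the catalog has been generated. The 777 directories are writable by every local account on the server, which is why the article limits them to the four the store actually writes to; if your host runs PHP under your own account, 755 on those directories may already be enough, so test that before leaving them world-writable.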
12) Disable storing of CC info in the database (unless you are using manual credit card processing). Open store/config.php and change this line:
    $store_cc = true;
to:
    $store_cc = false;
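To check several of the points above without touching anything, here is an added read-only audit script; it is not part of the article or of X-Cart. It looks for leftover install scripts (point 1), a missing deny-all .htaccess in log/ and sql/ (point 2), backup archives left in log/ or files/ (point 3), and $store_cc still set to true in config.php (point 12). The installer and archive name patterns are assumptions; widen them to match what your add-ons ship and how you name backups.

```shell
#!/bin/sh
# Added example (not from the article): read-only audit of a store/ folder for
# points 1, 2, 3 and 12. Prints one FINDING line per problem and returns the
# number of findings (0 means nothing was flagged).
# Assumptions: file-name patterns below; paths follow the article's layout.

audit_store() {
    store="$1"
    findings=0

    # 1) leftover installers (pattern is an assumption; match your add-ons' installer names)
    for f in $(find "$store" -type f -name 'install*.php'); do
        echo "FINDING: installer still present: $f"
        findings=$((findings + 1))
    done

    # 2) log/ and sql/ must carry an .htaccess that denies all web access
    for d in log sql; do
        if [ -d "$store/$d" ] && ! grep -qsE 'Deny from all|Require all denied' "$store/$d/.htaccess"; then
            echo "FINDING: $store/$d is not locked by .htaccess"
            findings=$((findings + 1))
        fi
    done

    # 3) backups left where the web server could serve them (archive patterns are an assumption)
    for d in log files; do
        [ -d "$store/$d" ] || continue
        for f in $(find "$store/$d" -type f \( -name '*.sql' -o -name '*.tar' -o -name '*.tgz' -o -name '*.gz' -o -name '*.zip' \)); do
            echo "FINDING: backup archive in web tree: $f"
            findings=$((findings + 1))
        done
    done

    # 12) card data must not be stored in the database
    if grep -qsE '^[[:space:]]*\$store_cc[[:space:]]*=[[:space:]]*true' "$store/config.php"; then
        echo "FINDING: \$store_cc is true in config.php"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s)"
    return "$findings"
}
```

Run it as `audit_store /path/to/store` and re-run after each fix until it reports 0 findings. Points 4, 5, 9 and 10 live in the admin settings or the hosting control panel rather than on disk, so they still need to be checked by hand.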
Let us know if you have questions or need help with any of above.