OpenCart is a popular and easily deployed open source eCommerce system. Unfortunately, as with many popular open source packages, hackers have a lot of information at their disposal to help them gain access to your system. One of the primary methods used to attack an eCommerce system is a brute force attack on the admin console, and in OpenCart, as in many other systems, that console lives at a fixed and well known directory name: /admin/.
The first step in securing your OpenCart store is therefore to change the admin console path so that bots performing brute force attacks against the default location cannot find it. This only hides the console; it does not replace a strong admin password or the Cloudflare security level applied to the admin area in Step 4.
Step 1. Renaming the /admin/ folder in OpenCart.
Using either your cPanel or file manager, navigate to your root OpenCart folder and rename the admin folder to something more obscure. The more obscure the name the better: ideally use a minimum of 12 characters and mix numbers, upper and lower case letters and symbols such as the hyphen (anything that is allowed in a URL).
For the purposes of this example we shall rename the folder from /myopencartroot/admin/ to /myopencartroot/my-secure-admin/.
Next you need to change the admin config.php file to point to the new path. Using your file manager or FTP client, navigate to the /myopencartroot/my-secure-admin/config.php file, open it for editing, and change every URL and directory path in it that still ends in /admin/ so that it ends in /my-secure-admin/ instead.
Having made the above changes and saved your admin config.php file, you should now be able to access your OpenCart Admin Console via your new admin URL.
Step 2. Adding Cloudflare Security to your OpenCart site.
If you do not already have an account with Cloudflare, you will need to create one and follow their process to add a new site. We are not going to document this here, as it is a simple step by step process and there is plenty of help and documentation on the Cloudflare website.
Once you have added your website to Cloudflare and updated your DNS settings as Cloudflare instructs, we recommend waiting 24 hours before continuing to the next steps in order to allow for full and proper DNS propagation.
Step 3. Adding SSL support via Cloudflare.
We almost always recommend running your SSL via Cloudflare, as it is free to set up and does not require a change to your hosting.
Once your site is running under Cloudflare's protection, the SSL switch over is relatively simple: in the Crypto menu on Cloudflare, make sure the SSL encryption level is set to Flexible.
By setting SSL to Flexible in Cloudflare you do not need an SSL certificate on your host server, so no changes are required to your website's hosting platform in order to make the jump to SSL. Note that Flexible mode only encrypts the connection between the visitor and Cloudflare; traffic between Cloudflare and your host still travels over plain HTTP, so once you are able to install a certificate on the host, Full (strict) is the stronger setting.
Modifying your config files to direct all traffic to SSL across your site.
You will need to edit both the root config.php file and the admin config.php file to set the URLs to run via HTTPS in order to activate SSL across your website. If you want ALL web traffic to use SSL, rather than just OpenCart's admin and account pages, change both files so that every URL is set to HTTPS instead of HTTP.
Given Google's current push for all websites to run HTTPS across all pages, this is by far the best and most secure path for a new site. For an existing site you will need to plan a migration to SSL in order to ensure you do not lose backlinks etc.
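The two config.php edits described in Step 1 (repointing the admin config at the renamed folder) and in this section (switching every URL in both config files to HTTPS) are small enough to script and, more importantly, to check afterwards. The following shell script is an added example written for this article; it is not code from the OpenCart project or from the original post. It assumes the constants HTTP_SERVER, HTTPS_SERVER, HTTP_CATALOG, HTTPS_CATALOG and DIR_APPLICATION that OpenCart 2.x/3.x defines in config.php and admin/config.php, and the store tree it writes under a temporary directory is constructed for the demo in place of a real install.

```shell
#!/bin/sh
# Added example; not code from the OpenCart project or from the original article.
# Covers Step 1 (rename /admin/ and repoint admin/config.php) and the HTTPS
# switch in Step 3 (rewrite every http:// URL constant in both config files),
# with a check after each edit.
# Assumptions: the constants HTTP_SERVER, HTTPS_SERVER, HTTP_CATALOG,
# HTTPS_CATALOG and DIR_APPLICATION are the ones OpenCart 2.x/3.x defines in
# config.php and admin/config.php; the store tree written by make_demo_store
# is constructed for this demo and stands in for a real install.
set -eu

# Write a throwaway OpenCart-like tree under $1 with constructed config files.
make_demo_store() {
  mkdir -p "$1/admin" "$1/catalog" "$1/system"
  cat > "$1/config.php" <<'EOF'
<?php
define('HTTP_SERVER', 'http://example.com/');
define('HTTPS_SERVER', 'http://example.com/');
define('DIR_APPLICATION', '/var/www/myopencartroot/catalog/');
define('DB_HOSTNAME', 'localhost');
EOF
  cat > "$1/admin/config.php" <<'EOF'
<?php
define('HTTP_SERVER', 'http://example.com/admin/');
define('HTTP_CATALOG', 'http://example.com/');
define('HTTPS_SERVER', 'http://example.com/admin/');
define('HTTPS_CATALOG', 'http://example.com/');
define('DIR_APPLICATION', '/var/www/myopencartroot/admin/');
define('DIR_CATALOG', '/var/www/myopencartroot/catalog/');
define('DB_HOSTNAME', 'localhost');
EOF
}

# Rewrite a file in place via a temp file: sed_inplace <sed-expr> <file>.
# Deliberately leaves no .bak copy behind: a non-.php file in the web root
# can be downloaded as plain text, and config.php holds the DB credentials.
sed_inplace() {
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Step 1: rename_admin <opencart_root> <new_folder_name>
rename_admin() {
  root="$1"; new="$2"
  case "$new" in                  # URL-safe characters only (also safe inside sed)
    ''|*[!A-Za-z0-9_-]*) echo "refusing unsafe folder name: $new" >&2; return 1 ;;
  esac
  [ -d "$root/admin" ] || { echo "no admin folder under $root" >&2; return 1; }
  [ ! -e "$root/$new" ] || { echo "$root/$new already exists" >&2; return 1; }
  mv "$root/admin" "$root/$new"
  # Every constant that ended in /admin/ (HTTP_SERVER, HTTPS_SERVER,
  # DIR_APPLICATION) now ends in /<new>/ instead.
  sed_inplace "s|/admin/'|/$new/'|" "$root/$new/config.php"
}

# Step 3: force_https <config.php>...  turns every 'http:// literal into 'https://
force_https() {
  for f in "$@"; do
    sed_inplace "s|'http://|'https://|g" "$f"
  done
}

# count_matches <pattern> <file> -> number of lines containing the pattern (0 if none)
count_matches() {
  grep -c "$1" "$2" || true
}

# Demo run against the constructed store; both checks should report 0.
demo="$(mktemp -d)"
make_demo_store "$demo"
rename_admin "$demo" my-secure-admin
force_https "$demo/config.php" "$demo/my-secure-admin/config.php"
echo "admin config lines still naming /admin/: $(count_matches "/admin/'" "$demo/my-secure-admin/config.php")"
echo "plain http:// URLs left in root config: $(count_matches "'http://" "$demo/config.php")"
rm -rf "$demo"
```

To use it on a real install, point make_demo_store aside and call rename_admin with your OpenCart root and the obscure folder name, then force_https with the paths of both config files; the count_matches checks are what you would run by hand after editing the files in cPanel. The name check in rename_admin enforces the "anything that is allowed in a URL" rule from Step 1, and the temp-file rewrite avoids leaving a readable backup of config.php next to the live one.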
Step 4. Adding Cloudflare Page Rules to Secure Admin and Account Areas.
For the majority of your website you can set the Cloudflare default Security Level to 'Low'; this is located in the Overview menu of the Cloudflare admin console. You will then want to set up Page Rules to bypass caching and raise the security level for sensitive areas of your website, such as the customer account, checkout and admin areas.
The following rules should be added, as seen above.
On all of the above rules you should set:
- Cache Level: Bypass
- Security Level: Medium
This is the minimum; you can also switch off things like Rocket Loader etc. to make these areas more stable.