Difference between revisions of "Important Site Security Recommendations"

From Zen Cart(tm) Wiki
Jump to: navigation, search
Line 1: Line 1:
==Steps in Securing Your Zen Cart™ Store==
===SSL Security Protection Tips===
Without applying extra efforts to your connection on the internet you are wandering around an unsecured environment. Before you make administrative modifications to secure Zen Cart™ and its database, you need to equip yourself with secure ways to make these modifications. Otherwise if someone is watching/listing to the information you transmit, it might not be long before your private business information becomes public. The bare minimum you should have is access to shared [http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL] services from your hosting company.
The preferred would be to have a dedicated SSL certificate for your store, as it is more professional in appearance than the use of a shared certificate. There will be an expense incurred to obtain a dedicated SSL certificate and dedicated IP address in your hosting account.
Additionally, it would be prudent (if your hosting company offers FTPS support) to use a program that offers [http://en.wikipedia.org/wiki/FTPS FTP over SSL/TLS] instead of just traditional non-secure FTP.  This tool will encrypt the information you transmit and receive.
'''''The following is a list of several steps you can take to secure your Zen Cart™ site:'''''
===1. Delete the ''/zc_install'' folder===
Once installation is complete, delete the ''/zc_install'' folder from the server. Don't simply rename the folder, as this leaves you vulnerable if someone were to discover this renamed folder.
===2. Rename your ''/admin'' folder===
It is recommended for additional security that you rename your ''admin'' directory after installation. This way, it will be significantly harder for hackers to find your admin area or attempt any attack on breaking into it.
(Before making the following changes, make sure to have a current backup of your files and your database.)
A - Open your admin/includes/configure.php, using a simple text editor like notepad.
Change all instances of ''admin'' to your chosen new admin folder-name. For maximum security, you may want to consider that new folder name should include numbers and a combination of upper and lower case letters. The longer you make this folder's name the more secure it will be. Make sure you leave all the <code>/</code> intact.
Change this section:
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_ADMIN', '/admin/');
  define('DIR_WS_HTTPS_CATALOG', '/');
And this section:
  define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');
  define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');
B - Find your Zen Cart&trade; ''/admin/'' directory, using your FTP software or your webhost ''File Manager''. Rename the directory to match the settings you just made in step A.
C - To login to your admin system you will now have to visit a new URL that matches the new name used in steps A and B above. For example instead of visiting ''<nowiki>http://www.example.com/admin/</nowiki>'' visit ''<nowiki>http://www.example.com/NeW_NamE4u/</nowiki>''. Use of [http://en.wikipedia.org/wiki/SSL SSL] is highly recommended to protect you and your customers' information. To protect the new admin folder name from [http://en.wikipedia.org/wiki/Packet_sniffer packet sniffers], use https in the example link above (this of course depends on your server having an SSL certificate installed).
D - You should also protect your admin area by using an ''.htaccess'' file similar to [[Important_Site_Security_Recommendations#7._Use_.htaccess_files_to_protect_against_unwanted_snooping|the one shown below]], and placing it into ''/admin/includes''. This should already exist in Zen Cart&trade; versions 1.2.7 and greater.
===3. Set configure.php files read-only===
It's important that you CHMOD (set permissions) on the two configure.php files as read-only.
Typically this means setting them to ''644'', or in some cases ''444''.<br>
The configure.php files are located in:<br>
/<YourStoresFolder>/admin/includes/configure.php <br>
Quite often setting permissions on a file to read only via FTP will not work. Even if the permission looks like it was set to read only, it really may not have been. You must verify the correct setting by entering the store and seeing if there is a warning message on the top of the screen. "Warning: I am able to write to the configuration file:..." In this case you will need to use the "File Manager" supplied with your webhosting account.
If you're using a Windows server, simply set the file as ''Read-Only'' for ''Everyone'' and especially the IUSR_xxxxx (Internet Guest Account) user if running IIS, or the ''System'' account or ''apache user'' if running Apache.
===4. Delete any unused ''Admin'' accounts===
[[Admin_-_Tools_-_Admin_Settings|Admin > Tools > Admin Settings]]
In your ''Admin'' area, open the ''Tools'' menu, and choose ''Admin Settings''. Check for any unused ''Admin'' accounts, and delete them. Especially the ''Demo'' account, if it exists.
===5. Admin Password Security===
It is wise to use complicated passwords so that a would-be hacker can't easily guess them.
You can change your ''Admin'' password in [[Admin_-_Tools_-_Admin_Settings|Admin > Tools > Admin Settings]], and click on the ''Reset Password'' button, or click on the icon that looks like a recycle symbol.
We recommend that you use passwords that are at least eight characters long.
Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps too.
If you are going to use normal words it is a good idea to join together two normal words that don't normally go together.
===6. Protect your "define pages" content in "html_includes"===
After you have finished editing your define pages ([[Admin_-_Tools_-_Define_Pages_Editor|Admin > Tools > Define Pages Editor]]), you should protect them:
A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes area.
B. Make them CHMOD 644 (or “read-only” for Windows hosts). See notes above on CHMOD.
''/includes/languages/english/html_includes'' – and all files/folders underneath
If you make them read-only, then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the read-only status, which is more complicated.
Note: Of course, once you set them read-only, then you'll have to go and set them read-write before making additional changes using the define-pages editor.
===7. Use ''.htaccess'' files to protect against unwanted snooping===
In several folders, there are ''.htaccess'' files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to any .PHP scripts, since it's expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security. If you delete these files, you run the risk of leaving yourself open to people snooping around.
There are also some blank ''index.html'' files in several folders. These files are there to protect you in case your FTP software won't upload ''.htaccess'' files, or your server won't accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It's a good alternative, although using ''.htaccess'' files in all of these folders is the better choice, for servers that accept them.
Suggested content for ''.htaccess'' files in folders where there is an ''index.html'' file but not yet an ''.htaccess'' file would be something like the following (depends on your server configuration):
  #.htaccess to prevent unauthorized directory browsing or access to .php files
  IndexIgnore */*
  <Files *.php>
    Order Deny,Allow
    Deny from all
  #add the following to protect against people discovering what version your spiders.txt file is
  <Files *.txt>
    Order Deny,Allow
    Deny from all
If your webhost configuration doesn't allow you to create/use your own ''.htaccess'' files, sometimes they provide an interface in your hosting admin control panel where you can set the desired ''.htaccess'' settings.
It is recommended that you work with your host to configure these settings if this is the method they require. You need to choose, and use, the appropriate method for your server. As mentioned above, it's best to work with your web hosting company to select and implement the best method for your specific server. We can't tell you what to use for your specific server, but we offer these guidelines as a starting point.
===8. Disable "Allow Guest To Tell A Friend" feature===
You may wish to go to [[Admin_-_Configuration_-_E-Mail_Options#Allow_Guest_To_Tell_A_Friend|Admin > Configuration > Email Options > Allow Guest To Tell A Friend]] and set the option to ''false''. This will prevent non-logged-in customers from using your server to send unwanted email messages.
===9. Protect your "images" and other folders===
During initial installation, you are advised to set your images folder to read/write, so that you can use the ''Admin'' interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.
However, leaving the images (or any other) folder in read/write mode means that hackers might be able to put malicious files in this (or other) folder(s) and thus create access points from which to attempt nasty exploits.
Thus, once your site is built and your images have been created/loaded, you should drop the security down from read/write to read.  ie: change from CHMOD 777 down to 644 for files and 755 for folders.
Additionally, *IF* your server is running PHP as a CGI application and not as an Apache module, and you wish to prevent hackers from executing scripts in your images folder (which is only an issue *if* they are able to successfully hack to your images folder and insert rogue script files), you could further secure it by adding a custom .htaccess file which only allows images to be displayed, and won't allow the use of php files etc.  Here's the code for said custom .htaccess file:
  # Prevent directory viewing and the ability of any scripts to run.
  # No script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
  OPTIONS -Indexes -ExecCGI
====File/Folder permissions settings====
On Linux/Unix hosts, generally, permission-setting recommendations for basic security are:
*folders/directories:  755
*files:  644
On Windows hosts, setting files read-only is usually sufficient. Should double-check that the ''Internet Guest Account'' has limited (read-only) access.
====Folder Purposes====
The folders for which installation suggests read-write access for setup are these. If your site supports .htaccess protection, then you should use it for these folders.
*/cache<br />This is used to cache session and database information. The BEST security protection for this is to move it to a folder "above" the public_html/htdocs/www area, so that it's not accessible via a browser. (Requires changes to DIR_FS_SQL_CACHE setting in configure.php files as well as [[Admin_-_Configuration_-_Sessions#Session_Directory|Admin > Configuration > Sessions > Session Directory]].
*/images<br />See other suggestions earlier.
*/includes/languages/english/html_includes<br />See other suggestions earlier.
*/media<br />This is only suggested read-write for the sake of being able to upload music-product media files via the admin. Could be done by FTP as an alternative.
*/pub<br />This is used on Linux/Unix hosts to have downloadable products made available to customers via a secure delivery method which doesn't disclose the 'real' location of files/data on your server (so that people can't share a URL and have their friends steal downloads from your site)
*/admin/backups<br />This is used by automated backup routines to store database backups. Optional.
*/admin/images/graphs<br />This is used by the [[Admin_-_Tools_-_Banner_Manager|Admin > Tools > Banner Manager]] for updating/displaying bar graphs related to banner usage. If not writable, feature is ignored.
===10. Remove the print URL feature from your browser===
To stop the browser from printing the admin URL on the invoice follow these steps:.<br>
*Microsoft Internet Explorer<br>
**Click on ''File'' then ''Page Setup''
**At page setup window, remove these two character combination "&u" from the header or footer text box.
**Click on ''File'' then ''Page Setup''
**On page setup window click on the tab "Margins & Header/Footer". In the "Header & Footer" section set all of the drop downs to --blank--. (Or at least remove all instances of "Title" and "URL" from the various boxes.)
===11. Things to Check Up on Regularly===
#Be sure you've done all the steps listed in this document.
#Make recent backups of your website files and database.
#* Backup the database over a secure connection ([http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL]).
#* Backup the website files over a secure connection [http://en.wikipedia.org/wiki/FTPS FTP over SSL/TLS].
#* Store the backed up database and website files into an encrypted file.
#Check your server's error log regularly for odd or suspicious activity.
#*Look for any links that went to a page that isn't in your site.
#*Look for links that have http after the ''index.php''.
#Check your website files regularly to be sure nothing's been added or altered.
#Ask your web host what they have done to be sure the server you're on is safe and secure so that outsiders cannot do any harm, and so that other websites on your server cannot be used to get to your site and cause any harm (in case they have security holes in them).
#If your business warrants, or you still want additional assurance (especially if running forum software on your site, or other scripts outside of Zen Cart&trade;), hire a security consultant to check your site regularly and give you peace of mind in exchange for a few dollars.

Revision as of 00:20, 5 December 2007