• Security Matters RSS Feed

    While access to your admin area is protected by the requirement of your admin password, it is recommended for additional security that you rename your admin directory after installation. This way, it will be significantly harder for hackers to find your admin area or attempt any attack on breaking into it.

    (Before making the following changes, make sure to have a current backup of your files and your database.) 

    You're going to do three steps: A) edit the configure.php settings and upload them, B) rename the admin folder, C) test login to the new folder. 
    Details are below:

    Zen Cart v1.5.x:

    A - configure.php - If you are using v1.5.x, go to step B to rename the folder. If you are using v1.3.x, see the section below about v1.3.x which explains how to edit this file properly in that case.

    There is no need to alter the admin configure.php in v1.5.x when renaming your admin folder. Simply proceed to step B.

    B - Rename the Admin folder

    Using your FTP software or your webhost's File Manager, find your Zen Cart /admin/ directory. Rename the directory to match the settings you just made in step A.

    NOTE: DO NOT advertise this new foldername, else you defeat the entire purpose of renaming it.  And DO NOT EVER put it in your robots.txt file!

    C - Login to your admin using the new URL

    To login to your admin system you will now have to visit a new URL that matches the new name used in steps A and B above.

    For example instead of visiting www.example.com/admin/ visit www.example.com/NeW-NamE4u/

    Zen Cart's use of cookies is VERY simple: it only sets and retrieves an anonymous session cookie. Nothing more.
    However, alterations added by the storeowner may behave differently, including but not limited to tracking addons, analytics scripts, tracking pixels, etc. Those are up to the storeowner to disclose.

    PCI DSS Compliance Questions Answered

    Common myths about PCI Compliance

    Please see the following page for a better understanding of what PCI Compliance is NOT:  https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

    Answers to the most commonly-asked questions pertaining to Payment Card Industry Data Security Standard compliance

    DISCLAIMER: The following answers pertain to a webstore built with default Zen Cart code without any customizations, using only built-in features/modules/capabilities, in the default configuration.
    Any customizations you do to your store render these statements incomplete and require that ...

    In older versions of Zen Cart (v1.3.0,, there was a vulnerability in the code which was announced to the hacker world. Even though that has been fixed in subsequent versions, newbie hackers continue to attempt to find sites which have the vulnerability, thus wasting your time and energy worrying about what they're up to.  Their access attempts also waste some of your website server resources.

    Additionally, there are a number of SQL Injection attacks floating around the internet which attempt to find holes to exploit in vulnerable systems. The current version of Zen Cart is inoculated against all such known vulnerabilities.  Nevertheless, sometimes even ...

    With Zen Cart® it is possible to relocate the "download" folder outside your webserver's "webroot" (the public_html or httpdocs or htdocs etc) folder so that thieves cannot directly link to real files on your server and download without paying or being authenticated.

    To do this, you must:

    1. Choose a download method of either "Download by Streaming" or "Download by Redirect" from Admin->Configuration->Attribute Settings.
      If you're using a Linux ...

    In a Windows-hosting environment, when you create a virtual product using download attributes customers are able to download a product as much as they like by using the following as an example:   www.websitename.co.uk/download/product.zip

    Download by redirect (which windows servers ...

    Apply Security Fixes applicable to your version

    1. If any security fixes have been posted for your version, be sure you have installed them.

    Site Audit to look for damaged or added files

    2. You will need to do a full site audit to be sure all files are as you expect them to be. These ...

    Some common attempts to probe your site for old vulnerabilities, or vulnerabilities from other systems, can be blocked by adding the following code to your site: ...

    An SSL certificate contains the following information:

    - The domain name for which the certificate was issued.
    - The owner of the ...

Zen-Cart, Internet Selling Services, Klamath Falls, OR