  1. #1
    Join Date
    Feb 2008
    Posts
    14
    Plugin Contributions
    0

    Security Double Check?

    I have set up my first Zen Cart with only a few minor issues which have been fixed thanks to this very informative forum. I have avoided a lot of issues by browsing the forum and reading about other people's issues. I have found out how to customize my store by reading other people's questions and following the instructions given to them. This forum has been a MAJOR help in my first venture into e-commerce.

    The basics:

    V 1.3.8a
    SSL of course
    Dedicated server
    Secure FTP

    However... my main concern (as I am sure everyone's is) is SECURITY. I have done all the recommendations in the Wiki regarding security. (renaming admin, complex passwords, etc) I have done all the recommendations that I have found in the forum regarding security. I am *relatively* sure my file/folder permissions are set properly. I am setting the store up for my boss, so I want to make darn tootin' sure security is priority number one.

    My question is, does anyone have any recommendations as far as double and triple checking my settings and security before the site goes live? I just want to do EVERYTHING in my power to make sure the site is locked down from the e-maggots who have nothing better to do than try to bust into someone else's store. I would say my main concern is permissions on files and folders, and not leaving any "holes" open.

    Suggestions and tips please?

    And thanks for a great product and help forum.

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,755
    Plugin Contributions
    9

    Re: Security Double Check?

    As you are on a dedicated - you should be employing some type of firewall with a specific set of policies. This is outside of Zen Cart itself but fairly standard in setting up a web server.

    As long as you are on the www (and you have to be to sell online) you will be vulnerable to attacks.

    Watch the logs and you can block individual IPs or a range of IPs where you do not intend on selling and/or attacks are being generated from.
    Zen-Venom Get Bitten
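One way to do the "watch the logs" step from the reply above, as an added example that is not part of the thread: a small POSIX shell helper that reads an Apache combined-format access log, counts 4xx/5xx responses per client address, and lists the addresses over a threshold so they can be reviewed before any firewall rule is written. The log lines, addresses and paths are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example: tally error responses per client IP from an Apache combined
# access log. Addresses and requests below are constructed sample data.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2008:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.18"
203.0.113.7 - - [10/Mar/2008:10:01:03 +0000] "GET /admin/login.php HTTP/1.1" 404 512 "-" "curl/7.18"
203.0.113.7 - - [10/Mar/2008:10:01:04 +0000] "GET /zencart/admin/ HTTP/1.1" 404 512 "-" "curl/7.18"
198.51.100.20 - - [10/Mar/2008:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2008:10:02:05 +0000] "GET /index.php?main_page=shopping_cart HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2008:10:01:05 +0000] "GET /shop/admin/ HTTP/1.1" 404 512 "-" "curl/7.18"
192.0.2.9 - - [10/Mar/2008:10:03:00 +0000] "GET /missing.gif HTTP/1.1" 404 300 "-" "Mozilla/5.0"'

# error_hits LOGFILE THRESHOLD
# Prints "IP COUNT" for every client whose 4xx/5xx response count is at least
# THRESHOLD, highest count first. In the combined format field 1 is the client
# address and field 9 the HTTP status code.
error_hits() {
    awk -v min="$2" '
        $9 ~ /^[45][0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# Usage: write the constructed sample to a temp file and report clients with
# four or more error responses (a single browser typo will not show up).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
error_hits "$tmp" 4      # prints: 203.0.113.7 4
rm -f "$tmp"
```

On a live server replace the temp file with the real access log path and adjust the threshold to the site's normal error rate; a burst of 404s against paths like the old admin directory is the pattern worth reviewing.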

  3. #3
    Join Date
    Feb 2008
    Posts
    14
    Plugin Contributions
    0

    Re: Security Double Check?

    Quote Originally Posted by kobra View Post
    As you are on a dedicated - you should be employing some type of firewall with a specific set of policies. This is outside of Zen Cart itself but fairly standard in setting up a web server.

    As long as you are on the www (and you have to be to sell online) you will be vulnerable to attacks.

    Watch the logs and you can block individual IPs or a range of IPs where you do not intend on selling and/or attacks are being generated from.
    The guy from my ISP handles the server and firewall stuff, and he has been very helpful in that regard, as well as doing .htaccess and other security aspects.

    I'm just trying to be thorough and not overlook anything that could be a major hassle later on because I left a hole open.

    Thanks for your reply.

  4. #4
    Join Date
    Oct 2006
    Posts
    5,477
    Plugin Contributions
    11

    Re: Security Double Check?

    Your main concern should be the users, not the system.

    99% of the time it's the users' carelessness (or ignorance) that causes the system to be compromised.
    I no longer provide installation support on forum for all my modules. However, if there are real bugs with the modules please feel free to contact me

  5. #5
    Join Date
    Feb 2008
    Posts
    14
    Plugin Contributions
    0

    Re: Security Double Check?

    Quote Originally Posted by yellow1912 View Post
    Your main concern should be the users, not the system.

    99% of the time it's the users' carelessness (or ignorance) that causes the system to be compromised.
    How so? Can you give me an example of what to look out for? (Or avoid)

  6. #6
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Security Double Check?

    Quote Originally Posted by Lafferty Store View Post
    I'm just trying to be thorough and not overlook anything that could be a major hassle later on because I left a hole open.
    Trust but Verify.

    Depending upon Windows or Linux for your Server and what kind of Control Panel is used for the Hosting part, verify yourself that certain things have been done. Regardless of who installs what, there is always a way for others to check on what has been done and how well it is working. That's how Hackers get in.

    Better protection can be provided at the Server level which is why that is so important. As to Security at the Hosting account level, make sure directory & file permissions are what they should be. If any script, Zen Cart or otherwise, says that directories or Files need wide open permissions (777 for example) then make sure security has been put in place to help prevent hacking / cracking.
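A way to "verify yourself" the permission point made in the reply above, as an added example that is not part of the thread: a POSIX shell audit that walks a web root on a Linux server and lists every file or directory that is world-writable (777, 666 and the like), so the list can be compared against what the install actually needs. The web root is an argument; the sample tree at the bottom is constructed for the demo and nothing on disk is changed.

```shell
#!/bin/sh
# Added example: report world-writable entries under a web root. Read-only;
# the demo tree below is constructed and removed again.

# world_writable WEBROOT
# Prints one "TYPE MODE PATH" line per world-writable entry (TYPE is f or d),
# sorted by path. stat -c is GNU; the fallback covers BSD/macOS stat.
world_writable() {
    find "$1" -perm -o=w \( -type f -o -type d \) -exec sh -c '
        for p; do
            if [ -d "$p" ]; then t=d; else t=f; fi
            m=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
            printf "%s %s %s\n" "$t" "$m" "$p"
        done' sh {} + | sort -k3
}

# count_world_writable WEBROOT
# Returns the number of world-writable entries, for a quick go/no-go check
# before the site goes live (the goal is an explainable, short list).
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Usage: build a constructed sample tree and audit it.
demo=$(mktemp -d)
mkdir -p "$demo/images" "$demo/cache"
touch "$demo/index.php" "$demo/cache/sess_x"
chmod 644 "$demo/index.php"         # normal: owner writes, everyone reads
chmod 777 "$demo/images"            # the wide-open setting the reply warns about
chmod 777 "$demo/cache"             # same
chmod 666 "$demo/cache/sess_x"      # world-writable file
world_writable "$demo"
echo "world-writable entries: $(count_world_writable "$demo")"
rm -rf "$demo"
```

Run it as `world_writable /path/to/webroot` on the real install; every entry it prints should have a reason (an upload or cache directory the application documents), and anything else is a candidate for tightening.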

  7. #7
    Join Date
    Feb 2008
    Posts
    14
    Plugin Contributions
    0

    Re: Security Double Check?

    Quote Originally Posted by Website Rob View Post
    Trust but Verify.

    Depending upon Windows or Linux for your Server and what kind of Control Panel is used for the Hosting part, verify yourself that certain things have been done. Regardless of who installs what, there is always a way for others to check on what has been done and how well it is working. That's how Hackers get in.

    Better protection can be provided at the Server level which is why that is so important. As to Security at the Hosting account level, make sure directory & file permissions are what they should be. If any script, Zen Cart or otherwise, says that directories or Files need wide open permissions (777 for example) then make sure security has been put in place to help prevent hacking / cracking.
    Thanks much... I passed that along to my server guru...

    Server is Linux and yes my Control Panel is secure as well (https)

  8. #8
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Security Double Check?

    Quote Originally Posted by Lafferty Store View Post
    ... and yes my Control Panel is secure as well (https)
    Using 'https' has nothing to do with securing a Control Panel. Many times there are default 'things' included which must be disabled or better secured. cPanel is a good example as many of the 'default' scripts provided are very old and need to be turned OFF; else security breaches can be possible. Other Control Panels have other areas but all need to be double checked.

    Then there is the Server 'php.ini' file which needs changes for better security. Apache could use some beefing up, and on, and on, and on. This should all be done by a good Server Admin. You say your ISP or somebody from there is handling this? I would especially double check the work.

  9. #9
    Join Date
    Feb 2008
    Posts
    14
    Plugin Contributions
    0

    Re: Security Double Check?

    Quote Originally Posted by Website Rob View Post
    Using 'https' has nothing to do with securing a Control Panel. Many times there are default 'things' included which must be disabled or better secured. cPanel is a good example as many of the 'default' scripts provided are very old and need to be turned OFF; else security breaches can be possible. Other Control Panels have other areas but all need to be double checked.

    Then there is the Server 'php.ini' file which needs changes for better security. Apache could use some beefing up, and on, and on, and on. This should all be done by a good Server Admin. You say your ISP or somebody from there is handling this? I would especially double check the work.
    Well that's where I'm lacking, sad to say but true. I don't know the server side of this stuff, I am just a lowly web guy, and this is my first venture into this side of things. I'm learning, but I don't want to screw something up due to lack of knowledge. That's why I rely on my server guru.

 

 
