Recently, many Zen Cart shopping stores have been attacked by hackers; for example, the main page has been changed to add a lot of garbage links (to fix this, please refer to step 5). Here is a list of some important security recommendations.

1. Rename your “/admin” folder and install the latest Zen Cart security patch

Renaming the “admin” folder makes it much harder for would-be hackers to get into your admin area.

(Before making the following changes, make sure to have a current backup of your files and your database.)

A - Open your admin/includes/configure.php, using a simple text editor like Notepad.

Change all instances of /admin/ to your chosen new admin folder-name.

Change this section:

define('DIR_WS_ADMIN', '/admin/');

define('DIR_WS_CATALOG', '/');

define('DIR_WS_HTTPS_ADMIN', '/admin/');

define('DIR_WS_HTTPS_CATALOG', '/');

And this section:

define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');

define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');

B - Find your Zen Cart /admin/ directory, using your FTP software or your webhost File Manager.

Rename the directory to match the settings you just made in your admin/includes/configure.php.

C - To log in to your admin system you will now have to visit a new URL that matches the new name used in steps A and B above. For example, instead of visiting http://www.example.com/admin/ visit http://www.example.com/NeW_NamE4u/.

D - You should also protect your admin area by using a .htaccess file similar to the one shown below, placed in /admin/includes. (This should already exist in Zen Cart versions 1.2.7 and greater.)

E - Install the security patch on your Zen Cart 1.3.x store.

2. Set configure.php files read-only

It’s important that you CHMOD (set permissions on) the two configure.php files so that they are read-only.

Typically this means setting them to “644”, or in some cases “444”.

The configure.php files are located in:

/<YourStoresFolder>/includes/configure.php

/<YourStoresFolder>/admin/includes/configure.php

Quite often, setting permissions on a file to read-only via FTP will not work: even if the permission looks like it was set to read-only, it really may not have been. You must verify the correct setting by entering the store and checking whether there is a warning message at the top of the screen reading “Warning: I am able to write to the configuration file:…”. If that warning appears, you will need to use the “File Manager” supplied with your webhosting account instead.

If you’re using a Windows server, simply set the file as Read-Only for Everyone, and especially for the IUSR_xxxxx (Internet Guest Account) user if running IIS, or for the System account or the Apache user if running Apache.
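The "I am able to write to the configuration file" banner is the store's own way of telling you the CHMOD did not take. As an added example (not Zen Cart code and not part of this guide), the shell functions below perform the same check from a login shell on the web host, so you can verify both configure.php files without relying on what the FTP client displays. They assume a placeholder web-server account name of "www-data" and the admin folder name "admin" unless you pass your own (for example the renamed folder from step 1).

```shell
#!/bin/sh
# Added example, not part of Zen Cart or the original guide: check that both
# configure.php files are really read-only for the web server process.
# Assumptions (placeholders): web server runs as "www-data" unless told
# otherwise; the admin folder is still called "admin" unless renamed.

# is_config_readonly FILE [WEBUSER]
# Returns 0 when FILE is read-only for the web server: no group/other write
# bit (the "644" case), and no owner write bit either when WEBUSER owns the
# file (the "444" case the guide mentions). Prints one verdict line.
is_config_readonly() {
    f="$1"; webuser="${2:-www-data}"
    [ -f "$f" ] || { printf '%s: missing\n' "$f"; return 1; }
    set -- $(ls -ld "$f")            # $1 = "-rw-r--r--" style mode, $3 = owner
    mode="$1"; owner="$3"
    uw=$(printf '%s' "$mode" | cut -c3)   # owner write bit
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        printf '%s: %s WRITABLE by group/other; fix with: chmod 644 %s\n' "$f" "$mode" "$f"
        return 1
    fi
    if [ "$owner" = "$webuser" ] && [ "$uw" = w ]; then
        printf '%s: %s owned by web user %s; fix with: chmod 444 %s\n' "$f" "$mode" "$owner" "$f"
        return 1
    fi
    printf '%s: %s (owner %s) is read-only for the web server\n' "$f" "$mode" "$owner"
    return 0
}

# check_store_configs STOREROOT [WEBUSER] [ADMINDIR]
# Checks both configure.php files the guide names; returns 1 if either one
# is missing (e.g. wrong renamed admin folder) or still writable.
check_store_configs() {
    root="$1"; webuser="${2:-www-data}"; admindir="${3:-admin}"
    rc=0
    for f in "$root/includes/configure.php" "$root/$admindir/includes/configure.php"; do
        is_config_readonly "$f" "$webuser" || rc=1
    done
    return $rc
}

# Usage (placeholder paths): check_store_configs /home/mystore.com/www/public www-data NeW_NamE4u
```

A non-zero exit means at least one file still needs the chmod, the same situation in which the store would show the warning banner.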

3. Delete any unused Admin accounts

Admin->Tools->Admin Settings

In your admin area, open the Tools menu and choose Admin Settings.

- Check for any unused admin accounts, and delete them. Especially the “Demo” account, if it exists.

4. Admin Password Security

It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.

You can change your admin password in Admin->Tools->Admin Settings by clicking on the “Reset Password” button, or on the icon that looks like a recycle symbol.

We recommend that you use passwords that are at least 8 characters long.

Making them alpha-numeric (mixing letters, numbers, upper- and lower-case, etc.) helps too.

If you are going to use normal words, it is a good idea to join together two normal words that don’t normally go together.

5. Protect your “define pages” content in “html_includes”

After you have finished editing your define pages (Admin->Tools->Define Pages Editor), you should protect them:

A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes folder.

B. Make them CHMOD 644 or 444 (or