Security Checklist
Here are a few things to check before your store goes live:

1. After installation, remove your install.php file, and any other install files from add-on modules.

2. Lock your "log" and "sql" directories. The best way is to use ".htaccess" files denying permission entirely. To check the effectiveness, browse to a link like:
   http://www.mysite.com/cart/sql
   If you don't get access, that's good. If you can see files, you've got a potential hole.

3. Don't keep backups in the "log" directory. Make a backup when you need one, copy it away, and remove the original. I have a script that makes a backup each night into a secure directory.

4. Always log into your admin area with https:
   https://www.mysite.com/cart/admin

5. Force all cart pages to be used by customers in secure (https) mode.
   - Check these boxes in General Settings:
     Do not redirect customers from HTTPS to HTTP
     Use HTTPS for users' login and registration
   Warning: You need to make sure you have your https configured correctly at the server level before you do this or you will lock yourself out of the store! For non-Windows servers, you need to set up a symlink which links the http and https directories.

6. Put an "index.php" file in each subdirectory of the cart to prevent directory browsing. The only text you need in these files is a redirect to your homepage. Alternatively, some hosts will disable directory listing for you.

7. Never keep the 'Master' account. When you first log in to X-Cart, create a new admin account, log out, log back in with the new account and delete the master account.

8. Password protect your Admin and Provider directories. One extra level of protection will discourage hackers. This can usually be done via your host's Control Panel.

9. Turn OFF the option of sending CC info via e-mail - in General Settings/E-mail options.

10. Change your permissions:
    .php - 644
    .tpl - 644
    .pl - 755
    .sh - 755
    VERSION - 644
    FOLDERS
    templates_c - always 777
    catalog - 777 (to be able to write catalog, and then 755 once catalog has been written)
    files - 777 (to be able to write to the folder / upload pics etc.)
    log - 777
    All others - 755
    You can do this via FTP, your hosting control panel, or by using SSH with a command like this:
    find ./ -name "*.php" -print -exec chmod 644 {} \;

11. Disable storing of CC info in the database (unless you are using manual credit card processing). Open up config.php (found in your root directory) and change this line:
    $store_cc = true;
    to
    $store_cc = false;
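As an added example (not X-Cart's own code), the POSIX shell script below audits a cart directory against items 1, 2, 3, 6, 10 and 11 of the checklist and prints one FINDING line per problem. The backup file extensions it looks for and the Apache 2.4 "Require all denied" spelling of a deny-all .htaccess are assumptions.

```shell
#!/bin/sh
# Added example, not X-Cart's own code: audit a cart tree against items 1, 2, 3, 6, 10, 11.
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
# Usage: check_store /path/to/cart   (paths containing spaces are not handled)
check_store() {
    root=$1
    findings=0
    # Item 1: the installer must be gone once the store is live.
    if [ -e "$root/install.php" ]; then
        echo "FINDING: $root/install.php still present (item 1)"
        findings=$((findings + 1))
    fi
    # Item 2: log/ and sql/ need a deny-all .htaccess (2.2 or 2.4 syntax, assumed).
    for d in log sql; do
        [ -d "$root/$d" ] || continue
        if ! grep -Eqi 'deny from all|require all denied' "$root/$d/.htaccess" 2>/dev/null; then
            echo "FINDING: $root/$d/ has no deny-all .htaccess (item 2)"
            findings=$((findings + 1))
        fi
    done
    # Item 3: no backups left in log/ (assumed backup extensions).
    for b in "$root"/log/*.sql "$root"/log/*.tgz "$root"/log/*.gz "$root"/log/*.zip; do
        [ -e "$b" ] || continue
        echo "FINDING: backup $b left in log/ (item 3)"
        findings=$((findings + 1))
    done
    # Item 6: every subdirectory should carry an index.php to stop directory listing.
    for d in "$root"/*/; do
        [ -d "$d" ] && [ ! -e "${d}index.php" ] || continue
        echo "FINDING: ${d} has no index.php (item 6)"
        findings=$((findings + 1))
    done
    # Item 10: .php/.tpl must be 644, .pl/.sh must be 755 (exact mode match).
    for f in $(find "$root" \( -name '*.php' -o -name '*.tpl' \) ! -perm 644 2>/dev/null) \
             $(find "$root" \( -name '*.pl' -o -name '*.sh' \) ! -perm 755 2>/dev/null); do
        echo "FINDING: $f has unexpected permissions (item 10)"
        findings=$((findings + 1))
    done
    # Item 11: card numbers must not be stored in the database.
    if grep -Eq '^[[:space:]]*\$store_cc[[:space:]]*=[[:space:]]*true' "$root/config.php" 2>/dev/null; then
        echo "FINDING: \$store_cc is true in config.php (item 11)"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s) in $root"
    [ "$findings" -eq 0 ]
}
```

Run it as the web server user (or root) so that file modes and .htaccess contents are readable.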