Zen Cart™ Site Security

The Zen Cart™ software is made available to you for use, additions, changes, modifications, etc. without charge, under the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store.

Donations can be made at: The Zen Cart™ Team Page

We appreciate your support.
The Zen Cart™ Team

Zen Cart™ is derived from: Copyright 2003 osCommerce
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under the GNU General Public License


This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

STEPS IN SECURING YOUR ZEN CART™ STORE

The following is a list of several steps you can take to secure your Zen Cart™ site:

1. Delete the /zc_install folder

Once installation is complete, delete the /zc_install folder from the server.
Don't simply rename the folder, as this leaves you vulnerable if someone were to discover this renamed folder.

2. Set configure.php files read-only

It's important that you CHMOD (set permissions) on the two configure.php files as read-only.
Typically this means setting it to "644", or in some cases "444".
If you cannot do this with your FTP software, try using the File Manager supplied with your webhosting account.
If you're using a Windows server, simply set the file as "Read-Only" for "Everyone" and especially the IUSR_xxxxx user if running IIS, or the "System" account or "apache user" if running Apache.

3. Rename your "/admin" folder

Renaming the "admin" folder makes it much harder for would-be hackers to get into your admin area.

(Before making the following changes, make sure to have a current backup of your files and your database.)

A- Open your admin/includes/configure.php, using a simple text editor like notepad.
Change all instances of /admin/ to your chosen new admin folder-name.

Change this section:

define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_CATALOG', '/');

And this section:

define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');
define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');

B- Find your Zen Cart /admin/ directory, using your FTP software or your webhost File Manager.
Rename the directory to match the settings you just made in your admin/includes/configure.php.

4. Delete any unused Admin accounts

Admin->Tools->Admin Settings
In your admin area, open the Tools menu, and choose Admin Settings
- Check for any unused admin accounts, and delete them. Especially the "Demo" account, if it exists.

5. Admin Password Security

It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.

You can change your admin password in Admin->Tools->Admin Settings, and click on the "Reset Password" button, or click on the icon that looks like a recycle symbol.

We recommend that you use passwords that are at least 8 characters long.
Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps too.

6. Protect your "define pages" content in "html_includes"

After you have finished editing your define pages (Admin->Tools->Define Pages Editor), you should protect them:
A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes area.

B. Make them CHMOD 644 or 444 (or “read-only” for Windows hosts). See notes above on CHMOD.
/includes/languages/english/html_includes – and all files/folders underneath

If you make them read-only, then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the read-only status, which is more complicated.

NOTE: Of course, once you set them read-only, then you'll have to go and set them read-write before making additional changes using the define-pages editor.

7. Use .htaccess files to protect against unwanted snooping

In several folders, there are .htaccess files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to "any" .PHP scripts, since it's expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security.
If you delete these files, you run the risk of leaving yourself open to people snooping around.

There are also some semi-"blank" index.html files in several folders. These files are there to protect you in case your FTP software won't upload .htaccess files, or your server won't accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It's a good "alternative", although using .htaccess files in ALL of these folders is the better choice, for servers that accept them.

Suggested content for .htaccess files in folders where there is an index.html file but NOT yet an .htaccess file would be something like the following (depends on your server configuration):

#.htaccess to prevent unauthorized directory browsing or access to .php files
   IndexIgnore */*
   <Files *.php>
    Order Deny,Allow
    Deny from all
   </Files>

If your webhost configuration doesn't allow you to create/use your own .htaccess files, sometimes they provide an interface in your hosting admin control panel where you can set the desired .htaccess settings.

It is recommended that you work with your host to configure these settings if this is the method they require. You need to choose -- and use -- the appropriate method for your server. As mentioned above, it's best to work with your web hosting company to select and implement the best method for your specific server. We can't tell you what to use for your specific server, but we offer these guidelines as a starting point.