X-cart Security

X-Cart makes it easy for nearly anyone with the desire to establish an e-commerce store to do so; however, not everyone has the background knowledge to know how to address security issues. Many store owners begin designing, adding products, and focusing on sales and SEO without ensuring that their X-Cart store is hosted in a secure environment and built with a focus on security. Once the store is established, owners are often unaware of what is required to keep their X-Cart secure over time.

The purpose of this tutorial is to assist you in understanding:

The importance of X-Cart security
Hosting X-Cart in a secure environment
How to secure your X-Cart
Maintenance of x-cart security

The importance of X-Cart security
Website security should always be a priority, but it is absolutely crucial for e-commerce stores that transact and store sensitive customer data such as email addresses, phone numbers, postal addresses, and credit card information. Reading through the X-Cart forums you will find many store owners who have had the misfortune of having their X-Cart hacked or exploited. Having worked with X-Cart since 2002, I've had many of those store owners come to me asking what can be done to fix their store, and I have repeatedly heard the same response: nobody had ever talked to them about security and they were unaware that anything needed to be done. Believe me when I say that if you are not aware of what is required to secure and maintain your X-Cart, it is by sheer luck that your store has not been hacked or exploited, and it is only a matter of time before you become a victim. That said, by reading this tutorial you are well on your way to understanding and performing X-Cart security to keep you and your customers safe.

Hosting X-Cart in a secure environment
The environment on which your X-Cart is hosted is the base for all security; if your host and/or server is not secure, none of the security settings within X-Cart will keep you from being exploited. There are generally two types of hosting: a shared server, where you purchase a plan with a host and they provide space for your site on a server shared with many other clients, or a dedicated server, which is a computer where you host your site(s) exclusively (a VPS is essentially a combination of the two, offering dedicated-server privileges in an environment shared with fewer users than shared hosting).

Secured Shared Hosting
The main benefits of shared hosting are the reduced cost of sharing the server with other users and having the server company manage the server security. These same benefits can also pose a security threat, however: the sites of other clients can jeopardize your security if their sites are breached, and if you rely on a server company to secure the server and they fail to do so correctly, you can find yourself in serious trouble. To combat these potential problems, it is imperative that you host with a trusted hosting provider who makes server security a priority. View our recommended X-Cart Hosting providers.

Dedicated Server
Unmanaged

I unfortunately often see X-Cart store owners establish or move to an unmanaged dedicated server without knowing the onus of security that falls on them in doing so. When working with an unmanaged server, you are responsible for ALL server security. This includes the configuration of all your server settings, as well as keeping your kernel, OS, PHP/MySQL, control panel, etc. up to date as new branches and patches are released. This is a daunting task for anyone not very experienced with server security, and is not recommended for the average user.

Managed

Surprisingly, having a managed server does not necessarily mean your server is secure. When purchasing a managed plan, it is important to know what the server provider will and won't do as part of that plan; it is not uncommon for someone to establish a managed server and set up their site(s) thinking the host will take care of security, only to find their server exploited, to which the server company responds that they only perform security tasks upon request. If you rely on your host for a fully managed security package, it is important that you work with a trusted hosting provider who takes security seriously, and that you confirm all aspects of security are accounted for.

Server Management Companies

Personally, I recommend an unmanaged dedicated server package and then using the services of a server management company such as EZSM or ServerWizards. These companies will configure your initial security settings, put processes in place to manage your security, and keep your server up-to-date as upgrades and patches are made available.

How to secure your X-Cart
After securing the hosting environment, it is necessary to address security with x-cart itself. Taking the following steps will make great strides in securing your x-cart:

Ensure you have a secure https connection for your store using a valid SSL certificate.

Do not use the "master" X-Cart admin account. To change this, log in using your "master" X-Cart admin account and create a new administrator with a username that is less generic. Log in as that new user and delete the "master" user account.

Immediately password protect your admin and provider directories. You can usually password protect these directories using a control panel such as cPanel, or you can use .htaccess and .htpasswd files (run a quick Google search if you are unsure how).

Be aware of your site's file permissions: loose file permissions, in conjunction with an exploit, can allow someone to write and execute files on your website. This is a very common exploit against X-Cart, so take this seriously. In general your file chmod permissions should appear as follows:

File type          Permission
*.php              644
*.tpl              644
*.pl               755
*.sh               755
/catalog/          777
/files/            777
/images/           777
/var/              777
/var/* folders     777
/var/* files       666
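An added audit script (not part of the original article or of X-Cart itself) that walks a store directory and reports files whose mode differs from the table above, plus any other file that is world-writable outside the directories the table allows to be writable. The sample tree it builds uses constructed, hypothetical paths; run it against your real store root instead.

```python
import os
import stat
import tempfile

# Expected file modes from the permissions table above, keyed by extension,
# and the top-level directories the table allows to be world-writable.
EXPECTED_FILE_MODES = {".php": 0o644, ".tpl": 0o644, ".pl": 0o755, ".sh": 0o755}
WRITABLE_DIRS = ("catalog", "files", "images", "var")


def audit_permissions(root):
    """Walk a store directory and return sorted (path, actual, expected) tuples
    for files whose mode differs from the table, plus any other file that is
    world-writable outside the directories the table allows to be writable."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = EXPECTED_FILE_MODES.get(os.path.splitext(name)[1].lower())
            top_dir = rel.split(os.sep)[0]
            if expected is not None and mode != expected:
                findings.append((rel, oct(mode), oct(expected)))
            elif expected is None and (mode & stat.S_IWOTH) and top_dir not in WRITABLE_DIRS:
                findings.append((rel, oct(mode), "not world-writable"))
    return sorted(findings)


def build_sample_store():
    """Create a constructed X-Cart-like tree (hypothetical paths, not a real
    install) with a mix of correct and loose modes, and return its root."""
    root = tempfile.mkdtemp(prefix="xcart_audit_")
    samples = {
        "cart.php": 0o644,            # matches the table
        "config.php": 0o604,          # differs from 644: reported
        "include/func.php": 0o666,    # world-writable PHP: reported
        "skin1/home.tpl": 0o644,      # matches the table
        "payment/cc_x.pl": 0o644,     # not executable, table says 755: reported
        "var/log/xcart.log": 0o666,   # 666 is what the table expects under var/
        "skin1/style.css": 0o666,     # world-writable outside var/ etc.: reported
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root
```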

Turn off the option of sending credit card information in e-mails in the General Settings -> E-Mail Options section of your x-cart admin section.

Unless you are using the subscriptions module, do not store credit card information in your database. To disable, or to ensure that this setting is disabled, open your config.php file and ensure the $store_cc variable is set to false:

$store_cc = false;

It is always a good idea to log into your X-Cart admin section using https so that the data transacted during the session is encrypted. The following code forces your X-Cart admins/providers to log in over https:// by redirecting them when http:// is used.

Add this code to the .htaccess of your admin section (adjust your url):

# Force https on the admin section
RewriteEngine On
# Redirect any request that did not arrive on the https port (443)
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/admin/$1 [R=301,L]

Add this code to the .htaccess of your provider section (adjust your url):

# Force https on the provider section
RewriteEngine On
# Redirect any request that did not arrive on the https port (443)
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/provider/$1 [R=301,L]

The following .htaccess code, which can be placed in an .htaccess file in your store's root directory (same directory as / and cart.php), will prevent access to sensitive areas of the x-cart file structure. If you are on a server that does not support .htaccess files, you will want to find alternate ways to block access to these files.

(NOTE: Change http://www.yourdomain.com/x-cart-path/ to the url to your error_message.php file.)

Options +SymlinksIfOwnerMatch -Indexes
RewriteEngine on

# Block access to sensitive directories
# (RedirectMatch takes a regular expression, so a literal dot is written as \.)
RedirectMatch permanent ^.*/\.pgp/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/patch..*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/sql/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/schemes/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/skin1_original/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/Smarty.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/upgrade/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive file types
# (an unescaped dot here would also match any path that merely ends in "log")
RedirectMatch permanent ^.*\.(ini|tpl|sql|log|conf|bak)$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive files
RedirectMatch permanent ^.*/COPYRIGHT http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/INSTALL.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/NEW.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/README http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/UPGRADE.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/VERSION http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/include/version\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/config\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/top\.inc\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/install\.php$ http://www.yourdomain.com/x-cart-path/error_message.php
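An added test harness (not part of the original article) that runs the RedirectMatch patterns above, as Python regular expressions, over constructed request paths for a hypothetical store under /x-cart-path/: it reports sensitive paths no rule catches and legitimate paths a rule would wrongly redirect. It assumes the dots before file extensions are escaped as `\.`; the last function shows why that matters, since an unescaped dot matches any character and the file-type rule would then redirect /catalog too.

```python
import re

# The RedirectMatch patterns from the .htaccess above. RedirectMatch takes a
# regular expression, so a dot that should match a literal "." is escaped
# here as "\."; an unescaped dot matches any single character.
BLOCK_PATTERNS = [
    r"^.*/\.pgp/.*$", r"^.*/patch..*$", r"^.*/sql/.*$", r"^.*/schemes/.*$",
    r"^.*/skin1_original/.*$", r"^.*/Smarty.*$", r"^.*/upgrade/.*$", r"^.*/var/.*$",
    r"^.*\.(ini|tpl|sql|log|conf|bak)$",
    r"^.*/COPYRIGHT", r"^.*/INSTALL.*$", r"^.*/NEW.*$", r"^.*/README",
    r"^.*/UPGRADE.*$", r"^.*/VERSION", r"^.*/include/version\.php",
    r"^.*/config\.php", r"^.*/top\.inc\.php", r"^.*/install\.php$",
]


def is_blocked(url_path, patterns=BLOCK_PATTERNS):
    """True if at least one rule would redirect this request path."""
    return any(re.search(p, url_path) for p in patterns)


def check_rules(must_block, must_allow, patterns=BLOCK_PATTERNS):
    """Return (leaks, collateral): sensitive paths no rule catches, and
    legitimate store paths that a rule would wrongly redirect."""
    leaks = [p for p in must_block if not is_blocked(p, patterns)]
    collateral = [p for p in must_allow if is_blocked(p, patterns)]
    return leaks, collateral


def unescaped_dot_collateral(paths):
    """Show why the dot must be escaped: written as '^.*.(ini|...|log|...)$'
    the rule also matches any path that merely ends in 'log', such as the
    /catalog directory. Returns the paths that loose rule would redirect."""
    loose = r"^.*.(ini|tpl|sql|log|conf|bak)$"
    return [p for p in paths if re.search(loose, p)]


# Constructed request paths for a hypothetical store installed under /x-cart-path/
SENSITIVE_PATHS = [
    "/x-cart-path/config.php", "/x-cart-path/var/log/xcart.log",
    "/x-cart-path/skin1/customer/home.tpl", "/x-cart-path/sql/xcart.sql",
    "/x-cart-path/install.php", "/x-cart-path/include/version.php",
]
LEGITIMATE_PATHS = [
    "/x-cart-path/cart.php", "/x-cart-path/home.php", "/x-cart-path/catalog/",
    "/x-cart-path/skin1/style.css", "/x-cart-path/images/logo.gif",
]
```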

Maintenance of x-cart security
A big mistake I see with users of software is thinking they can set up the software and then run it for an indefinite period of time. It is imperative with X-Cart, and with all software you run for that matter, that you apply security patches and upgrade as new releases become available. While patches and upgrades do require time and/or money to apply, neglecting them can be fatal to your business, so they need to be made a priority.

X-Cart provides security and release bulletins that you can sign up for in your x-cart client account. Be sure to sign-up for these bulletins and stay on top of your security.

Article copyright 2007 WebsiteCM.com and may be republished provided all content is left intact including author information, copyright notice and website links.

Jon Peters

Working extensively with x-cart since 2002, Jon Peters of WebsiteCM is available to assist you with your x-cart based business. Ask him a question at http://www.websitecm.com/forum/ or find out how to improve your x-cart based business with x-cart mods, x-cart tutorials and more at http://www.websitecm.com/.
