
Security considerations

 
  • Earl
  • Member
  • Members
  • Join Date: 30-Oct 07
  • 44 posts

Posted 12 December 2007 - 01:27 AM #1

As a newbie to shopping carts and development, I thought it would be nice to share some security considerations which may be helpful in securing your site. It is not a complete list, but I think it is a start. Please feel free to add to the list.

1. Use VPS or dedicated hosting (shared hosting is not easily secured)
2. Use PCI compliance scanning to help find potential holes such as the public listing of directories using http://hostserver/~username, weak encryption used with SSL, cross-site scripting, etc.
3. Use SFTP or FTP over TLS (never use FTP without encryption)
4. During Installation select a complex encryption key
5. Select a complex database password if possible
6. After Installation REMOVE install.php
7. Ensure Permissions on config.php are 644
8. Rename admin.php to something else e.g. mystoreadmin.php. You will also need to edit the config.php to reflect the change.
9. Ensure your database only accepts connections from your web server.
10. Use admin/admin as username and password only once; change both ASAP to a different username or email address and a complex password.
11. Always use SSL when accessing the adminCP and other sensitive areas. Avoid shared SSL certificates.
12. If your email server is the same as your web server, you should use either SMTP over SSL, POP3S or IMAPS, and not SMTP and POP3.
13. Always use complex passwords
14. Keep your usernames and passwords safe (encryption and physically secure)
15. Change your passwords often

Earl
Cs-Cart 1.3.5 SP-1
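The following is an added example, not code from the forum post or from CS-Cart itself: a small POSIX shell audit that checks a webroot against items 5 to 9 of the list above (installer removed, config.php mode 644 with a non-trivial database password, default admin.php gone, MySQL listening on loopback only). The file layout it expects (install.php, admin.php, a config.php containing a `$db_password = '...'` line) and the MySQL option file path are assumptions; a throwaway insecure and hardened layout is built in a temp directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the forum thread or CS-Cart: audit a webroot against
# the checklist above. Layout and option-file path are assumptions.

# Octal mode of a file; GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_webroot WEBROOT MYCNF
# Prints one FAIL line per finding; returns 0 only if every check passed.
audit_webroot() {
  webroot=$1
  mycnf=$2
  fails=0

  # Item 6: the installer must be deleted once the store is set up.
  if [ -e "$webroot/install.php" ]; then
    echo "FAIL: $webroot/install.php still present"
    fails=$((fails + 1))
  fi

  if [ -e "$webroot/config.php" ]; then
    # Item 7: 644 keeps config.php readable by the web server user but
    # never group- or world-writable.
    mode=$(file_mode "$webroot/config.php")
    if [ "$mode" != "644" ]; then
      echo "FAIL: config.php mode is $mode, expected 644"
      fails=$((fails + 1))
    fi
    # Item 5: pull the DB password out of the assumed $db_password = '...'
    # line and reject empty or short values.
    pw=$(sed -n "s/.*db_password[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$webroot/config.php")
    if [ "${#pw}" -lt 12 ]; then
      echo "FAIL: database password missing or shorter than 12 characters"
      fails=$((fails + 1))
    fi
  else
    echo "FAIL: $webroot/config.php not found"
    fails=$((fails + 1))
  fi

  # Item 8: the default admin entry point should have been renamed.
  if [ -e "$webroot/admin.php" ]; then
    echo "FAIL: default admin.php still present; rename it and update config.php"
    fails=$((fails + 1))
  fi

  # Item 9: MySQL should accept connections only from this host, i.e. bind
  # to loopback or disable TCP entirely with skip-networking.
  if ! grep -Eq '^[[:space:]]*(bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1|skip-networking)' "$mycnf" 2>/dev/null; then
    echo "FAIL: $mycnf does not restrict MySQL to loopback (bind-address = 127.0.0.1 or skip-networking)"
    fails=$((fails + 1))
  fi

  [ "$fails" -eq 0 ]
}

# build_demo DIR: constructed demo layouts (not real store data).
build_demo() {
  base=$1
  mkdir -p "$base/insecure" "$base/hardened"
  # Insecure: installer left behind, default admin.php, world-writable config
  # with an empty DB password, MySQL bound to every interface.
  : > "$base/insecure/install.php"
  : > "$base/insecure/admin.php"
  printf "<?php\n\$db_password = '';\n" > "$base/insecure/config.php"
  chmod 666 "$base/insecure/config.php"
  printf "[mysqld]\nbind-address = 0.0.0.0\n" > "$base/insecure/my.cnf"
  # Hardened: installer removed, admin renamed, 644 config with a long
  # password, MySQL on loopback only.
  : > "$base/hardened/mystoreadmin.php"
  printf "<?php\n\$db_password = 'Vq7pLx2rT9wZ4mQ8';\n" > "$base/hardened/config.php"
  chmod 644 "$base/hardened/config.php"
  printf "[mysqld]\nbind-address = 127.0.0.1\n" > "$base/hardened/my.cnf"
}

# Run both layouts through the audit and report.
run_demo() {
  tmp=$(mktemp -d)
  build_demo "$tmp"
  echo "== insecure layout"
  audit_webroot "$tmp/insecure" "$tmp/insecure/my.cnf" || echo "result: NOT hardened"
  echo "== hardened layout"
  audit_webroot "$tmp/hardened" "$tmp/hardened/my.cnf" && echo "result: OK"
  rm -rf "$tmp"
}

run_demo
```

Run it against a real store as `audit_webroot /var/www/store /etc/mysql/my.cnf`; the bind-address check only covers what MySQL listens on, so pair it with a host firewall rule dropping inbound 3306 as a second layer.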

 
  • Earl
  • Member
  • Members
  • Join Date: 30-Oct 07
  • 44 posts

Posted 12 December 2007 - 08:59 PM #2

Let me add it is a good idea to have your web server behind a firewall of some kind (This can be found in some VPS packages) with rules blocking unused ports e.g. mysql port 3306.

Earl

 
  • storm
  • Senior Member
  • Members
  • Join Date: 26-Sep 07
  • 126 posts

Posted 12 December 2007 - 09:36 PM #3

Thanks for the very helpful information. I am just beginning setup on a VPS and it is useful info.

Also, I would add to rename the admin.php file to something more complex and edit config.php to reflect the change.
Version 1.3.5 sp1

 
  • Codies
  • Junior Member
  • Members
  • Join Date: 10-Jun 07
  • 25 posts

Posted 15 December 2007 - 12:14 AM #4

I'm also inclined to rename the classes folder since most of the third-party modules reside in that folder.
A previous cs-cart vulnerability was caused by an exploit in one of those modules.

But the cart didn't work after I renamed the folder (and config.php as well).