OpenCart is a popular open source e-Commerce solution that attracts a huge number of retailers by its extensive customization possibilities and ease-of-use. Since the platform is open source its internal code and file framework are available to a wide public. While it's a good thing for developers, it also means that hackers are well familiar with OpenCart structure and can occasionally detect and exploit its security vulnerabilities.

Attackers seek to compromise a website and add pages with the spam information or inject malicious content into the already existing pages on a site. They are mainly aimed at accessing email accounts and stealing sensitive information to misuse it against customers as well as store owners. Eventually, it will lead to bad brand reputation and ruined customer trust that usually takes tremendously a lot of time and efforts to be restored. Subsequent huge financial losses will also have a detrimental effect on online retail business. Nevertheless, website breaches and its negative consequences can be easily avoided by implementing basic secure practices for an OpenCart store.

1. Delete the Install Folder

Install folder or directory has to be deleted immediately after installation. The point is that someone can potentially access the installation folder and launch the installer again to overwrite a website. To wipe out the directory open FTP client then go to ‘Shop’ and choose the 'Install’ folder to delete it. Note that OpenCart always warns their users in the administration in case an install folder is not deleted after setup.

2. Protect Directories

Admin folder

Admin folder provides access to a store’s administration and everyone who gains control over it can edit information about customer and products, modify store settings or even steal some sensitive data. Thus, it is crucial to protect the admin directory and make it difficult to discover and access it. To hack-proof the directory you should do the following things:

Rename the admin folder

First of all, rename the admin folder with some uncommon name like ‘nomansland’ in order to conceal it from scripts and hackers targeted specifically at the 'admin' folder of OpenCart.


After the folder's name is modified, it’s necessary to use the new path to access your admin dashboard. It can be done by updating the admin/config.php file and replacing instances of ‘admin’ with the new name, like, ‘nomansland’. There should be 5 instances changed.


Finally, the admin login URL will be changed from default ‘’ to ‘’.

Use .htaccess & .htpasswd in the admin folder

It’s recommended to add additional layers of protection in case hackers discover the location of an admin folder. Using .htaccess file lets users block specific traffic from being able to view a website. For example, it’s possible to give the right to access the store only from admin’s IP and deny all the rest. To do so, go to the FTP, pick up the folder you want to protect and create a file .htaccess. Choose to edit it and insert the code below:

<Files *.*> Order Deny,Allow Deny from all Allow from "admin ip address" </Files>


Note, that it will be applied to all subfolders in admin directory.

Also, there is an option to password protect an admin directory with .htpasswd file. It will create an additional step of authorization and demand extra password for the approved administrator to access this directory. It’s preferably to do that via cPanel, where you can choose a directory you want to secure with a password and create a user to access it.



Catalog protection can be accomplished with the mentioned .htaccess file in order to allow access exclusively from admin’s IP address. There is no necessity to secure all files in catalog except the most important ones like template, .php, and .txt files. It can be done through FTP in the same way like with admin folder. You can use the following code:

<FilesMatch "\.(php|tpl|txt)$"> Order Deny,Allow Deny from all Allow from "admin ip address" </FilesMatch>

Take into account that access will be blocked to specific file types: template, php, and txt files.

System folder

There are two types of files need to be protected: logs/error.txt and start_up.php. The logs/error.txt provides valuable information about how the server functions and hackers can use it to create a successful breach.

The implementation of .htaccess will secure System folder files from being accessed by unauthorized administrator. Simply insert the code below into .htaccess file in the system folder:

<FilesMatch "\.(php|txt)$"> Order Deny,Allow Deny from all Allow from "admin ip address" </FilesMatch>

3. Set Up File Permissions

One can set up appropriate permissions to a range of important files and thus give directions to the operating system how to deal with access requests to the files. There are three following types of access:

  • Read - files will be only displayed to the user
  • Write - the user will be able to modify such files
  • Execute - the user is allowed to execute files as programs

There are three types of users you can grant permission to:

  • User is the owner of the file
  • Group is a group of users, e.g. site members
  • World is any person connected to the internet, including store visitors

It is recommended to assign 444 or 644 permission types in order to eliminate chances of file overwriting or malware injection. The first variant (444) allows only reading while the second one (644) provides with reading and writing options.


The following types of files have to be set up:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php

4. Be Cautious With 3rd Party Plugins

E-Commerce retailers often install various plugins and modules to expand the functionality of their stores. Third party add-ons are able to provoke Opencart security issues since they can potentially contain some random or deliberate vulnerabilities. It happens that hackers create new or make changes to already existing open source plugins in order to compromise websites that install them. Thus, users have to be especially cautious with 3rd party extensions and avoid utilizing software of dubious origin.

Hackers prefer a plain sailing and target poorly protected and vulnerable websites. Implementing basic but at the same time, efficient measures will help to hack-proof a store and avoid possible negative outcomes of security breaches.

If you are willing to use OpenCart platform for developing a highly lucrative online business, Cart2Cart offers an automated service for seamless migration to OpenCart. It allows you to transfer numerous entities like products, categories, customers, images, manufacturers, etc in an accurate and secure way.

Try out an absolutely Free Demo Migration to evaluate the advantages of an automated data import and test the look and functionality of a new OpenCart store.