opencart security issues

OpenCart is a popular open-source e-Commerce solution that attracts many retailers by its extensive customization possibilities and ease of use. Since the platform is open-source, its internal code and file framework are available to a wide public. While it's a good thing for developers, it also means that hackers are well familiar with OpenCart structure and can occasionally detect and exploit its security vulnerabilities. Read on to find out how to deal with OpenCart security issues.

Attackers seek to compromise a website and add pages with spam information or inject malicious content into the already existing pages on a site. They are mainly aimed at accessing email accounts and stealing sensitive information to misuse it against customers and store owners. Eventually, it will lead to a bad brand reputation and ruined customer trust that usually takes tremendously a lot of time and effort to be restored. Subsequent huge financial losses will also have a detrimental effect on the online retail business. Nevertheless, you can easily avoid website breaches and negative consequences by implementing basic security practices for an OpenCart store.

OpenCart Security Issues: 1. Delete the Install Folder

Install folder or directory has to be deleted immediately after installation. The point is that someone can potentially access the installation folder and relaunch the installer to overwrite a website. To wipe out the directory open FTP client then go to ‘Shop’ and choose the 'Install’ folder to delete it. Note that OpenCart always warns their users in the administration if an install folder is not deleted after setup.

OpenCart Security Issues: 2. Protect Directories

Admin folder

Admin folder provides access to a store's administration, and everyone who gains control over it can edit information about customers and products, modify store settings or even steal some sensitive data. Thus, it is crucial to protect the admin directory and make it difficult to discover and access it. To hack-proof the directory, you should do the following things:

Rename the admin folder

First of all, rename the admin folder with some uncommon name like 'nomansland' in order to conceal it from scripts and hackers targeted specifically at the 'admin' folder of OpenCart.

opencart security issues

After the folder's name is modified, it's necessary to use the new path to access your admin dashboard. It can be done by updating the admin/config.php file and replacing instances of ‘admin’ with the new name, like, ‘nomansland’. There should be five instances changed.

opencart security issues

Finally, the admin login URL will be changed from default ‘’ to ‘’.

How to Migrate Your Online Business to OpenCart. A Time-Tested Guide

Use .htaccess & .htpasswd in the admin folder

It’s recommended to add additional layers of protection in case hackers discover the location of an admin folder. Using .htaccess file lets users block specific traffic from being able to view a website. For example, it’s possible to give the right to access the store only from admin’s IP and deny all the rest. To do so, go to the FTP, pick up the folder you want to protect and create a file .htaccess. Choose to edit it and insert the code below:

Order Deny,Allow Deny from all Allow from "admin ip address"

opencart security issues

Note that it will be applied to all subfolders in the admin directory.

Also, there is an option to password protect an admin directory with .htpasswd file. It will create an additional step of authorization and demand an extra password for the approved administrator to access this directory. It's preferable to do that via cPanel, where you can choose a directory you want to secure with a password and create a user to access it.

opencart security issues


Catalog protection can be accomplished with the mentioned .htaccess file in order to allow access exclusively from admin’s IP address. There is no necessity to secure all files in catalog except the most important ones like template, .php, and .txt files. It can be done through FTP in the same way like with admin folder. You can use the following code:

Order Deny,Allow Deny from all Allow from "admin ip address"

How to Export OpenCart Products

Take into account that access will be blocked to specific file types: template, php, and txt files.

System folder

There are two types of files need to be protected: logs/error.txt and start_up.php. The logs/error.txt provides valuable information about how the server functions and hackers can use it to create a successful breach.

The implementation of .htaccess will secure System folder files from being accessed by unauthorized administrator. Simply insert the code below into .htaccess file in the system folder:

Order Deny,Allow Deny from all Allow from "admin ip address"

OpenCart Security Issues: 3. Set Up File Permissions

One can set up appropriate permissions to a range of important files and thus give directions to the operating system how to deal with access requests to the files. There are three following types of access:

  • Read - files will be only displayed to the user
  • Write - the user will be able to modify such files
  • Execute - the user is allowed to execute files as programs

There are three types of users you can grant permission to:

  • User is the owner of the file
  • Group is a group of users, e.g. site members
  • World is any person connected to the internet, including store visitors

It is recommended to assign 444 or 644 permission types to eliminate chances of file overwriting or malware injection. The first variant (444) allows only reading, while the second (644) provides reading and writing options.

opencart security issues

The following types of files have to be set up:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php

Zen Cart vs OpenCart: Pros and Cons

Catch up this long-expected chance!

Start free demo and get a brand-new store just in a few clicks.

Migrate now

OpenCart Security Issues: 4. Be Cautious With 3rd Party Plugins

E-Commerce retailers often install various plugins and modules to expand the functionality of their stores. Third-party add-ons can provoke Opencart security issues since they can potentially contain some random or deliberate vulnerabilities. It happens that hackers create new or make changes to already existing open-source plugins to compromise websites that install them. Thus, users have to be especially cautious with 3rd party extensions and avoid utilizing software of dubious origin.

Hackers prefer plain sailing and target poorly protected and vulnerable websites. Implementing basic but at the same time efficient measures will help to hack-proof a store and avoid possible negative outcomes of security breaches. Find more info on how to secure your OpenCart in this guide.

If you are willing to use OpenCart platform for developing a highly lucrative online business, Cart2Cart offers an automated service for seamless migration to OpenCart. It allows you to transfer numerous entities like products, categories, customers, images, manufacturers, etc., accurately and securely.

Try out an absolutely Free Demo Migration to evaluate the advantages of an automated data import and test the look and functionality of a new OpenCart store.