LiteCommerce:Security

From X-Cart 4 Classic
Revision as of 12:20, 31 May 2012 by Dohtur (talk | contribs)
Warning: This article refers to LiteCommerce 2.x only. For the user manual for LiteCommerce 3.x, please visit this website.

For smooth and uninterrupted operation of your store, and in order to prevent fraud attacks, it is essential to set up your store securely. The following measures help you enhance the security of your online store:

1. Make sure that permissions on certain files and directories are not excessive:

  • If your server is UNIX-based: Go to the LiteCommerce installation directory on the server and issue the following shell or FTP commands to change file access permissions (for further details on changing file permissions, see 'man chmod' or your FTP client reference manual):
chmod 755 .
chmod 644 etc/config.php
  • If your server is Windows-based: Use the file management tools (Control Panel utility or other) supplied by your hosting provider to set the necessary permissions (you might want to consult your hosting provider for details on how to do this). The LiteCommerce installation directory and the 'etc/config.php' file within it must now be configured to be unwritable and undeletable by the user account the web-server application runs as, while remaining writable and deletable by the file owner (you). If you do not know how to do this on your server set-up, please consult our installation services for assistance.

2. Make sure that the Installation Wizard utility ('install.php') is not freely accessible:

Note: For security purposes, after the installation is complete the 'install.php' script is renamed to a PHP file whose filename consists of 32 hexadecimal digits (1-9 and a-f) followed by '.php'. If you do not intend to use the Installation Wizard utility on your LiteCommerce installation, it is safe to remove this PHP file completely. You can always unpack the 'install.php' file from the distribution and place it back on the site when you need it.

If the utility remains in the LiteCommerce installation directory, use the following guidelines to secure it:

  • the utility file must be owned by the user whose credentials were used to upload the installation to the web server and not the user that runs the web server application (like 'www' on UNIX systems or 'IUSR_<computername>' on Windows systems);
  • it must be readable, writable and executable by the owner and deny reading, writing and execution rights to user group and others;
  • you can also modify the '.htaccess' file in your LiteCommerce installation directory to limit Installation Wizard access to trusted intranet computers.
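The permission and ownership rules from items 1 and 2 can be checked with a small audit script. This is an added example, not part of the LiteCommerce distribution; it assumes GNU stat (Linux), that the web server runs as 'www-data' (override with WEB_USER), and that the renamed Installation Wizard file is 32 hexadecimal characters followed by '.php'.

```shell
#!/bin/sh
# Audit the file permission rules (items 1 and 2) on a LiteCommerce 2.x
# installation directory. Prints one line per finding; returns the number
# of findings (0 = everything as recommended).
# Assumption: WEB_USER is the account the web-server application runs as.
WEB_USER="${WEB_USER:-www-data}"

# mode_of FILE -> octal permission bits, e.g. 644 (GNU stat)
mode_of() { stat -c '%a' "$1"; }
# owner_of FILE -> user name of the file owner
owner_of() { stat -c '%U' "$1"; }

# check_mode FILE EXPECTED -> 0 if FILE has exactly mode EXPECTED
check_mode() {
    if [ "$(mode_of "$1")" = "$2" ]; then
        return 0
    fi
    echo "BAD: $1 is mode $(mode_of "$1"), expected $2"
    return 1
}

# audit_store DIR -> number of failed checks
audit_store() {
    dir="$1"
    fails=0
    # Item 1: installation directory 755, etc/config.php 644
    check_mode "$dir" 755 || fails=$((fails + 1))
    check_mode "$dir/etc/config.php" 644 || fails=$((fails + 1))
    # Item 2: the renamed Installation Wizard (32 hex characters + .php),
    # if still present, must be owner-only (700) and must not be owned by
    # the web-server user.
    for wiz in "$dir"/*.php; do
        [ -e "$wiz" ] || continue
        base=$(basename "$wiz" .php)
        case "$base" in
            *[!0-9a-f]*) continue ;;   # contains a non-hex character
        esac
        [ ${#base} -eq 32 ] || continue
        check_mode "$wiz" 700 || fails=$((fails + 1))
        if [ "$(owner_of "$wiz")" = "$WEB_USER" ]; then
            echo "BAD: $wiz is owned by the web-server user $WEB_USER"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run it as `audit_store /path/to/litecommerce`; a non-zero exit status means at least one rule is violated.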

3. Create and configure '.htaccess' files in the LiteCommerce installation directory and the 'etc/' directory to limit access to the following components of the LiteCommerce software:

LICENSE
cleanup.php
etc/config.php
admin.php

The LiteCommerce installation directory contains an '.htaccess' file protecting the 'LICENSE' and 'etc/config.php' files from unauthorized access. This file can be edited as needed. It also contains commented (disabled) sample directives for setting up basic authentication, which you can use to create an additional layer of protection for the Administrator Zone and other components of your online store.

Important: Make sure that the use of '.htaccess' files is not suppressed or limited by your hosting provider, as is often the case. If your web server configuration prohibits overriding access settings, the '.htaccess' file will not be able to protect the files from unauthorized access by web users.

4. Use secure HTTP (HTTPS) protocol in both Administrator and Customer Zones (for details see the section "Security Options" of this manual).

5. Use secure administrative credentials. This means that users with administrative privileges should choose passwords which are long and complex enough not to be guessed or matched using break-in software. Additionally, every failed Administrator Zone login attempt is recorded, and the login attempt details are sent to the e-mail address specified in the 'Site administrator e-mail' field of the company's general settings (see the section "Company Options" for details). If the store has multiple users with administrative privileges, clicking on the 'login history' link in the page header of the Administrator Zone reveals the last time each of the administrators logged in (Figure 3-13). This information can be used to track administrative activities.

Figure 3-13: Administrator login history screen