X-Cart:Security related tips

From X-Cart 4 Classic

After the installation is completed, you must ensure the security of your X-Cart installation and source code. It is strongly recommended you take the following steps.

Protect the installation script install.php

You must ensure that the installation script install.php you used to install X-Cart is well protected from unauthorized access. This is essential because anyone with access to this script can re-install your store or change your store's skin set/layout.

X-Cart provides a mechanism for protecting the script install.php after the installation: at the last step of the installation procedure, install.php is renamed to something like install-file-YY-MM-DD-xxxxx.php (the new filename is displayed to you at the last step of the installation procedure and sent to you in the email notification). In the filename install-file-YY-MM-DD-xxxxx.php, the portion YY-MM-DD stands for the year, month and day when the file was renamed, and the portion xxxxx is a randomly generated code. After the renaming, the installation script cannot be run. To be able to use the installation script again, you need to change its name back to install.php using FTP, SSH or any other type of direct access to the file system (Control Panel and the like).

The renaming mechanism may fail if, for example, file renaming is forbidden on your system. If X-Cart fails to rename install.php, the 'Installation complete' message at the last step of X-Cart installation will say so. In this case, you will need to either rename the file install.php manually or remove it from the web-accessible directory, keeping a copy of the file in a safe place. Later, if you need to re-install your X-Cart store, you will be able to re-upload the script install.php to the /xcart directory and run the installation the same way you did it the first time.

Protect the X-Cart distribution package

To prevent unauthorized access to X-Cart source code, be sure to remove the X-Cart distribution package archive you used to install your store from the web-accessible directory.

Protect X-Cart files and directories

You must ensure that the files and directories of your X-Cart installation are protected by secure permissions.

During X-Cart installation, the installation script automatically sets the required secure permissions on the files and directories that need to be protected. If it is not able to change the permissions, the 'Installation complete' message at the last step of X-Cart installation will say so and provide a list of files/directories for which the permissions need to be re-adjusted. Be sure to re-adjust the permissions as advised.

Secure permissions must be set for all X-Cart files and directories. Change the permissions as advised below.

> chmod 644 config.php
> chmod 755 var
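The checks from the two sections above (install.php gone from the web root, no distribution archive left behind, config.php and var with the advised permissions) can be verified in one place. The script below is an added example, not X-Cart's own code; it assumes the store directory is passed as the first argument (the page calls it /xcart) and that a leftover archive ends in .tgz, .tar.gz or .zip.

```shell
#!/bin/sh
# Post-installation hardening check for an X-Cart 4 web root. Added example, not
# X-Cart's own code. Assumes the store lives in the directory passed as $1 and
# that a leftover distribution archive ends in .tgz, .tar.gz or .zip (assumed).

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# Returns 0 when every check from the page passes, 1 otherwise; prints findings.
check_xcart_hardening() {
    root=$1; rc=0
    # 1. install.php must not be reachable under its original name.
    if [ -e "$root/install.php" ]; then
        echo "FAIL: install.php is still present; rename it or move it out of $root"; rc=1
    fi
    # 2. The distribution archive must not sit in the web-accessible directory.
    for f in "$root"/*.tgz "$root"/*.tar.gz "$root"/*.zip; do
        [ -e "$f" ] || continue
        echo "FAIL: distribution archive $f is web-accessible; remove it"; rc=1
    done
    # 3. config.php must be 644 and var must be 755, as advised on the page.
    [ "$(perm_of "$root/config.php")" = 644 ] || { echo "FAIL: run 'chmod 644 config.php'"; rc=1; }
    [ "$(perm_of "$root/var")" = 755 ] || { echo "FAIL: run 'chmod 755 var'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $root passes the post-install checks"
    return "$rc"
}
# Apply the page's remediation steps: move install.php to a safe place outside
# the web root, delete the archive, set the advised permissions.
harden_store() {
    root=$1; safe="$(dirname "$root")/safe-$(basename "$root")"
    mkdir -p "$safe" && mv "$root/install.php" "$safe/"
    rm -f "$root"/*.tgz "$root"/*.tar.gz "$root"/*.zip
    chmod 644 "$root/config.php" && chmod 755 "$root/var"
}
# Constructed sample layout of a fresh, not yet hardened install, so the script
# runs offline; point check_xcart_hardening at the real store directory instead.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir "$dir/var" && chmod 777 "$dir/var"
    printf '<?php\n' > "$dir/config.php" && chmod 666 "$dir/config.php"
    printf '<?php\n' > "$dir/install.php"
    : > "$dir/x-cart-4.tgz"
    echo "$dir"
}

store=$(make_sample_store)
check_xcart_hardening "$store" || harden_store "$store"   # reports findings, then fixes them
check_xcart_hardening "$store"                            # now passes
```

The checker exits non-zero on any finding, so it can be run from cron or a deployment step to catch an install.php that was re-uploaded and forgotten.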

Finally, the last but not least security tip.

Log off when you walk away

If you are using your computer and need to walk away from it for whatever reason, even for just a few moments, log off from the admin area of your store or lock your workstation.
