X-Cart:Store Security

From X-Cart 4 Classic
Jump to: navigation, search


X-Cart makes it easy for nearly anyone with the desire to establish an e-commerce store to do so, however not everyone has the background knowledge to know to address security issues. Many store owners begin designing, adding products, and focusing on sales and SEO without ensuring that their x-cart e-commerce store is developed in a secure environment with a focus on security. Once established often x-cart store owners are not aware of what is required to maintain their x-cart in a manner that keeps it secure over time.

The purpose of this tutorial is to assist you in understanding:

  • The importance of X-Cart security
  • Hosting X-Cart in a secure environment
  • How to secure your X-Cart
  • Maintenance of X-Cart security

The importance of X-Cart security

Website security should always be a priority, but is absolutely crucial when dealing with e-commerce stores that transact and store sensitive customer data such as email addresses, phone numbers, addresses, and credit card information. Reading through the x-cart forums you will find many x-cart store owners who have had the misfortune of having their x-cart hacked/exploited. Having worked with x-cart since 2002, I’ve had many of those store owners come to me asking what can be done to fix their store, and I have repeatedly heard the common response that nobody had ever talked to them about security and they were unaware of anything that needed to be done. Believe me when I say that if you are not aware of what is required to secure and maintain your x-cart, it is by sheer luck that your x-cart has not been hacked or exploited and it is only a matter of time before you become a victim. That said, by reading this tutorial you are well on your way to understanding and performing x-cart security to keep you and your customers safe.

Hosting X-Cart in a secure environment

The environment on which your x-cart is hosted is the base for all security, and if your host and/or server is not secure, all the security settings on your x-cart are not going to keep you from being exploited. There are generally two types of hosting: a shared server where you purchase a plan with a host and they provide you space for your site to reside on a server with many other clients, or a dedicated server, which is a computer where you can host your site(s) exclusively (a VPS is essentially a combination allowing dedicated server privileges in an environment shared with less users than with shared hosting).

Secured Shared Hosting

The main benefits of shared hosting is the reduced cost available by sharing the server with other users, and having the server company manage the server security. These same benefits can also pose a security threat however, as the sites of other clients can jeopardize your security if their sites are breached, and if you rely on a server company to secure a server and they fail to do so correctly, you can find yourself in serious trouble. To combat these potential problems, it is imperative that you host with a trusted hosting provider who makes server security a priority. View our recommended X-Cart Hosting providers.

Dedicated unmanaged server

I unfortunately often see x-cart store owners establish or move to an unmanaged dedicated server without knowing the onus of security that falls on them in doing so. When working with an unmanaged server, you are responsible for ALL server security. This includes the configuration of all your server settings, as well as keeping your kernel, os, php/mysql, control panel, etc. up-to-date as new branches and patches are released. This is a daunting task for anyone not very experienced with server security, and is not recommended for the average user.

Dedicated managed server

Surprisingly, having a managed server does not necessarily mean your server is secure. When purchasing a managed plan, it is important to know what the server provider will and won’t do as part of your managed plan; it is not uncommon for someone to established a managed server and setup their site(s) thinking the host will take care of security, only to find their server exploited to which the server company responds saying they only perform security tasks upon request. If you rely on your host for a fully managed security package it is important that you work with a trusted hosting provider who takes security seriously, and ensure that all aspects of security are accounted for.

Server Management Companies

Personally, I recommend an unmanaged dedicated server package and then using the services of a server management company such as EZSM or ServerWizards. These companies will configure your initial security settings, put processes in place to manage your security, and keep your server up-to-date as upgrades and patches are made available.

How to secure your X-Cart

After securing the hosting environment, it is necessary to address security with x-cart itself. Taking the following steps will make great strides in securing your x-cart:

1. Ensure you have a secure https connection for your store using a valid SSL certificate.

For more details please refer to How do I set up secure login, registration and checkout in my X-Cart store?.

2. Do not use the "master" x-cart admin account. To change this, login using your "master" x-cart admin account, create a new administrator with a username that is less generic. Log in as that new user and delete the "master" user account.

3. Immediately password protect your admin and provider directories. You can usually password protect these directories using a control panel such as cPanel, or you can use .htaccess and .htpasswd files (Please find an example here, or run a quick google search if you are unsure how).

4. Be aware of your site’s file permissions, as having loose file permissions in conjunction with an exploit can allow someone to write and execute files on your website. This is a very common exploit against x-cart so take this seriously. In general your file chmod permissions should appear as follows:

File Type Permission

*.php 644

*.tpl 644

*.pl 755

*.sh 755

/catalog/ 777

/files/ 777

/images/ 777

/var/ 777

/var/* folders 777

/var/* files 666

For more details please refer to:

5. Do not store credit card information in your database. To disable, or to ensure that this setting is disabled, open your config.php file and ensure the $store_cc variable is set to false:

$store_cc = false;

6. It is always a good idea to log into your x-cart admin section using https so that the data you transact during the x-cart session is encrypted. The following code will force your x-cart admins/providers to login using httрs:// by redirecting them when httр:// is used.

Add this code to the .htaccess of your admin section (adjust your url):

# Force https on the admin section

RewriteEngine On

RewriteCond %{SERVER_PORT} !443

RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/admin/$1 [R=301,L]

Add this code to the .htaccess of your provider section (adjust your url):

# Force https on the provider section

RewriteEngine On

RewriteCond %{SERVER_PORT} !443

RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/provider/$1 [R=301,L]

7. The following .htaccess code, which can be placed in an .htaccess file in your store’s root directory (same directory as / and cart.php), will prevent access to sensitive areas of the x-cart file structure. If you are on a server that does not support .htaccess files, you will want to find alternate ways to block access to these files.

Options +SymlinksIfOwnerMatch -Indexes

RewriteEngine on

# Block access to sensitive directories

RedirectMatch permanent ^.*/.pgp/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/patch..*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/sql/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/schemes/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/skin1_original/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/Smarty.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/upgrade/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive file types

RedirectMatch permanent ^.*.(ini|tpl|sql|log|conf|bak)$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive files

RedirectMatch permanent ^.*/COPYRIGHT http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/INSTALL.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/NEW.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/README http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/UPGRADE.*$ http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/VERSION http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/include/version.php http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/config.php http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/top.inc.php http://www.yourdomain.com/x-cart-path/error_message.php

RedirectMatch permanent ^.*/install.php$ http://www.yourdomain.com/x-cart-path/error_message.php

X-Cart 4.4or above
Note: If you are using X-Cart 4.4, replace this line:
RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

with the following lines:

<FilesMatch !"\.(css|js)$">
RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
Otherwise the speed-up tool for Javascript and CSS will not work!
Note: Change http://www.yourdomain.com/x-cart-path/ to the url to your error_message.php file.

8. Security for nginx/IIS (htaccess not-compatible) web servers:
For nginx/IIS web servers which do not use htaccess files, it is strongly recommended to move the rules from the following folders:

  • xcart/.htaccess
  • xcart/var/.htaccess
  • xcart/var/cache/.htaccess
  • xcart/var/tmp/.htaccess
  • xcart/var/log/.htaccess

to the configuration files of these servers, for example, nginx.conf on nginx web servers.
Optionally, you can also move there the htaccess rules from the paragraphs 6 and 7 of X-Cart:Store_Security#How_to_secure_your_X-Cart.

How do I set up secure login, registration and checkout in my X-Cart store?

Firstly, you should obtain an SSL certificate and have it properly installed and configured on your web server.

The majority of hosting companies help their customers to purchase SSL certificates or provide their own Shared SSL URLs. If your hosting company doesn't render such services, you will need to purchase a certificate on your own.

We will be glad to assist you with this issue. You can purchase SSL certificates from our company. We sell SSL certificates provided by the world's leading Certification Authority, Comodo Group. For details, conditions and prices, please see http://www.x-cart.com/ssl/.

If you are on a dedicated server, we can offer you our service on analyzing and configuring your server and/or install the SSL Certificate on it. Please note: we will need the 'root' access to your server over SSH or the 'Administrator' access over MS Remote Access Desktop to complete these tasks.

Secondly, once you have the SSL certificate installed and configured, you should configure the HTTPS server in X-Cart. To do it, modify the <xcart_dir>/config.php file and set the $xcart_https_host variable properly:

* X-Cart HTTP & HTTPS host and web directory
* This section defines the location of your X-Cart installation. If X-Cart is
* installed using Web installation, the variables of this section are
* configured via the Installation Wizard. If you install X-Cart manually, use
* this section to provide your web server details manually.
* $xcart_http_host - Host name of the server on which your X-Cart software is
* to be installed;
* $xcart_https_host - Host name of the secure server that will provide access
* to your X-Cart-based store via the HTTPS protocol;
* $xcart_web_dir - X-Cart web directory.
* The variables $xcart_http_host and $xcart_https_host must contain hostnames
* ONLY (no http:// or https:// prefixes, no trailing slashes).
* Web dir is the directory where your X-Cart is installed as seen from the Web,
* not the file system.
* Web dir must start with a slash and have no slash at the end. An exception to
* this rule is when you install X-Cart in the site root, in which case you need
* to leave the variable empty.
* $xcart_http_host ="www.yourhost.com";
* $xcart_https_host ="www.securedirectories.com/yourhost.com";
* $xcart_web_dir ="/xcart";
* will result in the following URLs:
* http://www.yourhost.com/xcart
* https://www.securedirectories.com/yourhost.com/xcart
* $xcart_http_host ="www.yourhost.com";
* $xcart_https_host ="www.yourhost.com";
* $xcart_web_dir ="";
* will result in the following URLs:
* http://www.yourhost.com/
* https://www.yourhost.com/

Finally, enable the secure checkout at your store by selecting the HTTPS protocol for the payment methods to be secure on the Payment Methods page. You can also adjust these HTTPS options on the 'General settings/Security options' page:

Optionally, if you need secure certain php scripts you should add https scripts to <xcart_dir>/https.php file, 'https_scripts' array. You can find some examples in <xcart_dir>/https.php file:

$https_scripts[] = 'login.php';
$https_scripts[] = array(

Optionally, if you want to switch the whole x-cart to secure mode edit https.php file. Find the line

function is_https_link($link, $https_scripts) {

and replace it with

function is_https_link($link, $https_scripts) {
return true;

Now, if your web server does not use SSL certificates, and you are running an HTTPS Proxy instead, you may need to make additional settings to enable your X-Cart work over SSL (secure connection). In the include/https_detect.php file, define the proxy IP address and set the $HTTPS variable to 'true':

if ($_SERVER['REMOTE_ADDR'] == '') {
$HTTPS_RELAY = true;
$HTTPS = true;

If you are not sure whether your web server uses SSL certificates or runs behind an HTTPS Proxy, contact your hosting service provider or server administrator or email our technical support - we will help you find that out.

If you experience problems with external services (payment / shipping) working over https while using curl/libcurl as the https module, try adding the following line to top.inc.php:



$xcart_dir = rtrim(realpath($xcart_dir), XC_DS);

How do I set up password protection for my X-Cart admin and provider areas?

Generally, the password protection can be done as follows (assuming that you want to use "abc123" and "123" as login/password):

1. In X-Cart Admin area, open the Summary page.

2. In the Environment info section, find and copy the X-Cart directory path (something like /home/user/www/xcart). You will need it a bit later.

3. Generate .htpasswd file.

If you have shell access to your hosting server and enter the following command:

htpasswd -c .htpasswd abc123

and then press Enter. Now enter the merchant key (password) two times.

Alternatively, you can use one of the on-line htpasswd generators to generate an entry for your .htpasswd file (for example http://www.htaccesstools.com/htpasswd-generator/), then copy the generated entry into your .htpasswd file.

So, the content of your .htpasswd file will look like:


4. Copy the .htpasswd file to the X-Cart's admin and provider directories.

5. Open admin/.htaccess and paste the following data to it:

AuthType Basic
AuthName "Restricted Admin Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/admin/.htpasswd
require valid-user

6. Open provider/.htaccess and paste the following data to it:

AuthType Basic
AuthName "Restricted Provider Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/provider/.htpasswd
require valid-user

Alternatively, you can password-protect the admin and provider areas using the password protection setup facility in the Control Panel of your hosting account.

Seven security features that you might not know yet


The mode of enhanced protection. It allows you to control from which IP addresses users can access your x-cart.

By default, it is disabled (set to FALSE). To turn it on, edit config.php file. Set this value:


to 'TRUE':


Immediately after you enable this mode, you must login to X-Cart Admin back end so that your own IP address is registered in the system. After that, no user will be able to log in to the Admin back end until you register their IP address: all login attempts will be denied and the users will get an error message.

If the login/password submitted by a user are correct (i.e. correspond to the login/password of an existing user, and this user belongs to a type with permissions to access this X-Cart zone), a request to register the user's IP address will be sent to X-Cart administrator email.

This notification will provide information about the time of the login attempt, the username and the IP address. This way you will be able to decide whether you should grant access to this user, and, if you choose to do so, will be able to grant access simply by clicking on a link in the email. As a result, the IP address will be registered in your store's list of allowed IP addresses.

More information:

System Fingerprints

X-Cart uses MD5 (Message-Digest algorithm 5) for data integrity control. Using this tool you can create lists of MD5 checksums of all the files in X-Cart installation directory and compare checksum lists generated at different periods of time to verify the integrity of your X-Cart files.

In X-Cart, a list of MD5 checksums of all the files is called "system fingerprint". The first system fingerprint in your store is generated automatically during x-cart installation.

Any system fingerprint can be compared with the current state of the store or with any other fingerprint. This process allows detecting any changes in /xcart directory. You get a list of files which have been modified, added or lost (removed from the system or renamed so they cannot be identified).

You can use this tool to track the changed and suspicious files. For ex, you think your store has been hacked. You get the full list of the changed files and check/repair them manually.

More information: X-Cart:System Fingerprints

Protection from CSRF attacks (cross site request forgery attacks)

There is a built-in protection from CSRF attacks. Each form in the backend has a unique identifier which ensures that this form is valid. This unique forms are used for the protection.

Unique form identifiers are generated within a user session and assigned to each x-cart page which is loaded in the user's browser and which contains an HTML form for submitting data via POST. The main purpose of these identifiers is to ensure authenticity of the form when the form is submitted by the user: if the submitted form contains a valid form identifier, the form is recognized as that generated by X-Cart in the current user's session, and therefore it detected as valid and safe for use. If there is no valid form identifier, the form is treated as suspicious and the submit process is canceled.

Information about the CSRF attacks: http://en.wikipedia.org/wiki/Cross-site_request_forgery

There are sooooo many web applications that just don't have such a protection :-(


It is possible to forbid calling X-Cart in IFRAME / FRAME tags.

If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can enable this option as an additional security measure. It prevents such attacks that the attackers display X-Cart through a frame and, using browser vulnerabilities, intercept the information entered in the form.

To enable this feature, edit the following line in config.php:

define("FRAME_NOT_ALLOWED", false);

Blowfish encryption (merchant key)

Blowfish data encryption (based on Merchant key) is more secure than the usual encryption method. In this method, you create a Merchant key - a password that allows you to encrypt the details of your customers' orders and to decrypt previously encrypted order details when you wish to view them.

Such a higher level of security is because the key, used to encrypt and decrypt order details, is not stored anywhere in the system. The only thing that is stored is an MD5 signature of the key. When you need to access the details of a certain order, you manually enter your Merchant key into a special form on the 'Order details' page. In the next session, you will have to re-enter the Merchant key to get access to order details.

So if somebody steals your database and all files, he will not be able to steal the credit card numbers anyway.

More information: X-Cart:Blowfish


PHPIDS (PHP Intrusion Detection System) is an open source PHP Web Application Intrusion Detection System. PHPIDS detects Cross-site scripting (XSS), SQL injection, header injection, Directory traversal, Remote File Execution, Local File Inclusion, Denial of Service (DoS). It is simple to use and well structured. It provides impact of every attack by analyzing any chosen input variables as POST, GET, SESSION, COOKIE. Find out more at http://phpids.org/


By default there's no IP-based limitations on accessing X-Cart admin area. To make your admin area more secure you can define IP-based restrictions by editing the $admin_allowed_ip parameter in the config.php file located in the X-Cart root directory as shown below.


$admin_allowed_ip = ",";

This will make the access limited to users from IP addresses and

Maintaining X-Cart security

A big mistake I see with users of software is thinking they can setup the software and run the software for an indefinite period of time. It is imperative with x-cart, and all software you run for that matter, that you apply security patches and upgrade as new releases are available. While the patches and upgrades do require time and/or money to apply, neglecting to do so can be potentially fatal to your business and they need to be made a priority.

X-Cart provides security and release bulletins that you can sign up for in your X-Cart Account. Be sure to sign-up for these bulletins and stay on top of your security.

Hint: If you need to walk away from your computer for whatsoever reason even for just a few moments, log off from the admin area of your store or lock your workstation.

See also

Article copyright 2007 WebsiteCM.com http://www.websitecm.com/x-cart-tutorials/x-cart-security/