The Zen Cart® software is made available to you for use, additions, changes, modifications, etc. without charge, under the GNU General Public License. While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store. Donations can be made at: The Zen Cart® Team Page We appreciate your support. The Zen Cart® Team
Zen Cart® is derived from: Copyright 2003 osCommerce This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE and is redistributable under the GNU General Public License
This software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.
Unless you take extra steps to secure your internet connection, you are working in an unsecured environment. Before you make administrative modifications to secure Zen Cart® and its database, you need to equip yourself with secure ways to make these modifications. Otherwise, if someone is watching/listening to the information you transmit, it might not be long before your private business information becomes public. The bare minimum you should have is access to shared SSL services from your hosting company.
The preferred option is to have a dedicated SSL certificate for your store, as it is more professional in appearance than the use of a shared certificate. There will be an expense incurred to obtain a dedicated SSL certificate and a dedicated IP address in your hosting account.
Instead of using regular FTP to access your server's files, it would be wise (if your hosting company offers FTPS support) to use a program that offers FTP over SSL/TLS. This method will encrypt the information you transmit and receive. This is important especially when you are downloading database backups or configuration files which contain usernames and passwords, etc.
If your hosting company does not offer SFTP or FTPS, then they are most likely not PCI Compliant either, and you should be choosing a different hosting company who takes security seriously.
After you've installed your site and are satisfied that it's working properly, including actually doing live transactions to test ALL the payment and shipping modules you're using on your site, it's important to do some cleanup:
REMOVE THE FOLLOWING FOLDERS (and all the files inside them), TO MINIMIZE SECURITY RISKS:
Optional: Additionally, *IF* you have no intentions of supporting downloadable products or music-media products, you can *also* remove these folders:
Renaming the "admin" folder makes it much harder for would-be hackers to get into your admin area.
(Before making the following changes, make sure to have a current backup of your files and your database.)
A- Find your Zen Cart /admin/ directory, using your FTP software or your webhost File Manager. Rename the directory.
B - To log in to your admin system you will now have to visit a new URL that matches the new name used in step A above. For example, instead of visiting http://www.example.com/admin/ visit http://www.example.com/NeW_NamE4u/.
Go to Admin->Configuration->Email Options, and change your Email Transport Protocol to SMTPAUTH, and then fill in all the SMTP credentials in the other settings lower on that same screen.
This will not only help prevent outgoing emails from ending up in spam folders, but will also prevent the disclosure of your admin foldername when sending emails from your admin screens.
It's important that you set permissions on the two configure.php files as read-only. Typically this means setting them to "644", or in some cases "444".
The configure.php files are located in:
/<YourStoreFolder>/includes/configure.php
/<YourStoreFolder>/renamed_admin/includes/configure.php
Quite often, setting permissions on a file to read-only via FTP will not work. Even if the permission looks like it was set to read-only, it really may not have been. You must verify the correct setting by entering the store and checking whether there is a warning message at the top of the screen: "Warning: I am able to write to the configuration file:..." If you see that warning, you will need to use the "File Manager" supplied with your webhosting account.
If you're using a Windows server, simply set the file as Read-Only for Everyone, and especially for the IUSR_xxxxx (Internet Guest Account) user if running IIS, or for the System account or the apache user if running Apache.
Admin->Admin Access->Admin Users: In your admin area, open the Admin Access menu and choose Admin Users. Check for any unused admin accounts and delete them, especially the "Demo" account, if it exists.
It is wise to use complicated passwords so that a would-be hacker cannot easily guess them. You can change your admin password by going to Admin->Admin Access->Admin Users and clicking on the "Reset Password" button.
We recommend that you use passwords that are at least 8 characters long. Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps too. If you are going to use normal words it is a good idea to join together two normal words that don't normally go together.
It is wise to observe caution while working in your admin area:
After you have finished editing your define pages (Admin->Tools->Define Pages Editor), you should protect them:
A. Download a copy of them to your PC using your FTP software. They are located in the /includes/languages/english/html_includes/ folder and subfolders.
B. Make them CHMOD 644 or 444 (i.e. "read-only"). See the notes above on CHMOD. This applies to /includes/languages/english/html_includes and all files/folders underneath it. (Note: on "some" hosts, you must use at least 645 or 555 in order for the contents to still display.)
If you make them read-only, then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the read-only status, which is more complicated. NOTE: Of course, once you set them read-only, then you'll need to go and set them back to read-write before making additional changes using the define-pages editor, or uploading replacements via FTP, and then read-only again when done.
In several folders, there are .htaccess files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to "any" .PHP scripts, since it's expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security. If you delete these files, you run the risk of leaving yourself open to people snooping around.
There are also some semi-"blank" index.html files in several folders. These files are there to protect you in case your FTP software won't upload .htaccess files, or your server won't accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It's a good "alternative", although using .htaccess files in ALL of these folders is the better choice, for servers that accept them.
In order for the .htaccess settings supplied with Zen Cart® to work, your host must include either 'All' or all of the 'Limit', 'Options' and 'Indexes' parameters in the AllowOverride configuration in the server's apache/conf/httpd.conf file. Some hosts don't like to let you use the OPTIONS directive, so you'll need to leave that line out or put a # in front of it.
If your webhost configuration doesn't allow you to create/use your own .htaccess files, sometimes they provide an interface in your hosting admin control panel where you can set the desired .htaccess settings.
It is recommended that you work with your host to configure these settings if this is the method they require. You need to choose -- and use -- the appropriate method for your server. As mentioned above, it's best to work with your web hosting company to select and implement the best method for your specific server. We can't tell you what to use for your specific server, but we offer these guidelines as a starting point.
On Linux/Unix hosts, generally, permission-setting recommendations for basic security are:
On Windows hosts, setting files read-only is usually sufficient. You should double-check that the Internet Guest Account has limited (read-only) access.
The folders for which installation suggests read-write access for setup are these. If your site supports .htaccess protection, then you should use it for these folders. (The .htaccess files included with v1.3.9 and newer should already cover the basics.)
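The following POSIX shell audit is an added example and is not part of the Zen Cart® distribution. It pulls together three checks from the sections above: that the original "admin" folder has been renamed away, that both configure.php files carry no group or world write bits (the condition behind the "I am able to write to the configuration file" warning), and that directories which should not be browsable contain a .htaccess or, as the weaker fallback, an index.html. The store path, the directory list passed to the last check, and the .htaccess contents written by write_htaccess are constructed for illustration; the deny block uses the Apache 2.2 Order/Deny syntax that the 'Limit' override on this page refers to.

```shell
#!/bin/sh
# Added example (not Zen Cart's own code): audit a store directory for
# the rename-admin, configure.php permission and .htaccess checks above.
# Paths and the directory list in the usage block are constructed.

# First ten columns of "ls -ld", e.g. "-rw-r--r--" (ignores ACL/SELinux marks).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if no directory named "admin" remains at the store root, else 1.
check_admin_renamed() {
    if [ -d "$1/admin" ]; then
        echo "FOUND: $1/admin still exists; rename it as described above"
        return 1
    fi
    echo "ok: no directory named admin under $1"
    return 0
}

# Return 0 if every configure.php (catalog and renamed admin) has no group or
# world write bit, else 1. In the ls mode string column 6 is the group write
# bit and column 9 the world write bit; 644 and 444 both pass, 664/666 fail.
check_configure_readonly() {
    status=0
    for f in "$1"/includes/configure.php "$1"/*/includes/configure.php; do
        [ -f "$f" ] || continue
        mode=$(perm_string "$f")
        case "$mode" in
            ?????w????|????????w?)
                echo "WRITABLE ($mode): $f"
                status=1 ;;
            *)
                echo "read-only for group/others ($mode): $f" ;;
        esac
    done
    return $status
}

# Return 0 if each directory given as an argument holds a .htaccess or an
# index.html, else 1. Only .htaccess can also refuse direct .php requests;
# a bare index.html merely hides the directory listing.
check_directory_protection() {
    status=0
    for d in "$@"; do
        if [ -f "$d/.htaccess" ]; then
            echo "htaccess: $d"
        elif [ -f "$d/index.html" ]; then
            echo "index.html only (listing hidden, PHP still executable): $d"
        else
            echo "UNPROTECTED: $d"
            status=1
        fi
    done
    return $status
}

# Write a minimal .htaccess into directory $1: no directory listings, and no
# direct requests for .php files. Needs AllowOverride to include Options and
# Limit (Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for Order/Deny).
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
EOF
}

# Usage: sh audit.sh /path/to/store   (directory list below is illustrative)
if [ -n "$1" ]; then
    check_admin_renamed "$1"
    check_configure_readonly "$1"
    check_directory_protection "$1/images" "$1/includes" "$1/cache"
fi
```

The mode-bit test is deliberately independent of the user running the script: a plain `[ -w ]` test would report a 444 file as writable when run as root, and would say nothing about the web server account, whereas the group/world bits are what decide whether a PHP process running as a different user can modify the file.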
To stop the browser from printing a URL (which discloses your Admin foldername) on the invoice or any other document on the web, follow these steps:
For Internet Explorer:
o Click on File, then Page Setup.
o In Page Setup, remove the two-character combination "&u" from the header or footer text box.
For Firefox:
o Click on File, then Page Setup.
o In the Page Setup window, click on the tab "Margins & Header/Footer". In the "Header & Footer" section, set all of the drop-downs to --blank-- (or at least remove all references to "Title" and "URL").
Copyright 2003 - 2013 Zen Ventures, LLC — Zen Cart® www.zen-cart.com