Regardless of whether you decided to think about the safety of your project before you were hacked or you think it might happen; you’re in the right place. We made a compiled list of actions and hints you can do to prevent a lot of hackers’ attacks.
Here’s a recap of the steps you need to make your website based on CS-Cart or Multi-Vendor more secure:
- Rename administration panel to a random path
We recommend setting up admin panel URL to a random and secure string like the password “
13frI2yHJF0hHEOqShvCE4QJ.php
“. Don’t use admin.php, secureadmin.php or similar names. - Ensure all passwords are strong and secure
If you haven’t yet done it, make sure that all passwords relating to your website, not just your CS-Cart admin password, are secure. Check if you are using strong passwords (https://www.lastpass.com/password-generator). Reset if needed.
- Add 2FA
You can also add two-factor authentication to your admin panel with our add-ons: 2FA by Google and 2FA by Duo to make it harder for hackers to create an account.
- Create strong access key to cron script
Make sure that your cron script access key is secure and hard to be brute-forced.
- Install SSL on your project and don’t ignore “Mixed content” warning
SSL will add a layer of security to your site and is free on our hosting. We install, update, and monitor all SSL certificates for no extra cost. If your hosting provider doesn’t provide SSL, you need to purchase it. Anyway, our solution contains free SSL. Let’s Encrypt SSL with strong security settings for all your domains.
Read more about Mixed content in What is Mixed Content? and Prevent Mixed Content. - Set up full HTTPS redirect for your website
Make full redirect to
https://
(SSL) connection for storefront and the admin panel. - Make “api_https_only” tweak to “true” value
Make changes to the “
config.local.php
” file in the root folder of your project. - Keep your CS-Cart, add-ons and themes updated
It’s important to keep your website up to date. Every time your theme, add-ons, or CS-Cart/Multi-Vendor itself are updated, you should run that update, as it will often include security and performance patches.
Contact us for an upgrade!
When you update your project, make sure you do it properly, creating a backup and testing updates on a development (staging) server if you have one. Our hosting solution includes free daily automated backups, and we can provide a development environment for all your sites with implemented CI/CD processes. - Don’t install insecure or nulled plugins and themes
When installing a CS-Cart add-on, make sure they’re compatible with your version and that you’re downloading them from an official resource or developer.
If you are buying our themes or add-ons, we guarantee a quality add-on supported by future versions. In case you need help, you always can contact us via our helpdesk system. - Hide your PHP version exposed via “X-Powered-By” header
Setting
expose_php = Off
just prevents the webserver from sending back the X-Powered-By header. Make changes to thephp.ini
file. - Hide NGINX and Apache version
– Add
server_tokens off;
to the “http” section of the NGINX configuration file.
– Add/modify/append the lines that contains “ServerTokens Prod
” and “ServerSignature Off
” at the end of the Apache2 configuration file. - Set up a firewall and extra security tools/checks
– Make string firewall settings, put the BasicAuth to the admin panel.
– Restrict SSH via make allow list of trusted IP addresses. - Remove all sensitive files from your project which shouldn’t be accessible
Remove
temp_dump.sql
,error_log
,test.php
files, etc. It can help attackers to get more information about your project. - Consider a security service or hire an information security specialist
An information security specialist in our time is the necessary specialist who provides security for your company or project. In case you don’t have a budget for it, migrate to our Cloud Hosting – we provide information security specialist as a part of our service.
Having your website hacked is an unpleasant experience. It means your site isn’t available for users, which could impact your business. You will have to take swift action, affecting your other activity.