
How To Make Your CS-Cart and Multi-Vendor Project Secure (14 steps)


Whether you decided to think about the security of your project before any incident, or you suspect one has already happened, you're in the right place. Below is a compiled list of actions and hints that will stop a large share of the common attacks on a store.

Here are the steps to take to make your website based on CS-Cart or Multi-Vendor more secure:

  1. Rename administration panel to a random path

    We recommend renaming the admin panel script to a random, unguessable name, for example 13frI2yHJF0hHEOqShvCE4QJ.php (generate your own value; don't reuse this one). Don't use admin.php, secureadmin.php or similar predictable names. This keeps automated scanners and credential-stuffing bots from finding your login page, but it is not a substitute for strong passwords and 2FA.

  2. Ensure all passwords are strong and secure

    If you haven't done it yet, make sure that all passwords relating to your website, not just the CS-Cart admin password (hosting control panel, SSH, database and FTP accounts), are strong and unique. Use a generator such as https://www.lastpass.com/features/password-generator and reset any password that is weak or reused. At a minimum, the CS-Cart and Multi-Vendor administrator password must contain both letters and numbers; in practice, use a long random password stored in a password manager.

  3. Add 2FA

    You can also add two-factor authentication to your admin panel with our add-ons, 2FA by Google and 2FA by Duo, so that a stolen or guessed password alone is not enough to log in.

  4. Create strong access key to cron script

    Make sure that the access key of your cron script is long and random, so that it cannot be guessed or brute-forced: anyone who knows the key can trigger the cron tasks. Set it in the "Access key to cron script" field in the CS-Cart and Multi-Vendor settings.
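Steps 1 and 4 both come down to "generate a secret nobody can guess and put it in the right place". The script below is an added example, not code from the page or from CS-Cart: it draws random hex tokens from the kernel CSPRNG, renames admin.php to one of them, and prints a second token to paste into the cron access key field. It assumes the store's web root is passed as the first argument and that its admin script is still called admin.php; where to paste the cron key is left to the admin panel settings.

```shell
#!/bin/sh
# Added example (not part of the page or of CS-Cart): generate the random
# secrets steps 1 and 4 call for, and apply the admin-panel rename.
# Assumptions: the store's web root is passed as $1 and its admin script is
# still called admin.php; the cron access key is pasted into the admin
# settings by hand.

# gen_token N : print N lowercase hex characters from the kernel CSPRNG.
# Hex is used because it is safe in URLs, file names and shell quoting.
gen_token() {
    n="${1:-24}"
    od -An -N"$(( (n + 1) / 2 ))" -tx1 /dev/urandom | tr -d ' \n' | cut -c1-"$n"
}

# rename_admin WEBROOT : move admin.php to <random>.php and print the new name.
# Refuses to overwrite anything and fails if admin.php is not there, so a
# second run does not silently rename an unrelated file.
rename_admin() {
    webroot="$1"
    [ -f "$webroot/admin.php" ] || { echo "no admin.php in $webroot" >&2; return 1; }
    new="$(gen_token 24).php"
    [ ! -e "$webroot/$new" ] || { echo "name collision, run again" >&2; return 1; }
    mv "$webroot/admin.php" "$webroot/$new"
    echo "$new"
}

# Only act when a web root is given, so sourcing the file has no side effects.
# Usage: sh rotate_secrets.sh /var/www/store   (path is an assumed example)
if [ "$#" -ge 1 ]; then
    echo "admin panel is now: $(rename_admin "$1")"
    echo "cron access key (paste into the cron access key setting): $(gen_token 32)"
fi
```

Write the new admin file name down somewhere safe before you close the terminal; it is the only copy, and the old admin.php URL stops working immediately.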

  5. Install SSL on your project and don’t ignore “Mixed content” warning

    SSL (TLS) encrypts the traffic between your visitors and your site, and it is free on our hosting: we install, renew and monitor Let's Encrypt certificates with strong security settings for all your domains at no extra cost. If your hosting provider doesn't provide SSL, you need to purchase a certificate. Once HTTPS is on, don't ignore "Mixed content" warnings: a page served over HTTPS that still loads scripts, styles or images over plain HTTP is exposed to tampering, and browsers block or flag it.

    Read more about Mixed content in What is Mixed Content? and Prevent Mixed Content.

  6. Set up full HTTPS redirect for your website

    Set up a full redirect from http:// to https:// for both the storefront and the admin panel, and enable the secure connection for the storefront and the administration panel in the CS-Cart and Multi-Vendor settings.

  7. Set the "api_https_only" tweak to "true"

    Edit the "config.local.php" file in the root folder of your project and set the api_https_only tweak to true. This tweak allows the API functionality to be used only over HTTPS, so API credentials are never sent over an unencrypted connection.

  8. Keep your CS-Cart, add-ons and themes updated

    It's important to keep your website up to date. Every time an update is released for your theme, your add-ons, or CS-Cart/Multi-Vendor itself, apply it promptly, as it will often include security and performance patches.

    Contact us for an upgrade!

    When you update your project, do it properly: create a backup first and test the update on a development (staging) server if you have one. Our hosting solution includes free daily automated backups, and we can provide a development environment with CI/CD processes in place for all your sites.

  9. Don’t install insecure or nulled plugins and themes

    When installing a CS-Cart add-on or theme, make sure it is compatible with your version and that you download it from an official resource or the developer. Nulled (pirated) copies often contain backdoors or malware.

    If you buy our themes or add-ons, we guarantee a quality add-on supported in future versions. In case you need help, you can always contact us via our helpdesk system.

  10. Hide your PHP version exposed via “X-Powered-By” header

    Set expose_php = Off in php.ini (and restart PHP-FPM or the web server) so that PHP stops adding the X-Powered-By header to every response. This only hides the version banner from casual scanners; it does not replace updating PHP.

  11. Hide NGINX and Apache version

    – Add server_tokens off; to the "http" section of the NGINX configuration file and reload NGINX.
    – Add or modify the lines ServerTokens Prod and ServerSignature Off in the Apache2 configuration file and restart Apache.
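Steps 6, 10 and 11 are all visible from outside, so they are easy to verify after each change. The script below is an added example, not code from the page or from CS-Cart: it reads a response captured with curl -sI against the plain http:// URL and reports whether the request was redirected to https://, whether X-Powered-By is still present, and whether the Server header still carries a version number. The two sample responses inside it are constructed for the example; the example.com host name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page or CS-Cart): check a captured HTTP response
# for the three things steps 6, 10 and 11 say should be true of your host.
# Capture the real thing with:  curl -sI http://YOUR-DOMAIN/ > headers.txt
# (plain http:// on purpose, to see whether it redirects to https://).
# The two sample responses below are constructed for this example.

# audit_headers FILE : print one line per finding; return value = number of findings.
audit_headers() {
    f="$1"; n=0

    # Step 6: the plain-HTTP request must be answered with a redirect to https://
    status="$(head -n 1 "$f" | tr -d '\r')"
    case "$status" in
        *" 30"[1278]*) ;;
        *) echo "no redirect from plain HTTP: $status"; n=$((n + 1)) ;;
    esac
    loc="$(grep -i '^location:' "$f" | head -n 1 | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//')"
    case "$loc" in
        https://*) ;;
        *) echo "redirect target is not https: '${loc:-<none>}'"; n=$((n + 1)) ;;
    esac

    # Step 10: expose_php = Off removes this header entirely
    if grep -qi '^x-powered-by:' "$f"; then
        echo "PHP version exposed: $(grep -i '^x-powered-by:' "$f" | head -n 1 | tr -d '\r')"
        n=$((n + 1))
    fi

    # Step 11: server_tokens off / ServerTokens Prod leave "nginx" or "Apache" with no version
    srv="$(grep -i '^server:' "$f" | head -n 1 | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//')"
    case "$srv" in
        *[0-9].[0-9]*) echo "web server version exposed: $srv"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: what a host looks like before steps 6, 10 and 11.
leaky_sample() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: the same host after the three steps.
hardened_sample() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.com/\r\nContent-Length: 0\r\n\r\n'
}

# sample_findings NAME : run the audit on one of the constructed samples and print the finding count.
sample_findings() {
    tmp="$(mktemp)"
    "$1" > "$tmp"
    audit_headers "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Usage: sh audit_headers.sh headers.txt
if [ "$#" -ge 1 ]; then
    audit_headers "$1" || echo "$? finding(s)"
fi
```

Run it against both the storefront and the renamed admin URL; the redirect in step 6 has to cover both, and a CDN or load balancer in front of the store may add its own Server header that needs separate treatment.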

  12. Set up a firewall and extra security tools/checks

    – Configure strict firewall rules, and put HTTP Basic Auth in front of the admin panel as an extra layer on top of the CS-Cart login.
    – Restrict SSH access to an allow list of trusted IP addresses.

  13. Remove all sensitive files from your project which shouldn’t be accessible

    Remove files such as temp_dump.sql, error_log, test.php and similar leftovers from the web root. Anyone can download them, and they tell an attacker a lot about your project (database structure and data, server paths, error details).
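A quick way to catch such leftovers before they go live is to scan the web root on every deploy. The script below is an added example, not code from the page or from CS-Cart; its name patterns are an assumption built from the page's examples (temp_dump.sql, error_log, test.php) plus common editor backups and version-control metadata, and the /var/www/store path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page or CS-Cart): find the kind of leftover files
# step 13 talks about inside a web root. The name patterns are an assumption
# built from the page's examples (temp_dump.sql, error_log, test.php) plus the
# usual editor backups and version-control metadata; extend them for your setup.

# find_sensitive WEBROOT : print one path per line for every suspicious file or directory
find_sensitive() {
    root="$1"
    # Dumps, logs and stray scripts reveal schema, credentials or server paths.
    find "$root" -type f \( \
        -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.zip' \
        -o -name 'error_log' -o -name 'test.php' -o -name 'phpinfo.php' \
        -o -name '*.bak' -o -name '*.orig' -o -name '*~' -o -name '*.swp' \
        -o -name 'config.local.php.*' \
    \) -print
    # A reachable .git or .svn directory hands out the whole source tree and its history.
    find "$root" -type d \( -name '.git' -o -name '.svn' \) -print
}

# count_sensitive WEBROOT : number of findings, usable as a deploy-time gate
count_sensitive() {
    find_sensitive "$1" | wc -l | tr -d ' '
}

# Usage: sh check_files.sh /var/www/store   (path is an assumed example)
if [ "$#" -ge 1 ]; then
    find_sensitive "$1"
    echo "$(count_sensitive "$1") sensitive item(s) found"
fi
```

Deleting the files is the fix the page asks for; as a second layer, the web server should also refuse to serve these patterns, so that a file forgotten by the next deploy is still not downloadable.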

  14. Consider a security service or hire an information security specialist

    Today an information security specialist is a necessary role for any company or project that handles customer data and payments. If you don't have the budget for one, migrate to our Cloud Hosting: we provide an information security specialist as part of our service.

Having your website hacked is an unpleasant experience. Your site becomes unavailable to customers, which hurts your business, and you will have to take swift action that disrupts your other work.
