How To Make Your CS-Cart and Multi-Vendor Project Secure (14 steps)

Roman Ananev
14 Steps to make your CS-Cart more secure

Regardless of whether you decided to think about the safety of your project before you were hacked or you think it might happen; you’re in the right place. We made a compiled list of actions and hints you can do to prevent a lot of hackers’ attacks.

Here’s a recap of the steps you need to make your website based on CS-Cart or Multi-Vendor more secure:

  1. Rename administration panel to a random path

    We recommend setting up admin panel URL to a random and secure string like the password “13frI2yHJF0hHEOqShvCE4QJ.php“. Don’t use admin.php, secureadmin.php or similar names.

  2. Ensure all passwords are strong and secure

    If you haven’t yet done it, make sure that all passwords relating to your website,Β not just your CS-Cart admin password,Β are secure. Check if you are using strong passwords ( Reset if needed.Secure CS-Cart amd Multi-Vendor administrator password must contain both letters and numbers

  3. Add 2FA

    You can also add two-factor authentication to your admin panel with our add-ons: 2FA by Google and 2FA by Duo to make it harder for hackers to create an account.

  4. Create strong access key to cron script

    Make sure that your cron script access key is secure and hard to be brute-forced.
    String access key to cron script in CS-Cart and Multi-Vendor

  5. Install SSL on your project and don’t ignore “Mixed content” warning

    SSL will add a layer of security to your site and is free on our hosting. We install, update, and monitor all SSL certificates for no extra cost. If your hosting provider doesn’t provide SSL, you need to purchase it. Anyway, our solution contains free SSL. Let’s Encrypt SSL with strong security settings for all your domains.

    Read more about Mixed content in What is Mixed Content? and Prevent Mixed Content.

  6. Set up full HTTPS redirect for your website

    Make full redirect to https:// (SSL) connection for storefront and the admin panel.Enable secure connection for the storefront and the administration panel in CS-Cart and Multi-Vendor

  7. Make “api_https_only” tweak to “true” value

    Make changes to the “config.local.php” file in the root folder of your project.
    Tweak: Allows the use the API functionality only by the HTTPS protocol

  8. Keep your CS-Cart, add-ons and themes updated

    It’s important to keep your website up to date. Every time your theme, add-ons, or CS-Cart/Multi-Vendor itself are updated, you should run that update, as it will often include security and performance patches.

    Contact us for an upgrade!

    When you update your project, make sure you do it properly, creating a backup and testing updates on a development (staging) server if you have one. Our hosting solution includes free daily automated backups, and we can provide a development environment for all your sites with implemented CI/CD processes.

  9. Don’t install insecure or nulled plugins and themes

    When installing a CS-Cart add-on, make sure they’re compatible with your version and that you’re downloading them from an official resource or developer.

    If you are buying our themes or add-ons, we guarantee a quality add-on supported by future versions. In case you need help, you always can contact us via our helpdesk system.

  10. Hide your PHP version exposed via “X-Powered-By” header

    Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header. Make changes to the php.ini file.

  11. Hide NGINX and Apache version

    – Add server_tokens off; to the “http” section of the NGINX configuration file.
    – Add/modify/append the lines that contains “ServerTokens Prod” and “ServerSignature Off” at the end of the Apache2 configuration file.

  12. Set up a firewall and extra security tools/checks

    – Make string firewall settings, put the BasicAuth to the admin panel.
    – Restrict SSH via make allow list of trusted IP addresses.

  13. Remove all sensitive files from your project which shouldn’t be accessible

    Remove temp_dump.sql, error_log, test.php files, etc. It can help attackers to get more information about your project. Read more here.

  14. Consider a security service or hire an information security specialist

    An information security specialist in our time is the necessary specialist who provides security for your company or project. In case you don’t have a budget for it, migrate to our Cloud Hosting – we provide information security specialist as a part of our service.

Having your website hacked is an unpleasant experience. It means your site isn’t available for users, which could impact your business. You will have to take swift action, affecting your other activity.

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on pocket

Tired of solving complicated hosting issues? Focus on your business with complete peace of mind!

Save time, money and effort on hosting work!

Black Friday 2020

Big Sale starts on Nov. 25