Welcome to Zen Cart®

Dear Zen Cart® User,

Zen Cart® is made available to you for your use, addition, changes, modification, etc. without charge, under Version 2 of the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated, each time you install a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online E-Commerce store.

Donations can be made on the Zen Cart® Team Page

We appreciate your support.
The Zen Cart® Team

Zen Cart® Site Security

Leveraging Resources on the Zen Cart® Website

The Zen Cart® Team, along with Zen Cart® Users and Contributors, regularly update security recommendations on the Zen Cart® Website.

You may wish to also consult recommendations posted on the Zen Cart® Website.

SSL Protection

A Secure Sockets Layer (SSL) connection is the standard security technology for establishing a secure and encrypted connection between a web server and a browser. This requires a SSL certificate from your web hosting provider or a third party certificate provider.

The preferred would be to have a dedicated SSL certificate but there may be additional expense involved in obtaining this. As a bare minimum, you should use a shared SSL certificate provided by your web hosting provider.

Accessing your Site Files Securely

Instead of using regular FTP to access your server files, it is advisable to use an FTP program that allows Secure FTP (SFTP or FTPS).

This method will encrypt the information you transmit and receive. This is important especially when you are downloading database backups or configuration files which contain usernames and passwords, etc.

If your web hosting provider does not support Secure FTP, you may wish to consider a web hosting provider that takes security seriously.

^^ Back to Top ^^

Securing your Zen Cart® Store

Remove Extra Folders from your Server after Install

It is important that after you have installed your Zen Cart® Store and are satisfied that it is working properly, including test transactions to test ALL the payment and shipping modules you are using.

    Remove the following folders and all the files inside them, to minimize security risks:
  • /docs
  • /extras
  • /zc_install
  • /install.txt

It is safe to keep these files on your Local PC, since they can be used as references/documentation, or used to aid in troubleshooting as diagnostic tools, or for upgrading/installing again in the future. However, those folders and files should NOT be on a live webserver.

    If you have no intentions of supporting downloadable products or music-media products, you can optionally also remove these folders:
  • /download
  • /media
  • /pub

You will need to go to Admin->Configuration->Attribute Settings->Enable Downloads, and set it to False to turn off the warning message about the missing download folder.

If you choose to add downloadable products to your site or music-products, you will want to re-upload these appropriate folders (and their contents) to your server again, and assign appropriate permissions.

Use "SMTPAUTH" or "SMTP" as your Email Transport Method Instead of the Generic "PHP" Setting

Go to Admin->Configuration->Email Options, and change your Email Transport Protocol to SMTPAUTH, and then fill in the SMTP Credentials in the other settings lower on that same screen.

This will not only help prevent outgoing emails from ending up in spam folders, but will also prevent the disclosure of your admin foldername when sending emails from your admin screens.

Set Configure.php Files as "Read Only"

It is important that you set permissions on the two configure.php files as Read Only. Typically this means setting them to "644", or in some cases "444".

    The configure.php files are located in:
  • /<YourStoreFolderName>/includes/configure.php
  • /<YourStoreFolderName>/<RenamedAdminFolderName>/includes/configure.php

Quite often, setting permissions on a file to read only via FTP will not work. Even if the permission looks like it was set to read only, it really may not have been.

Verify the correct setting by accessing the store to see if there is a warning message on the top of the screen: "Warning: I am able to write to the configuration file:...". In such cases, you will need to use the "File Manager" supplied by your web hosting provider.

If you are using a Windows server, simply set the file as "Read Only for Everyone" and especially the IUSR_xxxxx (Internet Guest Account) user if running IIS, or the "System Account" or "Apache User" if running Apache.

Delete Unused Admin Accounts

In your ADMIN AREA, open the "Admin Access" menu and choose "Admin Users".

Delete any unused admin accounts. Especially the "Demo" account, if it exists.

Maintain Admin Password Security

It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.

You can change your admin password in Admin->Admin Access->Admin Users, and click on the "Reset Password" button.

We recommend that you use passwords that are at least 8 characters long. Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps.

If you are going to use normal words, it is a good idea to join two words that do not normally go together.

Admin Access Protection

    Exercise caution while working in your admin area:
  • Use only one browser tab to access your ADMIN AREA
  • Do not visit other sites when you have an active admin session, even if it is in another browser tab
  • Always log out of your ADMIN AREA when not using it

Protect "define pages" in "html_includes"

    Protect define pages (Admin->Tools->Define Pages Editor) after editing:
  • Download a copy to your Local PC using your FTP software.
    1. They are located in the /includes/languages/english/html_includes/ folder and subfolders.
  • Make them CHMOD 644 or 444 (ie: "Read Only").
    1. /includes/languages/english/html_includes – and all files/folders underneath
    2. With some web hosting providers, you must use at least CHMOD 645 or CHMOD 555 for pages to display
    If you make them "Read Only", then a would-be hacker cannot edit them if they gain access to your system, unless they can get permissions to change the "Read Only" status, which is more complicated.
  • Once you set them "Read Only", you will need to go and set them back to "Read/Write" before making additional changes using the define-pages editor, or uploading replacements via FTP, and then set back as "Read Only" again when done.

Use ".htaccess" Files to Protect against Snooping

Several folders, contain are ".htaccess" files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to "any" .PHP scripts, since it is expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly.

If you delete these files, you run the risk of leaving yourself open to people snooping around.

    There are also some blank index.html files in several folders.
  • These files are there to protect you in case your FTP software would not upload ".htaccess" files, or your server would not accept them.
  • These only prevent directory browsing, and do not stop execution of .PHP files.
  • This is a good "alternative", although using .htaccess files in all of these folders is the better choice for servers that accept these.

In order for the .htaccess settings supplied with Zen Cart® to work, your web hosting provider must include either "All" or all of these: "Limit Options Indexes" parameters to the "AllowOverride" configuration in the server apache/conf/httpd.conf file.

If your web hosting provider does not allow setting the "OPTIONS" directive, you will need to leave that line out or put a "#" in front of it.

If your web hosting provider does not allow you to create/use your own .htaccess files, they may provide an interface in your hosting control panel where you can set the desired .htaccess settings. Work with your web hosting provider to configure these settings if this is the method they require.

Your web hosting provider may use web serving software, such as Nginx, which do not use .htaccess files.

In the case of Nginx, directives equivalent to the .htaccess rules are provided after installation of Zen Cart® to serve as a start point. These can be found in the "/<YourStoreFolderName>/zc_install/nginx_conf/" folder.

It is best to work with your web hosting provider to select and implement the best method for your specific server.

You need to choose, and use, the appropriate method for your server. We cannot tell you what to use for your specific server, but we offer these guidelines as a starting point.

Protect your "images" and other Folders

During initial installation, you are advised to set your images folder to "Read/Write", so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.

However, leaving the images (or any other) folder in read/write mode means that hackers might be able to put malicious files in this (or other) folder(s) and thus create access points from which to attempt nasty exploits.

    Hence, once your site is built and your images have been created/loaded, you should increase the permission setting from "Read/Write" to "Read Only".
  • On Linux/Unix hosts, permission setting recommendations for basic security are:
    1. Folders and Directories: CHMOD 755
    2. Files: CHMOD 644
  • On Windows hosts, setting files as "Read Only" is usually sufficient.
    • Double check that the Internet Guest Account has limited ("Read Only") access.

The folders for which installation suggests "Read/Write" access for setup areoutlined below.

If your site supports .htaccess protection, then you should use it for these folders. (The ".htaccess" files included with v1.3.9 and newer should already cover the basics.)

  • /cache
    1. This is used to cache database information.
    2. The BEST security protection for this is to move it to a folder "above" the webroot (public_html or htdocs or www) area, so that it is not accessible via a browser.
    3. This requires changes to DIR_FS_SQL_CACHE setting in both configure.php files as well as the setting in the ADMIN AREA for the Admin->Configuration->Sessions->Session Directory.
  • /images
    • This is discussed earlier in this article.
  • /includes/languages/english/html_includes
    • This is discussed earlier in this article.
  • /logs
    1. This is used to cache database information.
    2. The BEST security protection for this is to move it to a folder "above" the webroot (public_html or htdocs or www) area, so that it is not accessible via a browser.
    3. This requires changes to DIR_FS_SQL_CACHE setting in both configure.php files as well as the setting in the ADMIN AREA for the Admin->Configuration->Sessions->Session Directory.
  • /media
    1. This is only suggested "Read/Write" for the sake of being able to upload music product media files via the admin.
    2. Could be done by FTP as an alternative.
  • /pub
    1. This is used on Linux/Unix hosts to have downloadable products made available to customers via a secure delivery method which does not disclose the 'real' location of files/data on your server.
    2. This is to prevent the sharing of links by your customers that enable unauthorised downloads from your site.
  • /admin/backups
    1. Optional.
    2. This is used by the backup module to store database backups.
  • /admin/images/graphs
    1. This is used by Admin->Tools->Banner Manager for updating and displaying bar graphs related to banner usage.
    2. If not writable, this feature is ignored.

Remove Print URLs from Browser Headers

    Stop your browser from printing a URL (which discloses your ADMIN folder name) on invoices:
  • On Internet Explorer:
    1. Click on "File" then "Page Setup".
    2. At page setup, remove this two character combination: "&u" from the header and/or footer text box.
  • On Firefox:
    1. Click on "File" then "Page Setup".
    2. In the "Page Setup" window, click on the "Margins & Header/Footer" tab.
    3. In the "Header & Footer" section, set all of the drop downs to --blank--.
    4. Remove all references to "Title" and "URL" if they appear.

Things to Check Regularly

Be sure you have done all the steps listed in this document

    Keep good backups of your website files and database (frequently)
  • Backup the database over a secure connection (ie: if you are using phpMyAdmin to backup, then make sure you are using HTTPS addresses in your URLs).
  • Backup the website files over a secure connection (If you are copying files via FTP, be sure to use Secure FTP).
  • Store the backed up database and website files into an encrypted file.
    1. You should NOT keep your backups on your server. If you do however, encrypt them securely.
    2. Ask your web hosting provider for advice.
    Check your server errorlog regularly for odd or suspicious activity (Your hosting control panel should give you access to the Apache error_log)
  • Look for links that lead to pages outside your site
  • Look for links where "http" appears after "index.php"

Check your website files regularly to be sure nothing has been added or altered

Ask your web hosting provider what they have done to be sure the server you are on is safe and secure so that outsiders cannot do any harm, and so that other websites on your server cannot be used to get to your site and cause any harm (in case they have security holes in them)

If your business warrants, or you still want additional assurance (if running ther scripts outside of Zen Cart®), hire a security consultant to audit your site regularly.

Check your Zen Cart /cache/ folder for leftover files that do not belong there.

Check your Zen Cart /logs/ folder for "myDebug-XXXXX.log" files to see whether any errors are happening which need to be fixed. Delete the log files after you have addressed the errors.

^^ Back to Top ^^

Help and Support

For additional help and support, visit the Zen Cart® FAQ and the Zen Cart® Support Forum.

Zen Cart® is derived from: Copyright 2003 osCommerce

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under Version 2 of the GNU General Public License.

O S I Certified
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Copyright 2003 - 2018 Zen Ventures, LLC

Zen Cart®
www.zen-cart.com