Hacking

Hello Joe,

I am almost ready to move to Dreamhost. My stance was to transport my e-commerce site to Dreamhost only when I have sorted the hacking challenge I had. I did not want to take the problem along to the new host.

In the meantime I have learned a lot in preventing hacking and made OpenCart more secure. I do not think there is a 100% way to prevent hacking, we can only make it more difficult.

What have I learned:

  1. Open source is more likely to be hacked, specifically when hackers know how to access the backend. Most backends start with admin after the URL. I have taken a couple of steps to make it more secure.

  2. I have hidden the backend by changing it to a new file name. When this is done a couple of changes has to be make in the config.php file as well. This has to be remembered when updating software.

  3. Secondly, I have used php to deny/allow IP-addresses. Only my IP addresses are set in the htaccess file for access on the admin section.

  4. Thirdly, I have changed all passwords.

  5. Fourthly, all suspected customer IP adresses have been blocked. In my case it was even easier, because the products are only relevant to South Africa. One has to be careful not to block Google robots for obvious reasons. Unrelated robots were blocked as well.

  6. I have even changed the ftp details. I do consider to hide the catalogue as well. Then I will consider 2FA, though I have learned customers does not like complicated processes.

  7. I am going to upgrade the software to the latest version. Once I have done it successfully I will migrate to Dreamhost. This part is done on our test website.

I have learned that Dreamhost also have some OpenCart specialist who can assist me if needed in future. Daniel Kerr is the owner of OpenCart. Unfortunately, when you ask for support you may end up with any person in that community. This probably was part of the hacking of our website.

At least I can say now that I successfully beaten these hacker. I will give them a final blow when migrating to Dreamhost. Why? All ftp will change as well as the shop name. I consider to remove credentials.

This was a steep learning curve and now I am happy that it has happened, before I was swearing at these hackers. Probably this was the best way to learn.

Kind regards

2
5 replies