X-Cart makes it easy for nearly anyone with the desire to establish an e-commerce store to do so, but not everyone has the background knowledge to know how to address security issues. Many store owners begin designing, adding products, and focusing on sales and SEO without ensuring that their X-Cart e-commerce store is developed in a secure environment with a focus on security. Once the store is established, X-Cart store owners are often not aware of what is required to maintain their X-Cart in a manner that keeps it secure over time. The purpose of this tutorial is to assist you in understanding:

  • The importance of X-Cart security
  • Hosting X-Cart in a secure environment
  • How to secure your X-Cart
  • Maintenance of X-Cart security

The importance of X-Cart security

Website security should always be a priority, but it is absolutely crucial when dealing with e-commerce stores that transact and store sensitive customer data such as e-mail addresses, telephone numbers, postal addresses, and credit card information. Reading through the X-Cart forum you will find many X-Cart store owners who have had the misfortune of having their X-Cart hacked or exploited. Having worked with X-Cart since 2002, I've had many of those store owners come to me asking what can be done to fix their store, and I have repeatedly heard the common answer that nobody had ever talked to them about security and they were unaware of anything that needed to be done. Believe me when I say that if you are not aware of what is required to secure and maintain your X-Cart, it is by sheer luck that your X-Cart has not been hacked or exploited, and it is only a matter of time before you become a victim. That said, by reading this tutorial you are well on your way to understanding and performing X-Cart security to keep you and your customers safe.

Hosting X-Cart in a secure environment

The environment on which your X-Cart is hosted is the foundation for all security, and if your host and/or server is not secure, all the security settings on your X-Cart are not going to keep you from being exploited. There are generally two types of hosting: a shared server, where you purchase a plan with a host and they provide you space for your site to reside on a server with many other clients, or a dedicated server, which is a computer where you host your site(s) alone (a VPS is basically a combination, allowing dedicated-server privileges in an environment shared with fewer users than with shared hosting).

Secured Shared Hosting

The main benefits of shared hosting are the reduced cost available by sharing the server with other users, and having the server company manage the server security. These same benefits can also pose a security threat, however, as the sites of other clients can jeopardize your security if their sites are breached, and if you rely on a server company to secure a server and they fail to do so correctly, you can find yourself in serious trouble. To combat these potential problems, it is imperative that you host with a trusted hosting provider who makes server security a priority. View our recommended X-Cart hosting providers.

Dedicated unmanaged server

Unfortunately, I often see X-Cart store owners establish or move to an unmanaged dedicated server without knowing the burden of security that falls on them in doing so. When working with an unmanaged server, you are responsible for ALL server security. This includes the configuration of all your server settings, as well as keeping your kernel, OS, PHP/MySQL, control panel, etc. up to date as new branches and patches are released. This is a daunting job for anyone not very experienced with server security, and it is not recommended for the average user.

Dedicated managed server

Surprisingly, having a managed server does not necessarily mean your server is secure. When purchasing a managed plan, it is important to know what the server provider will and won't do as part of your managed plan; it is not uncommon for someone to set up a managed server and their site(s) thinking the host will take care of security, only to find their server exploited, to which the server company responds saying they only perform security tasks upon request. If you rely on your host for a fully managed security package, it is important that you work with a trusted hosting provider who takes security seriously, and ensure that all aspects of security are accounted for.

Server Management Companies

Personally, I recommend an unmanaged dedicated server package combined with the services of a server management company such as EZSM or ServerWizards. These companies will configure your initial security settings, put processes in place to manage your security, and keep your server up to date as upgrades and patches are made available.

How to secure your X-Cart

After securing the hosting environment, it is necessary to address security within X-Cart itself. Taking the following steps will make great strides in securing your X-Cart:

1. Ensure you have a secure HTTPS connection for your store using a valid SSL certificate. For more details please refer to "How do I set up secure login, registration and checkout in my X-Cart store?" below.
2. Do not use the "master" X-Cart admin account. To change this, log in using your "master" X-Cart admin account and create a new administrator with a username that is less generic. Log in as that new user and delete the "master" user account.
3. Password protect your admin and provider directories. You can normally password protect these directories using a control panel such as cPanel, or you can use .htaccess and .htpasswd files (see "How do I set up password security for my X-Cart admin and provider areas?" below, or run a quick Google search if you are unsure how).
4. Be aware of your site's file permissions, as having loose file permissions in conjunction with an exploit can allow someone to write and execute files on your website. This is a very common exploit against X-Cart, so take this seriously. In general your file chmod permissions should appear as follows:

File Type          Permission
*.php              644
*.tpl              644
*.pl               755
*.sh               755
/catalog/          777
/files/            777
/images/           777
/var/              777
/var/* folders     777
/var/* files       666

For more details please refer to:
5. Do not store credit card information in your database. To disable this, or to ensure that this setting is disabled, open your config.php file and ensure the $store_cc variable is set to false:

$store_cc = false;

6. It is always a good idea to log into your X-Cart admin section using HTTPS so that the data you transact during the X-Cart session is encrypted. The following code will force your X-Cart admins/providers to log in using https:// by redirecting them when http:// is used. Add this code to the .htaccess of your admin section (adjust the URL if your HTTPS host differs from your HTTP host):

# Force https on the admin section
RewriteEngine On
# Any request that did not arrive on port 443 is sent to the same path over https
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Add this code to the .htaccess of your provider section (adjust the URL if your HTTPS host differs from your HTTP host):

# Force https on the provider section
RewriteEngine On
# Any request that did not arrive on port 443 is sent to the same path over https
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

7. The following .htaccess code, which can be placed in an .htaccess file in your store's root directory (the same directory as cart.php), will prevent access to sensitive areas of the X-Cart file structure. If you are on a server that does not support .htaccess files, you will want to find alternate ways to block access to these files.

Options +SymlinksIfOwnerMatch -Indexes

RewriteEngine on

# Each rule below sends the blocked request to your error_message.php page;
# replace www.example.com with your store's host name.

# Block access to sensitive directories
RedirectMatch permanent ^.*/\.pgp/.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/patch..*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/sql/.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/schemes/.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/skin1_original/.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/Smarty.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/upgrade/.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/var/.*$ https://www.example.com/error_message.php

# Block access to sensitive file types
RedirectMatch permanent ^.*\.(ini|tpl|sql|log|conf|bak)$ https://www.example.com/error_message.php

# Block access to sensitive files
RedirectMatch permanent ^.*/COPYRIGHT https://www.example.com/error_message.php
RedirectMatch permanent ^.*/INSTALL.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/NEW.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/README https://www.example.com/error_message.php
RedirectMatch permanent ^.*/UPGRADE.*$ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/VERSION https://www.example.com/error_message.php
RedirectMatch permanent ^.*/include/version.php https://www.example.com/error_message.php
RedirectMatch permanent ^.*/config.php https://www.example.com/error_message.php
# The pattern on the next rule is incomplete (a bare "^.*/" would match every URL);
# fill in the file name before enabling it.
# RedirectMatch permanent ^.*/ https://www.example.com/error_message.php
RedirectMatch permanent ^.*/install.php$ https://www.example.com/error_message.php

Note for X-Cart 4.4 or above: If you are using X-Cart 4.4, replace the rule matching ^.*/var/.*$ with the lines given for X-Cart 4.4 (they are not reproduced here). Otherwise the speed-up tool for JavaScript and CSS will not work!

Note: Change the redirect target (the URL after each pattern) to the URL of your error_message.php file.
8. Security for nginx/IIS (non-.htaccess-compatible) web servers:
For nginx/IIS web servers, which do not use .htaccess files, it is strongly recommended to move the rules from the following files:

  • xcart/.htaccess
  • xcart/var/.htaccess
  • xcart/var/cache/.htaccess
  • xcart/var/tmp/.htaccess
  • xcart/var/log/.htaccess

to the configuration files of these servers, for example nginx.conf on nginx web servers.
Optionally, you can also move there the .htaccess rules from steps 6 and 7 above.
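The permission table in step 4 is easy to drift away from after an upgrade or a restore from backup. As an added example that is not part of the original article or of X-Cart, the script below audits a store tree against that table and lists every file or directory whose mode differs; it assumes GNU find/stat (Linux) and builds a constructed sample store in a temporary directory, with two deliberate deviations planted, so it runs stand-alone.

```bash
#!/bin/sh
# Added example, not X-Cart's own code. Checks a store tree against the chmod
# table from step 4. Assumes GNU find and stat; paths are relative to the root.

# Print the expected octal mode for a path, or nothing if the table does not
# cover it. $1 = path relative to the store root, $2 = "f" (file) or "d" (dir).
expected_mode() {
    case "$2:$1" in
        d:catalog|d:files|d:images|d:var) echo 777 ;;  # writable data directories
        d:var/*)                          echo 777 ;;  # folders under /var/
        f:var/*)                          echo 666 ;;  # files under /var/ (checked first)
        f:*.php|f:*.tpl)                  echo 644 ;;  # scripts/templates: not group/world writable
        f:*.pl|f:*.sh)                    echo 755 ;;  # executables
        *)                                echo ""  ;;
    esac
}

# Print "path expected NNN found NNN" for every path that deviates from the table.
# $1 = store root. Only the rwx digits are compared; setuid/setgid/sticky bits
# are outside the table and ignored.
xcart_perm_audit() {
    find "$1" -mindepth 1 \( -type f -o -type d \) | sort | while IFS= read -r p; do
        rel="${p#"$1"/}"
        if [ -d "$p" ]; then kind=d; else kind=f; fi
        want=$(expected_mode "$rel" "$kind")
        if [ -z "$want" ]; then continue; fi
        have=$(stat -c '%a' "$p")
        have=${have#${have%???}}   # keep the last three digits only
        if [ "$have" != "$want" ]; then
            printf '%s expected %s found %s\n' "$rel" "$want" "$have"
        fi
    done
}

# Exit-status form for cron or a deploy check: 0 when the tree matches, 1 otherwise.
xcart_perm_ok() {
    [ -z "$(xcart_perm_audit "$1")" ]
}

# Build a constructed sample store (not a real X-Cart tree) in a temp directory.
# Two deviations are planted: a world-writable config.php and a /var/log that is not 777.
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog" "$root/files" "$root/images" "$root/var/cache" \
             "$root/var/log" "$root/skin1/customer"
    : > "$root/cart.php"; : > "$root/config.php"; : > "$root/cron.sh"
    : > "$root/skin1/customer/home.tpl"
    : > "$root/var/cache/data.cache"; : > "$root/var/log/x-errors.log"
    chmod 777 "$root/catalog" "$root/files" "$root/images" "$root/var" "$root/var/cache"
    chmod 644 "$root/cart.php" "$root/skin1/customer/home.tpl"
    chmod 755 "$root/cron.sh"
    chmod 666 "$root/var/cache/data.cache" "$root/var/log/x-errors.log"
    chmod 666 "$root/config.php"   # deviation: the table says 644
    chmod 755 "$root/var/log"      # deviation: the table says 777
    echo "$root"
}

# Stand-alone demo run on the constructed store.
demo_root=$(make_sample_store)
xcart_perm_audit "$demo_root"
xcart_perm_ok "$demo_root" || echo "deviations found under $demo_root"
rm -rf "$demo_root"
```

Run it against your real store root (for example `xcart_perm_audit /home/user/www/xcart`) after every upgrade or restore; an empty report means the tree matches the table.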

How do I set up secure login, registration and checkout in my X-Cart store?

This article provides guidelines for configuring HTTPS for your X-Cart store .

Obtain an SSL certificate

To use HTTPS for your X-Cart store site, you need to obtain an SSL certificate and have it properly installed and configured on your web server. You also need to monitor your SSL certificate's expiration date and be ready to renew it when necessary. The majority of hosting companies help their customers to purchase SSL certificates or provide their own shared SSL URLs. If your hosting company does not provide such services, you will need to purchase a certificate on your own. We will be glad to assist you with this issue. You can purchase SSL certificates from our company. We sell SSL certificates provided by the world's leading Certification Authority, Comodo Group. For details, conditions and prices, please see: http:// If you are on a dedicated server, we can offer you our service of analyzing and configuring your server and/or installing an SSL certificate on it. Please note that we will need 'root' access to your server over SSH or 'Administrator' access over MS Remote Desktop to complete these tasks.

Configure the HTTPS server in X-Cart

Once you have an SSL certificate for your store website installed and configured, you should adjust the HTTPS server settings in X-Cart. If your HTTPS host differs from your HTTP host, you will need to edit the file /config.php, specifying your HTTPS host in the variable $xcart_https_host.

Enable HTTPS for your store

Enable HTTPS for the entire X-Cart store site

Method 1. Use for web servers with support for .htaccess, like Apache

If you are using a web server of the above-mentioned type, to set your entire X-Cart store to operate over HTTPS, you should add the following code to the .htaccess file after the line "RewriteBase":

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 

If the base URL of your website is known, it is even better to add the rules as follows:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

(Be sure to replace "www.example.com" with your actual base URL.) The above code should be added before the code for handling Clean URLs. You can also use the following instructions: http://

Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.

Method 2. Use for servers configured through nginx.conf, like nginx

Convert the rules cited in Method 1 above to nginx.conf as follows:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Send every plain-HTTP request to the same host and path over HTTPS
    return 301 https://$host$request_uri;
}

For more information, see: http://

Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.

Method 3. Use in addition to Methods 1 or 2 above, or as a standalone method if Methods 1 or 2 cannot be used

X-Cart versions 4.7.9 and later:
To switch your entire X-Cart store to HTTPS:

  1. In your X-Cart store’s Admin area, go to the ‘General settings/Security options’ page and scroll down to the HTTPS options section.
  2. Enable the ‘Use secure protocol (HTTPS)’ option:
    (Screenshot: Xc4 use secure protocol 479nlater.png)
  3. Save the changes.

X-Cart versions prior to 4.7.9:
To switch your entire X-Cart store to HTTPS, edit the file https.php. Find the course :

function is_https_link($link, $https_scripts) {

and replace it with

function is_https_link($link, $https_scripts) {
    return true; // treat every link as an HTTPS link, regardless of $https_scripts

Enable HTTPS for the login, registration, checkout and payment pages (X-Cart versions prior to 4.7.9)

If you do not wish to enable HTTPS for the entire store site but need HTTPS for the login, registration, checkout and payment pages:

  1. In your X-Cart store’s Admin area, go to the ‘General settings/Security options’ page and scroll down to the HTTPS options section.
  2. Enable the ‘Use secure protocol (HTTPS) for login, registration, checkout and payment pages’ option:
    (Screenshot: Xc4 use secure protocol before479.png)
  3. If you wish, enable the following HTTPS options on the same page:
    • Use HTTPS for users’ login and registration
    • Use secure login form on a separate page (HTTPS) (Available in X-Cart versions 4.5.4 and earlier. Removed in X-Cart 4.5.5)
  4. Save the changes.
  5. If using X-Cart 4.5.4 or earlier, go to the Payment Methods configuration page and specify which payment methods should work using the HTTPS protocol. Save the changes.

Enable HTTPS for specific PHP scripts

If you do not wish to enable HTTPS for the entire store site but just need to secure some PHP scripts in your X-Cart store so they can only be accessed via HTTPS, you should add the scripts that need to be secured to the 'https_scripts' array in the file /https.php. You can find some examples of how that can be done right in the file /https.php:

$https_scripts[] = 'login.php';
$https_scripts[] = array(


If your web server does not use SSL certificates, and you are running an HTTPS proxy instead, you may need to configure some extra settings to enable your X-Cart to work over SSL (secure connection). In the file include/https_detect.php, specify the proxy IP address and set the $HTTPS variable to 'true':

if ($_SERVER['REMOTE_ADDR'] == 'PROXY_IP_ADDRESS') { // replace with your HTTPS proxy's IP address
    $HTTPS_RELAY = true;
    $HTTPS = true;
}

If you are not sure whether your web server uses SSL certificates or runs behind an HTTPS proxy, contact your hosting service provider or server administrator, or e-mail our technical support; we will help you find that out.

If you experience problems with external services (payment/shipping) working over HTTPS while using curl/libcurl as the HTTP module, try adding the following line to:

$xcart_dir = rtrim(realpath($xcart_dir), XC_DS);

How do I set up password security for my X-Cart admin and provider areas?

Generally, the password protection can be done as follows (assuming that you want to use "abc123" and "123" as login/password):

1. In the X-Cart Admin area, open the Summary page.
2. In the Environment information section, find and copy the X-Cart directory path (something like /home/user/www/xcart). You will need it a bit later.
3. Generate the .htpasswd file. If you have shell access to your hosting server, enter the following command:

htpasswd -c .htpasswd abc123

and then press Enter. Now enter the merchant key (password) two times. Alternatively, you can use one of the online htpasswd generators to generate an entry for your .htpasswd file (for example http://), then copy the generated entry into your .htpasswd file. Thus, the content of your .htpasswd file will look like:


4. Copy the .htpasswd file to X-Cart's admin and provider directories.
5. Open admin/.htaccess and paste the following data into it:

AuthType Basic
AuthName "Restricted Admin Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/admin/.htpasswd
require valid-user

6. Open provider/.htaccess and paste the following data into it:

AuthType Basic
AuthName "Restricted Provider Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/provider/.htpasswd
require valid-user

Alternatively, you can password-protect the admin and provider areas using the password protection setup facility in the control panel of your hosting account.

Seven security features that you might not know yet

BLOCK_UNKNOWN_ADMIN_IP (in X-Cart versions before 4.5.5 named SECURITY_BLOCK_UNKNOWN_ADMIN_IP)

The enhanced security mode. It allows you to control from which IP addresses users can access your X-Cart. By default it is disabled (set to FALSE). To turn it on, edit the config.php file and change the value of the BLOCK_UNKNOWN_ADMIN_IP setting from FALSE to TRUE.
Immediately after you enable this mode, you must log in to the X-Cart Admin back end so that your own IP address is registered in the system. After that, no user will be able to log in to the Admin back end until you register their IP address: all login attempts will be denied and the users will get an error message. If the login/password submitted by a user are correct (i.e. correspond to the login/password of an existing user, and this user belongs to a type with permissions to access this X-Cart zone), a request to register the user's IP address will be sent to the X-Cart administrator e-mail. This notification will provide information about the time of the login attempt, the username and the IP address. This way you will be able to decide whether you should grant access to this user, and, if you choose to do so, you will be able to grant access simply by clicking on a link in the e-mail. As a result, the IP address will be registered in your store's list of allowed IP addresses. More information:

System Fingerprints

X-Cart uses MD5 (Message-Digest algorithm 5) for data integrity control. Using this tool you can create lists of MD5 checksums of all the files in the X-Cart installation directory and compare checksum lists generated at different periods of time to verify the integrity of your X-Cart files. In X-Cart, a list of MD5 checksums of all the files is called a "system fingerprint". The first system fingerprint in your store is generated automatically during X-Cart installation. Any system fingerprint can be compared with the current state of the store or with any other fingerprint. This action allows detecting any changes in the /xcart directory. You get a list of files which have been modified, added or lost (removed from the system or renamed so they cannot be identified). You can use this tool to track changed and suspicious files. For example, you think your store has been hacked. You get the full list of the changed files and check/repair them manually. More information: X-Cart: System Fingerprints

Protection from CSRF attacks (cross-site request forgery attacks)

There is built-in protection from CSRF attacks. Each form in the back end has a unique identifier which ensures that this form is valid; in this way only valid forms are accepted. Unique form identifiers are generated within a user session and assigned to each X-Cart page which is loaded in the user's browser and which contains an HTML form for submitting data via POST. The main purpose of these identifiers is to ensure the authenticity of the form when the form is submitted by the user: if the submitted form contains a valid form identifier, the form is recognized as one generated by X-Cart in the current user's session, and therefore it is detected as valid and safe for processing. If there is no valid form identifier, the form is treated as suspicious and the submission is canceled. Information about CSRF attacks: http:// There are sooooo many web applications that simply don't have such a protection :-(

FRAME_NOT_ALLOWED

It is possible to forbid calling X-Cart in IFRAME/FRAME tags. If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can enable this option as an extra security measure. It prevents attacks in which the attackers display X-Cart through a frame and, using browser vulnerabilities, intercept the information entered in the form. To enable this feature, edit the following line in config.php:

define("FRAME_NOT_ALLOWED", false); // set to true to forbid loading X-Cart inside a frame

Blowfish encryption (merchant key)

Blowfish data encryption (based on the Merchant key) is more secure than the usual encryption method. In this method, you create a Merchant key, a password that allows you to encrypt the details of your customers' orders and to decrypt previously encrypted order details when you wish to view them. Such a higher level of security is possible because the key used to encrypt and decrypt order details is not stored anywhere in the system. The only thing that is stored is an MD5 signature of the key. When you need to access the details of a certain order, you manually enter your Merchant key into a special form on the 'Order details' page. In the next session, you will have to re-enter the Merchant key to get access to order details. So if someone steals your database and all files, he will not be able to steal the credit card numbers anyway. More information: X-Cart: Blowfish

PHPIDS

PHPIDS (PHP Intrusion Detection System) is an open source PHP web application intrusion detection system. PHPIDS detects cross-site scripting (XSS), SQL injection, header injection, directory traversal, remote file execution, local file inclusion and denial of service (DoS). It is simple to use and well structured. It provides an impact rating of every attack by analyzing any chosen input variables such as POST, GET, SESSION and COOKIE. Find out more at http://

ADMIN_ALLOWED_IP

By default there are no IP-based limitations on accessing the X-Cart admin area. To make your admin area more secure you can define IP-based restrictions by editing the ADMIN_ALLOWED_IP/$admin_allowed_ip parameter in the config.php file located in the X-Cart root directory, as shown below. Example:

const ADMIN_ALLOWED_IP = "192.0.2.10,192.0.2.11"; // example addresses; replace with your own

// For old versions
$admin_allowed_ip = "192.0.2.10,192.0.2.11";

This will limit access to users from the listed IP addresses (192.0.2.10 and 192.0.2.11 in the example).

Maintaining X-Cart security

A big mistake I see with users of software is thinking they can set up the software and run it for an indefinite period of time. It is imperative with X-Cart, and all software you run for that matter, that you apply security patches and upgrade as new releases become available. While the patches and upgrades do require time and/or money to apply, neglecting to do so can be potentially fatal to your business, and they need to be made a priority.

X-Cart provides security and release bulletins that you can sign up for in your X-Cart account. Be sure to sign up for these bulletins and stay on top of your security.
Hint: If you need to walk away from your computer for whatever reason, even for just a few moments, log off from the admin area of your store or lock your workstation.

Article copyright 2007.

Category: Website hosting
