Installing X-Cart
Revision date: Jan 31, 2006
Setting file permissions
After installation is complete it is worth taking some basic security measures. The most important one is to set up UNIX file permissions, so that only the components that need a file or directory are able to use it. Always remember that giving full write/execute permissions to important files makes your store completely insecure, so be very careful with that.
Recommended file permissions

| File type | Permissions |
| --- | --- |
| .php | 644 |
| .tpl | 644 |
| .pl | 755 |
| .sh | 755 |
| /myshop/VERSION | 600 |
| .css | 644 |
| .gif | 644 |
| .js | 644 |
| .ini | 644 |
| .conf | 644 |
| .sql | 644 |
| .html | 755 |
| payment/bin/. | 755 |
| payment/lib/. | 755 |
| all other files | 666 |

- templates_c - 777. Always set this directory to 777. It is a work area used by the Smarty engine to generate new templates whenever a .tpl file has been modified.
- catalog - 755. Set it to 777 while the catalog is being updated, then back to 755 once the catalog has been written.
- files - 777. Needed to write or upload new files and pictures to this folder.
- log - 777. The log directory records all shopping cart errors and customer shopping cart movements.
- admin/newsletter - 777. The news directory needs to be writable.
- skin1 - 777. The shopping cart skin pictures and other menu items.
- Other directories - 755. All other directories and subdirectories should be set to this higher security level.

You can also use .htaccess files (hidden access control files in each directory of a Unix/Linux system) to protect certain directories for extra security on a live site. X-Cart already has .htaccess files embedded in the tar/gzip files.

Overall security & performance tips

- Put the images in the file system (at least to start).
- Learn the correct security settings and implement them from the beginning (permissions, password-protected admin directory, removing install and upgrade files, etc.).
- Put products in a master CSV and import that way.
- Buy a text editor, FTP client and backup software for unpacking/editing/transferring.
- Keep on top of the upgrades. Nothing is worse than spending a day upgrading through 10 versions.
- Backup, backup, backup.
- Do not record important information (e.g. site and database passwords) in files on an Internet-connected PC. It is too easy for backdoor trojan programs and viruses to collect and forward personal information. Even a printout on paper in a locked cabinet is more secure.
- Make sure that your PHP scripts have 644 permissions and directories have 755, except for some special directories like admin/newsletter and templates_c.
- Make sure that SQL connections are allowed only from the local machine (localhost).
- Protect the installation script install.php with a new Auth code or delete it completely. Change the file permissions to 600.
- Remove any tar files that are no longer needed.
- Try to access your admin interface only via the HTTPS protocol (start your URL with https://).
- If you have an SSL certificate, you can make the whole website secure by enabling it in the shopping cart. You can set up X-Cart to run over HTTPS.
- Do not keep any unnecessary files in your web directory (for example, the X-Cart distribution archive). Delete them completely or move them away from the public_html directories. Change the file permissions to 400.
- Forbid directory listing in your web server, so no one can browse through your script directories.
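To check a deployed store against the permissions table and the tips above, here is an added audit script (written for this page, not part of X-Cart) that reports every file or directory whose mode deviates from the recommended values. It assumes GNU coreutils stat (Linux) and builds its own constructed sample store tree, so it runs stand-alone.

```shell
# Audit helper written for this page (not X-Cart's own tooling): walks a store
# tree and reports every entry whose mode differs from the recommended table.
# Assumes GNU coreutils `stat -c %a`; paths must not contain newlines.
# Mode the table prescribes for $1 (path relative to the store root);
# $2 is the full path, used only to tell directories from files.
xcart_expected_mode() {
    case "$1" in
        templates_c|files|log|admin/newsletter|skin1) echo 777; return ;;
        VERSION|install.php) echo 600; return ;;   # install.php: 600 per the tips
        payment/bin/*|payment/lib/*) echo 755; return ;;
    esac
    if [ -d "$2" ]; then echo 755; return; fi        # "all other directories"
    case "$1" in
        *.php|*.tpl|*.css|*.gif|*.js|*.ini|*.conf|*.sql) echo 644 ;;
        *.pl|*.sh|*.html) echo 755 ;;
        *) echo 666 ;;                               # "all other files" per the table
    esac
}
# Compare every entry under $1 with the table, print each mismatch and
# return the mismatch count as the exit status (0 = tree matches the table).
xcart_audit_perms() {
    root=$1; bad=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        want=$(xcart_expected_mode "$rel" "$root/$rel")
        have=$(stat -c '%a' "$root/$rel")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $rel: mode $have, expected $want"
            bad=$((bad + 1))
        fi
    done <<EOF
$(cd "$root" && find . ! -path . | sort | sed 's|^\./||')
EOF
    return "$bad"
}
# Constructed sample tree with three deliberate deviations: VERSION and
# install.php left at 644, and catalog still 777 after a catalog update.
xcart_demo_tree() {
    mkdir -p "$1/templates_c" "$1/catalog" "$1/payment/bin" "$1/admin/newsletter"
    : > "$1/config.php"; : > "$1/VERSION"; : > "$1/install.php"; : > "$1/payment/bin/pay.sh"
    chmod 777 "$1/templates_c" "$1/admin/newsletter" "$1/catalog"
    chmod 755 "$1/payment" "$1/payment/bin" "$1/admin" "$1/payment/bin/pay.sh"
    chmod 644 "$1/config.php" "$1/install.php" "$1/VERSION"
}
demo=$(mktemp -d)
xcart_demo_tree "$demo"
xcart_audit_perms "$demo" || echo "$? deviation(s) found"
rm -rf "$demo"
```

Run it against a real store as `xcart_audit_perms /path/to/xcart`; any MISMATCH line for a world-writable entry outside the listed 777 directories is the first thing to fix.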
Installation services

If you find it difficult to install X-Cart by yourself, you can purchase installation services from us. Our qualified specialists will be glad to help you install X-Cart on your web server, and we are able to perform this work in the fastest and most effective manner. If the required software is not present on your server and you have provided us with root/administrator access, we will install all applications (PHP, MySQL etc.) needed to get X-Cart running. Performed by experienced technicians, the installation service guarantees that you will avoid most technical problems that may arise from the specific environment of your server or from not yet being familiar with the software.