Difference between revisions of "How to Secure"

From Phoenix Cart User Guide
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
<span class="btn-grey"><historylink type="back">&#129032; Back</historylink></span>
+
<div class="btn btn-grey btn-back">{{#fas:arrow-left}} Back</div> <div class="btn btn-grey btn-download">{{#fas:download}} Download & Install</div>
<span class="btn-grey" style="color:#0088dd;">'''[[DOWNLOAD & INSTALL|&#x1F809; DOWNLOAD & INSTALL]]'''</span>
 
 
<hr>
 
<hr>
  
Line 6: Line 5:
 
<BIG>'''Secure the Website'''</BIG>
 
<BIG>'''Secure the Website'''</BIG>
  
When you have logged into Admin, warnings as shown below are given as reminders on the admin dashboard.
+
When you have logged into Admin you will see the admin dashboard - see <big>'''[[ADMINISTRATION]]'''</big> for a complete guide.
 +
 
 +
Security warnings are given as reminders on the admin dashboard, shown on the right of the screenshot.
  
 
<div class="mainpage_box">
 
<div class="mainpage_box">
Line 14: Line 15:
 
These warnings are also shown on the '''Security Checks''' page.
 
These warnings are also shown on the '''Security Checks''' page.
  
From admin go to '''Tools &rarr; Security Checks''' to see this:
+
From admin go to [[File:adminnavbartools.png|link=]] '''Tools &rarr; Security Checks''' to see this:
 
<div class="mainpage_box">
 
<div class="mainpage_box">
 
[[File:securitychecks1.png|link=]]
 
[[File:securitychecks1.png|link=]]
 
</div>
 
</div>
 
*This shows a new installation with security messages that require attention.
 
*This shows a new installation with security messages that require attention.
 +
 +
Deal with each one in sequence.
  
 
----
 
----
Line 28: Line 31:
  
 
*Add a second level of password protection to the '''youradmin''' folder/directory on the server.
 
*Add a second level of password protection to the '''youradmin''' folder/directory on the server.
**From the admin dashboard go to '''Configuration &rarr; Administrators''' to see this:
+
**From the admin dashboard go to [[File:adminnavbarconfig.png|link=]] '''Configuration &rarr; Administrators''' to see this:
 
<div class="mainpage_box">
 
<div class="mainpage_box">
 
[[File:administrators1.png|link=|1500px]]
 
[[File:administrators1.png|link=|1500px]]
Line 34: Line 37:
  
  
*Click <span class="btn-blue">Edit</span> to see this:
+
*Click <span class="btn-yellow">Edit</span> to see this:
 
<div class="mainpage_box">
 
<div class="mainpage_box">
 
[[File:administrators3.png|link=|1500px]]
 
[[File:administrators3.png|link=|1500px]]
Line 40: Line 43:
  
  
*Enter a different '''Username:''' and '''New Password:'''
+
*Enter '''Username:''' and '''New Password:'''
 
*Tick the '''Protect With htaccess/htpasswd''' box.
 
*Tick the '''Protect With htaccess/htpasswd''' box.
*Click <span class="btn-blue">Save</span> to see this:
+
*Click <span class="btn-green">Save</span> to see this:
 
<div class="mainpage_box">
 
<div class="mainpage_box">
 
[[File:administrators2.png|link=|1500px]]
 
[[File:administrators2.png|link=|1500px]]
 
</div>
 
</div>
 +
 +
 +
When you next access the site you will see something like this to sign in:
 +
 +
[[File:signin.png]]
  
  
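Review bot: dropping the word "different" from "*Enter a different '''Username:''' and '''New Password:'''" removes the only hint that the htaccess/htpasswd credentials should not be the same as the admin login. If the same username and password are reused for both layers, a leaked admin credential opens both at once, so consider keeping "a different" or spelling out that the htpasswd login must be separate from the admin account.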
Line 62: Line 70:
  
 
*Ensure both '''configure.php''' files have their file permissions set so only owner can read and write - set file permissions to 644 or 444 or 400 dependent on server host. This can be done in your server account control panel or using FTP software e.g. using WinSCP select file, click properties.
 
*Ensure both '''configure.php''' files have their file permissions set so only owner can read and write - set file permissions to 644 or 444 or 400 dependent on server host. This can be done in your server account control panel or using FTP software e.g. using WinSCP select file, click properties.
**Important: Our server does not allow the 644 setting to be changed using the control panel or FTP which causes the error message to remain on admin page - providing the setting is 644 this can be ignored or contact your host server to change it for you.
+
**Important: Our server does not allow the 644 setting to be changed using the control panel or FTP which causes the error message to remain on admin page - in this case contact your host server to change it for you.
*Presuming a SSL certificate is installed:
 
**Edit '''includes/configure.php''' and '''youradmin/includes/configure.php'''
 
**The files on the host server can be edited using FTP software.
 
**E.g. using FileZilla - right click on the file and click '''View Edit''' in the popup menu.
 
**Change Line 4 in both files to <code>define('ENABLE_SSL', true);</code> - save file back to the server.
 
**Important: '''includes/configure.php''' and '''youradmin/includes/configure.php''' are different files in different locations, never open both at once to avoid confusion and ensure they are transferred to the correct locations.
 
  
  
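Review bot: the removed lines from "*Presuming a SSL certificate is installed:" through the note about never opening both configure.php files at once were the only instructions for setting <code>define('ENABLE_SSL', true);</code> in '''includes/configure.php''' and '''youradmin/includes/configure.php''', and nothing in this hunk replaces them or links to where they now live. Without that step the admin login and the new htpasswd prompt travel over plain HTTP, so either keep the block or add a link to its new location. Separately, the kept wording "so only owner can read and write" does not match 644 or 444, which leave the file readable by group and others; "so that nobody but the owner can write to them" would describe all three listed modes.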
Line 98: Line 100:
 
[[File:securitychecks7.png|link=]]
 
[[File:securitychecks7.png|link=]]
  
*Click the message - it is linked to '''Tools &rarr; Version Checker''' to see this:
+
*Click the message - it is linked to [[File:adminnavbartools.png|link=]] '''Tools &rarr; Version Checker''' to see this:
 
<div class="mainpage_box">
 
<div class="mainpage_box">
 
[[File:versionchecker.png|link=|1500px]]
 
[[File:versionchecker.png|link=|1500px]]
Line 114: Line 116:
  
  
When all security warnings have been successfully dealt with, you will see this:
+
<big>'''Make a test purchase'''</big>
  
 +
Though not an essential part of securing the shop, now is a good time to browse around the shop and make a test purchase to familiarise yourself with how it works. It is good practice to browse the shop through the eyes of a customer and you should do this every time you make any changes to your website to ensure customers can make a purchase.
  
[[File:admin1.png|link=|1500px]]
+
*From admin click on the <span style="color:#007bff;"><big>'''Your Shop'''</big></span> link to go to the shop.
 
 
 
 
----
 
 
 
 
 
<big>'''Make a test purchase'''</big>
 
 
 
Though not an essential part of securing the shop, now is a good time to browse around the shop and make a test purchase to familiarise yourself with how it works. It is good practice to browse the shop through the eyes of a customer.
 
  
*From admin click on the '''Shop''' link, as shown below to go to the shop.
 
 
<div class="mainpage_box">
 
<div class="mainpage_box">
[[File:adminlinks.png|link=]]
+
[[File:adminlinks.png|link=|1500px]]
 
</div>
 
</div>
  
You will see this.
+
You will see similar to this.
 
<div class="mainpage_box">
 
<div class="mainpage_box">
[[File:shop.png|link=|1500px]]
+
[[File:shop.jpg|link=|1500px]]
 
</div>
 
</div>
  
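Review bot: the removed line "When all security warnings have been successfully dealt with, you will see this:" and its admin1.png screenshot were the only confirmation that the Security Checks page is clear before moving on, and the relocated "Make a test purchase" text does not restore it. Suggest keeping a closing line such as "Go back to Tools &rarr; Security Checks and confirm that no warnings remain" ahead of the test purchase, so readers do not treat a working shop as proof that the checks passed.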

Revision as of 05:04, 25 March 2021



Secure the Website

When you have logged into Admin you will see the admin dashboard - see ADMINISTRATION for a complete guide.

Security warnings are given as reminders on the admin dashboard, shown on the right of the screenshot.

Admin.png

These warnings are also shown on the Security Checks page.

From admin go to Tools → Security Checks to see this:

Securitychecks1.png

  • This shows a new installation with security messages that require attention.

Deal with each one in sequence.



Admin HTTP Authentication

Securitychecks3.png

  • Add a second level of password protection to the youradmin folder/directory on the server.
    • From the admin dashboard go to Configuration → Administrators to see this:

Administrators1.png


  • Click Edit to see this:

Administrators3.png


  • Enter Username: and New Password:
  • Tick the Protect With htaccess/htpasswd box.
  • Click Save to see this:

Administrators2.png


When you next access the site you will see something like this to sign in:

Signin.png


TIP:

  • It is advisable to password protect the whole website to prevent visitors or internet search engines from finding it before it is ready - go to PASSWORD PROTECT. This can also be done from cPanel in some host server accounts.




config_file_catalog

Securitychecks4.png

  • Ensure both configure.php files have their file permissions set so that only the owner can read and write them - set the permissions to 644, 444 or 400, depending on the server host. This can be done in your server account control panel or with FTP software, e.g. in WinSCP select the file and click Properties.
    • Important: Our server does not allow the 644 setting to be changed using the control panel or FTP, which causes the error message to remain on the admin page - in this case contact your host server to change it for you.




Github Directory

Securitychecks5.png

  • Delete this folder/directory from the server - right click and delete.




install_directory

Securitychecks6.png

  • Delete this folder/directory from the server.




Version Check

Securitychecks7.png

  • Click the message - it is linked to Tools → Version Checker to see this:

Versionchecker.png




The README text file is no longer required.

  • Delete this file from the server.
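The steps above (admin HTTP authentication, configure.php permissions, and removing the GitHub directory, install directory and README) can be re-checked from the server's shell once you have done them. The script below is an added example, not part of this guide or of Phoenix itself: SHOP_ROOT, ADMIN_DIR, the location of the .htaccess file in the admin folder and the leftover names other than "install" are assumptions to adjust for your own installation. It reports each item as PASS or FAIL and returns the number of failures; the Version Check needs the admin page and is not reproduced.

```shell
#!/bin/sh
# Added example, not part of the Phoenix Cart guide or of Phoenix itself: re-check
# the Security Checks items from the server shell. SHOP_ROOT, ADMIN_DIR, the
# .htaccess location and the leftover names below are assumptions; adjust them.

SHOP_ROOT="${SHOP_ROOT:-/var/www/html}"   # assumed web root of the shop
ADMIN_DIR="${ADMIN_DIR:-youradmin}"       # the renamed admin folder, as in the guide
# Assumed names for the leftovers the guide says to delete: only "install" is
# named on the page; the GitHub directory and README names are guesses.
LEFTOVERS="${LEFTOVERS:-install .github README README.md}"

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Admin HTTP Authentication: the admin folder should contain an .htaccess that
# enables Basic auth and points at an .htpasswd file that really exists.
# Returns 0 only when all of that holds.
check_admin_auth() {
    ht="$SHOP_ROOT/$ADMIN_DIR/.htaccess"
    [ -f "$ht" ] || { echo "  no $ht"; return 1; }
    grep -q '^[[:space:]]*AuthType[[:space:]]*Basic' "$ht" || { echo "  AuthType Basic not set in $ht"; return 1; }
    grep -q '^[[:space:]]*Require[[:space:]]' "$ht" || { echo "  no Require line in $ht"; return 1; }
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$ht")
    [ -n "$pw" ] && [ -f "$pw" ] || { echo "  AuthUserFile missing or points at a file that does not exist"; return 1; }
    return 0
}

# config_file_catalog: both configure.php files must have one of the modes the
# guide accepts. 644 still lets group and others read the file; 400 is tightest.
# Returns 0 when both files comply.
check_config_perms() {
    bad=0
    for cfg in "$SHOP_ROOT/includes/configure.php" "$SHOP_ROOT/$ADMIN_DIR/includes/configure.php"; do
        if [ ! -f "$cfg" ]; then
            echo "  missing: $cfg"; bad=1; continue
        fi
        m=$(file_mode "$cfg")
        case "$m" in
            644|444|400) ;;
            *) echo "  $cfg is mode $m, expected 644, 444 or 400 (try: chmod 444 '$cfg')"; bad=1 ;;
        esac
    done
    return $bad
}

# Github Directory, install_directory and README: none of them should remain.
# Returns 0 when all are gone.
check_leftovers() {
    bad=0
    for name in $LEFTOVERS; do
        if [ -e "$SHOP_ROOT/$name" ]; then
            echo "  still present: $SHOP_ROOT/$name"; bad=1
        fi
    done
    return $bad
}

# Run every check and return the number that failed.
run_checks() {
    fails=0
    for c in check_admin_auth check_config_perms check_leftovers; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

run_checks || echo "$? check(s) still need attention"
```

Run it as the account that owns the shop files, e.g. `SHOP_ROOT=/home/you/public_html ADMIN_DIR=myadmin sh security-recheck.sh`; a non-zero exit status means at least one item on the Security Checks page is still outstanding.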




Make a test purchase

Though not an essential part of securing the shop, now is a good time to browse around the shop and make a test purchase to familiarise yourself with how it works. It is good practice to browse the shop through the eyes of a customer and you should do this every time you make any changes to your website to ensure customers can make a purchase.

  • From admin click on the Your Shop link to go to the shop.

Adminlinks.png

You will see similar to this.

Shop.jpg

NOTE: If the Install page still shows instead of your shop, ensure the Install folder/directory has been deleted from the host server and that your browser cache is cleared. Some host servers also have a cache, so don't worry if the Install page is still showing. If the link keeps taking you to yoursite/install/index.php, simply change the address in your browser address bar to yoursite/index.php - the host server's cache will eventually clear, usually within 24 hours.


TIP:

  • To bypass your browser's cache:
  • Firefox / Safari: Hold Shift while clicking Reload, or press either Ctrl-F5 or Ctrl-R (⌘-R on a Mac)
  • Google Chrome: Press Ctrl-Shift-R (⌘-Shift-R on a Mac)
  • Internet Explorer: Hold Ctrl while clicking Refresh, or press Ctrl-F5
  • Opera: Go to Menu → Settings (Opera → Preferences on a Mac) and then to Privacy & security → Clear browsing data → Cached images and files.






Code references are licensed under a Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales License.
All other content is the reserved Intellectual Property and Copyright of phoenixcart.org