When developing OXID eShop, we take care of the security of the application itself, pass security audits by third-party specialists and follow security bulletins. Nonetheless, there are a number of points you are responsible for. This tutorial explains what to take into account when configuring your server, OXID eShop and third-party software, and gives useful hints on how to keep your OXID eShop from becoming insecure.
Here we go!
Usually your hosting provider takes care of server-side security. If you have booked managed services, you can rely on the provider’s work and expertise. But there are some points you can check yourself:
- Keep an eye on system requirements and system health. Improper file access rights on your server can be a risk. OXID eShop supports some well-known cases and checks a bunch of file permissions. Make sure no check is failing in the admin panel and you’ve got a good start.
- Another common mistake is to leave the directory index active. Try this: http://www.youroxideshop.com/out/basic. If you get a directory listing, switch it off immediately. Ask your provider for instructions on how to do this; the exact procedure depends on the server environment you’re using.
- Switch off display_errors in your PHP configuration. Instead, switch on error reporting to a log file. Your hosting provider will help you find this option. PHP errors can be provoked by hackers and give them useful information.
- Don’t leave backup files on your server! Have you ever tried to access http://www.youroxideshop.com/config.inc.php.bak in your browser? You will see your database credentials publicly available. Of course this also works with any other non-.php file extension, because the web server serves such a file as plain text instead of executing it.
- Also check whether http://www.youroxideshop.com/phpinfo.php, http://www.youroxideshop.com/p.php or http://www.youroxideshop.com/info.php (or similar) is accessible. If you have a match, one of your shop programmers left some interesting information behind.
- OXID’s tool oxchkversion, used to check for unexpected file differences, is often left behind as well. Try to open http://www.youroxideshop.com/oxchkversion.php. If you see something, remove oxchkversion.php from your webspace.
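The checks above can be run against your own shop in one go. The following script is an added example for this tutorial, not an OXID tool: it assumes curl is installed, takes your shop’s base URL as its only argument, probes the paths named above and treats a plain HTTP 200 on /admin/ or /export/ as a sign that no HTTP authentication sits in front of those folders. The two extra backup names (config.inc.php.orig, config.inc.php~) are constructed additions, not from the tutorial.

```shell
#!/bin/sh
# Exposure self-check for your own OXID eShop (added example, not an OXID tool).
# Assumes curl is installed. Usage:
#   sh oxid-exposure-check.sh https://www.youroxideshop.com

# Leftover files named in the tutorial; any HTTP 200 on them is a finding.
LEFTOVER_FILES="config.inc.php.bak phpinfo.php p.php info.php oxchkversion.php"
# Constructed additions (assumption): other backup suffixes that tend to be left behind.
LEFTOVER_FILES="$LEFTOVER_FILES config.inc.php.orig config.inc.php~"

# classify PATH STATUS BODY: print a verdict; return 0 when PATH looks exposed, 1 when fine.
classify() {
  path=$1; status=$2; body=$3
  if [ "$status" = 000 ]; then
    echo "error    $path (no HTTP answer)"; return 1
  fi
  case "$path" in
    out/basic/)
      # Directory index: the autoindex page of Apache and nginx contains "Index of /".
      if [ "$status" = 200 ] && printf '%s' "$body" | grep -q 'Index of /'; then
        echo "EXPOSED  $path (directory listing is switched on)"; return 0
      fi ;;
    admin/|export/)
      # Should sit behind .htaccess HTTP auth: expect 401 (or 403), not a plain 200.
      if [ "$status" = 200 ]; then
        echo "EXPOSED  $path (no HTTP authentication in front of it)"; return 0
      fi ;;
    *)
      # Any leftover file that answers 200 is world-readable.
      if [ "$status" = 200 ]; then
        echo "EXPOSED  $path (leftover file is world-readable; delete it)"; return 0
      fi ;;
  esac
  echo "ok       $path (HTTP $status)"
  return 1
}

# probe PATH: fetch SHOP_URL/PATH and classify the answer (first 4 KiB of the body).
probe() {
  path=$1
  tmp=$(mktemp)
  status=$(curl -s -L -o "$tmp" -w '%{http_code}' "$SHOP_URL/$path")
  body=$(head -c 4096 "$tmp")
  rm -f "$tmp"
  classify "$path" "$status" "$body"
}

# run_checks: probe every path; exit status 0 only when nothing is exposed.
run_checks() {
  findings=0
  for p in out/basic/ admin/ export/ $LEFTOVER_FILES; do
    if probe "$p"; then findings=$((findings + 1)); fi
  done
  echo "$findings exposed item(s)"
  [ "$findings" -eq 0 ]
}

if [ $# -eq 1 ]; then
  SHOP_URL=${1%/}
  run_checks
fi
```

Run it after every deployment; a non-zero exit status means at least one item is still readable by anyone. Custom 404 pages that answer with HTTP 200 will show up as findings, which is a good reason to let them return a real 404.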
Besides using SSL for the frontend and the admin interface, there is another important action you can take:
- Protect your /admin/ folder with an .htaccess file that prevents unauthorized browser access to /admin/ and adds an extra security level.
- If you’re using the general export, you must also protect the folder /export with .htaccess to prevent others from reading your shop data.
Having two independent protection mechanisms increases security significantly.
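As an added example (not part of OXID eShop), the script below writes the .htaccess files this advice calls for: one in the document root that switches off directory listings, sends PHP errors to a log instead of the browser and refuses to serve backup copies of config.inc.php, and one each in /admin/ and /export/ that puts HTTP Basic authentication in front of the shop’s own login. It assumes Apache 2.4 with AllowOverride enabled for the document root, that PHP runs as mod_php (otherwise the php_flag lines are ignored and belong in php.ini), and that the password file was created beforehand with htpasswd outside the document root; the paths and the log file location are placeholders.

```shell
#!/bin/sh
# Hardening helper for an OXID eShop document root (added example, not part of
# OXID eShop). Assumes Apache 2.4 with AllowOverride enabled and a password file
# created beforehand, e.g.: htpasswd -c /etc/apache2/oxid.htpasswd shopadmin
# Usage: sh oxid-harden.sh /var/www/oxideshop /etc/apache2/oxid.htpasswd

# Root .htaccess: no directory listings, PHP errors to a log file instead of the
# browser, and never serve backup or editor copies of config.inc.php.
write_root_htaccess() {
  docroot=$1
  cat > "$docroot/.htaccess" <<'EOF'
# --- written by oxid-harden.sh ---
Options -Indexes

# Only honoured when PHP runs as mod_php; with PHP-FPM set the same keys in php.ini.
php_flag display_errors Off
php_flag log_errors On
php_value error_log /var/log/php/oxid_errors.log

# Backup and editor copies (config.inc.php.bak, *.orig, *~ ...) must never be served.
<FilesMatch "(\.(bak|old|orig|sav|swp|tmp)|~)$">
    Require all denied
</FilesMatch>
<FilesMatch "^config\.inc\.php\.">
    Require all denied
</FilesMatch>
EOF
}

# Per-folder .htaccess: HTTP Basic auth in front of /admin/ (on top of the shop's
# own login) and /export/, so exported shop data is not world-readable.
write_protected_htaccess() {
  dir=$1; realm=$2; passwd_file=$3
  cat > "$dir/.htaccess" <<EOF
# --- written by oxid-harden.sh ---
Options -Indexes
AuthType Basic
AuthName "$realm"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# harden DOCROOT PASSWD_FILE: sanity-check the inputs, then write all files.
harden() {
  docroot=${1%/}; passwd_file=$2
  [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }
  [ -f "$passwd_file" ] || { echo "password file missing: $passwd_file (run htpasswd first)" >&2; return 1; }
  case "$passwd_file" in
    "$docroot"/*) echo "refusing: the password file must live outside the document root" >&2; return 1 ;;
  esac
  write_root_htaccess "$docroot"
  for sub in admin export; do
    if [ -d "$docroot/$sub" ]; then
      write_protected_htaccess "$docroot/$sub" "OXID eShop $sub" "$passwd_file"
    fi
  done
  echo "wrote .htaccess files under $docroot"
}

if [ $# -eq 2 ]; then harden "$1" "$2"; fi
```

The refusal to accept a password file inside the document root is deliberate: a readable .htpasswd next to the shop would undo the protection it is meant to add. On nginx there is no .htaccess; the same rules go into the server block (autoindex off, auth_basic, and a location rule denying the backup patterns).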
Never install additional software (e.g. forum or blog software, phpMyAdmin) on the same server as your OXID eShop installation unless it is strictly encapsulated. Ask your provider for details.
If you have no choice and have to install it on the same server, at least make really, really sure that you have the latest security patches for it installed at all times.
Beware! Even if your server and your OXID eShop are up to date, they can become a serious risk if you have not installed the latest versions of all additional tools.
Please protect all parts of your software and any additional folders that you do not want to be publicly accessible with a .htaccess file.
In OXID eSales support we very often come across completely unprotected phpMyAdmin installations. This is a perfect “one-click” opportunity to destroy your entire shop or steal your data! Honestly, it takes just a few clicks to delete all of your database content. It’s pretty simple to find an open phpMyAdmin installation even when the URL looks “cryptic”. Security by obscurity is a myth!