How to Enhance Your Store’s Security After Installing TomatoCart
Written by Jack Yin Thursday, 4 October 2012
After a successful installation of the TomatoCart open-source shopping cart, perform the following steps to secure the online store:
- Remove Installation Files
- Reset File and Directory Permissions
  - Configuration Files
  - Writable Directories
- Extra Protection for the Administration Tool
Remove Installation Files
The install directory must be removed from the web server. As long as it is present, anyone who can reach it can re-run the installation procedure and reconfigure the online store, for example pointing it at a database server under their own control.
Reset File and Directory Permissions
The file permissions on includes/configure.php must deny write access to the web server service. This is commonly done by setting the mode to a read-only value such as 644 or 444. Note that 644 still lets the file's owner write to it; if the web server runs as that owner, which is common on shared hosting, use 444.
The following directories must be writable by the web server service for the Administration Tool to function properly. This is commonly done by setting the mode to the world-writable value 777. Where possible, prefer granting write access only to the web server's user or group (for example 775 with the directory owned by the web server's group), because 777 also lets every other local account write there.
Directories | Web Server Writable
Extra Protection for the Administration Tool
The Administration Tool is protected by its own login routine but is still publicly reachable. For security reasons, it is recommended to protect it further as follows:
- Set an htaccess password on the admin directory, so that the web server demands HTTP authentication before the application's own login page is even served.
- Rename the admin directory to a name that is harder for an attacker to guess. After renaming it, update DIR_FS_ADMIN in includes/configure.php with the new directory name. Renaming only hides the directory; the htaccess password is the control that actually keeps an attacker away from the login.
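The steps above as one script with a check that verifies the result, added here as an example; it is not TomatoCart's own code or documentation. It assumes the store's document root is passed as an argument, the web server runs under a group named in WEB_GROUP (www-data by default), the WRITABLE_DIRS list is a placeholder standing in for the table above, Apache honours .htaccess in the admin directory (AllowOverride AuthConfig), and includes/configure.php spells the admin path as 'admin/' in its DIR_FS_ADMIN define. The htdocs tree it builds under mktemp for the demo is a constructed fixture, not a real install.

```shell
#!/bin/sh
# Added example, not TomatoCart's own code. Assumptions (hypothetical): $1 is the
# store's document root; the web server runs under group $WEB_GROUP; WRITABLE_DIRS
# stands in for the page's table of web-server-writable directories; Apache honours
# .htaccess in the admin directory; configure.php names the admin path as 'admin/'.
WEB_GROUP="${WEB_GROUP:-www-data}"
WRITABLE_DIRS="images includes/work"   # placeholder names, not the real list

mode_of() { ls -ld "$1" | cut -c2-10; }   # e.g. rw-r--r--; portable, no stat -c

# Step 1: remove the installer so nobody can re-run it against another database.
remove_installer() { rm -rf "$1/install"; }

# Step 2a: configure.php read-only. 444 rather than 644 because, if the web
# server runs as the file's owner, 644 still lets it write the file.
lock_config() { chmod 444 "$1/includes/configure.php"; }

# Step 2b: writable directories. Prefer 775 with the web server's group over the
# world-writable 777 the page mentions; fall back to 777 only if chgrp is not possible.
open_writable_dirs() {
  for d in $WRITABLE_DIRS; do
    mkdir -p "$1/$d"
    if chgrp "$WEB_GROUP" "$1/$d" 2>/dev/null; then chmod 775 "$1/$d"; else chmod 777 "$1/$d"; fi
  done
}

# Step 3a: HTTP Basic auth in front of the admin login. The password file must
# live outside the document root so the web server never serves it.
write_htaccess() {   # $1 admin dir, $2 password file
  printf 'AuthType Basic\nAuthName "TomatoCart Administration"\nAuthUserFile %s\nRequire valid-user\n' \
    "$2" > "$1/.htaccess"
}
add_admin_user() {   # $1 password file, $2 user, $3 password
  if command -v htpasswd >/dev/null 2>&1; then   # Apache's own tool, bcrypt hashes
    if [ -f "$1" ]; then htpasswd -bB "$1" "$2" "$3"; else htpasswd -cbB "$1" "$2" "$3"; fi
  else   # apr1 (MD5) hashes are accepted by Apache too
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
  fi
  chmod 640 "$1"
}

# Step 3b: rename admin/ and update every define in configure.php that names it
# (DIR_FS_ADMIN, as the page says). $2 must be a plain name without sed
# metacharacters such as | or &. Must run before lock_config.
rename_admin() {
  cfg="$1/includes/configure.php"
  mv "$1/admin" "$1/$2"
  sed "s|'admin/'|'$2/'|g" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Verify the finished state; prints the first problem found and returns 1.
check_store() {   # $1 store root, $2 admin dir name
  [ ! -e "$1/install" ] || { echo "install/ still present"; return 1; }
  case "$(mode_of "$1/includes/configure.php")" in
    r--r--r--|rw-r--r--) ;;
    *) echo "configure.php is writable by group or others"; return 1 ;;
  esac
  for d in $WRITABLE_DIRS; do
    [ -w "$1/$d" ] || { echo "$d not writable"; return 1; }
  done
  [ ! -d "$1/admin" ] || { echo "admin/ not renamed"; return 1; }
  grep -q '^Require valid-user' "$1/$2/.htaccess" 2>/dev/null || { echo "no .htaccess auth"; return 1; }
  grep -q "DIR_FS_ADMIN.*'$2/'" "$1/includes/configure.php" || { echo "DIR_FS_ADMIN not updated"; return 1; }
  return 0
}

harden_store() {   # $1 store root, $2 new admin name, $3 password file
  remove_installer "$1"
  rename_admin "$1" "$2"
  write_htaccess "$1/$2" "$3"
  lock_config "$1"
  open_writable_dirs "$1"
}

# Constructed fixture standing in for a fresh install (not a real TomatoCart tree).
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/htdocs/install" "$root/htdocs/admin" "$root/htdocs/includes"
  printf "<?php\n  define('DIR_FS_CATALOG', '/var/www/store/');\n  define('DIR_FS_ADMIN', DIR_FS_CATALOG . 'admin/');\n" \
    > "$root/htdocs/includes/configure.php"
  chmod 666 "$root/htdocs/includes/configure.php"   # deliberately too open
  echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture)
  harden_store "$root/htdocs" "backoffice-7f3a" "$root/.htpasswd"
  if command -v htpasswd >/dev/null 2>&1 || command -v openssl >/dev/null 2>&1; then
    add_admin_user "$root/.htpasswd" admin 'change-me'
  fi
  check_store "$root/htdocs" "backoffice-7f3a" && echo "hardened: $root/htdocs"
  rm -rf "$root"
fi
```

Run it with --demo to exercise the functions against the constructed fixture. For a real store, call harden_store with the document root, the new admin directory name and a password-file path outside the document root, then add_admin_user for each administrator. check_store tests only the mode bits and the presence of the .htaccess; it cannot confirm that Apache actually applies it, so after hardening request the admin URL once without credentials and confirm you get a 401 rather than the login page.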