Zen Cart® is made available to you for your use, addition, changes, modification, etc. without charge, under Version 2 of the GNU General Public License.
While we do not charge for this software, donations are greatly appreciated, each time you install a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online E-Commerce store.
Donations can be made on the Zen Cart® Team Page
We appreciate your support.
The Zen Cart® Team
The Zen Cart® Team, along with Zen Cart® Users and Contributors, regularly update security recommendations on the Zen Cart® Website.
You may wish to also consult recommendations posted on the Zen Cart® Website.
A Secure Sockets Layer (SSL) connection is the standard security technology for establishing a secure and encrypted connection between a web server and a browser. This requires a SSL certificate from your web hosting provider or a third party certificate provider.
The preferred would be to have a dedicated SSL certificate but there may be additional expense involved in obtaining this. As a bare minimum, you should use a shared SSL certificate provided by your web hosting provider.
Instead of using regular FTP to access your server files, it is advisable to use an FTP program that allows Secure FTP (SFTP or FTPS). This method will encrypt the information you transmit and receive. This is important especially when you are downloading database backups or configuration files which contain usernames and passwords, etc.
If your web hosting provider does not support Secure FTP, you may wish to consider a web hosting provider that takes security seriously.
It is important that after you have installed your Zen Cart® Store and are satisfied that it is working properly, including test transactions to test ALL the payment and shipping modules you are using.
It is safe to keep these files on your Local PC, since they can be used as references/documentation, or used to aid in troubleshooting as diagnostic tools, or for upgrading/installing again in the future. However, those folders and files should NOT be on a live webserver.
You will need to go to Admin->Configuration->Attribute Settings->Enable Downloads, and set it to False to turn off the warning message about the missing download folder.
If you choose to add downloadable products to your site or music-products, you will want to re-upload these appropriate folders (and their contents) to your server again, and assign appropriate permissions.
Go to Admin->Configuration->Email Options, and change your Email Transport Protocol to SMTPAUTH, and then fill in the SMTP Credentials in the other settings lower on that same screen.
This will not only help prevent outgoing emails from ending up in spam folders, but will also prevent the disclosure of your admin foldername when sending emails from your admin screens.
It is important that you set permissions on the two configure.php files as Read Only. Typically this means setting them to "644", or in some cases "444".
Quite often, setting permissions on a file to read only via FTP will not work. Even if the permission looks like it was set to read only, it really may not have been.
Verify the correct setting by accessing the store to see if there is a warning message on the top of the screen: "Warning: I am able to write to the configuration file:...". In such cases, you will need to use the "File Manager" supplied by your web hosting provider.
If you are using a Windows server, simply set the file as "Read Only for Everyone" and especially the IUSR_xxxxx (Internet Guest Account) user if running IIS, or the "System Account" or "Apache User" if running Apache.
In your ADMIN AREA, open the "Admin Access" menu and choose "Admin Users".
Delete any unused admin accounts. Especially the "Demo" account, if it exists.
It is wise to use complicated passwords so that a would-be hacker cannot easily guess them.
You can change your admin password in Admin->Admin Access->Admin Users, and click on the "Reset Password" button.
We recommend that you use passwords that are at least 8 characters long. Making them alpha-numeric (including letters, numbers, upper-and-lower-case, etc) helps.
If you are going to use normal words, it is a good idea to join two words that do not normally go together.
Several folders, contain are ".htaccess" files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to "any" .PHP scripts, since it is expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly.
If you delete these files, you run the risk of leaving yourself open to people snooping around.
In order for the .htaccess settings supplied with Zen Cart® to work, your web hosting provider must include either "All" or all of these: "Limit Options Indexes" parameters to the "AllowOverride" configuration in the server apache/conf/httpd.conf file.
If your web hosting provider does not allow setting the "OPTIONS" directive, you will need to leave that line out or put a "#" in front of it.
If your web hosting provider does not allow you to create/use your own .htaccess files, they may provide an interface in your hosting control panel where you can set the desired .htaccess settings. Work with your web hosting provider to configure these settings if this is the method they require.
Your web hosting provider may use web serving software, such as Nginx, which do not use .htaccess files.
In the case of Nginx, directives equivalent to the .htaccess rules are provided after installation of Zen Cart® to serve as a start point. These can be found in the "/<YourStoreFolderName>/zc_install/nginx_conf/" folder.
It is best to work with your web hosting provider to select and implement the best method for your specific server.
You need to choose, and use, the appropriate method for your server. We cannot tell you what to use for your specific server, but we offer these guidelines as a starting point.
During initial installation, you are advised to set your images folder to "Read/Write", so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.
However, leaving the images (or any other) folder in read/write mode means that hackers might be able to put malicious files in this (or other) folder(s) and thus create access points from which to attempt nasty exploits.
The folders for which installation suggests "Read/Write" access for setup areoutlined below.
If your site supports .htaccess protection, then you should use it for these folders. (The ".htaccess" files included with v1.3.9 and newer should already cover the basics.)
Be sure you have done all the steps listed in this document
Check your website files regularly to be sure nothing has been added or altered
Ask your web hosting provider what they have done to be sure the server you are on is safe and secure so that outsiders cannot do any harm, and so that other websites on your server cannot be used to get to your site and cause any harm (in case they have security holes in them)
If your business warrants, or you still want additional assurance (if running ther scripts outside of Zen Cart®), hire a security consultant to audit your site regularly.
Check your Zen Cart /cache/ folder for leftover files that do not belong there.
Check your Zen Cart /logs/ folder for "myDebug-XXXXX.log" files to see whether any errors are happening which need to be fixed. Delete the log files after you have addressed the errors.
For additional help and support, visit the Zen Cart® FAQ and the Zen Cart® Support Forum.