Articles » How to protect your online shop and marketplace: 9 security tips and tricks

How to protect your online shop and marketplace: 9 security tips and tricks

eCommerce is a very demanding sphere concerning the security of websites and all the sensitive data stored and processed during the checkout process. Modern CMS including CS-Cart and Multi-Vendor already include strong security protection, but as any software it is fully effective only if appropriately configured, monitored, and integrated with an overall security policy that starts with awareness that each vulnerability in the project might be detected and exploited. 

Widespread security mistakes are shared access to the admin panel, one password to all accounts and lack of data policy and training on the access hygiene and cyber security. In this article we collected 9 hints to prevent most common hackers’ attacks and security threats for websites based on CS-Cart or Multi-Vendor.

1. Rename the administration panel address

We recommend setting up the admin panel URL to a random and secure string like CiFmHsKHSilw.php where the name is generated by a password generator. Don’t use admin.php, secureadmin.php or similar names.

2. Install SSL and make redirects to HTTPS

Secure Sockets Layer (SSL) is a security protocol that creates an encrypted connection between the company’s server and the user’s browser. In eCommerce it is essential to protect online transactions and ensure the security of customer data. If the site does not have a certificate, the browser will warn the user about an “insecure connection”. Would a potential customer trust your shop? Doubtfully. If your hosting provider doesn’t provide an SSL by default, buy it on your own. Our hosting solution for CS-Cart includes a free and auto-renewed SSL certificate, so you don’t have to worry about it.

3. Use strong passwords and two-factor authentication

Always use a unique password for each account you create. Make sure that all passwords to your website, including your CS-Cart admin password, are strong and secure. It is highly recommended to include upper and lower case, numbers, and symbols. Never use one and the same password for different resources.

Use two-factor authentication to prevent unauthorized access to admin panel accounts in your store. Two-factor authentication methods are based on providing a password as the first factor of protection and usage of a security token or a biometric factor, such as a fingerprint or facial scan as the second layer of protection. You can find the recommended add-ons on CS-Cart marketplace to generate one-time passcodes, push notifications, or make phone calls.

4. Install secure add-ons and themes

When choosing a CS-Cart add-on or theme, check if  they are compatible with your CMS version. We recommend downloading apps and design themes from CS-Cart official marketplace. Developers presented there are certified according to CS-Cart standards. CS-Cart specialists test random add-ons and mark them with a special label.They also ensure that posted reviews come from the real owners of CS-Cart stores. 

5. Keep your CS-Cart platform, add-ons and themes updated

Upgrade your store to protect personal data, improve performance and enhance the overall security. It’s highly recommended to install updates issued by CMS, add-ons and themes developers as they include security and performance patches. Don’t forget to create a backup and test updates on a development server before moving to production. Choose hosting providers who provide free daily automated backups and development environments. This will secure your data in case something goes wrong during the update process. 

6. Hide your PHP, NGINX and Apache versions 

When the expose_php directive is enabled, the HTTP response header will include the PHP version. However, you may not want to broadcast the specific PHP version your site is using. Prevent the web server from sending back the “X-Powered-By” header by setting expose_php = off in the php.ini file. This is also handy for PCI compliance. 

Add server_tokens= off to the http- section of the NGINX configuration file.

Add/modify the lines that contain ServerTokens Prod and ServerSignature Off at the end of the Apache2 configuration file.

7. Set tweaks in the config file in the root folder of your project

The list of tweaks in the config file is constantly growing for better performance of projects. It is necessary to set them properly for higher security. We recommend setting the following tweaks to a “true” value on the config.local.php file 

  • api_https_only
  • api_allow_customer if you allow unauthorized clients
  • secure_cookies

Don’t forget to set up cors_allowlist and csp_frame_ancestors.

8. Remove sensitive files

Remove files like temp_dump.sql, error_log, test.php files. These files can help the intruders to get more information about your project. Check with your developer or system administrator the following types of files:

9. Make security audits

During each release of a new version of CS-Cart and Multi-Vendor starting from version 4.12.0 together with our infrastructure and security partner ASAP Lab we conduct SAST and DAST security testing to identify common vulnerabilities and penetration risks in CS-Cart core and default add-ons.  

For projects with numerous modifications, integrations and 3rd party add-ons, we recommend making regular enhanced security audits. A mistake or oversight in any of the above points can potentially lead to a disclosure of sensitive and critical project data, or even compromise it. Usually after the security audit you will get a detailed report on the security status of your project, list of identified vulnerabilities and possible attacks and recommendations for their elimination and prevention to mitigate any security risks.

If you experience any of these signs of cyberattack, don’t postpone a consultation with IT security specialists. Take the security of your projects seriously and enjoy round-the-clock availability of your CS-Cart/Multi-Vendor stores for higher sales, better business reputation and customer loyalty.


Roman Ananyev
CEO ASAP Lab
Hosting for business, custom infrastructure and server services

Leave a Reply

Your email address will not be published.