1. Here are a few steps that should be taken after X-Cart is installed to help keep it secure. If you have any questions about these steps, please submit a support ticket:
2. Make sure you have a valid SSL certificate and that your cart is set up to use HTTPS in the payment methods.
3. Do not use the "master" X-Cart admin account. To change this, log in using your "master" X-Cart admin account and create a new administrator with a user name that is unique to you (i.e. not admin, administrator or master). Log in as the user you just added and delete the "master" user account.
4. Immediately password protect your admin and provider directories. You can password protect these directories using your cPanel, or you can use .htaccess and .htpasswd files.
5. Be aware of your site's file permissions: loose file permissions combined with an exploit can allow someone to write and then execute files on your website. This is a very common attack against X-Cart, so take this step very seriously. In general, your file permissions should appear as follows:
File Type        Permission
*.php            644
*.tpl            644
*.pl             755
*.sh             755
/catalog/        777
/files/          777
/images/         777
/var/            777
/var/* folders   777
/var/* files     666
6. If you SSH into your website, you can run these commands inside your /xcart directory (or whatever directory X-Cart is installed in):
find . -type d -exec chmod 755 {} \;
find . -type d -name 'catalog' -exec chmod 777 {} \;
find . -type d -name 'files' -exec chmod 777 {} \;
find . -type d -name 'images' -exec chmod 777 {} \;
find . -type d -name 'var' -exec chmod 777 {} \;
find . -type d -name 'templates_c' -exec chmod 777 {} \;
find . -type d -name 'log' -exec chmod 777 {} \;
find . -type d -name '.pgp' -exec chmod 777 {} \;
find . -type f -name '*.php*' -exec chmod 755 {} \;
find . -type f -name '*.tpl*' -exec chmod 644 {} \;
find . -type f -name '*.pl*' -exec chmod 755 {} \;
find . -type f -name '*.sh*' -exec chmod 755 {} \;
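Once the permissions in steps 5 and 6 are applied, the check a practitioner wants is an audit that catches drift: anything world-writable outside the directories the table allows to be 777, and any script file sitting inside the content directories. The script below is an added example, not part of the original article or of X-Cart; it assumes POSIX sh, find and mktemp, and it builds a constructed sample install when no XCART_ROOT is given.

```shell
#!/bin/sh
# Added example (not from the original article): audit an X-Cart tree against
# the permission rules in steps 5 and 6 and print every path that deviates.
# Assumes POSIX sh, find and mktemp; the install root is passed as an argument.

# Rule 1: anything world-writable (o+w) outside the four directories the table
# allows to be 777. Those directories are pruned so their contents are skipped.
rogue_writable() {
    root=${1%/}   # strip a trailing slash so the -path comparisons line up
    find "$root" \( -path "$root/catalog" -o -path "$root/files" \
                 -o -path "$root/images" -o -path "$root/var" \) -prune \
         -o -perm -0002 -print
}

# Rule 2: script files inside the content directories (catalog, files, images),
# which should hold only HTML, downloads and images. A .php/.pl/.sh there is the
# write-then-execute case step 5 warns about. var/ is skipped because Smarty
# stores its compiled templates there as .php files by design.
scripts_in_content_dirs() {
    root=${1%/}
    for d in catalog files images; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.sh' \)
        fi
    done
}

# Run both rules; one finding per line, prefixed with the rule that fired.
xcart_perm_audit() {
    rogue_writable "$1"          | sed 's|^|world-writable outside allowed dirs: |'
    scripts_in_content_dirs "$1" | sed 's|^|script in content dir: |'
}

# Constructed sample install (hypothetical paths) with two deliberate violations.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/var/templates_c" "$root/skin1" "$root/include"
    touch "$root/index.php" "$root/skin1/home.tpl" "$root/images/logo.gif" \
          "$root/var/templates_c/cached.php" "$root/images/shell.php" "$root/include/func.php"
    chmod 755 "$root" "$root/skin1" "$root/include"
    chmod 777 "$root/images" "$root/var" "$root/var/templates_c"
    chmod 644 "$root/index.php" "$root/skin1/home.tpl" "$root/images/logo.gif"
    chmod 666 "$root/var/templates_c/cached.php"   # allowed: /var/* files may be 666
    chmod 666 "$root/include/func.php"             # violation 1: writable outside allowed dirs
    chmod 755 "$root/images/shell.php"             # violation 2: script inside a content dir
    printf '%s\n' "$root"
}

# Usage: XCART_ROOT=/path/to/xcart sh audit.sh   (unset: audit the sample tree)
xcart_perm_audit "${XCART_ROOT:-$(make_sample_tree)}"
```

Run it from cron and mail yourself when the output is non-empty; an empty result means the tree still matches the table.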
7. Turn off the "sending credit card information" option in emails. Look in the General Settings -> E-Mail Options section of your X-Cart admin section.
8. DO NOT store credit card information in your database (unless you are using the subscriptions module). To disable this, open your config.php file and ensure the $store_cc variable is set to false (you can do this from within cPanel's "File Manager"):
$store_cc = false;
9. Here are some entries you can add to the .htaccess file (in your /public_html directory). These entries block access to sensitive directories and files. There are many other options you can enter in your .htaccess file to protect it further, but these cover most of what you will need.
# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$
# block the entire log directory
Redirect gone /log
# block all .log (log files), .sql (sql dump/export) and .conf (config files) files
# in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$
# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$
# block access to /upgrade
Redirect gone /upgrade
# block access to /skin1_original
Redirect gone /skin1_original
# block access to the /sql directory
Redirect gone /sql
# block access to the /shipping directory
Redirect gone /shipping
# block access to the pgp directories
Redirect gone /.pgp
Redirect gone /.pgp.def