Securing the /admin/ folder in OpenCart
Because OpenCart is open source, hackers already know its basic file structure and how the core code works, which makes it a potential target. One of the easiest methods of securing your OpenCart dashboard is to rename the /admin/ folder. This will 'hide' the folder from scripts and hackers that look specifically for the 'admin' folder of OpenCart. Follow the steps below to change the /admin/ folder's name. Don't forget that once you do this, you'll need to use the new path to access your admin dashboard.
- Log into cPanel
- Click on File Manager
- Use file manager to navigate to the folder containing the “admin” folder
- Right click on the “admin” folder and select “rename”
- Type in your new name for the “admin” folder (you can change it to whatever you want but the more obscure the name the better such as “ADMIN889723”)
- Now, open the /admin/config.php with the code editor (Remember, you changed the name of the folder. Replace 'admin' with the new folder name).
Important! There are several instances of "admin" throughout the config file. All instances must be changed for this to work.
The instances of "admin" you will need to change are marked with a comment below.

```php
// HTTP
define('HTTP_SERVER', 'http://test.domain.com/opencart/admin/'); // change "admin"
define('HTTP_CATALOG', 'http://test.domain.com/opencart/');

// HTTPS
define('HTTPS_SERVER', 'http://test.domain.com/opencart/admin/'); // change "admin"
define('HTTPS_CATALOG', 'http://test.domain.com/opencart/');

// DIR
define('DIR_APPLICATION', '/home/userna5/public_html/opencart/admin/'); // change "admin"
define('DIR_SYSTEM', '/home/userna5/public_html/opencart/system/');
define('DIR_DATABASE', '/home/userna5/public_html/opencart/system/database/');
define('DIR_LANGUAGE', '/home/userna5/public_html/opencart/admin/language/'); // change "admin"
define('DIR_TEMPLATE', '/home/userna5/public_html/opencart/admin/view/template/'); // change "admin"
define('DIR_CONFIG', '/home/userna5/public_html/opencart/system/config/');
define('DIR_IMAGE', '/home/userna5/public_html/opencart/image/');
define('DIR_CACHE', '/home/userna5/public_html/opencart/system/cache/');
define('DIR_DOWNLOAD', '/home/userna5/public_html/opencart/download/');
define('DIR_LOGS', '/home/userna5/public_html/opencart/system/logs/');
define('DIR_CATALOG', '/home/userna5/public_html/opencart/catalog/');

// DB
define('DB_DRIVER', 'mysql');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'userna5_ocar341');
define('DB_PASSWORD', 'password');
define('DB_DATABASE', 'userna5_ocar341');
define('DB_PREFIX', 'oc_');
```
- There should be 5 instances referencing the /admin/ folder that would need to be updated to the new name you changed the folder to
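The same rename and config update done from a shell, as an added example that is not part of the original tutorial: it renames the folder, rewrites the admin path in config.php, fails if any `/admin/` reference is left behind, and reports how many lines now point at the new folder so you can compare against the 5 expected above. The function names, arguments and the constructed demo tree are assumptions; it also assumes no other path component in the config is literally named `admin`.

```bash
#!/usr/bin/env bash
# Added example: rename OpenCart's admin folder and update its config.php.
rename_oc_admin() {
  local root="$1" new="$2" cfg tmp
  case "$new" in   # accept only a plain folder name (no slashes, dots, spaces)
    ''|*[!A-Za-z0-9_-]*) echo "invalid folder name" >&2; return 2 ;;
  esac
  if [ ! -f "$root/admin/config.php" ]; then echo "no admin/config.php in $root" >&2; return 3; fi
  if [ -e "$root/$new" ]; then echo "$new already exists" >&2; return 4; fi
  mv "$root/admin" "$root/$new" || return 5
  cfg="$root/$new/config.php"; tmp="$cfg.tmp"
  # Rewrite the admin path component, on define() lines only.
  sed "/define(/ s#/admin/#/$new/#g" "$cfg" > "$tmp" || return 6
  mv "$tmp" "$cfg" || return 6
  # A leftover reference would cause file location errors in the dashboard.
  if grep -q "/admin/" "$cfg"; then echo "leftover /admin/ in $cfg" >&2; return 7; fi
  grep -c "/$new/" "$cfg"   # number of lines now referencing the new folder
}

# Constructed sample tree, using config values shown on this page.
make_demo_tree() {
  local d; d="$(mktemp -d)"
  mkdir -p "$d/opencart/admin"
  cat > "$d/opencart/admin/config.php" <<'EOF'
<?php
define('HTTP_SERVER', 'http://test.domain.com/opencart/admin/');
define('HTTP_CATALOG', 'http://test.domain.com/opencart/');
define('HTTPS_SERVER', 'http://test.domain.com/opencart/admin/');
define('DIR_APPLICATION', '/home/userna5/public_html/opencart/admin/');
define('DIR_SYSTEM', '/home/userna5/public_html/opencart/system/');
define('DIR_LANGUAGE', '/home/userna5/public_html/opencart/admin/language/');
define('DIR_TEMPLATE', '/home/userna5/public_html/opencart/admin/view/template/');
EOF
  echo "$d/opencart"
}

root="$(make_demo_tree)"
echo "lines updated: $(rename_oc_admin "$root" ADMIN889723)"
```

Back up the folder before running it against a real installation.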
You can also add another layer of protection to the dashboard by password protecting the /admin/ folder. You can do this by following the tutorial on password protecting directories.
If you need further assistance please feel free to ask a question on our support center website.
2014-02-26 6:07 pm
It may help people if you mention that when you update OC to the next version (and have previously followed your advice to change the admin directory to something else, like "ADMIN889723"), then to remember to account for this when you upload the new version. With that said, does it matter which way to go with the OC update? Should I..
A) Change my admin directory back to 'admin' and change the config file back to its original state?
B) Change the name of the local (i.e., new version that I'm about to upload) admin directory to my name, for instance "ADMIN889723"?
I just want to make sure I don't break anything "internally" when it is installed.
2014-02-27 4:51 am
Hello Sam, thanks for the comment!
You are correct that if you change the admin folder as is discussed in this guide, you would want to keep that folder in mind when doing an upgrade. I'll flag this article for an update, but in your case you'd want to go with option B, as you'd simply be keeping your config files already using this custom folder.
When you do an upgrade of OpenCart, you should back up your website files and also back up your database before starting.
To upgrade, you should download the latest version of OpenCart from their website, and then delete the local /upload/config.php and /upload/admin/config.php files that come along with it so they don't overwrite your current ones. You should also rename the /upload/admin directory to match the custom one you already made on the server for your old installation.
Then you just upload all the folders and files in the local /upload folder via FTP on top of the old OpenCart files on the server. Finally you would access your OpenCart installation followed by /install in the address bar to begin the upgrade process.
Thanks again for the comment, please let us know if you had any other questions at all!
2014-04-19 8:18 am
Hello, what about the vqmod files, should we rename the content too?
2014-04-21 8:18 am
The vqmod files should not need to be changed unless you have something within them that directly reference your admin URL.
2014-04-28 11:15 am
Thanks, I want to try this, but I would like to know if it will affect the extensions that reside in the admin folder.
2014-04-28 2:53 pm
You would need to make the changes for anything residing in the admin folder. If you did not, there would be file location errors occurring when a call is made to anything under the admin folder.