Securing the /admin/ folder in OpenCart

Since OpenCart is open source it can be a target for hackers since they already know the basic file structure and how the core code works. One of the easiest methods of securing your OpenCart dashboard is to rename the /admin/ folder.  This will ‘hide’ the folder from scripts and hackers specifically looking for the ‘admin’ folder of OpenCart. Follow the steps below to change the /admin/ folder’s name. Don’t forget that once you do this, you’ll need to use the new path to access your admin dashboard.

Secure the Admin Folder

  1. Log into cPanel
  2. Click on File Manager
  3. Use file manager to navigadeleting-an-affiliate-account-in-opencartte to the folder containing the “admin” folder
  4. Right click on the “admin” folder and select “rename
  5. Type in your new name for the “admin” folder (you can change it to whatever you want but the more obscure the name the better such as “ADMIN889723”)
  6. Now, open the /admin/config.php with the code editor (Remember, you changed the name of the folder. Replace ‘admin’ with the new folder name).

    Important! There are several instances of “admin” throughout the config file. All instances must be changed for this to work.

    Below in Red is the instances of admin you will need to change.

    // HTTP define('HTTP_SERVER', 'http://test.domain.com/opencart/admin/'); define('HTTP_CATALOG', 'http://test.domain.com/opencart/');  // HTTPS define('HTTPS_SERVER', 'http://test.domain.com/opencart/admin/'); define('HTTPS_CATALOG', '>http://test.domain.com/opencart/');  // DIR define('DIR_APPLICATION', '/home/userna5/public_html/opencart/admin/'); define('DIR_SYSTEM', '/home/userna5/public_html/opencart/system/'); define('DIR_DATABASE', '/home/userna5/public_html/opencart/system/database/'); define('DIR_LANGUAGE', '/home/userna5/public_html/opencart/admin/language/'); define('DIR_TEMPLATE', '/home/userna5/public_html/opencart/admin/view/template/'); define('DIR_CONFIG', '/home/userna5/public_html/opencart/system/config/'); define('DIR_IMAGE', '/home/userna5/public_html/opencart/image/'); define('DIR_CACHE', '/home/userna5/public_html/opencart/system/cache/'); define('DIR_DOWNLOAD', '/home/userna5/public_html/opencart/download/'); define('DIR_LOGS', '/home/userna5/public_html/opencart/system/logs/'); define('DIR_CATALOG', '/home/userna5/public_html/opencart/catalog/');  // DB define('DB_DRIVER', 'mysql'); define('DB_HOSTNAME', 'localhost'); define('DB_USERNAME', 'userna5_ocar341'); define('DB_PASSWORD', 'password'); define('DB_DATABASE', 'userna5_ocar341'); define('DB_PREFIX', 'oc_');
  7. There should be 5 instances referencing the /admin/ folder that would need to be updated to the new name you changed the folder to

You can also add another layer of protection to the dashboard by password protecting the /admin/ folder. You can do this by following the tutorial on password protecting directories.

If you need further assistance please feel free to ask a question on our support center website.

InMotion is Here to Help

With a dedicated server, you can easily manage your OpenCart application through SSH. This means fast access to your files from any location where you have online access. Also, you get the support  you need. Have questions with OpenCart? We have a education channel for that too. Check out our dedicated server review for more information about how we are here to help.

Looking for a host for your OpenCart installation? Go to OpenCart Hosting Accounts with Inmotion Hosting for more information.

Thoughts on “Securing the /admin/ folder in OpenCart

  • This article is so outdated and wrong it’s ridiculous it hasn’t been changed. It’s good to have the full info on this article especially since 99% of installations will not be kept at default. To pug it bluntly, the information in this article is good for the stock default installation of opencart but the very moment you install a theme or a module or an extension, it all goes haywire.

    If you have modules and extensions installed, you will need to look through all of their files and change any part of their code that points to the default admin panel directory to your new directory. If you do not do this, you will get errors when trying to configure those modules or extensions in the admin panel. If those modules or extensions relate to product or category enhancements, you will get errors when trying to create or edit any of them.

    The info in this article only does the base exterior visual part of it and fixes some of the back end things for the default install, it won’t work for everything. I recommend having a copy of Dreamweaver and using the Find tool to find all instances of admin and then replace them with your new directory name. HOWEVER, be careful to look at each instance you are replacing to ensure that it is a directory instance and not a part of the code which has nothing to do with directory pointing.

    It is a much more lengthy process if you have any additional stuff installed than this guide states.

    • Thanks for your comment, your feedback is very valuable. Also, your recommendations are always welcome and appreciated to help support the community!

  • I am looking for ways to secure my Openacrt store after multiple attacks and I would like to try this one. But I have lots of extensions already, so would I need reinstall all of them, changing the name of the admin folder and admin references for each one? Also, when uploading new extensions, will I have to do the same? Thank you

  • I tried using ftp to server to rename the admin folder and change the config.php file. However, I have checked the steps and found out the 

    admin/view/template/report/adv_customers.tpl file and

    admin/controller/module/adsmart_search.php

    both have reference to /admin inside. So I changed them also and uploaded the 3 files to the server. Our OC 1.5.6 had a cache module installed by someone else, and i dont know this is causing problems after we made the change. After we made the change, when we tried login to the admin screen, nothing happens and we are shown the admin login screen again. Also, there was error message when users tried to click links like login / shopping cart etc from our homepage so they cannot make purchases. after i rebooted the server, due to having only 10gb free the mysqld does not start. we immediately tried undoing the change we made to the admin section, and after freeing up disk space and rebooting the server, the OC seems to working normally. So after this trauma, i dont know if i could rename the admin folder without causing problems.

    • Lenny, it certainly sounds like renaming the admin folder again may be a bad idea. I would recommend contacting the OpenCart community at https://www.opencart.com/?route=support/support for more assistance with this. Alternatively, you may need to work with an experienced web developer, if you don’t have one already, to assist you in resolving this issue.

  • Be sure to goto Extentions/Modifications and refresh after the change and your extentions should reappair as with my installation.

  • Hello, thanks for this article … 

    I have a quick question though — 

    “admin” is referenced inside of the admin/controller/extension/installer.php 

    Do we change ‘admin’ mentions to our renamed folder name inside of this file also?

     

  • hi,

    i followed the above steps, changed the instances in Admin/config.php

    i have also installed vqmod and changed the pathReplaces.php

    but u still get an error message

    Fatal error: Call to undefined method Exception::getClass() in /homepages/6/d631535011/htdocs/system/engine/front.php on line 61

    • Either the files aren’t where they are expected to be, or the file permissions are wrong. I would try to check vqmod and verify it is set up correctly. Call to undefined method, means its not defining something which usually means the file that defined the method is not loaded.

  • Yes, I change each of the five instances metioned in step 7,  I followed the all the above instructions. All my extentions stop working… Please help; what do I do?

    • Changing the path to /admin should not have an effect on your extensions. I suggest changing it back and try completing the steps again. If that doesn’t work you, provide us your domain and we can look into it further.

  • Yes, I did follow all the instructions by changing the five instances mentioned in Step 7. it affected almost all the extentions to stop working.

    Please help… what do I need to do?

  • Hello Please I followed the above instructions and it works out but when I try to purchase an item its giving error “Fatal error: require_once(): Failed opening required ‘admin/model/sms/hooks.php’ (include_path=’.:/usr/local/lib/php’) in /home/expygrou/public_html/shop/catalog/controller/sms/events.php on line 1″

    thats means customers will not recieve sms and will not see confirmation page

    Please help….

  • Thanks for your time and effort on the matter TJEdens and Arn. I will contact the extention developers then, in order to secure the admin environment a bit better.

    Kind regards and keep up the great work!

  • Hi guys, thanks for the reply!

    At the moment I use an SEO extension called “All in one SEO”. The settings of this extensions can be altered in the backend under catalog. It probably is easy to fix, but I do not possess the knowhow, nor can find it yet on the net.

    Kind regards,
    Stef

    • Hello Stef,

      As the “All in one SEO” is a third-party software affecting your extensions, and you want to alter the way it works, you will probably be best served by contacting the author of the extension. If you directly contact them, then you will much quicker and more accurate response for your needs. Apologies that we can’t give you a direct solution for the issue.

      Kindest regards,
      Arnel C.

  • Hi Tim and staff, 

    Thanks for the great information! Everything seems to work perfectly, except that I can’t see (and therefore access) some extensions in the backend after having changed the admin folder name. 

    I’ve replaced “admin” in the /admin/config.php file, but what else should be changed?

    Kind regards and thanks again for the post!

    • Hello Stef,

      Can you inform us of what extensions do this when you make that change so we can try to replicate it on our system.

      Best Regards,
      TJ Edens

  • thanks, I want to try this, but I would like to know if it will affect the extenssions that reside in the admin folder.

    • Hello,

      You would need to make the changes for anything residing in the admin folder. If you did not, there would be file location errors occurring when a call is made to anything under the admin folder.

      Kindest Regards,
      Scott M

    • The vqmod files should not need to be changed unless you have something within them that directly reference your admin URL.

  • It may help people if you mention that when you update OC to the next version (and have previously followed your advice to change the admin directory to something else, like “ADMIN889723″), then to remember to account for this when you upload the new version. With that said, does it matter which way to go with the OC update? Should I..

    A) Change my admin directory back to ‘admin’ and change the config file back to it’s original state? 

    or 

    B) Change the name of the local (ie., ner version that I’m about to upload) admin to directory to my name, for instance “ADMIN889723″? 

    I just want to make sure I don’t break anything “internally” when it is installed. 

    Thanks!

    Sam (@perspectiverse)

    • Hello Sam, thanks for the comment!

      You are correct that if you change the admin folder as is discussed in this guide, you would want to keep that folder in mind when doing an upgrade. I’ll flag this article for an update, but in your case you’d want to go with option B, as you’d simply be keeping your config files already using this custom folder.

      When you do an upgrade of OpenCart, you should backup your website files and also backup your database before starting.

      To upgrade, you should download the latest version of OpenCart from their website, and then delete the local /upload/config.php and /upload/admin/config.php files that come along with it so they don’t overwrite your current ones. You should also rename the /upload/admin directory to match the custom one you already made on the server for your old installation.

      Then you just upload all the folders and files in the local /upload folder via FTP on top of the old OpenCart files on the server. Finally you would access your OpenCart installation followed by /install in the address bar to begin the upgrade process.

      Thanks again for the comment, please let us know if you had any other questions at all!

      – Jacob

Leave a Reply to InMotionFan Cancel reply