SafetyDetectives had the chance to talk to the security experts of Antropy., a team of web developers specialising in specialises in e-commerce solutions for OpenCart merchants.
We looked at their approach to prevent and react to the security threats most commonly faced by OpenCart website owners, and what security trends they should keep an eye on.
What are the most common vulnerabilities faced by your clients?
The most common ones we encounter are Distributed Denial of Service attacks (DDoS Attacks).
These can disrupt the website’s availability, often resulting in the website going down and being inaccessible to customers thus preventing orders and resulting in a loss of income or leads.
DDoS Attacks may not be specifically targeted at a particular business, although they have the potential to while others are carried out randomly, with attackers selecting targets without specific intent.
The internet is a vast ecosystem, and many computer systems from various locations worldwide have been compromised without the owners’ knowledge and are often incorporated into a “botnet,” a network of infected computers controlled by a single entity. These botnets are frequently used in DDoS attacks to achieve various malicious objectives.
As with many systems being compromised, there are so many web-crawlers, legitimate or malicious that exist and scan websites for various bits of information such as email addresses, phone numbers, and checking your SEO score that can overload cheap servers resulting in downtime similar to a DDoS attack. OpenCart-based websites as well were recently targeted for DDoS/Bruteforce attempts on the admin panel.
We at Antropy have developed a couple of methods to help prevent this, either via the .htaccess, a vQmod/OCMOD or Cloudflare WAF.
Secondly, we see a lot of websites that don’t have directory indexing turned off, leading to open directories which can be indexed by search engines.
Open directories can lead to exposure of files that aren’t meant to be public. One thing that people like to do is store backups or other files within the public root directory or in a folder that can easily be guessed, such as “backups” allowing whoever to view this directory, and to download possible sensitive files.
Amongst the rest, we also see a lot of weak passwords leading to compromised accounts or systems resulting in attackers stealing and/or uploading code to stay hidden in the system.
There are so many tools and password lists now that brute-force attacks can happen within minutes to hours and if login routes aren’t rate-limited, they can often go undetected until the system has been compromised.
Have I Been Pwned provides a great service to see if your passwords have been leaked online and if any of your email addresses have been exposed in previous data leaks.
How do you help prevent these vulnerabilities?
We employ several strategies to help prevent the vulnerabilities mentioned, particularly DDoS attacks, directory indexing, and weak passwords. Here are some ways these issues can be addressed:
DDoS Attacks
There are a number of methods to prevent these attacks, the one we recommend the most would be to utilise Cloudflare as they also offer a service (and other useful services) called “Attack Mode” which can prevent traffic from ever reaching the server.
While in Attack Mode, visitors will often be shown a quick loading page with a CAPTCHA which most of the time visitors won’t be required to complete and if they do, it’s often just a single click.
This allows for authentic visitors to reach the site and browse/shop as intended as the visitors won’t be shown this page again until their next session.
Using a decent hosting provider will often help as well, they’ll be able to handle larger loads better than other cheap hosting sites and can often utilise services such as Imunify360 that can help prevent malicious traffic.
Open Directories
Fixing open directories is a simple task, on some websites when set up directory listings are enabled by default and aren’t always noticed.
Ensuring the server is set up correctly is crucial as simple things such as this can be overlooked and if you happen to store ZIP file backups in a directory in your public root, they have a chance of being found.
Weak Passwords
It’s a good idea to not reuse passwords and to also use a Password Manager, I personally have been a Bitwarden customer for many years and I’ve never had an issue with forgetting passwords as they can easily be synced and used on multiple devices.
What further steps do you suggest your clients take to improve the security of their applications?
We recommend checking if you’re making use of services you have available such as Imunify360 and Cloudflare as these services can be set up but forgotten about so they aren’t utilised at all.
We also offer an OpenCart Health Check service for OpenCart based stores which will check over the store, code, server and more to ensure best practices are in place and help identify issues.
We also recommend a good password manager, generator and to use two-factor authentication (2FA) where applicable.
Maintain regular backups of your application and its data. Ensure that backups are securely stored offsite and are regularly tested to ensure you’re able to recover otherwise if you have non-working/corrupt backups, that is the same as not having any backups at all.
And what is your suggested reaction plan in case of a breach?
In the event of a website breach, it’s a good idea to take the website offline / place it into maintenance mode to prevent customers from accessing the site and being potentially exposed.
If you’re using security software such as Imunify360, it would be a good idea to run a malware scan of the website(s) to help identify which files are or have malicious code within them.
With the same or similar software, you can often clean up these files by quarantining or removing them to ensure they can’t be accessed anymore.
It’ll be crucial to identify where these came from which can be tricky so it’s best to ensure your software is always up to date with the latest patches to prevent any known exploits from being used and ensure you’re using strong passwords.
We would also recommend contacting a cybersecurity company as they can often assist with malware cleanup and running frequent malware checks along with offering testing services to ensure your application isn’t vulnerable.
What security challenges do you see in the future of your industry, and what should site owners do to prevent them?
Automated attacks have existed for many years and aren’t likely to go away anytime soon but likely to increase over time.
We could likely start seeing attacks powered by artificial intelligence, as AI and machine learning technologies advance and become more readily available, attackers may use AI to automate and enhance their attack strategies which could lead to more sophisticated and targeted attacks.