Security Measures To Take Right After An Opencart Installation


When it comes to security, compromise is the last thing that you should ever do. Do not ever start directly right after a fresh OpenCart installation or an update (Read 5 Steps to upgrade from OpenCart 1.5X to OpenCart 2.X). Prior to that, it is very important to take some security measures that I am going to discuss in this article. You can use these measures as a checklist to be taken care of right after an OpenCart installation.

1. Delete the Install folder-  You can find the install folder usually in “public_html/upload/install”. Right after your installation is complete, delete this install folder. This folder contains critical information about the site database, MVC structure, and some other important information, but they are not needed after the installation is complete. If you have noticed, even the OpenCart installer interface asks you to delete this folder just after the installation process is completed.


2. Clear demo data of OpenCart- On the first installation of OpenCart, you would find a lot of demo data in the OpenCart system. It has a lot of demo data for sample customers, sample products, sample sales, and much more. These data are just for reference purpose which should be deleted prior to setting up a real web-shop. If you do not delete the demo data, it will just clutter with your real data and cause a lot of confusion.

You can delete the demo images from:

‘upload/image/cache/catalog/demo/’ &


To have a fresh database, with no Products information in your OpenCart database all you need to do is execute the following command in MySQL console.

Caution: Do not ever run these commands on your live sites, unless you want to lose everything. These commands will clear your database. So, it is recommended to use only on a fresh OpenCart installation where you do not have anything important in the database.

DELETE FROM oc_address;

DELETE FROM oc_category;

DELETE FROM oc_category_description;

DELETE FROM oc_category_to_store;

DELETE FROM oc_coupon;

DELETE FROM oc_customer;

DELETE FROM oc_download;

DELETE FROM oc_download_description;

DELETE FROM oc_manufacturer;

DELETE FROM oc_manufacturer_to_store;

DELETE FROM oc_product;

DELETE FROM oc_product_description;

DELETE FROM oc_product_discount;

DELETE FROM oc_product_featured;

DELETE FROM oc_product_image;

DELETE FROM oc_product_option;

DELETE FROM oc_product_option_description;

DELETE FROM oc_product_option_value;

DELETE FROM oc_product_option_value_description;

DELETE FROM oc_product_related;

DELETE FROM oc_product_special;

DELETE FROM oc_product_to_download;

DELETE FROM oc_product_to_store;

DELETE FROM oc_review;

DELETE FROM oc_store;

DELETE FROM oc_store_description;

DELETE FROM oc_product_tags;

DELETE FROM oc_order;

3. Check that no demo vouchers are there- In OpenCart 1.5.x, there are some demo vouchers available which are same in all OpenCart 1.5.x installations. Delete them from ‘sales/coupons’ tab, unless you want the hackers to utilize those coupons. If you have the OpenCart 2.0.x version, you might not need to do the same as there are no sample coupons in 2.0.x, but still it’s worth checking once.


4. Change your admin URL- Admin URL is the first thing hacker check when they come to your website. You do not want to make it so easy for them to guess your admin URL by leaving it as ‘yoursiteurl/admin’ itself. To ensure the site security, you must change your Admin URL from the default ‘yoursiteurl/admin’ to something not easy to guess. It’s an important item in our checklist here.

To change the Admin URL follow these instructions:

A. Open admin/config.php

B. Replace the word ‘Admin’ everywhere in the file with whatever word you want to use in the admin URL. And it’s done here.

Please note: If you are using VQMOD to perform the changes here, you must follow these additional steps:

C. Open vqmod/install/index.php file

D. Replace $admin= “admin” With $admin = “yourchosenword

E. For older version of VQMOD (older than 2.3.0), open all the files one-by-one in the vqmod/xml and replace all “admin” with your chosen word.

PS: “yourchosenword” is whatever word you want to use for your admin panel

5. Remove Default customer groups- Default customer groups don’t give a security threat though, but it is a recommended practice to remove the default customer groups. Now that you have cleared your database, default products and everything, creating your new customer groups as per your requirement is a good practice. Keeping default customer groups will just confuse you.

With OpenCart 1.5.x and 2.0.x both, you will find this section at ‘sales/customers/customer groups’.


Now that you are aware of the basic OpenCart security check, you are all set to proceed with your online shop setup. You can proceed with your post installation steps like OpenCart template installation, plugins for advanced features, and so on.

There are few companies which also provide the OpenCart installation services, where they take care of all these aspects. If you are not confident about a perfect installation by yourself, you may use their services if required.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s