
    Opencart Web Application Firewall (WAF) Security

    When the data behind an Opencart store needs protecting, a Web Application Firewall (WAF) is one of the first layers to reach for.

    Web Application Firewall Security: What is it?

    Ongoing cyber crime and data theft have pushed business owners to look for far stronger protection for their websites' data.

    That protection is essential: a store owner who loses data to an attacker loses revenue and, just as damaging, the customers' goodwill.

    Putting the Opencart website behind a WAF, or Web Application Firewall, is one sound way to raise that bar.

    A WAF sits in front of the application and inspects the HTTP requests and responses passing through it, dropping requests that match known attack patterns before they reach the store's code. It does not replace TLS: keeping data confidential in transit remains the job of HTTPS.

    It can block application-layer attacks such as SQL injection and cross-site scripting, and it can throttle some application-level denial-of-service patterns; a volumetric Distributed Denial of Service (DDoS) attack, however, has to be absorbed upstream at the network or CDN layer.

    With those benefits in mind, Webkul's Opencart Web Application Firewall (WAF) Security module implements a set of WAF-style protections inside the store itself.

    The module adds 2-factor authentication for admin, customer and affiliate logins.

    Store owners can also ban individual IP addresses or entire countries: a visitor whose IP address or country is banned cannot log in.

    For an online business these controls are an inexpensive way to harden the storefront and the customer data behind it.

    Customers who trust a store keep coming back, which shows up as better retention and higher conversion.

    Features

    • The store owner can enable 2-factor authentication for admin, customer and affiliate logins.
    • Users enrol in 2-factor authentication by scanning a QR code with Google Authenticator, and then enter the code the app generates at each login.
    • reCAPTCHA can be required on the admin login.
    • Pre-sign-up email validation: a new customer must verify the email address before the account is registered.
    • AbuseIPDB is integrated to block (and report) abusive IP addresses.
    • The admin can allow or disallow specific file types for upload.
    • Password-reset notifications can be sent to admin users and customers when needed.
    • The admin can create custom email templates.
    • For additional security, the admin can block a single IP address or a set of them from reaching the website's data.
    • Likewise, the admin can block a country or a set of countries.
    • A Brute Force log lists the login attempts made against the store, per user.
    • A Directory Permission page lists the website's directories and files with a secure / not secure verdict.
    • Together these controls protect the website's data from the malicious activity described above.

    Installation

    Upload Files

    First, extract the downloaded zip file, then open the folder that matches the Opencart version installed on your system.

    Upload the admin, catalog and system folders from it into the Opencart root directory.

    Refresh Modifications

    Navigate to Extensions > Modifications and click the Refresh button, as shown in the screenshot below.

    Edit User Groups

    Next go to System > Users > User Groups and edit 'Administrator'. Click Select All for both Access Permission and Modify Permission, then Save. (For any other admin group, grant only the WAF routes it actually needs rather than selecting all: these pages decide who can log in, so treat them as sensitive.)

    Install

    Now navigate to Extensions > Modules, find Webkul WAF Security in the list and click the Install button, as shown in the screenshot below.

    Retrieving the Google Recaptcha API Keys

    To obtain the Google reCAPTCHA API keys, follow these steps:

    Step 1:

    • Navigate to Google's reCAPTCHA page and click the My reCAPTCHA button on the right.

    Step 2:

    • A Google account is required. Enter the Gmail user name and password and click Next to proceed.

    Step 3:

    On the page that opens (shown below):

    • Enter a label that will make the site easy to identify later.
    • Choose reCAPTCHA V2 as the type of reCAPTCHA.
    • Enter the domain name where it will be used (registering domain.com also covers subdomain.domain.com).
    • Accept the reCAPTCHA Terms of Service by ticking the checkbox.
    • Click the Register button.

    Step 4:

    • Google then shows the reCAPTCHA Site Key and Secret Key. The Site Key is embedded in the login page; the Secret Key is used only server-side to verify responses and must never be sent to the browser or committed to a public repository.

    Module Configurations: Web Application Firewall

    From now on, when the admin attempts to log in, a pop-up for Webkul WAF Security 2-factor Authentication appears.

    It contains a QR code, which the admin scans with Google Authenticator on a smartphone; the code the app then generates is required to complete the login.

    After installation the admin panel also gains a WAF Security menu option.

    The WAF Security menu has the following sub-menu options:

    –WAF Module Configuration

    –WAF Security:

    • IP Ban 
    • Country Ban
    • Brute Force Log
    • Directory Permission

    WAF Module Configuration

    Initially, the admin has to configure the General, API Keys and Mail tabs under WAF Module Configuration.

    Each tab is covered in turn below.

    General Tab:

    The admin configures fields such as Status, reCAPTCHA Option for Admin Login, Number of Allowed Failed Attempts, Poor Password Check, etc.

    The General settings are:

    Status: enable or disable the module.

    reCAPTCHA Option for Admin Login: if enabled, a reCAPTCHA is shown on the admin login once the allowed number of failed attempts has been used up.

    Number of Allowed Failed Attempts: how many failed logins are tolerated before the reCAPTCHA is demanded.

    User/Customer IP Abuse Confidence Score: a threshold compared against the AbuseIPDB abuseConfidenceScore of the login IP. AbuseIPDB scores run from 0 to 100, where 100 means the address has been reported as abusive with the highest confidence.

    • If the IP's AbuseConfidenceScore is higher than this value, the user cannot log in. A low threshold blocks more addresses; 100 effectively switches the check off.

    reCAPTCHA Display Pages: the pages on which the reCAPTCHA is shown.

    Poor Password Check: if enabled, weak passwords are rejected when a customer registers.

    Pre SignUp Email Validation: if enabled, the email address must be verified before a customer can register.

    Admin Google 2Factor Verification: if enabled, admin users go through 2-factor verification when logging in.

    Customer/Affiliate Google 2Factor Verification: if enabled, customers and affiliate users go through 2-factor verification when logging in.
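The General tab settings above (allowed failed attempts, reCAPTCHA after the limit, AbuseIPDB score threshold) combine into one login decision. The following is an added example of such a gate written for this page; it is not Webkul's code, and it assumes failures are counted per client IP in a sliding window, that the reCAPTCHA is demanded once the allowed count is reached, and that the AbuseIPDB reply has the shape of the real v2 `/check` endpoint (the sample reply and all names here are constructed).

```python
"""Added example, not the module's code: a login gate that behaves like the
General tab settings above.  Assumptions: failures are counted per client IP
inside a sliding window; the reCAPTCHA is demanded once the allowed count is
reached; and a login is refused when the AbuseIPDB abuseConfidenceScore
exceeds the configured threshold."""
import json
import time
from collections import defaultdict

# Constructed sample of an AbuseIPDB v2 /check reply. The field names follow
# the real API; the values are invented for this example.
SAMPLE_ABUSEIPDB_REPLY = json.dumps({
    "data": {
        "ipAddress": "203.0.113.9",
        "abuseConfidenceScore": 87,
        "countryCode": "ZZ",
        "totalReports": 42,
    }
})


def abuse_score(reply_text):
    """Extract abuseConfidenceScore (0-100) from an AbuseIPDB /check reply."""
    return int(json.loads(reply_text)["data"]["abuseConfidenceScore"])


class LoginGate:
    def __init__(self, allowed_failures=3, max_abuse_score=50, window_seconds=900):
        self.allowed_failures = allowed_failures
        self.max_abuse_score = max_abuse_score
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)   # ip -> timestamps of recent failures

    def _recent_failures(self, ip, now):
        recent = [t for t in self._failures[ip] if now - t < self.window_seconds]
        self._failures[ip] = recent
        return len(recent)

    def captcha_required(self, ip, now=None):
        """True once the IP has used up its allowed failed attempts."""
        now = time.time() if now is None else now
        return self._recent_failures(ip, now) >= self.allowed_failures

    def check(self, ip, password_ok, captcha_ok=False, abuse=0, now=None):
        """Decide a login attempt.  password_ok is the credential check result,
        captcha_ok the outcome of the server-side reCAPTCHA verification, and
        abuse the IP's AbuseIPDB score.  Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if abuse > self.max_abuse_score:
            return False, "ip_abuse_score"
        if self.captcha_required(ip, now) and not captcha_ok:
            return False, "captcha_required"
        if not password_ok:
            self._failures[ip].append(now)
            return False, "bad_credentials"
        self._failures[ip].clear()           # success resets the counter
        return True, "ok"
```

The `captcha_ok` flag must come from the server posting the user's reCAPTCHA response token, together with the Secret Key, to Google's `siteverify` endpoint and reading the `success` field of the reply; a flag set by the browser is worthless. The AbuseIPDB score is likewise fetched server-side with the API key, and caching it per IP for a while keeps the login path from making one outbound request per attempt.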

    API Keys tab: 

    Next, the admin fills in the API Keys tab, which needs the Google reCAPTCHA Site Key and Secret Key obtained above.

    The API Keys tab fields are:

    Google reCAPTCHA Site Key: obtained from Google's reCAPTCHA site.

    Google reCAPTCHA Secret Key: obtained from Google's reCAPTCHA site; keep it server-side.

    AbuseIPDB API Key: generated in an AbuseIPDB account on the AbuseIPDB website.

    Mail Tab:

    The third tab is the Mail tab, which contains the following sub-tabs:

    • New File Notification
    • Login Notification
    • Other Notification
    • SignUp Email Notification
    • Mail Info

    The configuration of each sub-tab is as follows:

    New File Notification

    Under this tab the admin configures fields such as Add New File Notification, File Extensions, Add New File Notification Subject, etc.

    The fields are:

    Add New File Notification: if enabled, the admin receives an email whenever a new file appears in the store's directories.

    File Extensions: the file extensions the admin allows.

    Add New File Notification Subject: the subject of the new-file notification email.

    Add New File Notification Description: the body of the new-file notification email.

    Login Notification 

    The admin configures fields such as Admin Login Notification Status, Subject and Description, and the same three for catalog (storefront) logins.

    The settings of the Login Notification tab are:

    Admin Login Notification:

    • Status: enable notifications for admin logins.
    • Subject: the subject of the admin login notification email.
    • Description: the body of the admin login notification email.

    Catalog Login Notification:

    • Status: enable notifications for storefront (catalog) logins.
    • Subject: the subject of the catalog login notification email.
    • Description: the body of the catalog login notification email.
    Other Notification

    Under this tab the admin configures fields such as Reset Current LoggedIn Admin User Password, Reset Password Notification Status, etc.

    The Other Notification settings are:

    Reset Current LoggedIn Admin User Password: if enabled, the password of the currently logged-in admin user is reset.

    Reset Password Notification Status: if enabled, the reset-password notification is sent to all admin users and customers.

    Admin Reset Password Notification Subject: the subject of the admin reset-password notification.

    Admin Reset Password Notification Description: the body of the admin reset-password notification.

    Customer Reset Password Notification Subject: the subject of the customer reset-password notification.

    Customer Reset Password Notification Description: the body of the customer reset-password notification.

    These notifications let the admin push a password reset to admin users and customers when suspicious activity has been seen.

    SignUp email Notification

    The admin configures the fields SignUp Email Validation Status, Subject and Description.

    The SignUp Email Notification settings are:

    SignUp Email Validation

    • Status: if enabled, a verification email is sent when a customer registers.
    • Subject: the subject of the verification email.
    • Description: the body of the verification email.

    Mail Info:

    This tab lists the placeholder codes the admin can use when writing the email templates above.

    WAF Security IP Ban

    Once the WAF Module Configuration is done, the admin configures the WAF Security IP Ban sub-menu option.

    Clicking it opens the WAF Security IP Ban list shown in the image below.

    Each IP address in the list has a status that the admin can switch between Enabled and Disabled at any time.

    • An IP address whose status is Disabled is blocked: any visitor connecting from it cannot log in.

    To enable IP addresses again, the admin selects them in the list as shown below.

    Then the admin clicks the thumbs-up button in the top-right corner of the WAF Security IP Ban page, as shown in the image below.

    The message "Success: IP enabled successfully!" is displayed and the status of the selected addresses changes to Enabled, as shown in the image below.

    Likewise, the admin blocks enabled addresses by selecting them and clicking the thumbs-down button in the top-right corner of the WAF Security IP Ban page.

    WAF Security Country Ban

    Next, the admin configures the WAF Security Country Ban sub-menu option.

    Clicking it opens the WAF Security Country Ban page shown in the image.

    It holds the WAF Security Country Ban list, in which each country has a status the admin can switch between Enabled and Disabled at any time.

    • A country whose status is Disabled is blocked: a visitor whose IP address resolves to that country cannot log in.

    To enable countries again, the admin selects the entries whose status is Disabled in the list, as shown below.

    Then the admin clicks the thumbs-up button in the top-right corner of the WAF Security Country Ban page, as shown in the image below.

    The message "Success: Country enabled successfully!" is displayed and the status of the selected countries changes, as shown in the image below.

    Likewise, the admin blocks enabled countries by selecting them and clicking the thumbs-down button in the top-right corner of the WAF Security Country Ban page. Country lookup is only as good as the IP-to-country data behind it, so treat a country ban as a coarse filter, not an authentication control.
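Both ban lists above turn into one question per request: which address is this visitor really coming from, and is that address (or its country) blocked? The following added example, written for this page and not taken from the module, shows that check. It assumes a ban entry can be a single address or a CIDR range, that the address to judge is the TCP peer unless the request came through a trusted reverse proxy, and that country lookup is a caller-supplied function (a GeoIP database in practice; the table, ranges and country codes here are constructed).

```python
"""Added example, not the module's code: ban-list checks in the spirit of the
IP Ban and Country Ban pages above.  Assumptions: a ban entry is a single
address or a CIDR range; the address judged is the TCP peer unless the
request arrived through a trusted proxy; and country lookup is supplied by
the caller (a GeoIP database in practice, a constructed table here)."""
import ipaddress

# Constructed data for the example (documentation ranges, invented country codes).
BANNED_NETWORKS = [ipaddress.ip_network(n) for n in
                   ("203.0.113.0/24", "198.51.100.17/32", "2001:db8::/32")]
BANNED_COUNTRIES = {"ZZ"}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
GEO_TABLE = {"203.0.113.5": "ZZ", "192.0.2.44": "ZZ", "198.51.100.1": "AA"}


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to judge.  X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy, and then the right-most hop that is not a
    trusted proxy wins.  Trusting the header blindly would let anyone dodge a
    ban by sending X-Forwarded-For themselves."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer) or not x_forwarded_for:
        return peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                     # malformed header: use the socket address
        if not _trusted(addr):
            return addr
    return peer


def ip_banned(addr):
    return any(addr in net for net in BANNED_NETWORKS)


def country_banned(addr, lookup=GEO_TABLE.get):
    code = lookup(str(addr))
    return code is not None and code.upper() in BANNED_COUNTRIES


def access_decision(remote_addr, x_forwarded_for=None):
    """'allow', 'deny:ip' or 'deny:country' for one request."""
    addr = client_ip(remote_addr, x_forwarded_for)
    if ip_banned(addr):
        return "deny:ip"
    if country_banned(addr):
        return "deny:country"
    return "allow"
```

The point of `client_ip` is the caveat that matters most for any IP-based ban: a store behind a CDN or load balancer sees the proxy's address as the peer, and a store not behind one must ignore `X-Forwarded-For` entirely, otherwise a banned visitor simply adds the header.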

    WAF Security Brute Force Log

    The next item in the list is the WAF Security Brute Force Log.

    Clicking the WAF Security Brute Force Log sub-menu option opens the WAF Security Brute Force Log page.

    It shows the login history of all users, as in the image below; repeated failures from one address or against one account are what to look for here.

    WAF Security Directory Permission

    Lastly, the WAF Security Directory Permission sub-menu option is the final configuration page.

    It lists the website's directories and files and marks each one as secure or not secure, as shown in the image below. Anything flagged not secure should be fixed on the server, typically by tightening its permission bits, rather than ignored.
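The New File Notification setting (Mail tab) and the Directory Permission page above are two views of the same filesystem audit: what appeared since last time, and what is writable by people it should not be. The following added example, written for this page and not part of the module, implements both on a small constructed tree: it snapshots a directory, reports newly added files with a watched extension, and flags any entry whose mode has the other-write bit set. The extension set and the "world-writable means not secure" rule are this example's assumptions.

```python
"""Added example, not the module's code, for the New File Notification and
Directory Permission features above: snapshot the store tree, report files
that appeared since the snapshot with a watched extension, and mark any
entry that is writable by 'other' as not secure.  The tree, its files and
the watched extension set are constructed here for the demo."""
import os
import stat
import tempfile

WATCHED_EXTENSIONS = {".php", ".phtml", ".html"}   # assumption: what a dropped web shell looks like


def snapshot(root):
    """relative path -> (mode, size) for every directory and file under root."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            seen[os.path.relpath(full, root)] = (st.st_mode, st.st_size)
    return seen


def new_watched_files(baseline, current):
    """Regular files present now but not in the baseline, with a watched extension."""
    return sorted(p for p in current.keys() - baseline.keys()
                  if stat.S_ISREG(current[p][0])
                  and os.path.splitext(p)[1].lower() in WATCHED_EXTENSIONS)


def permission_report(current):
    """'not secure' when the mode has the other-write bit (mode & 0o002) set."""
    return {p: ("not secure" if mode & stat.S_IWOTH else "secure")
            for p, (mode, _size) in current.items()}


def demo():
    """Build a small tree, take a baseline, then drop a PHP file into a 777 cache dir."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "image", "cache"))
        os.makedirs(os.path.join(root, "system", "storage"))
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("<?php\n")
        os.chmod(os.path.join(root, "config.php"), 0o644)
        os.chmod(os.path.join(root, "image", "cache"), 0o777)    # the classic misconfiguration
        os.chmod(os.path.join(root, "system", "storage"), 0o750)
        baseline = snapshot(root)
        # something (an attacker, or a careless upload handler) adds files later
        with open(os.path.join(root, "image", "cache", "shell.php"), "w") as f:
            f.write("<?php\n")
        with open(os.path.join(root, "image", "cache", "x.jpg"), "w") as f:
            f.write("")
        current = snapshot(root)
        return new_watched_files(baseline, current), permission_report(current)
```

In production the baseline would be persisted between runs (and ideally carry a hash per file, so modified files are caught as well as new ones), and the report for a real store should pay particular attention to directories the web server must write to, such as image caches and upload folders, since a writable directory that also executes PHP is where dropped web shells end up.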

    Frontend Workflow

     
    2-factor Authentication Process: For Registered Customers

    In the frontend, registered customers go through 2-factor authentication before they reach their accounts.

    The customer enters the email address and password and logs in in the usual way, as shown in the image below.

    As soon as the details are submitted, a pop-up for WAF Security 2-factor Authentication appears, as shown in the image below.

    The customer scans the QR code with Google Authenticator, which has to be installed on the customer's smartphone.

    The app then shows a code, which the customer types into the Google 2factor Authenticate Code field, as shown in the image below.

    If the code matches the one the server computes, the customer is redirected to the account page shown below.
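The QR-code-plus-Google-Authenticator flow described for the admin (Module Configurations) and for customers above is time-based one-time passwords. The following is an added example written for this page, not Webkul's implementation: it assumes the QR code carries a standard `otpauth://` URI with a base32 secret, SHA-1, 6 digits and a 30-second step (Google Authenticator's defaults), and shows enrolment, code generation (RFC 4226 HOTP under RFC 6238 TOTP) and a verifier that tolerates clock drift without accepting replays. The function names are this example's own; `RFC_SECRET` is the RFC 6238 test secret.

```python
"""Added example, not Webkul's code: the TOTP mechanism behind the QR code /
Google Authenticator step, per RFC 6238 with RFC 4226 HOTP underneath.
Assumptions: the module's QR code carries a standard otpauth:// URI with a
base32 secret, SHA-1, 6 digits and a 30-second step (Google Authenticator's
defaults); all names below are this example's own."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def new_secret(nbytes=20):
    """Fresh per-user secret; base32 is what authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_uri(secret_b32, account, issuer):
    """The text encoded in the enrolment QR code."""
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
            % (quote(issuer), quote(account), secret_b32, quote(issuer)))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, at=None, period=30):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period))


def verify(secret_b32, submitted, at=None, period=30, window=1, last_used=None):
    """Accept codes for the current step and +/- `window` steps of clock drift,
    but never a step at or before the one already consumed (replay defence).
    Returns the accepted step, or None."""
    at = time.time() if at is None else at
    step = int(at // period)
    submitted = submitted.strip().replace(" ", "")
    for candidate in range(step - window, step + window + 1):
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return candidate
    return None


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") in base32
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

The server has to keep the secret per user (encrypted at rest, since whoever reads it can mint codes), remember the step returned by `verify` as `last_used` so a sniffed code cannot be replayed inside the drift window, and rate-limit submissions: a 6-digit code with a three-step window gives roughly 3 in 10^6 odds per guess, which is only safe when guesses are throttled.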

    Email Verification: For New Customers

    A new customer who wishes to register with the website has to go through email verification.

    The New Customer form is shown first; the new customer clicks the Continue button, as shown below.

    This leads to the Register Account page, where the customer fills in the Personal Details and Password and agrees to the Privacy Policy.

    On the same Register Account page there is a Verify Email button, which the new customer must click after entering the email address.

    Clicking Verify Email shows the success message "Verification message has been sent to your above email address!", as in the image below, and the registration can only complete once the link in that email has been followed.
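What makes the Verify Email step above prove anything is the token in the link that is mailed out: it must be unguessable, tied to the address, and short-lived. The following added example, written for this page and not taken from the module, shows one such token. It assumes HMAC-SHA256 over the address and an expiry timestamp with a server-side key, URL-safe base64 encoding, and 24-hour validity; the names and the sample addresses are constructed.

```python
"""Added example, not the module's code: the kind of signed, expiring token
that the Verify Email step above would put in the link it mails to the
address typed on the Register Account page.  Assumptions: HMAC-SHA256 over
(email, expiry) with a server-side key, URL-safe base64 encoding, and a
24-hour validity period."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SERVER_KEY = secrets.token_bytes(32)   # in practice a persistent secret loaded from config
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(email, key=SERVER_KEY, ttl=24 * 3600, now=None):
    """token = base64url(email|expiry|HMAC(email|expiry))"""
    now = int(time.time() if now is None else now)
    payload = ("%s|%d" % (email.strip().lower(), now + ttl)).encode()
    raw = payload + b"|" + _sign(payload, key)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def verification_link(base_url, email, **kw):
    """The URL placed in the verification email."""
    return base_url + "?" + urlencode({"token": make_token(email, **kw)})


def check_token(token, key=SERVER_KEY, now=None):
    """Return the verified address, or None if the token is malformed,
    forged, tampered with or expired.  The signature is checked in constant
    time before the expiry is even parsed."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < SIG_LEN + 2 or raw[-SIG_LEN - 1:-SIG_LEN] != b"|":
        return None
    payload, sig = raw[:-SIG_LEN - 1], raw[-SIG_LEN:]
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    email, _, expiry = payload.rpartition(b"|")
    if not expiry.isdigit() or int(expiry) < now or not email:
        return None
    return email.decode()
```

Because the expiry is inside the signed payload, an attacker cannot extend it, and because the address is too, a token mailed to one address cannot be used to confirm another. A production version would also mark the token as used once it has been redeemed, so a leaked link cannot confirm the address twice.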

    Recaptcha Visibility: In the Contact Us Form

    The Contact Us form also carries the reCAPTCHA, for additional protection against automated submissions.

    The customer fills in the Name, Email Address and Enquiry and passes the reCAPTCHA validation, as shown in the image below.

    That is all for the Opencart Web Application Firewall (WAF) Security module. If you face any issue, raise a ticket at HelpDesk Support.

    Current Product Version - 2.0.1.0

    Supported Framework Version - 2.x.x.x, 3.x.x.x
