When the security of an Opencart store's data is the concern, a Web Application Firewall is a natural choice.
Web Application Firewall Security: What is it?
Owing to ongoing cyber crime and data theft, business owners have been looking for strong protection for their website's data.
This is imperative: otherwise store owners risk losing their data to attackers, which brings heavy losses in revenue as well as in customer goodwill.
Securing an Opencart website with a WAF (Web Application Firewall) is therefore a good idea.
A WAF inspects the HTTP traffic passing between clients and the store and filters out malicious requests before they reach the application.
It can help protect the website's data against SQL injection, cross-site scripting, Distributed Denial of Service (DDoS) and similar attacks. Note that a WAF works at the application layer; a volumetric DDoS still needs network-level mitigation upstream of the web server.
With these benefits in mind, the Opencart Web Application Firewall (WAF) Security module implements WAF features for Opencart.
The Opencart Web Application Firewall (WAF) Security module provides two-factor authentication for admin, customer and affiliate users.
Store owners can also ban IP addresses or countries: any request coming from a banned IP address or country is denied access to the store's data.
It is therefore worthwhile for online businesses to adopt the WAF security features, improving the security of the website and of its customers' data.
This in turn helps with customer retention and with revenue, through comparatively higher sales conversions.
- The store owner can enable two-factor authentication for admin, customer and affiliate user login.
- For two-factor authentication, users scan a QR code with Google Authenticator and enter the code the app generates.
- The reCAPTCHA feature is available for the admin login.
- The module allows pre-sign-up email validation.
- The module integrates AbuseIPDB to block and report IPs.
- The admin may choose which file types are allowed to be uploaded.
- Password reset notifications are sent to admin users and customers when required.
- The admin can create custom email templates.
- For additional security, the admin may ban an IP or a set of IPs from accessing the website's data.
- Likewise, the admin may ban a country or a set of countries from accessing the website's data.
- The Brute Force Log lists the users that have made login attempts.
- The Directory Permission page lists the website's directories and flags their content as secure or insecure.
- Overall, the WAF module protects the website's data from these malicious attacks.
First, extract the downloaded zip file, then open the folder that matches the Opencart version installed on your system.
Upload the admin, catalog and system folders from that version folder to the Opencart root directory.
Edit User Groups
Retrieving the Google Recaptcha API Keys
To obtain the Google reCAPTCHA API keys, follow these steps:
- First, navigate to Google's reCAPTCHA page and click the My reCAPTCHA button on the right.
- A Google Account is required to sign in: enter the Gmail user name and password and click Next to proceed.
As a result, the registration page shown below opens, where the user needs to:
- Enter a label that will make it easy to identify the site in future.
- Choose the type of reCAPTCHA as reCAPTCHA V2.
- Enter the domain name where the reCAPTCHA will be used (registering domain.com also covers subdomain.domain.com).
- Accept the reCAPTCHA Terms of Service by checking the checkbox.
- Lastly, click the Register button.
- Consequently, the user receives the reCAPTCHA Site Key and Secret Key. The Site Key is embedded in the login page and is public; the Secret Key is used only server-side to verify responses and must never appear in page source or client-side code.
Module Configurations: Web Application Firewall
After the installation is complete, the admin will find the WAF Security menu option in the admin panel.
The WAF Security menu has the following sub-menu options:
- WAF Module Configuration
- IP Ban
- Country Ban
- Brute Force Log
- Directory Permission
WAF Module Configuration
Initially, the admin has to configure the General, API Keys and Mail tabs under WAF Module Configuration.
Let us take a deep dive into each tab configuration, individually.
Eventually, the admin will configure the General settings as under:
Status: Enable the module.
Recaptcha Option for Admin Login: If enabled, a reCAPTCHA is shown on the admin login form once the allowed number of failed login attempts has been exceeded.
Number of Allowed Failed Attempts: The number of failed login attempts permitted before the reCAPTCHA is shown.
User Customer IP Abuse Confidence Score: The threshold (0 to 100) against which the AbuseIPDB abuseConfidenceScore of the user's or customer's IP address is checked.
- If AbuseIPDB reports a score higher than this value, the user cannot log in.
Recaptcha Display Pages: The pages on which the reCAPTCHA is shown.
Poor Password Check: If enabled, the password a customer chooses during registration is checked for weakness.
Pre SignUp Email Validation: If enabled, the email address must be verified before a customer can register.
Admin Google 2Factor Verification: If enabled, the admin must complete two-factor verification when logging in.
Customer/ Affiliate Google 2Factor Verification: If enabled, customer and affiliate users must complete two-factor verification when logging in.
API Keys tab:
The API Keys tab is configured as follows:
Google Recaptcha Site Key: The Site Key obtained from Google's reCAPTCHA site, as described above.
Google Recaptcha Secret Key: The Secret Key obtained from Google's reCAPTCHA site.
AbuseIPdb API Key: The API key obtained from the AbuseIPDB website.
The third tab is the Mail tab, which contains the following sub-tabs:
- New File Notification
- Login Notification
- Other Notification
- SignUp Email Notification
- Mail Info
The configuration of each sub-tab is described below.
New File Notification
The fields are configured as follows:
Add New File Notification: If enabled, the admin receives an email notification whenever a new file is added to the website.
File Extensions: The file extensions that are permitted for upload.
Add New File Notification Subject: The subject of the new file notification email.
Add New File Notification Description: The body of the new file notification email.
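The two checks behind these settings, as an added example written for this page and not the module's own code (the module itself is PHP; Python is used here so the logic can be run stand-alone). The allowlist, the directory layout and the snapshot format are assumptions; the sample files are constructed inline.

```python
"""Added example: extension allowlisting for uploads and new/changed-file
detection, as the 'File Extensions' and 'Add New File Notification' settings
describe. Not the module's code; the allowlist and layout are assumptions."""
import hashlib
import tempfile
from pathlib import Path

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumed allowlist
# Server-side executable extensions that must not appear anywhere in the name:
# with Apache's AddHandler a file called "shell.php.jpg" can still be executed.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                         "phar", "cgi", "pl", "sh", "htaccess"}


def is_upload_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Final extension must be allowlisted and no dotted part may be executable.
    Dotfiles (.htaccess) and names without an extension are refused."""
    name = Path(filename).name.lower()          # drop any directory component
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in allowed


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def new_or_changed(baseline, current):
    """Paths to notify about: absent from the baseline, or with a different hash."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def demo_new_file_detection():
    """Constructed demo: take a baseline, then add a file and tamper with another."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "image").mkdir()
        (r / "image" / "logo.png").write_bytes(b"PNG")
        (r / "config.php").write_text("<?php // original")
        baseline = snapshot(r)
        (r / "image" / "shell.php").write_text("<?php /* unexpected */")   # new file
        (r / "config.php").write_text("<?php // tampered")                 # changed file
        return new_or_changed(baseline, snapshot(r))
```

The snapshot is what the notification has to be compared against; a check that only looks at modification times can be defeated by `touch`. The extension check deliberately rejects any executable extension anywhere in the name, not only the last one, and it says nothing about the path: the upload handler must still write the file under a fixed directory using a server-chosen name.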
The Login Notification tab is configured as follows:
Admin Login Notification:
- Status: Enable the admin login notification.
- Subject: The subject of the admin login notification email.
- Description: The body of the admin login notification email.
Catalog Login Notification:
- Status: Enable the catalog (storefront) login notification.
- Subject: The subject of the catalog login notification email.
- Description: The body of the catalog login notification email.
Next, the Other Notification tab is configured as follows:
Reset Current LoggedIn Admin User Password: If enabled, the password of the currently logged-in admin user is reset.
Reset Password Notification Status: If enabled, the password reset notification is sent to all admin users and customers.
Admin Reset Password Notification Subject: The subject of the admin password reset notification.
Admin Reset Password Notification Description: The body of the admin password reset notification.
Customer Reset Password Notification Subject: The subject of the customer password reset notification.
Customer Reset Password Notification Description: The body of the customer password reset notification.
SignUp Email Notification
The SignUp Email Notification tab is configured as follows:
SignUp Email Validation
- Status: If enabled, a verification email is sent when a customer registers.
- Subject: The subject of the SignUp Email Validation email.
- Description: The body of the SignUp Email Validation email.
The admin can insert the placeholder codes from the given list when writing the email templates.
WAF Security IP Ban
After the WAF Module Configuration is saved, the admin configures the WAF Security IP Ban sub-menu option.
On clicking the WAF Security IP Ban sub-menu option, the admin will find the WAF Security IP Ban List shown in the image below.
The admin can enable or disable any listed IP at any time.
- An IP whose status is disabled is banned: any user logging in from that IP address cannot log in.
To enable IPs, the admin selects them from the list as shown below.
Likewise, the admin can disable enabled IPs by selecting them and clicking the thumbs-down button at the top right of the WAF Security IP Ban page.
WAF Security Country Ban
Next, the admin configures the WAF Security Country Ban sub-menu option.
On clicking the WAF Security Country Ban sub-menu option, the admin is redirected to the WAF Security Country Ban page shown in the image.
The admin will find the WAF Security Country Ban List, where a country can be enabled or disabled at any time.
- Any user logging in from a disabled country cannot log in.
To enable countries, the admin selects the countries whose status is disabled from the list as shown below.
Likewise, the admin can disable enabled countries by selecting them and clicking the thumbs-down button at the top right of the WAF Security Country Ban page.
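How the three login gates described on this page (IP Ban, Country Ban, and the Abuse Confidence Score threshold) fit together, as an added example written for this page and not the module's own code (the module is PHP; Python is used so the logic can be run stand-alone). The ban lists, the threshold, the GeoIP table and the AbuseIPDB response are all constructed inline; the real `/api/v2/check` endpoint does return `data.abuseConfidenceScore`, but the values here are made up.

```python
"""Added example: login gating by IP ban list, country ban list and AbuseIPDB
abuseConfidenceScore, as the WAF settings on this page describe. Not the
module's code; configuration and sample data are constructed."""
import ipaddress
import json
import urllib.parse
import urllib.request
from typing import Iterable, Optional, Tuple

# Constructed configuration mirroring the admin settings.
BANNED_IPS = ["203.0.113.7", "198.51.100.0/24"]   # disabled entries in the IP Ban list
BANNED_COUNTRIES = {"XX"}                         # disabled entries in the Country Ban list
ABUSE_SCORE_THRESHOLD = 50                        # "User Customer IP Abuse Confidence Score"

# Constructed GeoIP table; a deployment would query a GeoIP database instead.
GEOIP = {"203.0.113.7": "XX", "198.51.100.9": "XX", "192.0.2.10": "US", "192.0.2.77": "XX"}


def ip_to_country(ip: str) -> Optional[str]:
    """Stand-in for the GeoIP lookup (assumption); None when unknown."""
    return GEOIP.get(ip)


def ip_is_banned(ip: str, banned: Iterable[str] = BANNED_IPS) -> bool:
    """Match single addresses and CIDR ranges; an unparsable IP fails closed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in banned)


def abuse_check_request(ip: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) the AbuseIPDB v2 check request; the key goes in the Key header."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": 90})
    return urllib.request.Request("https://api.abuseipdb.com/api/v2/check?" + query,
                                  headers={"Key": api_key, "Accept": "application/json"})


def abuse_response(ip: str, score: int) -> str:
    """Constructed /api/v2/check body with the fields this check uses."""
    return json.dumps({"data": {"ipAddress": ip, "abuseConfidenceScore": score}})


def abuse_score(check_response: str) -> int:
    """abuseConfidenceScore is a 0-100 percentage in the response's data object."""
    return int(json.loads(check_response)["data"]["abuseConfidenceScore"])


def login_allowed(ip: str, abuse_body: Optional[str],
                  threshold: int = ABUSE_SCORE_THRESHOLD) -> Tuple[bool, str]:
    """Apply the gates in order; the first failing gate decides."""
    if ip_is_banned(ip):
        return False, "ip banned"
    country = ip_to_country(ip)
    if country in BANNED_COUNTRIES:
        return False, f"country {country} banned"
    if abuse_body is not None and abuse_score(abuse_body) > threshold:
        return False, "abuse confidence score above threshold"
    return True, "ok"
```

The IP fed to these checks must be the address of the TCP peer, or the rightmost trusted hop of `X-Forwarded-For` when the store sits behind a proxy the operator controls; an `X-Forwarded-For` value taken from an untrusted client lets the client pick which IP gets checked. The AbuseIPDB lookup is a network call with a rate limit, so in practice its result is cached per IP rather than fetched on every login.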
WAF Security Brute Force Log
The next item in the configuration list is the WAF Security Brute Force Log.
On clicking the WAF Security Brute Force Log sub-menu option, the admin is redirected to the WAF Security Brute Force Log page, which lists the login attempts recorded by the module.
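The logic that ties the Brute Force Log to the "Number of Allowed Failed Attempts" and "Recaptcha Option for Admin Login" settings, followed by the server-side check of the reCAPTCHA response using the Secret Key obtained earlier, as an added example written for this page and not the module's own code (the module is PHP; Python is used so it runs stand-alone). The log line format, the counting window, and the rule that the reCAPTCHA appears once more than the allowed number of attempts have failed are assumptions; the log lines and the siteverify response are constructed.

```python
"""Added example: failed-login counting over constructed Brute Force Log lines,
deciding when the reCAPTCHA must be shown, plus validation of Google's
siteverify response. Not the module's code; format and window are assumptions."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta

ALLOWED_FAILED_ATTEMPTS = 3       # "Number of Allowed Failed Attempts" setting
WINDOW = timedelta(minutes=15)    # assumed window in which failures are counted

# Constructed log lines: "<iso timestamp> <client ip> <username> <FAIL|OK>"
LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:09 203.0.113.7 admin FAIL
2024-05-01T10:00:15 203.0.113.7 admin FAIL
2024-05-01T10:00:22 203.0.113.7 admin FAIL
2024-05-01T10:03:00 192.0.2.10 alice FAIL
2024-05-01T10:03:30 192.0.2.10 alice OK
"""


def parse_log(text):
    """Return (timestamp, ip, user, result) tuples in log order."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            entries.append((datetime.fromisoformat(ts), ip, user, result))
    return entries


def recent_failures(entries, ip, now, window=WINDOW):
    """Consecutive failures from `ip` inside the window; a successful login resets them."""
    count = 0
    for ts, entry_ip, _user, result in entries:
        if entry_ip != ip or ts > now or now - ts > window:
            continue
        count = 0 if result == "OK" else count + 1
    return count


def captcha_required(entries, ip, now, limit=ALLOWED_FAILED_ATTEMPTS):
    """Show the reCAPTCHA once more than the allowed number of attempts have failed."""
    return recent_failures(entries, ip, now) > limit


def siteverify_request(secret_key, response_token, remote_ip=None):
    """Build (but do not send) the POST to Google's siteverify endpoint.
    The Secret Key is only ever used here, server-side."""
    fields = {"secret": secret_key, "response": response_token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return urllib.request.Request("https://www.google.com/recaptcha/api/siteverify",
                                  data=urllib.parse.urlencode(fields).encode(), method="POST")


def captcha_passed(siteverify_json, expected_hostname, now, max_age=timedelta(minutes=2)):
    """Accept only a successful, fresh response issued for our own hostname.
    Google also refuses to verify the same token twice, so a passed token cannot be replayed."""
    data = json.loads(siteverify_json)
    if data.get("success") is not True or data.get("hostname") != expected_hostname:
        return False
    challenge = datetime.strptime(data["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    return timedelta(0) <= now - challenge <= max_age
```

Counting per source IP is what the log supports, but an attacker spraying one password across many accounts from many addresses stays under any per-IP limit; a second counter keyed on the target username catches that case. The `hostname` check matters because a Site Key is public: without it, a token solved on an attacker's own page that embeds the same Site Key would verify.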
WAF Security Directory Permission
The WAF Security Directory Permission page lists the website's directories and flags their content as secure or insecure.
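A permission audit of the kind the Directory Permission page performs, as an added example written for this page and not the module's own code (the module is PHP; Python is used so it runs stand-alone). The rules for what counts as secure are assumptions stated in the code: nothing under the web root should be world-writable, and Opencart's `config.php` and `admin/config.php` should not be writable once installation is complete. The directory tree is constructed in a temporary directory.

```python
"""Added example: flag directories and files with insecure permissions under a
web root, in the spirit of the Directory Permission page. Not the module's
code; the rules below are assumptions."""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: these are read-only after installation (Opencart's own advice
# is to remove write permission from them once the installer has run).
CONFIG_FILES = {"config.php", "admin/config.php"}
ANY_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def classify(root):
    """Return {relative path: 'secure' | 'insecure: reason[, reason]'} for every entry."""
    root = Path(root)
    report = {}
    for path in [root] + sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode
        reasons = []
        if mode & stat.S_IWOTH:                       # anyone on the host can write here
            reasons.append("world-writable")
        if path.is_file() and rel in CONFIG_FILES and mode & ANY_WRITE:
            reasons.append("config writable")
        report[rel] = "insecure: " + ", ".join(reasons) if reasons else "secure"
    return report


def insecure_entries(report):
    """Just the paths the admin needs to act on."""
    return sorted(p for p, status in report.items() if status != "secure")


def demo_permission_audit():
    """Constructed web root: a world-writable upload dir, a locked config,
    and an admin config that was left writable."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "image").mkdir()
        (r / "admin").mkdir()
        (r / "config.php").write_text("<?php // locked")
        (r / "admin" / "config.php").write_text("<?php // forgotten")
        os.chmod(r / "image", 0o777)                 # insecure: world-writable
        os.chmod(r / "config.php", 0o444)            # secure
        os.chmod(r / "admin" / "config.php", 0o644)  # insecure: config writable
        os.chmod(r / "admin", 0o755)
        return classify(r)
```

Permission bits only describe the host; if the web server runs as the same user that owns the files, a `0o644` file is still writable by any code the server executes. That is why the audit treats the config files specially instead of only looking at the "other" bits.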
2-factor Authentication Process: For Registered Customers
In the frontend, registered customers encounter two-factor authentication before logging in to their accounts.
The customer enters the email address and password and proceeds to log in in the usual way, as shown in the image below.
As soon as the customer submits the login form, a WAF Security 2factor Authentication pop-up appears, as shown in the image below.
The customer scans the QR code with the Google Authenticator app installed on their smartphone; the QR code carries the shared secret that the app enrols, so it should be scanned only on the customer's own device.
Google Authenticator then displays a six-digit code, which the customer enters in the Google 2factor Authenticate Code field, as shown in the image below.
If the code matches the one computed from the enrolled secret, the customer is redirected to their account page, as shown below.
Email Verification: For New Customers
A new customer who wishes to register with the website has to go through the Email Verification process.
To register, the new customer clicks the Continue button on the New Customer form, as shown below.
On the Register Account page itself, a Verify Email button is present; after entering the email address, the new customer clicks it to start the verification.
On clicking the Verify Email button, the success message "Verification message has been sent to your above email address!" is displayed, as shown in the image below.
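What the verification email needs to carry, together with the Poor Password Check from the General settings, as an added example written for this page and not the module's own code (the module is PHP; Python is used so it runs stand-alone). The token format, the per-installation secret, the 24-hour lifetime and the password policy are all assumptions.

```python
"""Added example: a signed, expiring email-verification token for the Pre
SignUp Email Validation flow, and a poor-password check. Not the module's
code; format, secret and policy are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-installation key kept server-side
TOKEN_TTL = 24 * 3600                     # assumption: links are valid for one day


def _mac(email: str, exp: int, nonce: str, secret: bytes) -> str:
    """HMAC over the email, expiry and nonce, so none of them can be altered."""
    msg = f"{email.strip().lower()}|{exp}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_verification_token(email: str, now: Optional[int] = None,
                            secret: bytes = SERVER_SECRET) -> str:
    """Token placed in the verification link: "<expiry>.<nonce>.<hmac>"."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    nonce = secrets.token_hex(8)
    return f"{exp}.{nonce}.{_mac(email, exp, nonce, secret)}"


def verify_token(email: str, token: str, now: Optional[int] = None,
                 secret: bytes = SERVER_SECRET) -> bool:
    """True only for an unexpired token minted for exactly this email."""
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False
    if int(time.time() if now is None else now) > exp:
        return False
    return hmac.compare_digest(_mac(email, exp, nonce, secret), mac)


COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "opencart", "admin123"}


def is_poor_password(pw: str, email: str = "") -> bool:
    """Assumed policy: 10+ characters, not a common password, not containing
    the local part of the email, and at least three character classes."""
    if len(pw) < 10 or pw.lower() in COMMON_PASSWORDS:
        return True
    local = email.split("@")[0].strip().lower()
    if local and local in pw.lower():
        return True
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return classes < 3
```

The token binds the link to the email address, so a verified state must be recorded server-side against that same address and the final registration must refuse to proceed unless that record exists; trusting a "verified" flag posted back by the browser would let the Verify Email step be skipped entirely.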
Recaptcha Visibility: In the Contact Us Form
In the Contact Us form as well, customers will find the reCAPTCHA for additional security.
The customer enters the Name, Email Address and the Enquiry and completes the reCAPTCHA validation, as shown in the image below.
Hence, that’s all for the Opencart Web Application Firewall (WAF) Security module. If you face any issue, feel free to raise and add a ticket at HelpDesk Support.
Current Product Version - 220.127.116.11
Supported Framework Version - 2.x.x.x, 3.x.x.x