When the security of an Opencart website’s data is the concern, what better than a Web Application Firewall!
Web Application Firewall Security: What is it?
Owing to ongoing cyber crime and data theft, business owners have been seeking sound security for their website’s data.
This is imperative; otherwise store owners may lose their data to hackers, which would cost them both revenue and customer goodwill.
Securing the Opencart website with a WAF, or Web Application Firewall, is therefore a good idea.
A WAF inspects the data being transmitted to and from the store and protects it against data theft and malicious activity.
Keeping these benefits in mind, we have the Opencart Web Application Firewall (WAF) Security module, which implements the features of a WAF.
Opencart Web Application Firewall (WAF) Security module facilitates the 2-factor authentication process for the admin, customers, and affiliate users.
The store owners can also ban one or more IPs or countries. Any person trying to access data from a banned IP address or country will be refused access.
Online businesses should therefore adopt the WAF security feature to enhance the security of their websites and their customers’ data.
This in turn helps customer retention and revenue through comparatively higher sales conversions.
Note:
1. This module supports all templates and themes including the Journal theme.
2. Also, Opencart Web Application Firewall (WAF) Security supports the Multi-Store feature of default Opencart.
Watch the video tutorial below to understand the plugin workflow:
Features
- The store owner can enable 2-factor authentication for the admin, customer, and affiliate user login.
- For 2-factor authentication, the logging-in users scan the QR code using Google Authenticator.
- Recaptcha can be enabled for the admin login.
- This module allows pre-sign-up email validation.
- This module also integrates AbuseIPDB to block and report IPs.
- Also, the admin may choose to allow or disallow specific file types that can be uploaded.
- Notifications for resetting passwords are sent to admin users and customers when needed.
- The admin can create custom email templates.
- For additional security, the admin may restrict an IP or a set of IPs from accessing the website’s data.
- Likewise, the admin may restrict a country or a set of countries from accessing the website’s data.
- A Brute Force log lists the users who have made login attempts.
- It also displays a list of the website’s directory content, marked as secure or insecure.
- Provides the WAF Security Email Domain Ban feature and shows the WAF Security Email Domain Ban log as well.
- The overall security of the website’s data is taken care of by WAF and it protects data from malicious attacks.
- This module supports the Multi-Store feature of default Opencart.
Installation
Upload Files
First, extract the downloaded zip file. Then open the folder matching the Opencart version installed on your system.
Further, upload admin, catalog, and system to the Opencart root directory.
Refresh Modifications
Navigate to Extensions > Modifications and click the Refresh button, as shown in the screenshot below.
Edit User Groups
Thereafter, go to System > Users > User Groups and edit ‘Administrator’. Click Select All for both Access Permission and Modify Permission, and save.
Install
Now navigate to Extensions > Modules. Find Webkul WAF Security from the list. Click the Install button as visible in the screenshot below.
Retrieving the Google Recaptcha API Keys
To obtain the Google Recaptcha API keys, follow these steps:
Step 1:
- Navigate to the Google reCAPTCHA page and click the Recaptcha button on the right.
Step 2:
- The user must have a Google Account to log in: enter the Gmail user name and password and click the Next button to proceed.
Step 3:
As a result, a page as shown below will open up where the user needs to:
- Enter a label that will make it easy to identify the site in the future.
- Choose the type of reCAPTCHA as – reCAPTCHA V2.
- Enter the Domain name (registration for domain.com also registers subdomain.domain.com) where the user wishes to use it.
- Accept the reCAPTCHA Terms of Service by checking the checkbox.
- Lastly, click the Register button.
Step 4:
- Consequently, the user will receive the ReCaptcha Site Key and Secret Key.
Module Configurations: Web Application Firewall
As the admin attempts to log in, a pop-up for Webkul WAF Security 2factor Authentication will appear.
It includes a QR Code, which the admin must scan using Google Authenticator on the smartphone to log in.
Meanwhile, after completion of the installation process, the admin will find the WAF Security menu option in the admin panel.
The following sub-menu options appear under the WAF Security menu:
- WAF Module Configuration
- WAF Security:
  - IP Ban
  - Country Ban
  - Brute Force Log
  - Directory Permission
WAF Module Configuration
Initially, the admin will have to configure the General, API Keys, and Mail tabs under WAF Module Configuration.
Let us take a deep dive into each tab configuration, individually.
General Tab:
The admin will configure fields such as Status, Recaptcha option for Admin Login, No. of Allowed failed Attempts, Poor Password Check, etc.
Eventually, the admin will configure the General settings as under:
Status: The admin sets the status of the module to enabled.
Recaptcha Option for Admin Login: The admin can enable the Recaptcha option, which is displayed after the configured number of failed attempts.
Number of Allowed Failed Attempts: The admin defines how many failed login attempts are allowed.
User Customer IP Abuse Confidence Score: The admin defines a threshold against which the user’s/customer’s IP AbuseConfidenceScore (from AbuseIPDB) is checked.
- If the AbuseConfidenceScore is higher than this value, the user cannot log in.
Recaptcha Display Pages: The pages on which the Recaptcha shall be visible.
Poor Password Check: If enabled, the password a customer chooses when registering is checked for weakness.
Pre SignUp Email Validation: If enabled, then email validation is required before any customer registers.
Admin Google 2Factor Verification: If enabled, the admin will encounter 2Factor Verification while logging in.
Customer/ Affiliate Google 2Factor Verification: On enabling this field, the customer/ affiliates users will encounter 2Factor Verification while logging in.
API Keys tab:
Thereafter, the admin will set the configurations under the API Keys tab. The admin will have to retrieve the Google Recaptcha Site and Secret Key.
The API Keys tab configurations may be set as under:
Google Recaptcha Site Key: The admin will gather it from Google’s website.
Google Recaptcha Secret Key: Retrieved from Google’s website.
AbuseIPDB API Key: Retrieved from the AbuseIPDB website.
Mail Tab:
The third tab is the Mail tab, under which the following tabs are to be configured:
- New File Notification
- Login Notification
- Other Notification
- SignUp Email Notification
- Mail Info
The configurations of each tab are stated as under:
New File Notification
Under this tab, the admin configures the fields such as Add New File Notification, File Extensions, Add New File Notification Subject, etc.
The field configurations are set as follows:
Add New File Notification: If enabled, the admin shall receive a notification if any new file is added.
File Extensions: The admin defines the allowed file extensions in this field.
Add New File Notification Subject: The admin defines a subject for new file notification.
Add New File Notification Description: Description for the new file notification.
Login Notification
The admin will configure the fields such as Admin Login Notification Status, Admin Login Notification Subject, Admin Login Notification Description, etc.
The settings of the Login Notification tab are as follows:
Admin Login Notification:
- Status: Set the status of the admin login notification as enabled.
- Subject: The admin adds a subject for the login notification.
- Description: The description of the admin’s login notification.
Catalog Login Notification:
- Status: The admin sets the status of the catalog login notification as enabled.
- Subject: Subject of the login notification.
- Description: Description of the admin’s login notification.
Other Notification
Under this tab, the admin will configure fields such as Reset Current LoggedIn Admin User Password, Reset Password Notification Status, etc.
Subsequently, the Other Notification tab configurations are set as under:
Reset Current LoggedIn Admin User Password: If enabled, the password of the currently logged-in admin user will be reset.
Reset Password Notification Status: On enabling this field, the reset password notification will be sent to all the users and customers.
Admin Reset Password Notification Subject: The subject for the admin reset password notification.
Admin Reset Password Notification Description: The description for the admin reset password notification.
Customer Reset Password Notification Subject: Subject for customer reset password notification.
Customer Reset Password Notification Description: Description of the customer reset password notification.
The admin sends notifications for resetting passwords to admin users and customers in case of suspicious activities.
SignUp email Notification
The admin will configure the following fields: SignUp Email Validation Status, SignUp Email Validation Subject, and SignUp Email Validation Description.
The configurations for the SignUp Email Notification tab are set as under:
SignUp Email Validation
- Status: When enabled, an email verification mail is sent when a customer registers.
- Subject: Define a subject for the SignUp Email Validation field.
- Description: Set a description for the SignUp Email Validation field.
Mail Info:
The admin can pick placeholder codes from the given list to use when writing email templates.
WAF Security IP Ban
On setting the WAF Module Configurations, the admin needs to configure the WAF Security IP Ban sub-menu option.
On clicking the WAF Security IP Ban sub-menu option, the admin will find a WAF security IP Ban List as shown in the image below.
Moreover, the admin can enable or disable any IP at any point in time.
- If a user who wishes to log in has the same IP as one the admin has disabled, they cannot log in.
To enable any IP(s), the admin selects the IPs from the list as shown below.
Then, to enable the IPs, the admin clicks the thumbs-up icon at the top right corner of the WAF Security IP Ban page, as shown in the image below:
On clicking the thumbs-up button, the message “Success: IP enabled successfully!” is displayed and the Status of the respective IPs changes to Enabled, as shown in the image below:
Likewise, the admin can disable enabled IPs by clicking the thumbs-down button at the top right of the WAF Security IP Ban page.
WAF Security Country Ban
The admin needs to configure the WAF Security Country Ban sub-menu option, thereafter.
On clicking the WAF Security Country Ban sub-menu option, the admin is redirected to the WAF Security Country Ban page, as shown in the image.
The admin will find the WAF Security Country Ban List, where the admin can enable or disable one or more countries at any point in time.
- If a user who wishes to log in belongs to a disabled country, they cannot log in.
To enable any country, the admin selects the countries whose status is disabled from the list, as shown below.
To enable the countries, the admin clicks the thumbs-up icon at the top right corner of the WAF Security Country Ban page, as shown in the image below:
On clicking the thumbs-up button, the message “Success: Country enabled successfully!” is displayed and the Status of the respective countries changes, as shown in the image below.
Likewise, the admin can disable enabled countries by clicking the thumbs-down button at the top right of the WAF Security Country Ban page.
WAF Security Brute Force Log
The next sub-menu option in the list is the WAF Security Brute Force Log.
When the admin clicks the WAF Security Brute Force Log sub-menu option, it opens the WAF Security Brute Force Log page.
It displays the login history of all users, as shown in the image below:
WAF Security Directory Permission
Then, the admin will find the WAF Security Directory Permission sub-menu option.
It displays the directory content listing, showing whether each entry is secure or not secure, as shown in the image below:
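The two file-system checks described above (the New File Notification mail with its allowed File Extensions list, and the secure/not-secure directory listing) can be reproduced with a small monitor. The script below is an added illustration written for this guide, not code from the Webkul module; it assumes the File Extensions field is a comma-separated list, treats a directory as "not secure" when group or others can write to it (the module's own criterion is not documented here), and runs on constructed snapshot data so it works offline. take_snapshot() builds the same structures from a real directory.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample value for the "File Extensions" field. Assumption: the
# field is a comma-separated, case-insensitive list, dots optional.
FILE_EXTENSIONS_FIELD = "php, png, jpg, jpeg, gif, css, js"


def parse_extensions(field: str) -> set:
    """'php, PNG, .jpg' -> {'php', 'png', 'jpg'}."""
    return {e.strip().lower().lstrip(".") for e in field.split(",") if e.strip()}


def file_extension(path: str) -> str:
    """Lower-cased final extension of a path ('image/logo.PNG' -> 'png')."""
    return os.path.splitext(path)[1].lstrip(".").lower()


def find_new_files(previous: Dict[str, int], current: Dict[str, int],
                   allowed: set) -> List[Tuple[str, bool]]:
    """Files present in `current` but absent from `previous`, each paired with
    True if its extension is on the allowed list and False otherwise."""
    return sorted((path, file_extension(path) in allowed)
                  for path in current if path not in previous)


def insecure_directories(dir_modes: Dict[str, int]) -> List[str]:
    """Directories whose permission bits let group or others write (0o777,
    0o770, ...). Assumption: that is what 'not secure' means here; the
    module's own criterion is not described in the guide."""
    return sorted(path for path, mode in dir_modes.items()
                  if mode & (stat.S_IWGRP | stat.S_IWOTH))


def take_snapshot(root: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Walk a real directory tree and return
    ({relative file path: size}, {relative directory: permission bits})."""
    files: Dict[str, int] = {}
    dirs: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirs[rel_dir] = stat.S_IMODE(os.stat(dirpath).st_mode)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            files[rel] = os.path.getsize(os.path.join(dirpath, name))
    return files, dirs


def build_notification(subject: str, new_files: List[Tuple[str, bool]],
                       insecure_dirs: List[str]) -> str:
    """Plain-text body for the 'Add New File Notification' mail."""
    lines = [subject, ""]
    for path, ok in new_files:
        lines.append(f"new file: {path} ({'allowed' if ok else 'NOT ALLOWED'} extension)")
    for path in insecure_dirs:
        lines.append(f"not secure: directory {path} is writable by other users")
    return "\n".join(lines)


# Constructed sample snapshots standing in for two scans of an Opencart root.
PREVIOUS_FILES = {
    "index.php": 3100,
    "image/logo.png": 2048,
    "catalog/controller/common/home.php": 900,
}
CURRENT_FILES = {
    **PREVIOUS_FILES,
    "image/banner.JPG": 51200,         # new, extension on the allowed list
    "image/cache/upload.phtml": 412,   # new, extension not on the list
}
CURRENT_DIR_MODES = {".": 0o755, "image": 0o755, "image/cache": 0o777,
                     "system/storage": 0o770}


def demo() -> Tuple[List[Tuple[str, bool]], List[str]]:
    """Run both checks over the constructed snapshots."""
    allowed = parse_extensions(FILE_EXTENSIONS_FIELD)
    return (find_new_files(PREVIOUS_FILES, CURRENT_FILES, allowed),
            insecure_directories(CURRENT_DIR_MODES))


if __name__ == "__main__":
    new_files, bad_dirs = demo()
    print(build_notification("New file added to the store", new_files, bad_dirs))
```

Only the final extension is compared, so a name such as upload.phtml is reported as not allowed even though it sits next to legitimate images; a scheduled run that persists the previous snapshot and mails the result is all that is needed to turn this into the notification the module sends.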
WAF Security Email Domain Ban
When a domain such as example.com is enabled in this list, users with an email address on that domain cannot register or log in; when it is disabled, they can register and log in again.
This section shows WAF Security Email Domain Ban List as shown below:
WAF Security Email Domain Ban Log
This section shows user login details of the banned domain:
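Taken together, the General tab settings (allowed failed attempts, the AbuseIPDB confidence-score threshold) and the IP, Country and Email Domain ban lists describe a login gate. The script below is an added example for this guide, not the module's own code: it applies those checks in the order an implementer would (cheap local list lookups first, the external reputation lookup last), turns reCAPTCHA on once the failed-attempt limit is reached, and writes each outcome to an in-memory Brute Force log. The AbuseIPDB lookup is replaced by a constructed reply in the shape of the real /api/v2/check response so it runs offline; which Enabled/Disabled entries of each ban list count as banned is left to whoever fills the configuration, since the guide describes that status per list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class WafConfig:
    """Settings taken from the General tab and the ban lists. Which entries of
    the IP / Country / Email Domain Ban lists count as banned is decided by the
    caller when filling these sets."""
    allowed_failed_attempts: int = 3
    abuse_confidence_max: int = 50
    banned_ips: Set[str] = field(default_factory=set)
    banned_countries: Set[str] = field(default_factory=set)
    banned_email_domains: Set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    email: str
    ip: str
    country: str          # country code resolved from the IP (assumed)
    failed_attempts: int  # earlier failures recorded for this user/IP


@dataclass
class Decision:
    allowed: bool
    reason: str
    require_captcha: bool = False


# Constructed stand-in for AbuseIPDB /api/v2/check replies (same JSON shape as
# the real API) so the example runs offline. Addresses are documentation ranges.
ABUSEIPDB_SAMPLE: Dict[str, dict] = {
    "203.0.113.10": {"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 92}},
    "198.51.100.7": {"data": {"ipAddress": "198.51.100.7", "abuseConfidenceScore": 0}},
}


def abuse_confidence_score(ip: str, responses: Dict[str, dict] = ABUSEIPDB_SAMPLE) -> int:
    """0-100 score from the (stubbed) reply; an IP with no record scores 0."""
    return int(responses.get(ip, {}).get("data", {}).get("abuseConfidenceScore", 0))


def email_domain(email: str) -> str:
    """'Bob@Example.COM ' -> 'example.com'; no '@' -> ''."""
    return email.rsplit("@", 1)[1].strip().lower() if "@" in email else ""


def evaluate_login(attempt: LoginAttempt, cfg: WafConfig,
                   responses: Dict[str, dict] = ABUSEIPDB_SAMPLE) -> Decision:
    """Cheap local checks first, the external reputation lookup last."""
    if email_domain(attempt.email) in cfg.banned_email_domains:
        return Decision(False, "email domain banned")
    if attempt.ip in cfg.banned_ips:
        return Decision(False, "ip banned")
    if attempt.country.upper() in cfg.banned_countries:
        return Decision(False, "country banned")
    score = abuse_confidence_score(attempt.ip, responses)
    if score > cfg.abuse_confidence_max:
        return Decision(False, f"abuse confidence score {score} above {cfg.abuse_confidence_max}")
    if attempt.failed_attempts >= cfg.allowed_failed_attempts:
        # Limit reached: the form must carry reCAPTCHA before credentials are checked.
        return Decision(True, "failed attempt limit reached", require_captcha=True)
    return Decision(True, "ok")


BRUTE_FORCE_LOG: List[dict] = []


def record_attempt(attempt: LoginAttempt, decision: Decision,
                   log: List[dict] = BRUTE_FORCE_LOG) -> dict:
    """Append one Brute Force log row and return it."""
    row = {"email": attempt.email, "ip": attempt.ip, "allowed": decision.allowed,
           "reason": decision.reason, "captcha": decision.require_captcha}
    log.append(row)
    return row


# Constructed sample configuration; "ZZ" and "AA" are user-assigned ISO codes
# used here as placeholders rather than real countries.
SAMPLE_CONFIG = WafConfig(allowed_failed_attempts=3, abuse_confidence_max=50,
                          banned_ips={"192.0.2.44"}, banned_countries={"ZZ"},
                          banned_email_domains={"example.com"})

SAMPLE_ATTEMPTS = [
    LoginAttempt("bob@example.com", "198.51.100.7", "AA", 0),   # banned mail domain
    LoginAttempt("ann@shop.test", "192.0.2.44", "AA", 0),       # banned IP
    LoginAttempt("ann@shop.test", "198.51.100.7", "ZZ", 0),     # banned country
    LoginAttempt("ann@shop.test", "203.0.113.10", "AA", 0),     # abusive IP
    LoginAttempt("ann@shop.test", "198.51.100.7", "AA", 3),     # captcha required
    LoginAttempt("ann@shop.test", "198.51.100.7", "AA", 0),     # clean
]


def demo() -> List[Decision]:
    """Evaluate and log every sample attempt."""
    decisions = []
    for attempt in SAMPLE_ATTEMPTS:
        decision = evaluate_login(attempt, SAMPLE_CONFIG)
        record_attempt(attempt, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    demo()
    for row in BRUTE_FORCE_LOG:
        print(row)
```

The reputation check runs only after the local lists have passed, so a banned IP never costs an API call, and an address AbuseIPDB has no record for scores 0 and is allowed through, which is the behaviour a store owner will usually want when the external service is unavailable.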
Frontend Workflow
2-factor Authentication Process: For Registered Customers
Meanwhile, in the front end, the registered customers will encounter the 2-factor Authentication before logging in to their accounts.
The customer needs to enter the email address and password and proceed to login in the usual way, as shown in the image below.
As soon as the customers add the details and login, they will encounter a pop-up for WAF Security 2factor Authentication as shown in the image below.
The customers need to scan the QR code using the Google Authenticator which they need to install on their smartphones.
Thereafter, the customers will receive a code after scanning the QR code. This code is to be entered in the Google 2factor Authenticate Code field, as shown in the image below.
If the code matches with the Google Authenticator’s code, it will redirect the customers to their account pages as shown below.
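Both the admin pop-up described under Module Configurations and the customer flow above rest on the same mechanism: the QR code carries a shared secret, and the six-digit code Google Authenticator shows is a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP). The script below is an added example for this guide, not the module's code; it generates the otpauth:// URI that a QR code would encode, computes the code for a given time, and performs the server-side comparison with a small clock-skew window and a replay check. The account name and issuer are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

DIGITS = 6   # code length Google Authenticator displays
STEP = 30    # seconds per TOTP period (Google Authenticator default)


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user shared secret; store it server-side and never reuse across users."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Text encoded in the QR code of the 2-factor pop-up (otpauth key URI
    format): the base32 secret plus label, issuer, digits and period."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Server-side check of the code the user typed. Returns the matching time
    counter, or None. `window` periods either side absorb clock drift; counters
    at or below `last_used_counter` are refused so a code cannot be replayed
    (the caller persists the returned counter as the new last_used_counter)."""
    if unix_time is None:
        unix_time = int(time.time())
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    counter = unix_time // STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed account and issuer names.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "Opencart Store"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "-> matched counter", verify_code(secret, code, now))
```

The secret is what the QR code hands to the phone, so it must be generated per user, kept server-side like a password hash, and shown only once during enrolment; the comparison uses hmac.compare_digest and the returned counter is stored so that a code observed over the shoulder cannot be entered a second time within the window.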
Email Verification: For New Customers
Subsequently, if any new customer wishes to register with the website, they will have to go through the Email Verification process.
To register with the website, the New Customer form is present where the new customer needs to click on the Continue button as shown below.
This redirects to the account registration page (namely, Register Account) where the customer needs to fill in the Personal Details, Password and agree to the Privacy Policy.
In the Register Account page itself, a Verify Email button is present, which the new customer must click for email verification after adding the email address.
On clicking the Verify Email button, a success message, ‘Verification message has been sent to your above email address!’, is displayed, as shown in the image below.
Recaptcha Visibility: In the Contact Us Form
Furthermore, in the contact us form as well, the customers will find the Recaptcha for additional security.
The customers need to add the Name, Email Address, the Enquiry, and go through the Recaptcha Validation as shown in the image below.
That’s all for the Opencart Web Application Firewall (WAF) Security extension. If you face any issues, feel free to raise a ticket at HelpDesk Support.
Also, please visit our other useful Opencart extensions.
Current Product Version - 4.1.0.0
Supported Framework Version - 2.x.x.x, 3.x.x.x
2 comments
For this, we would like to specify that the extension is meant for default Opencart.
However, if you need any further seller-end functionalities, kindly share them at [email protected]
Thanks and Regards.