
    Opencart Web Application Firewall (WAF) Security

    Updated 22 March 2024

    When the security of an Opencart website’s data is the concern, a Web Application Firewall is the natural choice.

    Web Application Firewall Security: What is it?

    With cyber crime and data theft on the rise, business owners are looking for strong protection for their website’s data.

    This is essential: otherwise store owners risk losing their data to attackers, with severe losses in revenue as well as customer goodwill.

    Securing the Opencart website with a Web Application Firewall (WAF) is a sound step in this direction.

    A WAF watches the data passing to and from the store and protects it against theft and malicious activity.


    With these benefits in mind, the Opencart Web Application Firewall (WAF) Security module implements WAF features for Opencart stores.

    The Opencart Web Application Firewall (WAF) Security module provides 2-factor authentication for admin, customer and affiliate logins.

    Store owners can also ban individual IP addresses or entire countries; anyone connecting from a banned IP address or country is refused access to the store’s data.

    Online businesses should therefore adopt the WAF security feature to strengthen the protection of their websites and their customers’ data.

    This in turn supports customer retention and higher revenue through better sales conversions.

    Note:

    1. This module supports all templates and themes including the Journal theme.

    2. Also, Opencart Web Application Firewall (WAF) Security supports the Multi-Store feature of default Opencart.

    Watch the below video tutorial to understand the plugin workflow:

    Features

    • The store owner can enable 2-factor authentication for the admin, customer, and affiliate user login.
    • For 2-factor authentication, users scan a QR code with Google Authenticator when logging in.
    • Recaptcha can be enabled for the admin login.
    • This module allows pre-sign-up email validation.
    • This module also integrates AbuseIPDB to block and report IP addresses.
    • The admin may choose to allow or disallow specific file types that can be uploaded.
    • Notifications for resetting passwords are sent to the admin users and customers if need be.
    • The admin can create custom email templates.
    • For additional security, the admin may restrict an IP or a set of IPs from accessing the website’s data.
    • The admin may likewise restrict a country or a set of countries from accessing the website’s data.
    • A Brute Force log lists the login attempts made by users.
    • It also displays a list of secure/insecure directory content of the website.
    • Provides the WAF Security Email Domain Ban feature along with a WAF Security Email Domain Ban log.
    • The WAF looks after the overall security of the website’s data and protects it from malicious attacks.
    • This module supports the Multi-Store feature of default Opencart.

    Installation

    Upload Files

    First, extract the downloaded zip file, then open the folder matching the Opencart version installed on your system.

    Next, upload the admin, catalog and system folders to the Opencart root directory.

    Refresh Modifications

    Navigate to Extensions > Modifications and click the Refresh button, as shown in the screenshot below.

    Edit User Groups

    Then go to System > Users > User Groups and edit ‘Administrator’. Click Select All for both Access Permission and Modify Permission, then Save.

    Install

    Now navigate to Extensions > Modules, find Webkul WAF Security in the list and click the Install button, as shown in the screenshot below.

    Retrieving the Google Recaptcha API Keys

    To obtain the Google Recaptcha API keys, follow these steps:

    Step 1:

    • Navigate to the Google reCAPTCHA page and click the Recaptcha button on the right.


    Step 2:

    • A Google Account is required to log in: enter the Gmail user name and password and click Next to proceed.


    Step 3:

    As a result, a page as shown below will open up where the user needs to:

    • Enter a label that will make it easy to identify the site in the future.
    • Choose the reCAPTCHA type: reCAPTCHA V2.
    • Enter the Domain name (registration for domain.com also registers subdomain.domain.com) where the user wishes to use it.
    • Accept the reCAPTCHA Terms of Service by checking the checkbox.
    • Lastly, click the Register button.


    Step 4:

    • Consequently, the user will receive the ReCaptcha Site Key and Secret Key.


    Module Configurations: Web Application Firewall

    When the admin attempts to log in, a pop-up for Webkul WAF Security 2factor Authentication appears.

    It shows a QR code, which the admin must scan with Google Authenticator on a smartphone in order to log in.

    Once the installation is complete, the admin will find the WAF Security menu option in the admin panel.

    It contains the following sub-menu options:

    –WAF Module Configuration

    –WAF Security:

    • IP Ban 
    • Country Ban
    • Brute Force Log
    • Directory Permission

    WAF Module Configuration

    Initially, the admin has to configure the General, API Keys, and Mail tabs under WAF Module Configuration.

    Let us take a deep dive into each tab configuration, individually. 

    General Tab:

    The admin will configure fields such as Status, Recaptcha option for Admin Login, No. of Allowed failed Attempts, Poor Password Check, etc.


    The General settings are configured as follows:

    Status: Set to Enabled to activate the module.

    Recaptcha Option for Admin Login: The admin can enable the Recaptcha option, which is displayed after the configured number of failed attempts.

    No. of Allowed Failed Attempts: The number of failed login attempts permitted.

    User/Customer IP Abuse Confidence Score: The threshold against which the AbuseIPDB AbuseConfidenceScore of the user’s or customer’s IP is checked.

    • If the IP’s AbuseConfidenceScore is higher than this value, the user cannot log in.


    Recaptcha Display Pages: The pages on which the Recaptcha shall be visible. 

    Poor Password Check: If enabled, the check runs against the password a customer chooses when registering, catching weak passwords.

    Pre SignUp Email Validation: If enabled, then email validation is required before any customer registers. 

    Admin Google 2Factor Verification: If enabled, the admin will encounter 2Factor Verification while logging in.

    Customer/Affiliate Google 2Factor Verification: If enabled, customer and affiliate users will encounter 2Factor Verification while logging in.

    API Keys tab: 

    Thereafter, the admin will set the configurations under the API Keys tab. The admin will have to retrieve the Google Recaptcha Site and Secret Key. 


    The API Keys tab configurations may be set as under:

    Google Recaptcha Site Key: Obtained from Google’s reCAPTCHA site, as described above.

    Google Recaptcha Secret Key: Obtained from Google’s reCAPTCHA site.

    AbuseIPdb API Key: Obtained from the AbuseIPDB website.

    Mail Tab:

    The third tab is the Mail tab, under which the following tabs are to be configured:

    • New File Notification
    • Login Notification 
    • Other Notification
    • SignUp Email Notification
    • Mail Info

    The configurations of each tab are stated as under:

    New File Notification

    Under this tab, the admin configures the fields such as Add New File Notification, File Extensions, Add New File Notification Subject, etc. 


    The field configurations are set as follows:

    Add New File Notification: If enabled, the admin shall receive a notification if any new file is added. 

    File Extensions: The admin defines the allowed file extensions in this field.

    Add New File Notification Subject: The admin defines a subject for new file notification. 

    Add New File Notification Description: Description for the new file notification. 

    Login Notification 

    The admin will configure the fields such as Admin Login Notification Status, Admin Login Notification Subject, Admin Login Notification Description, etc.


    The settings of the Login Notification tab are as follows:

    Admin Login Notification:

    • Status: Set the status of the admin login notification as enabled.
    • Subject: The admin adds a subject for the login notification.
    • Description: The description of the admin’s login notification.

    Catalog Login Notification: 

    • Status: The admin sets the status of the catalog login notification as enabled. 
    • Subject: Subject of the login notification. 
    • Description: Description of the admin’s login notification. 

    Other Notification

    Under this tab, the admin will configure fields such as Reset Current LoggedIn Admin User Password, Reset Password Notification Status, etc.


    Subsequently, the Other Notification tab configurations are set as under: 

    Reset Current LoggedIn Admin User Password: If enabled, the password of the currently logged-in admin user will be reset.

    Reset Password Notification Status: On enabling this field, the reset password notification will be sent to all the users and customers. 

    Admin Reset Password Notification Subject: The subject for the admin reset password notification.

    Admin Reset Password Notification Description: The description for the admin reset password notification.

    Customer Reset Password Notification Subject: Subject for customer reset password notification. 

    Customer Reset Password Notification Description: Description of the customer reset password notification.

    The admin sends notifications for resetting passwords to admin users and customers in case of suspicious activities.


    SignUp email Notification

    The admin will configure the following fields: SignUp Email Validation Status, SignUp Email Validation Subject, SignUp Email Validation Description, etc.


    The configurations for the SignUp Email Notification tab are set as under: 

    SignUp Email Validation

    • Status: When enabled, an email verification mail is sent when a customer registers.
    • Subject: Define a subject for the SignUp Email Validation field. 
    • Description: Set a description for the SignUp Email Validation field. 

    Mail Info: 

    The admin can choose, from the given list, the codes to use when writing email templates.


    WAF Security IP Ban

    On setting the WAF Module Configurations, the admin needs to configure the WAF Security IP Ban sub-menu option. 

    On clicking the WAF Security IP Ban sub-menu option, the admin will find a WAF security IP Ban List as shown in the image below.

    Moreover, the admin can enable or disable any IP at any point in time.

    • Any user logging in from an IP that the admin has disabled cannot log in.

    To enable any IP(s), the admin selects the IPs from the list as shown below.

    Then, to enable the IPs, the admin clicks the thumbs-up button in the top right corner of the WAF Security IP Ban page, as shown in the image below:

    On clicking the thumbs-up button, the message “Success: IP enabled successfully!” is displayed and the Status of the respective IPs changes to Enabled, as shown in the image below.

    Likewise, the admin can disable enabled IPs by clicking the thumbs-down button at the top right of the WAF Security IP Ban page.

    WAF Security Country Ban

    The admin needs to configure the WAF Security Country Ban sub-menu option, thereafter. 

    On clicking the WAF Security Country Ban sub-menu option, the admin redirects to the WAF Security Country Ban page as shown in the image. 

    The admin will find the WAF Security Country Ban List, where the admin can enable or disable a country(s) at any point in time.

    • Any user logging in from a disabled country cannot log in.

    Thus, to enable any country(s), the admin selects the countries whose status is disabled from the list as shown below.

    To enable the countries, the admin clicks the thumbs-up button in the top right corner of the WAF Security Country Ban page, as shown in the image below:

    On clicking the thumbs-up button, the message “Success: Country enabled successfully!” is displayed and the Status of the respective countries changes, as shown in the image below.

    Likewise, the admin can disable enabled countries by clicking the thumbs-down button at the top right of the WAF Security Country Ban page.

    WAF Security Brute Force Log

    The next sub-menu option is the WAF Security Brute Force Log.

    As the admin clicks on the WAF Security Brute Force Log sub-menu option, it redirects to the WAF Security Brute Force Log page. 

    Further, it displays the login history logs of all the users as shown in the image below:


    WAF Security Directory Permission

    Then, the admin will find the WAF Security Directory Permission sub-menu option.

    Consequently, it displays the directory content listing depicting whether it is secure or not-secure as shown in the image below:


    WAF Security Email Domain Ban

    When a domain such as example.com is enabled in this list, users with an email address at that domain cannot register or log in; when it is disabled, they can register and log in again.

    This section shows the WAF Security Email Domain Ban List, as shown below.
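    As an added example that is not part of the Webkul module, the following Python models how the checks configured in this guide fit together at login time: the IP Ban and Country Ban lists, the Email Domain Ban, the User/Customer IP Abuse Confidence Score threshold and the No. of Allowed Failed Attempts after which the Recaptcha appears. The ban lists are modelled as plain sets of blocked values, the AbuseIPDB reply is a constructed sample, and all function and field names are assumptions.

```python
# Added example (not the Webkul module's code): one login gate applying the
# checks the guide configures separately. Names and structure are assumptions.
from dataclasses import dataclass, field


@dataclass
class WafConfig:
    allowed_failed_attempts: int = 3      # "No. of Allowed Failed Attempts"
    abuse_score_threshold: int = 50       # "User/Customer IP Abuse Confidence Score"
    banned_ips: set = field(default_factory=set)        # IP Ban list (blocked entries)
    banned_countries: set = field(default_factory=set)  # Country Ban list, ISO codes
    banned_email_domains: set = field(default_factory=set)  # Email Domain Ban list


def email_domain(email):
    """Lower-cased domain part of an address, or '' when there is no local part or no '@'."""
    local, at, domain = email.rpartition("@")
    return domain.lower() if at and local else ""


def abuse_score(abuseipdb_reply):
    """Read abuseConfidenceScore (0-100) from a reply shaped like AbuseIPDB's /check endpoint."""
    return int(abuseipdb_reply.get("data", {}).get("abuseConfidenceScore", 0))


def evaluate_login(cfg, ip, country, email, failed_attempts, abuseipdb_reply):
    """Return ('deny' | 'captcha' | 'allow', reason).
    Hard bans first, then IP reputation, then the failed-attempt counter that
    brings up the Recaptcha; a malformed address is denied, not let through."""
    if ip in cfg.banned_ips:
        return "deny", "ip_banned"
    if country.upper() in cfg.banned_countries:
        return "deny", "country_banned"
    domain = email_domain(email)
    if not domain:
        return "deny", "malformed_email"
    if domain in cfg.banned_email_domains:
        return "deny", "email_domain_banned"
    if abuse_score(abuseipdb_reply) > cfg.abuse_score_threshold:  # strictly "more than"
        return "deny", "abuse_confidence_score"
    if failed_attempts >= cfg.allowed_failed_attempts:
        return "captcha", "failed_attempts"
    return "allow", "ok"


# Constructed sample data: documentation IP ranges (RFC 5737), the user-assigned
# ISO code "XA" as a placeholder country, and made-up AbuseIPDB-style replies.
SAMPLE_CFG = WafConfig(banned_ips={"203.0.113.7"}, banned_countries={"XA"},
                       banned_email_domains={"example.com"})
CLEAN_REPLY = {"data": {"ipAddress": "198.51.100.20", "abuseConfidenceScore": 0}}
DIRTY_REPLY = {"data": {"ipAddress": "198.51.100.99", "abuseConfidenceScore": 87}}

if __name__ == "__main__":
    print(evaluate_login(SAMPLE_CFG, "198.51.100.20", "DE", "a@shop.test", 0, CLEAN_REPLY))
    print(evaluate_login(SAMPLE_CFG, "198.51.100.99", "DE", "a@shop.test", 0, DIRTY_REPLY))
```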

    WAF Security Email Domain Ban Log

    This section shows user login details of the banned domain:


    Frontend Workflow

    2-factor Authentication Process: For Registered Customers

    Meanwhile, in the front end, the registered customers will encounter the 2-factor Authentication before logging in to their accounts. 

    The customer enters the email address and password and logs in in the usual way, as shown in the image below.


    As soon as the customers add the details and login, they will encounter a pop-up for WAF Security 2factor Authentication as shown in the image below. 

    The customers need to scan the QR code using the Google Authenticator which they need to install on their smartphones. 


    Thereafter, the customers will receive a code after scanning the QR code. This code is to be added under the Google 2factor Authenticate Code tab as shown in the image below. 


    If the code matches with the Google Authenticator’s code, it will redirect the customers to their account pages as shown below. 

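    The QR-code scan and code match described above, for the admin pop-up as well as the customer login, follow the TOTP standard (RFC 6238) that Google Authenticator implements. This added Python example, not the module’s own code, shows what such a QR code encodes and how the submitted six-digit code is verified on the server side; it uses the RFC 6238 test secret as sample data, and the issuer name and function names are assumptions.

```python
# Added example (not the Webkul module's code): TOTP as implemented by Google
# Authenticator. The QR code encodes an otpauth:// URI carrying a base32 secret;
# app and server both derive a 6-digit code from the secret and the 30-second step.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

PERIOD = 30  # seconds per time step (Google Authenticator default)
DIGITS = 6


def provisioning_uri(secret_b32, account, issuer="Opencart WAF"):
    """The string a 2-factor enrolment QR code encodes (issuer name assumed)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def _decode_secret(secret_b32):
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # restore base32 padding


def hotp(secret, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """Code for the time step containing `at` (epoch seconds, default now)."""
    t = int(time.time() if at is None else at)
    return hotp(_decode_secret(secret_b32), t // PERIOD)


def verify_totp(secret_b32, submitted, at=None, window=1):
    """Server-side check of the code the user typed: accept the current step
    and `window` steps either side (clock drift), compare in constant time,
    and reject anything that is not exactly six digits."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    secret = _decode_secret(secret_b32)
    step = int(time.time() if at is None else at) // PERIOD
    return any(hmac.compare_digest(hotp(secret, step + k), submitted)
               for k in range(-window, window + 1))


# RFC 6238 test secret (ASCII "12345678901234567890") used here as sample data.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

    A production deployment also records the last accepted step per user so a code cannot be replayed within its window.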

    Email Verification: For New Customers

    Subsequently, if any new customer wishes to register with the website, they will have to go through the Email Verification process. 

    To register with the website, the New Customer form is present where the new customer needs to click on the Continue button as shown below. 

    This redirects to the account registration page (Register Account), where the customer fills in the Personal Details and Password and agrees to the Privacy Policy.

    On the Register Account page itself, a Verify Email button is present, which the new customer must click for email verification after entering the email address.


    On clicking the Verify Email tab, a success message, ‘Verification message has been sent to your above email address!’ shall display as shown in the image below. 


    Recaptcha Visibility: In the Contact Us Form

    The Contact Us form also carries the Recaptcha for additional security.

    The customers need to add the Name, Email Address, the Enquiry, and go through the Recaptcha Validation as shown in the image below. 


    That’s all for the Opencart Web Application Firewall (WAF) Security extension. If you face any issues, feel free to raise a ticket at HelpDesk Support.

    Also please visit our other useful Opencart extensions.

    Current Product Version - 4.1.0.0

    Supported Framework Version - 2.x.x.x, 3.x.x.x
