ZEN CART安全建店的步骤 (2009.12.18 更新)

ZEN CART安全建店的步骤 (2009.12.18 更新) : 安装设置

由 Jack » 2006-10-11 5:47

强烈建议所有Zen Cart用户再次阅读本贴，保证网店的安全。

下面是强化Zen Cart网店安全的几个步骤:

1. 删除以下几个目录和文件

安装完成后，请从服务器上删除以下目录和文件:
- /docs
- /extras (重要)
- /zc_install
- /install.txt (这是文件)

另外，如果你的网店不是卖可下载类的产品，请同时删除以下文件和目录：
- /download
- /media
- /pub

不要只是改名目录，万一别人知道了目录名，就不安全。

如果删除了 download 目录，商店设置－属性设置－允许下载，设置为：false

2. 设置configure.php文件为只读

将两个configure.php文件用CHMOD(设置权限)命令改为只读很重要。

通常就是设置为"644"，有时是"444"。

如果无法通过FTP程序修改，可以用主机商提供的文件管理工具来修改。

如果您用的是Windows服务器，只要将文件设置为"所有人" "只读"，如果是在IIS下，是IUSR_xxxxx 用户，或者"System"帐号，在Apache下，是"apache user"帐号。

3. 改名"/admin"目录

修改"admin"目录名，用一个很难猜测到的名字。
(在进行下面的修改前，请备份文件和数据库。)

A- 用文本编辑器，例如记事本，打开文件admin/includes/configure.php。

将所有出现/admin/的地方改成自己的管理目录名。

需要修改的部分:
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_CATALOG', '/');

需要修改的部分:
define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');
define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');

B- 找到Zen Cart的/admin/目录，

将该目录名按照admin/includes/configure.php中的定义作相应修改。

4. 删除不用的管理员帐号

管理页面->工具->管理设置

在管理页面下，打开工具菜单，选择管理设置
- 检查所有没有使用的管理员帐号并删除。特别注意是否有"Demo"帐号。

5. 强化管理员密码

一定要使用一定强度、不易猜测的密码。

要修改管理员密码，进入管理页面->工具->管理设置，点击"重置密码"按钮，或点击那个想回收箱的图标。

建议使用至少8位密码。
密码最好包含字母、数字、符合、以及大小写等。

6. 保护"自定义页面" "html_includes"中的内容

定义好您的自定义页面后，(管理页面->工具->页面编辑), 您要保护这些文件:

A. 用FTP软件下载备份，这些文件位于
/includes/languages/schinese/html_includes目录。

B. 修改文件 CHMOD 644 或 444 (或 Windows下为"只读")。见上面的CHMOD说明
/includes/languages/schinese/html_includes

网店安全相关贴子：强化Zen Cart 网店安全

Buyers' Guide: How to Find a Web Hosting Provider

Buyers' Guide: How to Find a Web Hosting Provider — eCommerce-Guide.com

By Vangie Beal
February 16, 2010

For a small business owner, finding a provider to host your Web site can be a big task. There is a lot more to shopping for a Web site hosting provider than just comparing prices and disk space. When looking for the right provider, you need to start with a good idea of types of services you'll need for your own Web site. After that, you can work on finding the right hosting provider — one that can meet your needs at a price you can afford.

When you start shopping for the right vendor to provide your Web hosting services, make sure the provider offers packages for small and medium sized businesses (SMBs). You want to invest in a professional plan with professional services for your business, not a company that really only has experience with personal Web site hosting.

Getting Started: A Web-Hosting Glossary of Terms

When you first start looking for a hosting provider, it probably won't take you long to realize there is whole new world of standards, phrases and terms to learn. The first step to finding a provider is to familiarize yourself with the common lingo, so you can understand what each vendor has to offer. To get you started, here are eight Web-hosting terms you should know, courtesy of Webopedia.com.

• Web host Web server
• virtual host
• virtual server
• dedicated hosting /server
• shared hosting / server
• backup
• service level agreement

· Ecommerce-Guide Tip: You can find hundreds of Web-hosting terms in Webopedia's Internet and Online Services category.

First Decision: Shared Vs Dedicated Hosting

One of the first decisions you will want to make is choosing between sharedand dedicated hosting. A shared Web server — sometimes called virtual hosting — basically means your Web site will share resources with other Web sites. In this scenario, multiple Web sites are running (hosted) on the same physical server. On a dedicated server, your Web site is the only one on the server.

The biggest differences between the two types of hosting options are price, performance and control. When you consider a shared service, the cost is considerably lower as multiple Web sites pay for the server. On a dedicated server, you are the only one paying for the server which, combined with additional start-up costs and IT requirements, makes this a more expensive option.

Another issue to consider is in-house expertise. In a shared environment your responsibility is to provide the content, and the hosting provider will take care of other details, such as the server set-up, including the operating system, bandwidth management, backups, e-mail and security.

On dedicated servers, the provider often supplies management software, but you will largely be responsible for the server management — not just the Web site management. This will require dedicated IT staff to handle Web-server installation, deciding which Web applications to run on the server, backing-up the server and security issues.

One of the biggest issues for an e-commerce Web site is choosing specific carts or payment systems. On a shared server, you are limited to what the hosting provider supports.

For the very small businesses (home-based and entrepreneurs) if you do not have the technical know-how, shared hosting will probably be the easiest and best way to get started. You can also start your business with a shared Web server, and move on to a dedicated server as your Web site grows.

For e-commerce Web sites, PCI-complianceis going to factor in to the type of server you choose. On a dedicated server you can have control to ensure you are in compliance with the standards, but again it will require dedicated IT.

Many shared hosts may not offer secure PCI-compliance. Smaller businesses without the technical expertise can, however, use a third-party Application Service Provider (ASP)that will capture all of the order data and store it on its servers. You will still be required to comply with PCI standards and regulations.

Since most small e-commerce shops and businesses start out with a shared server, this will be the example used most frequently in this guide. Anyone interested in dedicated hosting should read The Great Hosting Debate: Shared vs. Dedicated guide on Small Business Computing.com.

· Ecommerce-Guide Tip: Hosting Plan Primer

Go to page: 1 2 Next