18 Dec 2017
Avactis 1.9.1 build 8365 and later
Nowadays hackers use many different types of sophisticated attacks against web servers and web applications.
Security is crucial for e-commerce, and in this post we have collected security tips and recommendations that can help you make your store and server more secure and much harder to hack.
I. General Security of Your Computer and Access Information
Your store can be hacked even if your server and web software are absolutely secure.
How is that possible? Hackers can simply steal FTP access information from your local computer using a hidden trojan program! The trojan can read your access information from RAM, from the memory of your browser or e-mail client, or even from your key presses, and send it to the hackers' database.
Then the hackers' automated software visits all the compromised sites using the stolen FTP access info and modifies files with the most common file names (e.g.
etc), or even all available files, adding malicious code to them, for example spam links, IFRAMEs that load pages from the hackers' websites, dangerous shell code, etc.
How to protect your local computer and access information?
Make sure your computer is malware-free
Scan your local computer using up-to-date anti-malware programs. Make sure your computer and the computers of your developers or employees are protected with the latest anti-virus software. You can use commercial or free software, for example the free Microsoft Security Essentials. Note that not every anti-virus program detects IFRAME malware. One of the best anti-malware scanners is
Never store access information in plain text
If you save your passwords to text files, they can easily be read by malware. Use specially designed password storage software. A good example is the cross-platform open-source
Never send access information in plain text
Hackers use special sniffer programs to monitor network traffic and catch access information. So, even if your computer is 100% secure, and your server is 110% secure, your FTP login/password can be caught in between!
It is highly recommended to transfer access information only over secure connections:
HTTPS for web forms (like the
on our site)
HTTPS for web mail (Gmail has a setting for always using HTTPS)
Secure POP and SMTP if you're using a standalone mail program (Outlook and Thunderbird 3 connect through SSL by default)
FTPS for file transfer (a great SFTP client for Windows is
Before connecting or sending a password somewhere, check what kind of connection it would use and find a way to switch to a secure one.
Change access information regularly
It is recommended to change access information at least several times a year. Even if hackers manage to steal your password, they will not be able to use it once it has been changed.
Use strong passwords for FTP, SSH and control panels
Hackers use the so-called "brute force" attack: automated programs that try many candidate passwords, which succeeds quickly if the password is simple. For example, if your password consists only of digits, hackers can guess it within several minutes or an hour.
More information about password cracking methods (please read it!)
It is highly recommended to use strong passwords that consist of numbers, letters and special symbols and are longer than 8 characters. Hackers also use dictionaries with thousands of simple passwords, such as "admin12345", "pass54321", "Yahoo1999", etc., so do not use common words and numbers as your password.
You can test the strength of any password using this on-line tool from Microsoft
Example of a strong password:
(It was generated by KeePass referenced above)
If you still prefer remembering passwords in your head, read these useful tips on how to create strong passwords that you can easily remember.
Here's another handful of tips straight from Microsoft: 4 steps to protect your computer
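The rules above (longer than 8 characters, a mix of numbers, letters and special symbols, nothing from a common-password dictionary) can be checked mechanically before a password is accepted for FTP, SSH or the store's Admin Area. The following is an added example, not code from Avactis or from the original post; the dictionary is a constructed six-entry sample standing in for a real wordlist, and the attacker guess rate is an assumption used only to illustrate why a digits-only password falls in seconds while a mixed 14-character one does not.

```python
import string

# Constructed sample of the kind of dictionary the article describes; a real
# check would load a large wordlist (many thousands of entries) instead.
COMMON_PASSWORDS = {
    "admin12345", "pass54321", "yahoo1999", "password", "123456", "qwerty",
}

# Assumed attacker speed for an offline brute-force attempt, in guesses per second.
GUESSES_PER_SECOND = 1_000_000_000

MIN_LENGTH = 9        # "more than 8 symbols"
MIN_CLASSES = 3       # numbers, letters and special symbols together


def character_classes(password: str) -> dict:
    """Which character classes the password draws from, with each class's size."""
    classes = {
        "lowercase": (string.ascii_lowercase, 26),
        "uppercase": (string.ascii_uppercase, 26),
        "digits": (string.digits, 10),
        "symbols": (string.punctuation, len(string.punctuation)),
    }
    return {name: size for name, (alphabet, size) in classes.items()
            if any(ch in alphabet for ch in password)}


def brute_force_seconds(password: str) -> float:
    """Worst-case time to try every password of this length over the classes used."""
    space = sum(character_classes(password).values())
    if space == 0:
        return 0.0
    return space ** len(password) / GUESSES_PER_SECOND


def check_password(password: str) -> dict:
    """Apply the article's rules and report every rule the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: use at least {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("mix letters, digits and special symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("found in a common-password dictionary")
    return {
        "ok": not problems,
        "problems": problems,
        "brute_force_seconds": brute_force_seconds(password),
    }


if __name__ == "__main__":
    for candidate in ("12345678", "admin12345", "K7#pLw$9vQe!2m"):
        report = check_password(candidate)
        print(candidate, "OK" if report["ok"] else report["problems"],
              f"{report['brute_force_seconds']:.3g} s to exhaust")
```

The time estimate is an upper bound for a pure brute-force search; a dictionary hit is found far sooner regardless of length, which is why the dictionary check is a separate rule rather than folded into the arithmetic.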
II. Security of Avactis Stores and Other Web Applications
Here are some recommendations and tips on how to make your store more secure. If you cannot do these steps yourself, don't hesitate to contact our support team.
Third-party software
If you run several web applications on your server (e.g. a forum, image gallery, blog, etc.), make sure that you use the latest versions and that the latest security patches are applied to them. Hackers usually use exploits for security holes in popular programs that let them execute system commands on your server. Do not leave old, unused software reachable over the web.
Encryption of credit card information
Avactis uses two types of encryption: the RSA algorithm with a 1024-bit key and the Blowfish algorithm.
In "Manual/Offline Credit Card Processing" module settings, you can generate a private key file. To see credit card data you will need to upload this private key file each time. So even if hackers steal your database and all files, they will not be able to steal credit card numbers anyway.
Check that the installation files have been removed
After the installation of Avactis has finished, the files
are automatically deleted. Please verify that they have actually been deleted. If they have not, delete the files manually to avoid an accidental re-installation that would overwrite your data.
Back up your store data on a regular basis
For data security purposes, it is highly recommended to perform backups at regular intervals: once a day (optimal), once a week, or once a month, depending on the size of your data and on how often it is updated. It is also recommended to download the backup files to your computer at regular intervals to prevent loss of data in the event of a server failure; if one occurs, you will be able to restore the on-line store from the backup files saved on your computer.
Avactis has an automatic backup system which can be configured as a Cron job, so that backups are created regularly and automatically by your server. You can also use the backup service of your hosting provider, but make sure it backs up databases too.
For more information please refer to our manual: Data Backup and Restore
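A Cron-driven backup of the kind described above has three parts: a database dump, an archive of the store files, and a retention rule so the backup directory does not fill the disk. The script below is an added example and is not the Avactis backup system or any code from the original post; every path, the database name, the credentials file and the retention count are assumptions, and the database password is read from a MySQL defaults file rather than passed on the command line so it does not appear in process listings.

```python
#!/usr/bin/env python3
"""Nightly store backup: dump the database, archive the store files and prune
old copies. Meant to run from cron, for example (assumed paths):
    0 3 * * * /usr/bin/python3 /usr/local/sbin/store_backup.py
Every path, name and credential location below is an assumption for this example."""
import os
import subprocess
import tarfile
import time
from datetime import datetime, timezone

STORE_DIR = "/var/www/store"          # assumed document root of the store
BACKUP_DIR = "/var/backups/store"     # assumed; deliberately outside the web root
DB_NAME = "store_db"                  # assumed database name
DEFAULTS_FILE = "/root/.my.cnf"       # assumed; holds the DB password, mode 0600
KEEP_RUNS = 14                        # number of backup runs to retain


def backup_name(prefix: str, epoch: int) -> str:
    """Timestamped base name (UTC) so copies sort chronologically by name."""
    when = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return f"{prefix}-{when:%Y%m%d-%H%M%S}"


def dump_database(out_path: str) -> None:
    """Dump the database; --defaults-extra-file keeps the password out of `ps` output."""
    with open(out_path, "wb") as fh:
        subprocess.run(
            ["mysqldump", f"--defaults-extra-file={DEFAULTS_FILE}",
             "--single-transaction", DB_NAME],
            stdout=fh, check=True,
        )
    os.chmod(out_path, 0o600)


def archive_files(out_path: str) -> None:
    """Archive the store's files (templates, modules, uploaded images, config)."""
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(STORE_DIR, arcname=os.path.basename(STORE_DIR))
    os.chmod(out_path, 0o600)


def select_stale(entries, keep: int) -> list:
    """Given (name, mtime) pairs, return the names of all but the `keep` newest."""
    if keep < 0:
        raise ValueError("keep must be non-negative")
    newest_first = sorted(entries, key=lambda entry: entry[1], reverse=True)
    return [name for name, _ in newest_first[keep:]]


def prune_backups(directory: str, keep: int) -> list:
    """Delete the oldest files in `directory` beyond `keep`; return what was removed."""
    entries = [(e.path, e.stat().st_mtime)
               for e in os.scandir(directory) if e.is_file()]
    stale = select_stale(entries, keep)
    for path in stale:
        os.remove(path)
    return stale


def run_backup(epoch=None) -> list:
    """One backup run: dump + archive, then prune. Returns the pruned file names."""
    epoch = int(time.time()) if epoch is None else epoch
    os.makedirs(BACKUP_DIR, mode=0o700, exist_ok=True)
    base = os.path.join(BACKUP_DIR, backup_name("store", epoch))
    dump_database(base + ".sql")
    archive_files(base + ".tar.gz")
    # Each run leaves two files (dump and archive), so keep twice KEEP_RUNS.
    return prune_backups(BACKUP_DIR, KEEP_RUNS * 2)


if __name__ == "__main__":
    run_backup()
```

The files are created with mode 0600 in a directory outside the web root because a database dump contains the customer table and any order data; a backup that is downloadable over HTTP is a leak, not a safeguard. The off-server copy the article recommends is a separate step: pull the newest files from the backup directory to your own computer over SFTP or SCP, and periodically restore one into a test database to confirm the dump is actually usable.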
It is highly recommended to use the secure HTTPS protocol for checkout pages and login pages.
Avactis allows you to easily switch all or just the needed parts of the store front (Catalog, Shopping Cart, Checkout, File Download, Customer Account, Customer Authorization) to HTTPS. The same applies to Admin Area pages: either the whole Admin Area (Backend), or only Sign-In & Admin Members Management, Orders & Customers, and Payment & Shipping Module Settings.
You can configure it in
If an SSL certificate is not installed on your server, you should purchase it from a trusted authority and ask your hosting provider to configure the SSL certificate for you prior to setting it up in Avactis.
Protection of Admin Area with a .htaccess web password
You can additionally protect the avactis-system/admin/ directory using an .htaccess web password. More information about it is available in the
on the official Apache web server site.
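The two recommendations above (HTTPS for login and checkout pages, and an extra web password on the Admin Area directory) can be expressed as two .htaccess files. This is an added example, not a file shipped with Avactis or taken from the Apache documentation the post links to; the document root, the admin directory path and the password file location are assumptions. The HTTPS redirect goes in the site-wide file, while the admin file uses SSLRequireSSL rather than a rewrite, because per-directory rewrites run after authentication and would otherwise let the Basic-auth prompt go out over plain HTTP.

```apache
# File 1: .htaccess at the store's document root (assumed /var/www/store/.htaccess).
# Send every plain-HTTP request to HTTPS before any form data or password is transmitted.
# Requires mod_rewrite and "AllowOverride FileInfo" for this directory.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# File 2: .htaccess in the Admin Area directory
# (assumed /var/www/store/avactis-system/admin/.htaccess).
# SSLRequireSSL refuses (403) any request that did not arrive over TLS, so the
# Basic-auth challenge below is never sent over plain HTTP. Requires mod_ssl.
SSLRequireSSL

# A second password in front of the Avactis sign-in form. Requires mod_auth_basic,
# mod_authn_file and "AllowOverride AuthConfig". The password file sits outside
# the web root (assumed path) so it can never be served as a download.
AuthType Basic
AuthName "Store administration"
AuthUserFile /etc/apache2/store-admin.htpasswd
Require valid-user
```

Create the password file with `htpasswd -B -c /etc/apache2/store-admin.htpasswd storeadmin` (the `-B` flag selects bcrypt and needs Apache 2.4.4 or later; omit `-c` when adding further users). To check the result, `curl -I http://your-store/avactis-system/admin/` should answer with a 301 to the https:// URL, and `curl -I https://your-store/avactis-system/admin/` should answer 401 until credentials are supplied. If TLS is terminated by a load balancer in front of Apache, `%{HTTPS}` and SSLRequireSSL see plain HTTP and this configuration must instead be driven by the proxy's forwarded-protocol header.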
III. Security of Hosting Server Software
Security of your server is the job of your hosting provider (if your server is not dedicated and unmanaged).
Server security is beyond the scope of this post, as there are a great many server settings and recommendations; here are just a few tips:
Make sure your hosting uses a firewall and a good anti-virus program;
You can scan your site and hosting server using PCI DSS scanners, for example this Comodo company product, in order to find out some server-side security issues;
You can disable remote script execution by turning off these PHP settings: allow_url_fopen and allow_url_include;
You can ask your hosting provider to install the
module for Apache;
If your server control panel is Parallels Plesk, you can scan your website with the Watchdog 2.0 tool to detect rootkits and server security issues;
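The PHP settings named in the list above, shown as the weak configuration beside the hardened one. This is an added excerpt, not a file from Avactis or from the post; the php.ini location is an assumption and varies by distribution and PHP version.

```ini
; Excerpt for php.ini (assumed path, e.g. /etc/php/7.4/apache2/php.ini).

; Weak: with these on, include/require and the file functions accept http://
; URLs, so any script that builds a file name from user input can end up
; fetching and running code from a remote server. PHP's own default is
; allow_url_fopen = On and allow_url_include = Off.
;allow_url_fopen = On
;allow_url_include = On

; Hardened: both are PHP_INI_SYSTEM settings, so once set here they cannot be
; switched back on by a script (ini_set) or by a .htaccess file.
allow_url_fopen = Off
allow_url_include = Off

; Per-site alternative for mod_php, placed in the Apache virtual host instead:
;   php_admin_flag allow_url_fopen Off
;   php_admin_flag allow_url_include Off
```

Verify the values as the web server sees them, not just from the command line, since the CLI often reads a different php.ini (`php --ini` lists which one applies to the CLI). One caveat for a store: `allow_url_fopen = Off` also stops legitimate `file_get_contents('https://...')` calls, which some payment-gateway and shipping-rate modules rely on; modules that use cURL are unaffected. Test checkout and shipping quotes after the change, and if a module breaks, switch it to cURL rather than turning the setting back on.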
If you have something to add, please don't hesitate to comment below.
07 Oct 2010 11:56 PM