Application Security · OpenCart

OpenCart security audit and hardening

A fixed-price audit of your OpenCart store across three layers: the application, the server it runs on, and the checkout where the money moves. From $390.

From: $390 · Turnaround: 5 business days
We maintain OpenCart stores Not a one-off scan
Checkout skimmer check Where card data leaks
Ranked findings Sorted by likelihood
Fixed price No subscription

Ask the OpenCart forum if the platform is secure and you’ll get the same answer every time: it’s secure, and if you got hacked, it was your fault. A weak admin password, a dodgy extension, a file you left writable. They’re not wrong. But that answer doesn’t help the store owner who’s now selling stolen card numbers to their own customers without knowing it.

OpenCart’s real problem isn’t the core code. It’s that the project is slow and prickly about security, so patches and disclosures don’t move the way they do on bigger platforms. That leaves the store owner holding the risk. Someone has to actually watch the store, check the extensions, and lock the parts the installer left open. That’s the job.

We audit three layers: the OpenCart application, the server underneath it, and the checkout path where card data flows. Then we fix what we find.

Where OpenCart stores get hit

Three layers we check

The store

Admin folder still on the default /admin, leftover install/ directory, the storage/ folder sitting inside the web root, config.php permissions, and every ocmod and vqmod modification that could be hiding a backdoor.

The server

File permissions, PHP version, SSH and firewall, outdated OpenCart core against current releases, and whether one site on the box can reach another.

The checkout

Payment and template files scanned for card skimmers, the gateway integration checked, and the admin and order data reviewed for the PCI exposure that comes with handling card flows.

The checkout layer is the one most security guides skip, and it's the one that costs you customers. A skimmer injected into a single template file can run for months, quietly copying card numbers at the point of sale.

What the audit covers

Full scope, every store

We run the same checklist on every OpenCart store, whether it's a 50-product shop or a 12,000-order catalog. No stripped-down scan that we upsell you out of.

Core, theme, and extension versions checked against current OpenCart releases and known CVEs
Every ocmod and vqmod modification reviewed for injected or backdoor code
Admin folder, login hardening, and leftover install/ directory
storage/ directory location: inside or outside the web root, and whether it's exposed
config.php and admin/config.php permissions and exposed credentials
Checkout and payment template files scanned for card skimmers
Full malware and file-integrity scan against a clean OpenCart copy
Admin user review: count, weak passwords, dormant accounts, role escalation
SSL/TLS coverage and HTTP security headers across the store
Backup verification: a real restore path, not just a plugin claiming to back up
What you receive

Findings you can act on

You get a report in plain English, ranked by how likely each issue is to bite you, with the checkout risks called out first. Not a scanner dump. The things that matter, in order, with the fix beside each one.

01

Ranked findings report

Every issue scored by likelihood and impact, with payment-path risks at the top.

02

Extension and modification audit

Which ocmod and vqmod changes are safe, which are stale, and which are hiding something.

03

Fix list with priorities

What we fixed, what you should do next, and what can wait, separated clearly.

04

Backup and recovery note

Where your backups go, how to restore the store, and the gap if there is one.

05

Walkthrough call

Thirty minutes to go through the findings so the report isn't just a file you file away.

How it runs

Four steps, five days

Five business days from access to a hardened store, with a full backup taken before we change anything.

1

Access and snapshot

You give us admin, SFTP, and database access. We take a full backup of the store before touching a setting.

Same day
2

Three-layer scan

Store, server, and checkout. Automated tools plus a manual read of the payment and modification files, because scanners miss injected code.

Days 1-2
3

Harden and fix

Move storage out of the web root, lock config files, rename and protect admin, remove any skimmer or backdoor we find, and document each change.

Days 3-4
4

Re-scan and handoff

We re-run the scan to confirm the fixes held, then walk you through the report.

Day 5
Pricing

Fixed price, no subscription

The audit-only tier is $390. That’s the three-layer scan, the ranked report, and the walkthrough call. You get a clear picture of where the store stands and a fix list you can hand to any developer.

Most store owners want the holes closed, not just listed, so the audit-plus-hardening tier at $690 includes the actual fixes: storage and config lockdown, admin protection, skimmer removal, patching, and a re-scan to prove it worked.

Already hacked? Start with restoration.

If your store is already compromised, redirecting customers or skimming cards, an audit is the wrong first move. You need the malware gone and the store clean before hardening means anything. That’s an OpenCart restoration job, and the hardening folds in once you’re clean. Tell us it’s an active incident and we’ll treat it as one.

Audit

$390 one-time
  • Three-layer security scan
  • Extension and modification audit
  • Ranked findings report
  • Walkthrough call
Book an audit
Most popular

Audit + Hardening

$690 one-time
  • Everything in Audit
  • storage/ and config lockdown
  • Admin protection and login hardening
  • Skimmer and malware removal
  • Post-fix re-scan
Book audit + hardening
Tech we use

Tooling we lean on

OpenCart ClamAV ocmod/vqmod review ConfigServer eXploit Scanner Cloudflare WAF Let's Encrypt Fail2ban
Where this fits

How this connects to the rest of the stack

This is the OpenCart version of our website security service. The platform changes the attack surface, but the three-layer pattern is the same one we run everywhere. If you want the platform view first, our OpenCart support overview covers the maintenance, upgrades, and break-fix work we do on stores day to day, including the 3.x to 4.x jump.

The store still sits on a Linux box, and a good share of the hardening lives there. Our Linux server support page covers that layer on its own. If you also run WordPress somewhere in the business, the WordPress security audit uses the same method at the application level, and the two pair well on one engagement.

If the store is already compromised, start with OpenCart malware removal and restoration, which cleans the store first and hardens after. There’s no point locking the doors while someone’s still inside copying card numbers.

On the fence about upgrading? Our take on OpenCart 3 versus 4 explains why staying patched matters more than the version number.

Security for OpenCart maintenance, security & upgrades

Need security for opencart maintenance, security & upgrades sorted?

We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.

We read every message. We don't pass your details to anyone else, ever.