Dear Customers,
 
We would like to notify you about possible hack attacks to your site configuration files if the 'install.php' file was not deleted from your version after installation.
 
To avoid attacking, we strongly recommend you to perform the following steps:
 
1) Delete the file 'install.php' from your server (if it wasn't deleted earlier).
2) Rename the 'admin' folder to any name you choose and update your bookmarks.
3) Unselect 'writable' privileges for all folders, except for the 'images' folder.
4) Check your Admin panel for unknown php code (it can be placed in the footer body, for example).
5) Change the login/password to your Admin panel (via Administration > System > Administrators > Change password) and ensure that you are not using the default details, like: admin/admin
 
Please, feel free to contact our support team on any issues or problems.
 
With kind regards,
ViArt Support Team

3) Unselect 'writable' priviliges for main folders.
 
Anjula
 
My folders are WRITABLE for Owner only. Is that right?
 
Thanks
 
Chris

3). Main folders > which folders are these exactly.
 
Just includes & admin or more than them
 
and yes as per christopherO is this just set to just owners e.g 755
 
Maybe a little more time and therefore clarity could be devoted to this important warning ! We are not all techies !

Does this also include the install zend php files ?

Hello All,
 
Please, kindly find answers to your questions as to a security alert issue.
  
No, you may leave zend php files on your server. There is no need to remove them.
 My folders are WRITABLE for Owner only. Is that right?
 
Actually, it depends mostly on what type of owner you are. If you have complete root privileges (provided by your hosting provider), then you should leave 755 privileges, otherwise you won't be able to upload files via FTP. In this case no one except you won't be able to access your file(s) and make any changes there.
 
If you as an owner does not have root permissions, but rather an access, like www-data:www-data, then it is strongly recommended to unselect any writable permissions to avoid any hack attack. www-data - is just a sample name, it can be different for different systems, like: apache:apache - for FreeBSD, httpd:httpd - for RedHat, www-data – for Debian.
 
For example, with wxrwxr-x root:root - nobody except a root owner is able to change files, while with root:www-data -anyone from www.data group may access your files and edit them.
 
Therefore, it is advisable to check your owner's privileges and set necessary permissions for your folders, taking into account your server settings and owner’s privileges.
 
With kind regards,
ViArt Support Team

Thanks Anjula,
 
755 should do the trick for me !

Hello,
 
In addition to the precautions we described earlier you can also add an extral layer of defense by password protecting your "admin" directory with an ".htaccess" file. The only inconvenience is that you'll need to log in twice, however this measure will increase security.
 
For detailed instructions on creation an .htaccess file, please refer to the following articles:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
http://www.cs.dal.ca/studentservices/faq/tutorials/web_sites/htaccess.shtml
http://www.javascriptkit.com/howto/htaccess3.shtml
 
With kind regards,
ViArt Support Team
 

I assume that all the advice above relates to just the admin folder?

Hi anjula
 
Can I recommend that you add a neat version of all these tasks to the final completion page of the installation wizard for the next version of Viart.
 
This would remind people at the moment they are most likely to make all the required changes.

Even better,
 
- the viart installation could check the rights of folders itself
 
- the admin and shop front end could display an error and not run until the install.php file had been deleted.
 
 
similar things could be done to assist with many of the other tasks you recommend are applied to a newly installed shop.
 
 
i hope the next release can start automating and doing some of these checks itself.
 

automation seems the most logical way to go, for sure. crazy not to if it can be done considering massive fines for those not pci compliant; and if they're not technical experts in any way,,, well not everyone knows this stuff.