The Antropy OpenCart Blog
Making sure your website's private files are not publicly accessible
One important thing to pay attention to with your own OpenCart website is making sure that all private data remains private: any data intended only for internal use that is publicly reachable is dangerous and could lead to further security breaches.
In this article, I will discuss the threats posed by files in the web root that are not meant to be accessible.
The OpenCart install folder
One of the most likely sources of such issues is the OpenCart install folder, left behind after an OpenCart installation. It could be used by an attacker to run the installation code on your site again, wiping data and possibly causing security breaches as the attacker gains access to your site's data. Modern OpenCart versions will warn of the existence of the install folder when the Admin panel is accessed and prompt you to remove it, which can be done from the same prompt.
The OpenCart storage folder
Another likely source is the OpenCart storage folder, which can house sensitive data such as error logs, which attackers can use to learn about your site's configuration and vulnerabilities and then exploit them. This is another issue that is warned against in the Admin Panel, where you are prompted to move the Admin folder outside the web root.
Directory Browsing
One particular issue that might rear its head is directory browsing being inadvertently enabled on your server. This allows anyone on the internet to directly access the site's folders and browse their contents. While ideally no sensitive data should be under the web root in the first place, even something like the presence or absence of a configuration file can be used as information by an attacker to breach your site. The default OpenCart .htaccess file, if used, contains a configuration that disables this in Apache. It is a good idea to make sure this is working by navigating to a folder in the site, for example /system/ from your site's home page URL.
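The check described above can be automated against your own site. The following is an added example, not code from the Antropy article or from OpenCart: it fetches a folder URL such as /system/ and classifies the answer by the signatures an autoindex page carries (a title of "Index of /..." plus a parent-directory link), so a 403, a 404 or a normal shop page is reported as "not listed". The function names (looks_like_directory_listing, check_folder_listing) and the sample response bodies are constructed for this example.

```python
"""Check whether a web server answers a folder URL with a directory listing.

Added example, not from the Antropy article or OpenCart. Assumed names:
looks_like_directory_listing() and check_folder_listing(); the sample
response bodies below are constructed, modelled on the autoindex pages
Apache and nginx generate ("<title>Index of /...</title>").
"""
import re
import sys
import urllib.error
import urllib.request

# Signatures of a generated directory index page; a real application page
# served for a folder URL would not carry both of these.
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
PARENT_LINK = re.compile(r"Parent Directory|\.\./", re.IGNORECASE)


def looks_like_directory_listing(status: int, body: str) -> bool:
    """True if an HTTP response looks like an autoindex listing, not a real page."""
    if status != 200:
        return False  # 403/404 means the folder is not being listed
    return bool(LISTING_TITLE.search(body)) and bool(PARENT_LINK.search(body))


def check_folder_listing(base_url: str, folder: str = "/system/", timeout: float = 10.0) -> dict:
    """Fetch base_url + folder from your own site and classify the answer."""
    url = base_url.rstrip("/") + folder
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""  # 403/404 etc. are the desired outcome
    return {"url": url, "status": status, "listing": looks_like_directory_listing(status, body)}


# Constructed sample responses used for the offline demonstration below.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /system</title></head>
<body><h1>Index of /system</h1>
<ul><li><a href="/">Parent Directory</a></li>
<li><a href="config/">config/</a></li>
<li><a href="storage/">storage/</a></li></ul>
</body></html>"""

SAMPLE_FORBIDDEN = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>"""

# A normal shop page that happens to contain "Index of" and "../" but no
# autoindex title: must not be reported as a listing.
SAMPLE_SHOP_PAGE = """<!DOCTYPE html><html><head><title>Your Store</title></head>
<body><h1>Index of products on sale</h1><a href="../">back</a></body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python listing_check.py https://your-shop.example
        print(check_folder_listing(sys.argv[1]))
    else:
        for name, status, body in [("apache listing", 200, SAMPLE_LISTING),
                                   ("403 page", 403, SAMPLE_FORBIDDEN),
                                   ("shop page", 200, SAMPLE_SHOP_PAGE)]:
            print(f"{name}: listing={looks_like_directory_listing(status, body)}")
```

Run it with your own shop's URL as the only argument; a result of `"listing": True` for /system/ means the `Options -Indexes` protection is not in effect and the folder contents are visible to anyone.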
Testing files
It is common for development work on a site to create files such as "test.php" or "info.php" to quickly test functionality or display information. It is important to make sure such files are removed when a website is made available publicly, as they can reveal information about the site that might be useful for a further breach. For example, the simple phpinfo() function is very useful for developers, but its output can also be used by attackers to quickly home in on any existing vulnerabilities in the website's setup.
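The three checks above (leftover install folder, storage folder under the web root, developer test files) plus the directory-listing directive can be audited together from the server's file system. The following is an added example, not code from the Antropy article or from OpenCart: it walks a web root, reports each problem, and then applies the fixes the article recommends to show the findings disappear. The function names (audit_web_root, apply_fixes, build_fixture), the RISKY_* patterns and the temporary sample web root are all constructed for this example.

```python
"""Audit an OpenCart web root for files that should not be publicly reachable.

Added example, not code from the Antropy article or from OpenCart itself.
Assumed names: audit_web_root(), apply_fixes(), build_fixture() and the
RISKY_* patterns. Checks covered: a leftover install/ folder, a storage/
folder still under the web root (and the logs inside it), developer test
files such as test.php / info.php, and whether .htaccess has an active
"Options -Indexes" line turning directory listing off.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Folders that should never be left under the web root of a live shop.
RISKY_DIRS = ("install", "storage")
# Developer leftovers that commonly expose configuration details.
RISKY_FILE_NAMES = re.compile(r"^(test|info|phpinfo)\d*\.php$", re.IGNORECASE)
# File types that are sensitive when served as-is from a storage folder.
SENSITIVE_SUFFIXES = (".log", ".ini", ".sql")


def htaccess_disables_listing(web_root: Path) -> bool:
    """True if .htaccess contains an active (uncommented) 'Options -Indexes'."""
    htaccess = web_root / ".htaccess"
    if not htaccess.is_file():
        return False
    for line in htaccess.read_text(errors="replace").splitlines():
        stripped = line.strip().lower()
        if stripped.startswith("#"):
            continue  # a commented-out directive protects nothing
        if stripped.startswith("options") and "-indexes" in stripped:
            return True
    return False


def audit_web_root(web_root) -> list:
    """Return a sorted list of findings, one string per problem found."""
    root = Path(web_root)
    findings = []
    for name in RISKY_DIRS:
        if (root / name).is_dir():
            findings.append(f"folder '{name}/' is under the web root")
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if RISKY_FILE_NAMES.match(path.name):
            findings.append(f"developer test file '{rel}' is under the web root")
        if rel.startswith("storage/") and path.suffix in SENSITIVE_SUFFIXES:
            findings.append(f"sensitive file '{rel}' is reachable via storage/")
    if not htaccess_disables_listing(root):
        findings.append(".htaccess does not disable directory listing (Options -Indexes)")
    return sorted(findings)


def build_fixture() -> str:
    """Create a constructed sample web root in a temp dir (not a real shop)."""
    root = Path(tempfile.mkdtemp(prefix="oc_audit_"))
    (root / "install").mkdir()
    (root / "install" / "index.php").write_text("<?php // leftover installer\n")
    (root / "storage" / "logs").mkdir(parents=True)
    (root / "storage" / "logs" / "error.log").write_text("PHP Notice: constructed sample\n")
    (root / "info.php").write_text("<?php phpinfo();\n")
    (root / "catalog").mkdir()
    (root / "catalog" / "index.php").write_text("<?php // legitimate shop code\n")
    # Listing directive present but commented out, so it is NOT active.
    (root / ".htaccess").write_text("# Options -Indexes\nRewriteEngine On\n")
    return str(root)


def apply_fixes(web_root) -> None:
    """Apply the article's recommendations to a web root."""
    root = Path(web_root)
    shutil.rmtree(root / "install")                      # remove leftover installer
    shutil.move(str(root / "storage"),                   # move storage outside web root
                str(root.parent / f"{root.name}_storage"))
    (root / "info.php").unlink()                         # delete developer test file
    (root / ".htaccess").write_text("Options -Indexes\nRewriteEngine On\n")


if __name__ == "__main__":
    fixture = build_fixture()
    for finding in audit_web_root(fixture):
        print("FINDING:", finding)
    apply_fixes(fixture)
    print("after fixes:", audit_web_root(fixture))
```

On a real server, point audit_web_root at the document root instead of the fixture and review each finding by hand before deleting anything; the storage move in apply_fixes is only the file-system half of that step, since OpenCart's config.php must also be updated to the new storage path.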
Google Access
One threat that magnifies the issue posed by wrongly accessible files is Google (and other search engines). As the search engine works to index your website, it also tries to find every page available on it, including any files it might encounter. As such, it can take otherwise obscure files and make it extremely easy for an attacker to find and gain access to them.
With all of this in mind, it's important to make sure your site only makes files and folders available when they are intended to be, and otherwise prevents access. Proactively making sure of this is necessary to keep your site secure against threats. If you're unsure whether your site is secure and want to check, you can request a Technical Audit with Antropy, where we check for this and many other security, performance, and reliability issues.