How to change the OpenCart admin URL - simply and safely

By default, the OpenCart admin panel is located at /admin/. This is well-known to attackers and various bots. Changing or hiding this URL is a simple way to reduce junk in your logs and brute-force attempts. Below are two clear options for OpenCart 1.5 / 2.x / 3.x (including ocStore 3.0.3.9): rename the folder or set up a “virtual” URL via web server rules.

Before you start

Back up files and database.
Find out the absolute path to the site (e.g., /var/www/site/) and the domain (https://example.com).
If you use cache/OPcache – plan to clear or restart it.
For OpenCart and ocStore 3 remember about DIR_STORAGE (often placed outside the site root).

Method 1. Rename the `admin` folder

Rename the directory admin – for example, to secret-admin.
Update admin/config.php with the new URL and correct paths.

OpenCart 3 / ocStore 3

// HTTP
define('HTTP_SERVER', 'https://example.com/secret-admin/');

// HTTPS
define('HTTPS\_SERVER', '[https://example.com/secret-admin/](https://example.com/secret-admin/)');

// DIR
define('DIR\_APPLICATION', '/var/www/site/secret-admin/');
define('DIR\_SYSTEM', '/var/www/site/system/');
define('DIR\_IMAGE', '/var/www/site/image/');
define('DIR\_STORAGE', '/var/www/site/system/storage/'); // or external path
define('DIR\_CATALOG', '/var/www/site/catalog/');

define('DIR\_LANGUAGE', DIR\_APPLICATION . 'language/');
define('DIR\_TEMPLATE', DIR\_APPLICATION . 'view/template/');
define('DIR\_CONFIG', DIR\_SYSTEM . 'config/');
define('DIR\_CACHE', DIR\_STORAGE . 'cache/');
define('DIR\_DOWNLOAD', DIR\_STORAGE . 'download/');
define('DIR\_LOGS', DIR\_STORAGE . 'logs/');
define('DIR\_MODIFICATION', DIR\_STORAGE . 'modification/');
define('DIR\_SESSION', DIR\_STORAGE . 'session/');
define('DIR\_UPLOAD', DIR\_STORAGE . 'upload/');

OpenCart 2.0–2.3

// HTTP/HTTPS
define('HTTP_SERVER', 'https://example.com/secret-admin/');
define('HTTPS_SERVER', 'https://example.com/secret-admin/');

// DIR
define('DIR\_APPLICATION', '/var/www/site/secret-admin/');
define('DIR\_SYSTEM', '/var/www/site/system/');
define('DIR\_IMAGE', '/var/www/site/image/');
define('DIR\_CATALOG', '/var/www/site/catalog/');

define('DIR\_LANGUAGE', DIR\_APPLICATION . 'language/');
define('DIR\_TEMPLATE', DIR\_APPLICATION . 'view/template/');
define('DIR\_CONFIG', DIR\_SYSTEM . 'config/');
// Other DIR\_\* — depending on your build (often inside system/storage)

OpenCart 1.5.x

// HTTP
define('HTTP_SERVER', 'https://example.com/secret-admin/');
// Front:
define('HTTP_CATALOG', 'https://example.com/');

// DIR
define('DIR\_APPLICATION', '/var/www/site/secret-admin/');
define('DIR\_SYSTEM', '/var/www/site/system/');
define('DIR\_IMAGE', '/var/www/site/image/');
define('DIR\_CATALOG', '/var/www/site/catalog/');

After editing, clear caches (in 2.x/3.x: “Extensions – Modifications – Refresh”; if admin is unavailable – manually delete system/storage/cache and system/storage/modification) and test login with the new address.

Pros: works “out of the box”, OpenCart/ocStore generates correct links.
Cons: you must remember the new folder name and set paths carefully.

Method 2. “Virtual” URL via Rewrite (keep the folder)

The idea: the folder remains /admin/, but externally you log in via /cp/. This requires changing the visible HTTP_SERVER and adding web server rules.

Keep the admin directory as is.
In admin/config.php set the “visible” URL:

// Visible addresses
define('HTTP_SERVER', 'https://example.com/cp/');
define('HTTPS_SERVER', 'https://example.com/cp/');

// Physical paths — to actual admin folder
define('DIR\_APPLICATION', '/var/www/site/admin/');

Apache (.htaccess in site root)

RewriteEngine On

# Serve /cp/ from physical /admin/

RewriteRule ^cp(/.\*)?\$ admin\$1 \[L]

# (Optional) Block direct /admin/

RewriteRule ^admin(/.\*)?\$ - \[R=404,L]

Nginx (inside server { ... })

# Visible URL
location ^~ /cp/ {
    rewrite ^/cp/(.*)$ /admin/$1 last;
}

# (Optional) Block direct /admin/

location ^\~ /admin/ {
return 404;
}

Restart the web server, clear OpenCart caches – and access via /cp/.

Pros: no changes to file structure.
Cons: must configure rules correctly to avoid breaking existing redirects.

More ways to improve security

Basic Auth for admin – an extra password layer. Can be done with the free module Basic HTTP Authorization
IP whitelist (access only from your addresses).

Add to the start of /admin/.htaccess:

Order deny,allow
deny from all
Allow from 1.1.1.1

where 1.1.1.1 is your IP address.

2FA (two-factor authentication) for admins.
Change default login admin and disable unused accounts.
Captcha for admin login.
Instead of changing the URL, you can use an extra login key. This is available in the OCCleaner – cleanup and optimization module.

Common mistakes to avoid

No trailing slash in HTTP_SERVER/HTTPS_SERVER: must be /cp/, not /cp.
Wrong DIR_* paths: check the real site path.
Cache not cleared: interface still serves old version.
Rewrite rule conflicts in .htaccess/Nginx: order of RewriteRule and location matters.
Mixed content: HTTPS with http:// – leads to extra redirects and warnings.

How to roll back if something goes wrong

Method 1: restore the original folder name and revert admin/config.php.
Method 2: temporarily remove Rewrite/location rules and set HTTP_SERVER back to /admin/.
Clear caches/modifications, restart PHP-FPM/web server if needed.

Рекомендуем посмотреть

Базовая HTTP авторизация

0 ₽

100 sales

OCCleaner - очистка и оптимизация v. 2.1.33

990 ₽

Рекомендуем прочитать

How do I log in to the opencart admin panel?

Как восстановить пароль и войти в админку Opencart

Comment (0)

Yet, no one has left a comment to the entry.