Secure your osCommece store by installing following mods and making few changes lest it gets hacked and your hard work goes down the drain. If your osCommerce shop just got hacked, first step to get your website back is to restore it from a clean backup. And by chance you do not have a clean backup, you are toast, big time! Because in this case you will have to go and check each and every file for any injected code.
Anyway, if you have restored your website already, you need to secure it by taking following steps:
- If you have not already removed the ‘install’ directory, delete ‘catalog/install/’ directory completely.
- Change the permissions on catalog/includes/configure.php file and chmod it to 444. Do the same with catalog/admin/includes/configure.php file.
- Install Security Pro mod fom here. It will prevent any injection attacks
- Change all user names and passwords of catalog admin panel, including the DB user.
- Make sure that no directory has permissions above 755. If your hosting requires permissions of 777 on directories for osCommerce to work then you need to change hosting.
- Also make sure that all files, other than the two above mentioned configure.php files have permissions no higher than 644. configure.php files need to be chmod to 444. (You may use 644 too).
- Install SiteMonitor mod from here and monitor your stores for any unauthorised changes
- Install IP trap mod from here http://addons.oscommerce.com/info/5914 to block elicit access attempts.
- Install htaccess protection mod from here
- Go to your osCommerce Admin Panel and delete the filemanager.php. You do not need this manager to edit your files. It should never have been part of the osCommerce.
- Rename the ‘admin’ folder and give it a unique name, and not necessarily using admin word in new name. It should not be too difficult to remember yourself, something yuo can remember easily but you get the idea. Once you have renamed the admin folder, you need to make two changes for /admin/ in admin/includes/configure.php to your ‘/renamed-admin-directory/’.
- Password Protect the renamed ‘admin’ folder with a new user and password.
- Run a full virus scan, Malware and SpyBot scan on your PC which you use to FTP files to the site.
Hope that helps.