Securing osCommerce stores and preventing them from being hacked
If you need help in doing all the above we charge a nominal rate of 200 USD.
Please use the contact us form to get in touch with us.
You need to secure osCommerce by doing the following steps:
1) Remove admin/file_manager.php
2) Remove admin/define_language.php
3) Make backups of your database and site files; this saves a great deal of time and effort cleaning up should anything nasty happen.
4) Install the following useful contributions:
Prevent injection attacks via the query string with Security Pro http://addons.oscommerce.com/info/5752
Monitor the site for unauthorised file changes with SiteMonitor http://addons.oscommerce.com/info/4441
Block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914
Add .htaccess protection http://addons.oscommerce.com/info/6066
Stop cross-site scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044
Make sure that all files, except for the two configure.php files, have permissions no higher than 644.
The correct permissions for the two configure.php files vary according to the server your site is on: 644, 444 or 400.
Permissions on folders should be no higher than 755. If your hosting setup demands 777 on folders, change hosts.
You can use the contribution at http://addons.oscommerce.com/info/6134 to assist with permission settings.
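As an added example (not from the page or the linked contribution), the following audit reports every file or folder that carries permission bits beyond the limits above; it assumes GNU find for -perm /MODE and -printf, and the function names audit_perms and count_findings are its own.

```shell
#!/bin/sh
# Added example, not from the page or the linked contribution: audit a store
# tree against the permission rules above. Assumes GNU find (-perm /MODE and
# -printf).
#
# -perm /MODE matches an entry when ANY bit of MODE is set. 0133 is every bit
# outside rw-r--r-- (0644), so a file matches only if it carries something
# beyond 644; 0022 is every bit outside rwxr-xr-x (0755). The configure.php
# files pass automatically: 644, 444 and 400 contain no bit of 0133.
audit_perms() {
    root="$1"
    find "$root" \( -type f -perm /0133 -printf 'FILE %m %p\n' \) \
               -o \( -type d -perm /0022 -printf 'DIR %m %p\n' \)
}

# Number of findings, so the result can be used by scripts and monitoring jobs.
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit_perms.sh /path/to/catalog ; exits non-zero on findings.
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
    [ "$(count_findings "$1")" -eq 0 ]
fi
```

A folder reported as 777 is exactly the case the text above says should make you change hosts.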
Other steps to be followed:
SECURING THE ADMIN:
Rename the admin directory and password-protect it.
FORMS:
Security Pro cleans the query string, but forms using $_POST are unaffected. If you have any forms using the POST method, add the following to pages that accept $_POST variables.
after:
CODE
require('includes/application_top.php');
add:
CODE
// clean posted vars
// Strip every character outside a small safe set from each scalar POST value;
// the value is urldecoded first so an encoded character cannot slip through.
// foreach replaces the original reset()/each() loop, which PHP 8 removed.
foreach (array_keys($_POST) as $key) {
    if (!is_array($_POST[$key])) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}
Following the above steps makes the store far harder to compromise.
