From Lunarpages Web Hosting Wiki
While we have not seen many attacks on OsCommerce stores, it is still at risk like any other script. Keeping it updated to the latest version is the first and most effective thing you can do to avoid being hacked. Below are other things you can do to make your store much harder to break into. Please run a backup in your control panel before making any of these changes and download the backup to your local computer for safe-keeping.
1. Register_Globals – The latest versions of OsCommerce no longer need register_globals, so leave it disabled. It is Off by default on our servers; if you enabled it earlier, set it back to Off in php.ini. Some older contributions may still require it. If your store or store admin shows errors after disabling it, you will have to turn it back On, but then enable it only for your store's own folder (by placing the php.ini there) if the store lives in a subfolder of public_html, rather than for the whole account. See http://wiki.lunarpages.com/Create_php.ini . The line is "register_globals = On" (or Off to disable, without the quotes). Note that PHP 5.4 and later removed register_globals entirely, so on those versions the line is ignored and any contribution that depends on it has to be fixed or replaced.
2. Set the permissions on the 2 configure.php files to 444 (read-only for everyone, including the web server user) so a compromised script cannot rewrite them. Normally these can be found under includes/ and admin/includes/.
3. Remove file_manager.php and define_language.php. Both edit files through the browser, often cause errors when used for editing anyway, and give anyone who gets into the admin area a ready-made way to add their own code to your files or database. To remove them:
Delete define_language.php and file_manager.php from catalog/admin.
Open admin/includes/boxes/tools.php and delete the menu lines for the two tools, that is the line containing
'' . BOX_TOOLS_FILE_MANAGER . '<br>' .
and the matching line for the define-language tool.
Instead of deleting, you may comment the lines out by adding // at the beginning of each one; keep the whole line, including its trailing period, inside the comment so the concatenated PHP string that builds the menu stays valid. Be sure these changes are made again each time you upgrade your store, since an upgrade restores the stock files.
4. Change the name of the admin folder and/or password protect it. Changing the name may be an issue with upgrading later if you installed via Fantastico or Softaculous and wish to continue using them to upgrade the store. However, in my experience, there are so many useful contributions that can be added to OsCommerce to make it more functional and work the way you like that most folks will need to upgrade manually anyway, so this would not be an issue for them.
After you rename the admin directory to something less obvious, you will have to change two lines in renamed_admin_directory/includes/configure.php:
define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
You may also password protect the admin subfolder in Cpanel or LPCP with Password Protect Directories. The store's own admin login only provides minimal protection: it is enforced by the PHP scripts themselves, so any file in the folder that skips that check is reachable by anyone. Password protecting the folder makes the web server demand a username and password before it serves any file in it, so nothing in the folder can be reached directly without it.
5. We have seen issues with spammers using the tell_a_friend.php file to send emails from sites. We recommend not enabling Tell A Friend in Admin and renaming or deleting that file.
6. Install the following contributions for security:
- Security Pro http://addons.oscommerce.com/info/5752 filters incoming requests to block many injection attempts (it sits in front of the code, so it complements rather than replaces keeping the store and its contributions up to date)
- SiteMonitor http://addons.oscommerce.com/info/4441 monitors your files for unauthorized changes
- IP trap http://addons.oscommerce.com/info/5914 blocks addresses that make illicit access attempts
- htaccess protection http://addons.oscommerce.com/info/6066 adds .htaccess rules to the store
- Anti XSS http://addons.oscommerce.com/info/6044 helps stop Cross Site Scripting attacks
- http://addons.oscommerce.com/info/6134 assists with checking and setting file permissions, if needed
7. Add the Admin Notes contribution http://www.oscommerce.com/community/contributions,2599 . It is very useful for documenting the contributions you have added, major upgrades to OsCommerce, miscellaneous changes such as those made for security, things still to add, hacker incidents, and anything else important. One use of the 3 color settings for each note is red for important, incident, or has an issue; green for installed and OK; yellow for needs to be installed or tested. This record comes in handy should the site be hacked or moved to another server.
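The following script is an added example, not code from the Lunarpages wiki or from the OsCommerce project. It applies steps 2 to 5 above to an OsCommerce 2.2-style directory tree and checks the result. It assumes the standard layout (includes/configure.php, admin/includes/configure.php, admin/file_manager.php, admin/define_language.php, admin/includes/boxes/tools.php, tell_a_friend.php under the store folder), that the define-language menu line in tools.php references the constant BOX_TOOLS_DEFINE_LANGUAGE, and that Apache honours .htaccess files in the admin folder. The sample store it builds, the new admin name store_ctl_7 and the .htpasswd path are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Lunarpages page or osCommerce): apply steps 2-5
# of the hardening list to an osCommerce 2.2-style tree. Assumed layout:
#   $STORE/includes/configure.php, $STORE/admin/includes/configure.php,
#   $STORE/admin/file_manager.php, $STORE/admin/define_language.php,
#   $STORE/admin/includes/boxes/tools.php, $STORE/tell_a_friend.php
set -eu

# Build a throwaway store tree so the script runs offline. File contents are
# constructed stand-ins that only mimic the lines the script edits.
make_sample_store() {
    s="$1"
    mkdir -p "$s/includes" "$s/admin/includes/boxes"
    printf '<?php define("DB_SERVER", "localhost");\n' > "$s/includes/configure.php"
    cat > "$s/admin/includes/configure.php" <<'EOF'
<?php
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', '/home/user/public_html/admin/');
EOF
    printf '<?php // file manager\n' > "$s/admin/file_manager.php"
    printf '<?php // define language\n' > "$s/admin/define_language.php"
    printf '<?php // tell a friend\n' > "$s/tell_a_friend.php"
    chmod 644 "$s/includes/configure.php" "$s/admin/includes/configure.php"
    cat > "$s/admin/includes/boxes/tools.php" <<'EOF'
<?php
$contents[] = array('text' =>
  '<a href="backup.php">' . BOX_TOOLS_BACKUP . '</a><br>' .
  '<a href="define_language.php">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' .
  '<a href="file_manager.php">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
  '<a href="whos_online.php">' . BOX_TOOLS_WHOS_ONLINE . '</a>');
EOF
}

# Step 3: delete the two file-editing admin scripts and comment out their menu
# lines in tools.php. Each line keeps its trailing ' .' inside the comment, so
# the PHP string concatenation stays valid. (BOX_TOOLS_DEFINE_LANGUAGE is an
# assumption about how the define-language line reads.)
remove_file_editors() {
    rm -f "$1/admin/file_manager.php" "$1/admin/define_language.php"
    t="$1/admin/includes/boxes/tools.php"
    sed -i.bak -e '/BOX_TOOLS_FILE_MANAGER/s|^|//|' \
               -e '/BOX_TOOLS_DEFINE_LANGUAGE/s|^|//|' "$t"
    rm -f "$t.bak"
}

# Step 5: take tell_a_friend.php out of the web-reachable name space; rename
# rather than delete so it can be restored if a contribution still needs it.
disable_tell_a_friend() {
    if [ -f "$1/tell_a_friend.php" ]; then
        mv "$1/tell_a_friend.php" "$1/tell_a_friend.php.disabled"
    fi
}

# Step 4: rename admin/, repoint DIR_WS_ADMIN and DIR_FS_ADMIN, and add an
# .htaccess so Apache demands HTTP Basic auth before any PHP in the folder
# runs. Assumes AllowOverride AuthConfig is in effect and that the .htpasswd
# file lives outside the web root.
rename_and_protect_admin() {
    s="$1"; n="$2"; passfile="$3"
    mv "$s/admin" "$s/$n"
    sed -i.bak "s|/admin/'|/$n/'|" "$s/$n/includes/configure.php"
    rm -f "$s/$n/includes/configure.php.bak"
    cat > "$s/$n/.htaccess" <<EOF
AuthType Basic
AuthName "Store administration"
AuthUserFile $passfile
Require valid-user
EOF
}

# Step 2: make both configure.php files read-only (mode 444). Done last so the
# admin rename above can still rewrite the admin copy.
lock_configure() {
    chmod 444 "$1/includes/configure.php" "$1/$2/includes/configure.php"
}

# Apply all of the above; set -e aborts the run if any step fails.
harden_store() {
    remove_file_editors "$1"
    disable_tell_a_friend "$1"
    rename_and_protect_admin "$1" "$2" "$3"
    lock_configure "$1" "$2"
}

# Permission string of a path, e.g. "-r--r--r--", for verification.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo on a constructed tree; "store_ctl_7" and the .htpasswd path are made-up
# values. Replace them with your real store path and a name of your own.
DEMO=$(mktemp -d)
make_sample_store "$DEMO/catalog"
harden_store "$DEMO/catalog" "store_ctl_7" "$DEMO/.htpasswd"
echo "hardened $DEMO/catalog; admin is now $DEMO/catalog/store_ctl_7"
```

Create the password file named in AuthUserFile with the Apache tool, e.g. htpasswd -B -c /home/you/.htpasswd adminuser, which prompts for the password rather than taking it on the command line, and keep that file outside public_html. If the menu line you comment out happens to be the last one in the concatenation in tools.php (ending in ');' rather than ' .'), move that closing onto the previous line instead of commenting it, or the file will no longer parse.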
To be safe you should keep backups of your database and site files: they save a lot of time and effort cleaning up after an attack, and customers are responsible for their own files and for keeping backups. Create new backups of the files and database after any site change, such as adding a contribution, and back up the database as often as the activity in your store warrants. The database is the one truly irreplaceable item and the one that changes most often. You can manually back up the database in OsCommerce under Admin, Tools. Also check out http://addons.oscommerce.com/info/6986 . To automate backups, see this thread from the Lunarforums.
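As an added example of automating the backups described above (this is not the script from the Lunarforums thread nor OsCommerce's own backup tool), the following shell script dumps the store database with mysqldump, archives the site files, and keeps only the newest copies of each. It assumes mysqldump is installed and reads its login from a [mysqldump] section in ~/.my.cnf (user= and password=, file mode 600), so the password never appears on the command line. The store tree, database name and stamps used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the Lunarpages page or osCommerce): dump the store
# database with mysqldump, archive the site files, and keep only the newest N
# copies of each, all in a directory outside the web root. Assumes mysqldump
# is installed and reads the login from ~/.my.cnf so the password is never on
# the command line where "ps" would show it.
set -eu

# Archive the site files as $dest/files-$stamp.tar.gz; prints the archive path.
# The archive holds relative paths ("catalog/..."), not the absolute path.
backup_files() {
    src="$1"; dest="$2"; stamp="$3"
    mkdir -p "$dest"
    out="$dest/files-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$out"
}

# Dump one database as $dest/db-$stamp.sql.gz; prints the dump path.
# Dump to a plain file first so a mysqldump failure is not hidden by the gzip
# step (plain "set -e" does not see errors inside a pipeline).
backup_db() {
    db="$1"; dest="$2"; stamp="$3"
    mkdir -p "$dest"
    out="$dest/db-$stamp.sql"
    mysqldump --single-transaction --routines --triggers "$db" > "$out"
    gzip -f "$out"
    echo "$out.gz"
}

# Remove all but the newest $keep archives named $prefix-<stamp>.* in $dest.
# Stamps are YYYYmmdd-HHMMSS, so reverse lexical order is newest first.
prune_old() {
    dest="$1"; prefix="$2"; keep="$3"
    ls -1 "$dest"/"$prefix"-* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r f; do rm -f "$f"; done
}

# Number of archives for a prefix (used for verification).
count_archives() {
    ls -1 "$1"/"$2"-* 2>/dev/null | wc -l | tr -d ' '
}

# Full run: files plus database, then prune both sets to $keep copies.
run_backup() {
    site="$1"; db="$2"; dest="$3"; keep="${4:-7}"
    stamp=$(date +%Y%m%d-%H%M%S)
    backup_files "$site" "$dest" "$stamp"
    backup_db "$db" "$dest" "$stamp"
    prune_old "$dest" files "$keep"
    prune_old "$dest" db "$keep"
}

if [ "$#" -ge 3 ]; then
    # Real use: store-backup.sh /path/to/catalog storedb /path/to/backups [keep]
    run_backup "$@"
else
    # Offline demo on a constructed tree: three file backups with fixed stamps,
    # then keep only two. No database is touched here.
    BDEMO=$(mktemp -d)
    mkdir -p "$BDEMO/catalog/includes"
    printf '<?php define("DB_DATABASE", "storedb");\n' > "$BDEMO/catalog/includes/configure.php"
    for s in 20240101-010000 20240102-010000 20240103-010000; do
        backup_files "$BDEMO/catalog" "$BDEMO/backups" "$s" > /dev/null
    done
    prune_old "$BDEMO/backups" files 2
    echo "kept $(count_archives "$BDEMO/backups" files) file archives in $BDEMO/backups"
fi
```

To run it nightly, save it outside public_html, make it executable, and add a cron entry such as 15 3 * * * /home/you/bin/store-backup.sh /home/you/public_html/catalog storedb /home/you/backups 7. Download the archives to your local computer regularly; a backup that only exists on the same server as the store is lost together with it.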