Top 10 ways to secure your osCommerce-based store

Here is a list of basic security measures you can carry out to protect your store. Use it as a checklist and consider implementing any that are missing from your server’s security policy. Some of these steps have server requirements that may or may not be available to you, depending on your hosting plan. This post is for stores on Linux servers with a LAMP (Linux, Apache, MySQL, PHP) configuration.

These ideas come from a variety of sources, in particular Zen Cart, which ships with a number of useful security features and recommendations.

  • Check and set permissions
    Permissions are assigned to each folder and file and define what the owner, the group and everyone else may do with it.
    Folders should be a maximum of 755; certain folders the store writes to (/images, /admin/backups, /tmp) may need 757, depending on your server configuration. All files should be 644, and the configure.php files 444 if possible. Keep in mind that 757 (like 777) makes a folder world-writable, so on a shared server any other account on the machine can drop files into it: grant it only to the folders the store must write to, never to a folder that holds PHP, and if PHP runs as your own account (suPHP, suEXEC or PHP-FPM) 755 is usually enough.
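An added example, not from the original post, of auditing and applying the permission baseline described in this item with plain POSIX shell on a Linux host. The sample store tree it builds under mktemp is constructed for the demo, and the only non-POSIX call is stat -c '%a' (GNU coreutils or busybox); point audit_perms at your real /catalog or public_html to use it.

```shell
#!/bin/sh
# Audit a store tree against the baseline above (directories 755, files 644,
# configure.php 444) and, separately, apply that baseline.
# Example code added to this post; the sample tree below is constructed.

# Print one line per path that deviates from the baseline. Directories the
# store must write to (images, admin/backups, cache, tmp) show up here too if
# you opened them to 757/777: that is deliberate, so the list of
# world-writable directories stays in front of you.
audit_perms() {
    root=$1
    find "$root" -type d | while IFS= read -r d; do
        m=$(stat -c '%a' "$d")           # octal mode, e.g. 755
        [ "$m" = 755 ] || echo "DIR  $m (want 755) $d"
    done
    find "$root" -type f | while IFS= read -r f; do
        m=$(stat -c '%a' "$f")
        case $f in
            */configure.php) want=444 ;;  # DB credentials: read-only
            *)               want=644 ;;
        esac
        [ "$m" = "$want" ] || echo "FILE $m (want $want) $f"
    done
}

# Apply the baseline everywhere. Re-open the few writable directories
# explicitly afterwards (e.g. chmod 757 catalog/images) instead of leaving
# 777 behind from an earlier "make it work" session.
apply_baseline() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name configure.php -exec chmod 444 {} +
}

# Constructed sample store with three deliberate mistakes (demo only).
make_sample_store() {
    base=$(mktemp -d)
    mkdir -p "$base/catalog/includes" "$base/catalog/images" \
             "$base/catalog/cache" "$base/catalog/admin/includes" \
             "$base/catalog/admin/backups"
    : > "$base/catalog/index.php"
    : > "$base/catalog/includes/configure.php"
    : > "$base/catalog/admin/includes/configure.php"
    apply_baseline "$base/catalog"
    chmod 777 "$base/catalog/cache"                   # world-writable, flagged
    chmod 757 "$base/catalog/images"                  # the post's upload setting, flagged
    chmod 666 "$base/catalog/includes/configure.php"  # credentials writable by anyone
    echo "$base"
}

# Audit the sample tree, print the three findings, clean up.
demo_audit() {
    base=$(make_sample_store)
    audit_perms "$base/catalog"
    rm -rf "$base"
}

# Number of findings once the baseline has been applied to the sample (0).
demo_after_fix() {
    base=$(make_sample_store)
    apply_baseline "$base/catalog"
    audit_perms "$base/catalog" | wc -l
    rm -rf "$base"
}

demo_audit
# usage on a real store:  audit_perms /home/youraccount/public_html
```

Run the audit before and after every module install: a module’s own "chmod 777" instructions are the usual way a store drifts from the baseline.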
  • Disable the ‘Allow Guest to Tell a Friend’ feature
    Some carts let any visitor send email through this feature. Disabling it stops visitors who are not logged in from using your server to send spam.
  • Update your store and module software to the latest versions and patches
    Every new release usually carries security or bug fixes that improve the functionality and stability of your store. If you don’t upgrade, attackers can exploit your site through vulnerabilities that are already public, often with ready-made tools.
  • Use local htaccess files to restrict script execution and access
    For local .htaccess files to work, the server must be set up to allow them, with ‘AllowOverride All’ (or a narrower value such as ‘AllowOverride Limit’) in the Apache httpd.conf. Check with your hosting company that this is configured, and which directives are allowed: ‘Limit’ covers only Order, Allow and Deny, while ForceType, Header and RemoveHandler need ‘FileInfo’, Options needs ‘Options’ and IndexIgnore needs ‘Indexes’. A directive that AllowOverride does not permit makes Apache return a 500 error for the whole folder, so test after every change. The Order/Allow/Deny examples below are the Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat, and the native form is ‘Require all denied’ / ‘Require all granted’.
  • In the htaccess file itself, start by denying access to everything:

  Order Deny,Allow
  Deny from all
  • Then re-open access only for the files visitors need. On its own, the stanza below re-opens the whole folder; to limit it to certain files, place it inside a <Files> or <FilesMatch> block that names them:

      Order Allow,Deny
      Allow from all

  • For example, in the /images folder the <FilesMatch> would list the image extensions (gif, jpg, png), so that only images are served and anything else, such as a PHP file that an attacker managed to upload there, is refused:

      Order Allow,Deny
      Allow from all
  • Deny direct requests to everything in a folder that only the application itself should read, such as /cache:

      Order Deny,Allow
      Deny from All

  • For a folder of downloads, add the following so that files are offered as a ‘Save As’ download and never executed by the server (the Header line needs mod_headers, and both it and ForceType need AllowOverride FileInfo; note that ‘Order Allow,Deny’ takes no space after the comma):

      Order Allow,Deny
      Allow from all
      ForceType application/octet-stream
      Header set Content-Disposition attachment

  • If you want to stop snoopers listing the contents of a folder, there are several ways to do it. First establish whether your hosting company already does this in the Apache config file. Ask them whether the following exist there:
    DirectoryIndex index.php
    Options -Indexes -ExecCGI
    (-ExecCGI stops CGI scripts running from the folder; it does not stop PHP served through mod_php, which needs ‘php_flag engine off’ or a RemoveHandler for .php in that folder instead)
  • If not, ask what DirectoryIndex is set to (usually “index.php”). If that is the case, you can add this to a local htaccess file (it needs AllowOverride Indexes):
    IndexIgnore */*

    or you can create a blank index.php and upload it to the folder. IndexIgnore only hides entries from the listing; ‘Options -Indexes’ in the htaccess file (AllowOverride Options) switches the listing off altogether.
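The stanzas above combined into one complete .htaccess for the /images folder, as an added example that is not from the original post. It assumes AllowOverride All (or at least Limit, FileInfo, Options and Indexes), the image extensions gif, jpg and png, and PHP running through mod_php; the FilesMatch pattern and the handler list are the assumptions to adjust for your own store.

```apache
# /catalog/images/.htaccess  (assumed path; example added to this post)

# 1. Default deny. Apache 2.4 uses Require (mod_authz_core); the Order/Deny
#    form is the 2.2 syntax used in the post and works on 2.4 only with
#    mod_access_compat loaded. The IfModule pair serves both.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>

# 2. Re-open only the file types a browser legitimately fetches from here.
#    A PHP file uploaded into /images gets a 403 instead of being run.
<FilesMatch "\.(gif|jpe?g|png)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</FilesMatch>

# 3. Belt and braces: even if a script name slips past the allowlist, nothing
#    in this tree is handed to the PHP interpreter. php_flag is honoured by
#    mod_php only (mod_php7.c for PHP 7); with PHP-FPM/FastCGI the
#    RemoveHandler/RemoveType lines do the work (AllowOverride FileInfo).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .inc
RemoveType    .php .phtml .php3 .php4 .php5 .inc

# 4. No directory listings and no CGI here (AllowOverride Options).
Options -Indexes -ExecCGI

# For /admin/backups, /cache and /tmp use section 1 (and 3) alone, with no
# FilesMatch: nothing in those folders should ever be served to a browser.
```

After saving the file, request an existing image and a non-image path in the folder: the image must still load and the other request must return 403, not 500. A 500 means one of the directives is not permitted by AllowOverride on your host, and the fix is to remove that line or ask the host, not to loosen the deny.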

  • Monitor your error and access logs
    You are looking for suspicious entries here: requests for pages that do not exist on your site, query strings that carry another URL (http://...) after index.php, which is the signature of a remote file inclusion attempt, and that sort of thing. Your store may have /error or /debug folders in its directory structure: check those too.
  • Backup your store regularly
    MySQL database: this can be done through Admin/Tools/MySQL Backup. Use whatever compression is available. Do not download the backup over an unencrypted (http://) connection; use https or SFTP. The zipped backup file is created in admin/backups, so secure this folder too: deny all web access to it with an htaccess file as above, and delete old dumps, since every one of them holds your customer data.
  • Your store’s files: these are NOT saved by the MySQL backup and must be copied separately. Basically you need a copy of everything in /catalog (or the web root, which may be called ‘public_html’).
  • Server settings – more applicable to stores running on their own server (in which case you should have a maintenance program set up already), however check with your hosting company to see how they manage backing up the server configurations.
  • Check with your hosting company on what they have done to make your site secure
    Your store can be severely compromised if your hosting company hasn’t correctly secured the server. Many protections can only be enabled by them (Suhosin, Apache config settings and php.ini settings are a few), so it pays to be clear on what they are doing to make your store more secure. This is particularly important if you are running on a shared server and using shared SSL (not recommended).
  • Get a dedicated SSL certificate and static IP address for your store
    A certificate issued for your own domain means customers see your name, not your host’s, when they check the connection, and a static IP gives you a stable address to protect and monitor. If you are serious about presenting a dependable, secure store, these are essential requirements.
  • Seek help
    If your business warrants it, or you want additional assurance (especially if you run forum software or other scripts outside your e-cart software on the site), hire a security consultant to check your site regularly; peace of mind in exchange for a few dollars.
  • Admin-specific security
    Check this post about securing your admin, with points specific to this important part of the store. The admin is often the point of entry for hacking attempts.