Securing osCommerce Websites

Over recent years, osCommerce has increasingly become a target of hackers. It seems every few months a new exploit gains traction and causes havoc amongst osCommerce shop owners. In recent weeks, we have noticed a small but significant number of customers running out of date & improperly secured osCommerce installs fall victim. The following post will provide some important security practices to consider when running this script.

As with any script it is important to make sure you keep informed regarding the latest updates – unfortunately, development on osCommerce has not kept up with the number of users still using this script. Above ensuring you are using the latest version, you should also be applying extra security measures. The base install requires a number of additional security precautions in order to ensure your install is as secure as possible.

The following tips are a good place to start for every osCommerce shop owner to take in order to secure their installs:

  1. Rename your Admin area to something random eg. instead of your admin area URL being it is something like etc.
  2. Remove the admin file called “file_manager.php” and the file called “define_language.php” (note that RC3 delivers without the file_manager.php file already).
  3. Password or IP protect your admin area using a .htaccess file via your cPanel (note that osCommerce rc3 has this feature installed already via the admin area)
  4. As a minimum, install the following recommended security modules:
    Security Pro
    IP Trap
    .htaccess Protection
  5. Make sure that your admin settings for file-based sessions and cache (if you use either), do not use the /tmp folder.

As development on osCommerce is known to be a little slow, averaging between 6-12 Months between updates, it is highly important to take a pro-active approach in securing your installation and keeping ahead of the latest issues. The best resource is of course the developers themselves and especially the osCommerce user community forum, (the “best security practices” threads for various versions should be the first stop for anyone running or considering running osCommerce)

Additionally, relevant osCommerce user communities such as ClubOSC – provide many great tips and resources from securing your install to cleaning up after being attacked.

Lastly, as always with important data make sure you are taking regular backups and storing them offsite eg. regular file & database backups downloaded to your local computer or FTP server.