Securing Your osCommerce Admin Area
osCommerce, by default, does not have any security protection for the admin area, so it is critically important to get a security plan in place before launching your site. Neglecting this leaves your site open to disaster: hacking or defacement, and your customers’ sensitive information exposed for anyone to see. Google can end up crawling, indexing, and caching your customer invoices from the admin area, putting very sensitive information in front of the whole world, and that is a huge headache to clean up once the cat is out of the bag. Here is a checklist to follow to make sure your admin area is locked down:
- Change the folder name for the admin folder - This one is basic, but effective against casual probing. Anyone who knows osCommerce can guess the URL of your admin area if you keep the standard “/admin/” folder. Name it something that cannot be guessed, like “/mYst0re@dminwhereNOonecanFindit/”. Remember that this is obscurity, not access control: the moment the name leaks (a link, a server log, a robots.txt entry), it buys you nothing, so treat it as a complement to the password protection below, never a substitute.
- Robots.txt - To keep Google, Yahoo, MSN, and other search engines from crawling your admin area, edit your robots.txt file to exclude the admin directory. Add the following to your robots.txt file:

  User-agent: *
  Disallow: /youradminfoldername/

  Visit the robotstxt.org site for more information about the robots.txt standard. Bear in mind that robots.txt is advisory and publicly readable: well-behaved crawlers honour it, but anyone else can read it as a map, and listing a renamed admin folder here tells the world exactly where it is. Treat it as a courtesy to search engines, not as a security control; the password protection below is what actually keeps the admin area out of search indexes and out of strangers’ hands.
- Add Password Protection - There are a number of password protection contributions for osCommerce. I normally use the Admin Account with Access Levels contribution. It works well and is not overly hard to install.
- Delete Credit Card Information - If you use the standard osCommerce credit card module, the card number is stored in the orders table of your database. Every card number sitting in that table is a liability for as long as it stays there: if the database is ever dumped, so are your customers’ cards. Once you have printed your order, delete the card number. You can do this directly in the database if you are comfortable with this, or have a script written to allow you to delete the card on demand. Better still, if your processor supports it, use a payment module that hands the card straight to the processor and never stores the number at all. (Shameless plug here!) We can install a script like that on a site for $40.
- Add Password Protection with .htaccess file - To add another layer of security, you can also password-protect the admin folder with .htaccess and .htpasswd files. This puts the check in the web server itself, in front of any PHP code, so even a bug in an admin script cannot be reached without the password. A tutorial is available at the apache.org site. Two cautions: keep the .htpasswd file outside the document root so it can never be downloaded, and serve the admin area over HTTPS only, because HTTP Basic authentication sends the username and password base64-encoded, not encrypted, on every request.
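As an added example (not from the original post or the osCommerce project), here is what the .htaccess for the final checklist item looks like when both cautions are applied: plain HTTP is redirected to HTTPS before the login prompt appears, and the password file lives outside the web root. The path /var/www/private/.htpasswd and the realm name are assumptions; adjust them to your server.

```apache
# Added example: .htaccess placed inside the (renamed) admin directory.
# Needs AllowOverride AuthConfig FileInfo for this directory in the vhost,
# and mod_rewrite enabled.

# Refuse plain HTTP for the admin area so Basic credentials never cross
# the wire unencrypted (Basic auth is only base64-encoded, not encrypted).
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

AuthType Basic
AuthName "Store administration"
# Assumed path: keep the password file OUTSIDE the document root so the
# web server can never hand it out as a download.
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Create the password file once with `htpasswd -c -B /var/www/private/.htpasswd storeadmin` (the `-B` bcrypt option needs the Apache 2.4 htpasswd utility; on 2.2 use `-m`), then add further users without `-c`. Apache’s default configuration already denies web access to any file whose name starts with `.ht`, but that protects only the copy inside the web root; placing it outside removes the question entirely.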
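For the “Delete Credit Card Information” item above, this added example (not the original post’s script, and not osCommerce code) shows the direct-in-the-database route in MySQL. The column names come from the stock osCommerce orders table; the status value 3 for “Delivered” is what a default install uses, but it is an assumption here, which is why the script looks it up first.

```sql
-- Added example: purge stored card data from processed osCommerce orders.
-- Columns cc_number, cc_expires, cc_owner, cc_type and orders_status are
-- the stock osCommerce orders table. Status id 3 = "Delivered" is an
-- ASSUMPTION from a default install; confirm it in step 1 before running
-- step 3. language_id = 1 (English) is likewise an assumption.

-- 1. Which status ids does this store actually use?
SELECT orders_status_id, orders_status_name
  FROM orders_status
 WHERE language_id = 1;

-- 2. How much card data is currently sitting in the database?
SELECT COUNT(*) AS orders_holding_card_numbers
  FROM orders
 WHERE cc_number IS NOT NULL AND cc_number <> '';

-- 3. Wipe the sensitive fields for delivered orders. Card type and owner
--    name are kept for your records; number and expiry are what matter.
--    A transaction lets you inspect the result before it becomes permanent.
START TRANSACTION;

UPDATE orders
   SET cc_number  = '',
       cc_expires = ''
 WHERE orders_status = 3                       -- assumed: Delivered
   AND cc_number IS NOT NULL AND cc_number <> '';

-- Expect 0 here; if not, ROLLBACK and investigate.
SELECT COUNT(*) AS delivered_orders_still_holding_cards
  FROM orders
 WHERE orders_status = 3
   AND cc_number IS NOT NULL AND cc_number <> '';

COMMIT;

-- 4. The on-demand case from the checklist (one order, right after
--    printing it) targets the order id instead of the status:
UPDATE orders
   SET cc_number = '', cc_expires = ''
 WHERE orders_id = 1234;                       -- assumed example id
```

Clearing the live table is necessary but not sufficient: database backups, binary logs and any export you have emailed yourself still contain the numbers until they are rotated or destroyed, so check where those go before you count the cards as gone.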
Have you experienced any security problems, or have any tips you’d like to share? Leave a comment below.
Technorati Tags: oscommerce security ecommerce os commerce