Bill Cooke is a Freelance Web Designer and Graphic Designer based out of Toronto, Canada.
Security on OsCommerce – ways to improve it!
One thing a lot of new webmasters and store owners overlook is security on their website. This is especially important if you are running an e-commerce platform such as osCommerce. Here are a few tips to ensure your osCommerce site is as secure as possible for your customers and your site’s data, as well as some general policies you should follow to avoid fraudulent orders or spam.
SSL Certificate
Even if you use a payment gateway such as PayPal, where the payment is processed on their website as opposed to directly on your site, I highly recommend that you install an SSL certificate on your website for osCommerce. The reason is that when people are creating accounts and going through the checkout pages before they reach the payment gateway, their connection to your site is encrypted, which makes them feel more secure. It is also beneficial to use SSL for your admin area to encrypt the data being sent to you, such as order and customer information. An SSL certificate from godaddy.com only costs about 30 bucks for a year, and is well worth the investment for the peace of mind it provides both you and your customers.
Rename your Admin Folder
Although osCommerce has password protection to log into your admin area, most store owners keep the admin files in the default /admin folder. Change this and update the admin/includes/configure.php file accordingly. This makes it just a little harder for hackers to find your admin folder (the first step). I suggest you rename the admin folder to a random selection of letters and numbers, and write it down somewhere safe.
Delete The Installation Directory
It amazes me how many people overlook this. Many just rename it to a directory like _install. There is a reason the osCommerce installer asks you to delete the directory. If someone got access to the directory and re-ran the install script, they could overwrite your database, removing all your customer, product and order tables in the osCommerce database. You should ALWAYS delete the install directory, not rename it.
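The two tips above (move the admin area off /admin and delete, not rename, the installer) plus the SSL tip can be checked mechanically before a store goes live. The script below is an added example, not code from the original post or from the osCommerce project. It assumes the osCommerce 2.2 file layout: the admin folder's includes/configure.php defines DIR_WS_ADMIN, and the catalog's includes/configure.php defines ENABLE_SSL. The check functions and the sample document root it builds are constructed for this example.

```python
"""Pre-launch layout check for an osCommerce document root.

Added example; not part of the original post or of osCommerce itself.
Assumes the osCommerce 2.2 layout: catalog config at includes/configure.php
(defines ENABLE_SSL) and admin config at <admin folder>/includes/configure.php
(defines DIR_WS_ADMIN). The helper functions are hypothetical, written for this post.
"""
import os
import re
import tempfile

# Matches define('NAME', value); as written in osCommerce configure.php files.
_DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(.+?)\s*\)\s*;")


def parse_defines(php_text):
    """Return {NAME: value} for every define('NAME', value); in a configure.php."""
    return {m.group(1): m.group(2).strip("'\"") for m in _DEFINE_RE.finditer(php_text)}


def check_layout(docroot_entries, admin_dir, admin_configure, catalog_configure):
    """Return a list of findings; an empty list means all three tips are applied.

    docroot_entries   - names directly under the document root
    admin_dir         - directory that actually holds the admin files (None if not found)
    admin_configure   - text of <admin_dir>/includes/configure.php
    catalog_configure - text of includes/configure.php
    """
    findings = []
    # Tip: delete the installer. Catch install/, _install/, install_old/ and the like.
    for name in docroot_entries:
        if name.lower().lstrip("_").startswith("install"):
            findings.append(f"installer directory still present: {name}/ (delete it, do not rename it)")
    # Tip: move the admin area away from the default path, in both the folder and the config.
    if admin_dir is None:
        findings.append("no admin configure.php found under the document root")
    elif admin_dir == "admin":
        findings.append("admin area is still at the default /admin/ path")
    ws_admin = parse_defines(admin_configure).get("DIR_WS_ADMIN", "")
    if ws_admin.strip("/") == "admin":
        findings.append("DIR_WS_ADMIN in admin/includes/configure.php still points at /admin/")
    elif ws_admin and admin_dir and ws_admin.strip("/") != admin_dir:
        findings.append(f"DIR_WS_ADMIN ({ws_admin}) does not match the renamed folder {admin_dir}/")
    # Tip: encrypt account creation and checkout pages on the storefront.
    if parse_defines(catalog_configure).get("ENABLE_SSL", "false").lower() != "true":
        findings.append("ENABLE_SSL is not true in includes/configure.php")
    return findings


def scan(docroot):
    """Apply check_layout to a real document root on disk."""
    entries = sorted(os.listdir(docroot))
    admin_dir, admin_text = None, ""
    for name in entries:
        cfg = os.path.join(docroot, name, "includes", "configure.php")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if "DIR_WS_ADMIN" in text:  # only the admin configure.php defines this
                admin_dir, admin_text = name, text
    catalog_text = ""
    catalog_cfg = os.path.join(docroot, "includes", "configure.php")
    if os.path.isfile(catalog_cfg):
        with open(catalog_cfg, encoding="utf-8", errors="replace") as fh:
            catalog_text = fh.read()
    return check_layout(entries, admin_dir, admin_text, catalog_text)


if __name__ == "__main__":
    # Constructed sample document root with all three problems present.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "_install"))
        os.makedirs(os.path.join(root, "admin", "includes"))
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "admin", "includes", "configure.php"), "w") as fh:
            fh.write("<?php\ndefine('DIR_WS_ADMIN', '/admin/');\ndefine('DIR_FS_ADMIN', '/var/www/admin/');\n")
        with open(os.path.join(root, "includes", "configure.php"), "w") as fh:
            fh.write("<?php\ndefine('ENABLE_SSL', false);\n")
        for finding in scan(root):
            print("FINDING:", finding)
```

Run it against the store's document root (scan("/path/to/catalog")) after the rename; the DIR_WS_ADMIN comparison catches the common slip of renaming the folder but leaving the old path in admin/includes/configure.php.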
Strong Passwords
This is the single most valuable tip I can provide. DO NOT use common words as passwords; they will be hacked. For your admin logins, FTP passwords and database passwords, always use a password made up of upper and lowercase letters and some numbers; the more random the better.
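The rule above (mixed-case letters and digits, random rather than a dictionary word) is easy to enforce in code, both when checking a password an admin chooses and when generating one. The following is an added example written for this post, not code from the original or from osCommerce; the minimum length of 12 and the short COMMON_WORDS list are assumptions standing in for a real policy and a real wordlist.

```python
"""Password policy helper. Added example, not from the original post or osCommerce.

Enforces the post's rule (upper and lowercase letters plus digits, nothing that
is a common word) and generates passwords that satisfy it with the secrets module.
MIN_LENGTH and COMMON_WORDS are assumptions: the post gives no length, and a real
deployment would load a full wordlist instead of this constructed sample.
"""
import secrets
import string

MIN_LENGTH = 12  # assumption; the post does not state a length
ALPHABET = string.ascii_letters + string.digits

# Constructed sample of dictionary words and well-known weak choices.
COMMON_WORDS = sorted({"password", "admin", "letmein", "welcome", "shop", "store",
                       "oscommerce", "qwerty", "123456"})


def password_problems(password):
    """Return the reasons a password fails the policy (empty list == accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    # Strip digits and symbols too, so "Password123!" is still caught as a word.
    letters_only = "".join(c for c in lowered if c.isalpha())
    for word in COMMON_WORDS:
        if (len(word) >= 4 and word in lowered) or word == letters_only:
            problems.append(f"contains common word '{word}'")
            break
    return problems


def is_strong(password):
    """True when the password passes every check above."""
    return not password_problems(password)


def generate_password(length=16):
    """Generate a random letters-and-digits password that passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:  # a purely random draw almost always passes on the first try
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "OscommerceStore", "Password123456", generate_password()):
        verdict = password_problems(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Use secrets (not random) for generation: random is seeded predictably and is not meant for credentials. Writing the generated admin, FTP and database passwords down somewhere safe, as the post says, matters more than remembering them.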
Storing Credit Card Numbers
Although osCommerce “vanilla” does not store credit card numbers, some payment modules and contributions add this ability. I would highly recommend you do NOT use them, or if you choose to, remove the credit card numbers from the related orders as soon as the order is completed. In fact, in many countries it may be illegal to store the credit card number along with its CCV code in your database.
If a hacker ever got into your back end, or got access to export your database, all those credit card and CCV numbers would be ripe for the picking. This is why, if you must store them on the site to process orders, you should remove
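What "remove the card data once the order is complete" looks like in practice: keep at most the last four digits, never keep the CCV, and also scrub card numbers that customers sometimes type into free-text comment fields. The code below is an added example, not from the original post or from any osCommerce payment module; the record layout (cc_number, cc_cvv, comments) is an assumption standing in for whatever a contribution writes to the orders table.

```python
"""Scrub card data from a completed order record.

Added example; not from the original post or any osCommerce payment contribution.
The order dict layout (cc_number, cc_cvv, comments) is an assumption for illustration.
"""
import re

# A run of 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits):
    """Luhn checksum; filters out order numbers and phone numbers that merely look long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, e.g. ************1111."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_free_text(text):
    """Mask anything in free text that looks like a card number and passes Luhn."""
    def repl(match):
        digits = "".join(c for c in match.group(0) if c.isdigit())
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return _PAN_RE.sub(repl, text)


def scrub_order(order):
    """Return a copy of a completed order with the card data removed.

    The number is reduced to its last four digits (enough for support queries);
    the CCV is dropped outright, since it must never be stored in any form.
    """
    cleaned = dict(order)
    if cleaned.get("cc_number"):
        cleaned["cc_number"] = mask_pan(cleaned["cc_number"])
    cleaned.pop("cc_cvv", None)
    if cleaned.get("comments"):
        cleaned["comments"] = scrub_free_text(cleaned["comments"])
    return cleaned


def is_safe_to_store(order):
    """True if the record holds no full card number and no CCV anywhere."""
    if "cc_cvv" in order:
        return False
    if sum(c.isdigit() for c in (order.get("cc_number") or "")) > 4:
        return False
    comments = order.get("comments") or ""
    return scrub_free_text(comments) == comments


if __name__ == "__main__":
    # Constructed sample order; 4111111111111111 is a well-known test number.
    sample = {
        "orders_id": 1001,
        "cc_number": "4111 1111 1111 1111",
        "cc_cvv": "123",
        "comments": "please use 4111111111111111 again, ref 1234567890123",
    }
    print("before:", is_safe_to_store(sample), sample)
    after = scrub_order(sample)
    print("after: ", is_safe_to_store(after), after)
```

Run is_safe_to_store over existing rows before going live: it flags old orders that a contribution filled in long before anyone thought about purging them.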
PayPal
If you use PayPal as your payment method, you should state on the site, and follow the policy, that you will ONLY ship to PayPal verified addresses. This protects you from some of the ways you can be defrauded: since you sent the item to their PayPal verified address, it is meant to go to the address of the person who owns the PayPal account.
Shipping Insurance
If you plan to ship items over about $50 you should consider adding a cost to your shipping estimates to include shipping insurance. This can be beneficial if items get lost, stolen or sent to fraudulent addresses.
E-Mail Addresses
Don’t post your actual email address on any page of the store. There are millions of email harvester bots just waiting to get hold of it and pass it on to spam companies. There is a contact_us.php with a contact form for a reason, so you don’t need to post your e-mail address on the site to be harvested.
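Addresses creep into templates, footers and product descriptions without anyone noticing, so it is worth scanning the rendered pages the way a harvester would. Below is an added example, not code from the original post or from osCommerce: it decodes HTML entities first (so writing the @ as &#64; hides nothing) and reports both mailto: links and plain addresses. The sample footer is constructed.

```python
"""Scan rendered store HTML for e-mail addresses a harvester bot could collect.

Added example; not from the original post or from osCommerce. The sample footer
is constructed, and the regexes are deliberately loose because harvesters are too.
"""
import html
import re

# Plain addresses appearing in text or attributes.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# mailto: links; the address ends at a quote or at a ?subject= query string.
_MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.IGNORECASE)


def find_exposed_emails(page):
    """Return the sorted list of distinct addresses visible in the HTML.

    Entities are decoded first: &#64; or &commat; render as @ in a browser,
    and harvesters decode them the same way, so they give no protection.
    """
    decoded = html.unescape(page)
    found = {m.group(1).strip() for m in _MAILTO_RE.finditer(decoded)}
    found.update(_EMAIL_RE.findall(decoded))
    return sorted(found)


# Constructed sample footer, the kind of thing often pasted into a template.
SAMPLE_FOOTER = """
<div id="footer">
  Questions? <a href="mailto:owner@example.com?subject=Order">Mail the owner</a>
  or write to support&#64;example.com.
  <a href="contact_us.php">Contact us</a>
</div>
"""

if __name__ == "__main__":
    for address in find_exposed_emails(SAMPLE_FOOTER):
        print("exposed:", address)
```

Feed it the HTML of each public page (the saved output of a crawl of your own store works); anything it reports should be replaced by a link to contact_us.php.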
Captcha
Although not strictly necessary, a good additional step is to install a captcha on the create account and contact pages to stop bots from spamming you or creating accounts on your website.