Here you will find some hints and tips on how to stop hackers from compromising your store.

1. Rename your admin folder
2. Lock down admin access
3. Use secure passwords
4. CHMOD your files to the correct settings - Check Permissions
5. Turn off tell a friend
6. Enable the reCaptcha Form
7. Monitor unauthorised file changes - Sitemonitor
8. Make sure you have installed all of the security patches (these are not optional)
9. Check your local machine for Malware, Keyloggers, Trojans, etc.

• What to do if you are hacked?

osCmax v2.5 and above has the functionality to allow you to change your admin folder name when installing the software. It is strongly advised that you do change the name. If you have not changed it and wish to now please follow the instructions below:

• Open admin/includes/configure.php
• Edit these lines:

• The more obscure the name the better - try to use numbers and letters.

• Give users secure user names
• Ensure that users use secure passwords - letters, numbers, upper and lower case, symbols etc
• Using .htaccess (or your server supplied password facility), restrict directory access to your 'admin' directory, with a username and password.
• Set the admin .htaccess to only allow your IP address - only applicable if you have a fixed IP address - many people don't.

• Ensure that users use secure passwords - letters, numbers, upper and lower case, symbols etc
• Make sure you use these password throughout ie. on your admin, FTP, Windows Login, etc.
• Wikipeadia on passwords

The most common cause of hacks is code inserted into unprotected files and folders.

• Folders should be CHMOD to a maximum of 755.
• Files should be CHMOD to a maximum of 644.
• Both configure files should be a maximum of 444.

However, if you are using suPHP on your server (ask your host if you are not sure or run this suPHP check) then …

• Files should be CHMOD to a maximum of 600.
• Both configure files should be a maximum of 400

• Install Check Permissions which goes through your entire site to check that all your files are set to the correct CHMOD.
• It will also check you have removed the install directory, renamed your admin and checks you have a backup directory.

• Once you have checked your site - you can then update all of the incorrectly CHMOD files.

This infobox allows unscrupulous users to use your server to send emails out to people.

• Disable this infobox by going to Admin –> Infoboxes –> Press the red icon next to the box.

• Enable the Captcha form by opening your admin panel
• Go to Configuration → General Settings → reCaptcha Form
• Go to reCaptcha website and open an account to get a key
• Set the Enable to true
• Enter your Public Key
• Enter your Private Key

In order to do this you will need to install SiteMonitor.

Make sure that you installed all of the security updates for osCMax. You can get updates about osCMax from Michael_S's blog

There are a number of decent freeware or open source anti-virus and anti-malware packages available for download.

(Some possibilities)

Okay the worst has happened … Here is what you need to do: (Source: Michael_S, osCmax forums)

Change behaviour:

• consider the sites that you visit, with the machine that you access your shop/bank etc. with. Is your machine a toy or a business tool? It may not be wise to mix the two roles.
• tighten up your browser security - eg. Firefox with Adblock+ and NoScript.
• try a more secure Operating System, Linux being a fine example, with some variants (distributions) specifically offering secure browsing facilities.

• This is a common hack to osCommerce stores. If you see anything that looks like <?phpeval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC … at the top of any of your files on the server then you need to wipe and reload.

• If you would like to try and work out what the code does then use this site to decode the base64.

• Read the instructions here for a good guide on what to do next

• Another hack which inserts an iframe and tries to send customers credit card details to a third party tracker … once card details are sent then it pushes client through to official payment gateway so store owner will be unaware.
• You will find additional code inserted in templates/fallback/checkout_payment.tpl.php file which is generating the iframe inside a base64 string. Remove this code immediately.