Setting up security
Here you will find some hints and tips on how to stop hackers from compromising your store.
Preventive Measures
Rename your admin folder
Lock down admin access
Use secure passwords
Turn off tell a friend
Enable the reCaptcha Form
Make sure you have installed all of the security patches (these are not optional)
Check your local machine for Malware, Keyloggers, Trojans, etc.
The Cure
1. Rename your admin folder
osCmax v2.5 and above lets you choose the admin folder name when installing the software, and you are strongly advised to change it. If you kept the default and want to change it now, rename the admin directory on the server and then update the two admin path constants in the admin configure.php file (one of the two configure files mentioned under step 4) so that they point at the new name. The values below show the default; replace admin with your new directory name:
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/mystore.com/www/public/catalog/admin/');
The filesystem path to your installation will vary depending on your hosting environment.
If you have an SSL certificate, access your new admin directory over HTTPS only.
2. Lock down admin access
Give users non-obvious user names (not admin, administrator or the store name).
Ensure that users choose secure passwords: a mix of letters, numbers, upper and lower case, and symbols.
3. Use secure passwords
4. CHMOD your files to the correct settings
The most common cause of hacks is code inserted into files and folders that are writable by the web server or by other users on the host.
Folders should be CHMOD to a maximum of 755 (rwxr-xr-x).
Files should be CHMOD to a maximum of 644 (rw-r--r--).
Both configure files should be a maximum of 444 (read-only, since nothing needs to write to them after installation).
However, if you are using suPHP on your server (ask your host if you are not sure or run this suPHP check) then …
Some servers do not allow you to change the permissions via FTP. You can however change them using the File Manager in cPanel.
Install Check Permissions
If you are a slightly more advanced user you can use a tip from Michael_S for setting this directly on the server. These commands can be run from the Linux command line or from an executable file via cronjob, from the root of your store installation.
Here is the command to set all directories:
find . -type d -exec chmod 755 {} \;
Here is the command to set all PHP files (the -print0/-0 pair keeps file names containing spaces intact):
find . -type f -name "*.php" -print0 | xargs -0 chmod 644
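The permission scheme above (755 directories, 644 files, 444 configure files, nothing world-writable) as a small script that applies it and then verifies the result, so it can run from cron and alert on drift. This is an added example, not osCmax or Michael_S's code; it assumes a Linux host with POSIX find and chmod, and that the store root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not osCmax project code): apply the permission scheme the
# page recommends to a store tree and report anything that still deviates.
# Assumptions: POSIX find/chmod on a Linux host; the store root is $1.

set -u

# Set every directory to 755, every file to 644, and each configure.php
# (catalog includes/ and admin/includes/) to 444. Order matters: the
# configure files are tightened last so the 644 pass does not undo it.
harden_store_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name configure.php -exec chmod 444 {} +
}

# Print every path still writable by group or others (666, 777, ...).
# Empty output means the tree is clean.
list_world_writable() {
    root="$1"
    find "$root" \( -perm -002 -o -perm -020 \) -print
}

# Return 0 only if every directory is exactly 755 and every file is
# exactly 644 or 444; suitable as a cron check that mails on failure.
check_store_perms() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    bad_files=$(find "$root" -type f ! -perm 644 ! -perm 444 | wc -l)
    [ "$bad_dirs" -eq 0 ] && [ "$bad_files" -eq 0 ]
}
```

On a suPHP host (see the caveat above) the web server runs PHP as your own user, so 755/644 still works there; only on non-suPHP hosts that need the web server to write into a directory (image uploads, caches) should that single directory be loosened, and then to 775 with the right group rather than 777.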
5. Turn off tell a friend
This infobox lets anyone visiting the store send email through your server to arbitrary addresses, so it is readily abused as a spam relay and can get your server's mail blacklisted.
6. Enable the reCaptcha form on your contact us page
7. Monitor unauthorised file changes
In order to do this you will need to install SiteMonitor.
8. Make sure you have installed all of the security patches
Make sure that you have installed all of the security updates for osCmax. Update announcements for osCmax are published on Michael_S's blog.
9. Check your local machine for Malware, Keyloggers, Trojans, etc.
The Cure
What to do if you are hacked?
Okay the worst has happened … Here is what you need to do: (Source: Michael_S, osCmax forums)
1. Do a complete scan on all your work computers (machines that you access your site from). Make sure you have no malware, trojans, viruses, etc. Once you have certified your machines are clean go to step 2.
2. Change all your passwords. This includes ALL passwords related to your site: FTP (all ftp accounts), Control Panel, osCmax admin panel (all admin accounts), mysql database password, email account passwords.
3. If you have a clean backup, completely wipe your files (all directories and files). Then restore your clean backup. This guarantees that no backdoor files are left hidden somewhere in your file tree.
4. Double check all of the admin settings including email addresses, payment details, store name, copy emails to etc.
5. Lock down permissions. This means absolutely no directories or files with 777 permissions at a bare minimum. You should remove write permissions from all directories and files that do not need it.
6. Change behavior - stop using clear text email and ftp. Only use encrypted email (pop3/smtp logins and data transmission) and encrypted ftp (FTPS, FTPES or SFTP).
7. Consider the sites that you visit with the machine that you access your shop/bank etc. with. Is your machine a toy or a business tool? It may not be wise to mix the two roles.
8. Tighten up your browser security - eg. Firefox with Adblock+ and NoScript.
9. Try a more secure Operating System, Linux being a fine example, with some variants (distributions) specifically offering secure browsing facilities.
The Eval base64 hack
Check this if you want to pay with different payment method
Another hack inserts an iframe that captures the customer's credit card details and sends them to a third-party collector; once the details have been captured it forwards the customer on to the official payment gateway, so the store owner sees nothing unusual.
You will find the additional code inserted in the templates/fallback/checkout_payment.tpl.php file, where it generates the iframe from a base64-encoded string. Remove this code immediately, and then treat the store as compromised and work through the steps under The Cure above, because the attacker had write access to your files.