Steps 1, 2 and 3 are absolutely essential. Step 4 is important if you're using any oscommerce contributions (i.e. community-supplied modifications and enhancements), but it is a good idea anyway because it adds extra protection against SQL injection attacks.
Do this right after you install oscommerce – even before you configure your client's store. Skipping these steps leaves your entire server open to hacking. If you have an existing oscommerce site and haven't taken these steps, do them right now, then go thank your lucky stars you weren't hacked.
1. Delete /admin/file_manager.php (the #1 hack target).
2. Rename your /admin directory to something else.
3. Use cPanel's "Password Protect Directory" to password-protect the newly named admin directory.
4. Secure your database SQL using Security Pro (http://addons.oscommerce.com/info/7708):
   - Upload the Security Pro module to your /includes/modules directory.
   - Edit your /includes/application_top.php slightly (see the readme).
If you want to play cat and mouse with the malicious bots you can install what is called a "honey pot" or IP trap. There are a few oscommerce contributions that automate this process, but I like to have more control, since I sometimes forget that I renamed admin and fall into my own trap :-)
Here's how to install a simple IP trap that notifies you when a bad bot trolls through places it shouldn't go.
Edit your domain's robots.txt so that it disallows the (fake) admin directory for every crawler:

User-agent: *
Disallow: /admin/
A good bot (like search engine bots) will read your robots.txt and avoid the directories you disallow. A bad bot will either ignore your robots.txt or read it and go straight to the disallowed directory and look for an opportunity to hack your server.
You have to do this step or you'll be plagued with search engine bots falling into your trap. If you don't have a robots.txt, just create it in a text editor, add the above two lines and upload it to the top directory of the domain (e.g. public_html or public_html/[Addon Domain Name]).
Create the following text file, name it index.php, and fill in your own details:

<?php
// IP trap: record the visitor's address and e-mail it to you.
$ip = $_SERVER["REMOTE_ADDR"];
mail("[YOUR EMAIL HERE]", "Hack attack on [YOUR DOMAIN HERE]/admin", $ip, "From: noreply@[YOUR DOMAIN].com");
?>
Make a copy of this file and call it file_manager.php (since this is the admin file that the malicious bots look for most).
Upload both index.php and file_manager.php to your fake /admin directory (not your renamed, real admin directory; these files go in the decoy directory that is still named "admin").
What to do if you get email that a bot has fallen into your IP Trap
I like to check the IP first to make sure it doesn't come from my client. I use http://whatismyipaddress.com/ip-lookup because I can also check whether the IP has been blacklisted. (Be aware that some IPs are blacklisted for spam purposes just because they belong to an ISP, and most ISPs don't allow their customers to operate mail servers, so your own IP may show up on a mail blacklist.)
Once I'm sure the IP is a malicious bot, I use cPanel's IP Deny to block it on all my domains (on all my servers).
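The same check can be run over your web server's access log instead of waiting for the trap's e-mail, which is handy when several bots hit several domains in one day. The script below is an added example and not part of the original post or of oscommerce: it reads the Disallow prefixes from a robots.txt, finds every request under those prefixes in Apache-style combined log lines, skips an allow-list of your own or your client's addresses (the hypothetical TRUSTED_IPS), and prints the IPs to put into cPanel's IP Deny. The robots.txt text and the log lines are constructed samples using documentation address ranges.

```python
"""Find IPs that requested robots.txt-disallowed paths (the IP-trap idea, offline).

Added example: the robots.txt, log lines and TRUSTED_IPS below are constructed
samples, not data from the original post.
"""
import re
from collections import Counter

# Constructed robots.txt, the same shape as the one the post tells you to create.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
"""

# Constructed Apache "combined" log lines: a search engine that reads robots.txt
# and stays out of /admin/, a customer browsing the store, and two bots that
# go straight for the decoy /admin/file_manager.php.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2011:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Googlebot/2.1"
203.0.113.10 - - [01/Mar/2011:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.7 - - [01/Mar/2011:10:05:00 +0000] "GET /product_info.php?products_id=3 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2011:10:07:13 +0000] "GET /admin/file_manager.php HTTP/1.1" 200 12 "-" "-"
192.0.2.44 - - [01/Mar/2011:10:07:14 +0000] "GET /admin/ HTTP/1.1" 200 12 "-" "-"
192.0.2.99 - - [01/Mar/2011:10:09:30 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/4.0"
192.0.2.99 - - [01/Mar/2011:10:09:31 +0000] "GET /admin/file_manager.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Mar/2011:10:12:00 +0000] "GET /admin/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Hypothetical allow-list: the shop owner's own address. The post says to rule
# out your client before denying an IP, so those addresses are never reported.
TRUSTED_IPS = {"198.51.100.7"}

# client IP, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def disallowed_prefixes(robots_txt):
    """Return the path prefixes listed on Disallow: lines of a robots.txt."""
    prefixes = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:  # an empty Disallow means "allow everything"
                prefixes.append(path)
    return prefixes


def trap_hits(log_text, prefixes, trusted=frozenset()):
    """Map each untrusted client IP to the disallowed paths it requested."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, path, _status = m.groups()
        if ip in trusted:
            continue
        if any(path.startswith(p) for p in prefixes):
            hits.setdefault(ip, []).append(path)
    return hits


def deny_list(hits, min_hits=1):
    """IPs to feed into cPanel's IP Deny, worst offenders first."""
    counts = Counter({ip: len(paths) for ip, paths in hits.items()})
    return [ip for ip, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    prefixes = disallowed_prefixes(ROBOTS_TXT)
    hits = trap_hits(SAMPLE_LOG, prefixes, TRUSTED_IPS)
    for ip, paths in hits.items():
        print(ip, "->", ", ".join(paths))
    print("deny:", deny_list(hits))
```

Run against a real log, a bot that reads robots.txt and then requests /admin/file_manager.php anyway shows up with both lines, exactly the behaviour the post describes; the search engine that honoured the Disallow never appears. The allow-list is deliberately checked before the path match so that you (or your client) testing the decoy do not end up on your own deny list.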
Just today I saw 3 different bots trolling through a client's domain (which wasn't even an oscommerce site) looking for /admin/file_manager.php. These bots are set to search recursively through every domain they can find, trying again and again to strike it rich (malicious-bot-wise) by hitting an installed /admin/file_manager.php, which will then let them upload a rootkit and run amok on the server.
I can absolutely guarantee you that if you don't delete admin/file_manager.php (the real one – not your IP trap) your oscommerce site will be hacked. And when it is hacked, your entire server will be hacked. So I cannot stress enough how important it is to secure your oscommerce site.