This week has been one of those weeks that has been absolutely non-stop for osCommerce work. One of the more interesting jobs was to lock down an osCommerce site that had been the subject of a hack.
As usual, I cleaned the site of the hack, then made a few core code adjustments and installed a few security extras. This included renaming the admin area, setting up a new user for the usual osCommerce login, and protecting it via .htaccess.
All locked down. And yet…a few hours later I received an email from my client saying the site had been hacked again. Well, I know that’s just not possible anymore, so logged in and found…yes, the files had been hacked.
As I know that the changes I made are secure, the hacker had to be getting in from somewhere else. Checking the log files showed me some interesting info:
The hacker was accessing the webmail of my client – so when I sent my client any info, the hacker was able to read it easily. I instructed my client to remove webmail from his hosting control panel, then set up a Hotmail account. I then cleaned the site again, and sent the new admin URL and passwords to the Hotmail account.
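The log review above is the step that actually found the real entry point. As an added example (not code from the original post), here is a small Python script that parses Apache "combined" format access logs, flags webmail requests from addresses outside a trusted allowlist, and correlates those addresses with later hits on the renamed admin directory. The log lines, the `/webmail/` path, the trusted network and the `secret_admin_7f3a` directory name are all constructed placeholders, not values from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Regex for the Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not from the original post). Two clients
# use webmail: one from the shop owner's own network, one from elsewhere
# that later also visits the renamed admin directory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:09:12:01 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2010:09:15:44 +0000] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2010:09:16:02 +0000] "GET /webmail/inbox.php HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2010:09:20:10 +0000] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "curl/7.19"
192.0.2.77 - - [10/Mar/2010:09:20:15 +0000] "GET /webmail/inbox.php HTTP/1.1" 200 8821 "-" "curl/7.19"
192.0.2.77 - - [10/Mar/2010:09:25:30 +0000] "GET /shop/secret_admin_7f3a/login.php HTTP/1.1" 200 4100 "-" "curl/7.19"
"""

# Placeholder for the owner's office network; assumption, not from the post.
TRUSTED_NETWORKS = ["198.51.100.0/24"]


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_trusted(ip, trusted_networks):
    """True if the address falls inside any of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in trusted_networks)


def webmail_from_untrusted(log_text, trusted_networks, webmail_prefix="/webmail/"):
    """Webmail requests whose source address is outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(webmail_prefix) and not in_trusted(rec["ip"], trusted_networks):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["ua"]))
    return hits


def ips_touching_both(log_text, webmail_prefix="/webmail/",
                      admin_prefix="/shop/secret_admin_7f3a/"):
    """Addresses that read webmail and then also reached the renamed admin area."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = seen.setdefault(rec["ip"], set())
        if rec["path"].startswith(webmail_prefix):
            tags.add("webmail")
        if rec["path"].startswith(admin_prefix):
            tags.add("admin")
    return sorted(ip for ip, tags in seen.items() if {"webmail", "admin"} <= tags)


if __name__ == "__main__":
    for ip, ts, path, ua in webmail_from_untrusted(SAMPLE_LOG, TRUSTED_NETWORKS):
        print(f"webmail from untrusted {ip} at {ts}: {path} ({ua})")
    print("webmail readers who also hit admin:", ips_touching_both(SAMPLE_LOG))
```

Running it against a real access log (`python review.py < access.log`-style reading is left out for brevity; just pass the file contents to the two functions) gives a short list of addresses worth looking at, which is exactly the clue that pointed away from the shop code and towards the mailbox in the story above.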
Since then, no more hacks.
So, when you think that it is your osCommerce site that is the problem, it might well not be. Make sure to lock down EVERYTHING, including your hosting control panel, your own computer, etc. Change passwords regularly. If you give your password out to anyone (e.g., a developer), make sure to change it again after they have finished the work.
Remember – it takes only one dissatisfied client of your shop to ruin your reputation. Don't let that happen because of a lapse in your security!