Upon successful installation of osCommerce Online Merchant, the following steps need to be performed to secure the installation of your online store.
The catalog/install directory must be removed from the web server; otherwise anyone could re-run the installation procedure and reconfigure the online store to use another database server.
The file permissions for catalog/includes/configure.php and catalog/admin/includes/configure.php must deny write access by the web server. This is commonly done by setting the permission to a read-only value of 644 or 444, depending on your server.
Some directories need to allow write access by the web server for osCommerce Online Merchant to function properly. A list of directories and the current write permission state can be viewed on the Administration Tool -> Tools -> Security Directory Permissions page.
The Administration Tool is secured by its own login routine but is still publicly accessible. It is recommended to further protect the Administration Tool by setting a .htaccess password on the catalog/admin directory.
Instructions for adding a .htaccess password layer are provided on the Administration Tool -> Configuration -> Administrators page.
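The four steps above can be checked from the command line. The script below is an added example and is not part of osCommerce; it assumes the catalog layout named on this page (catalog/install, catalog/includes/configure.php, catalog/admin/includes/configure.php), that the web server is Apache with AllowOverride AuthConfig enabled for the admin directory, and it uses a placeholder path for the password file. The optional web-server account argument, the function names and the demo tree are all constructed for illustration; htpasswd is Apache's real tool for creating the password file.

```shell
#!/bin/sh
# Post-install hardening checks for an osCommerce catalog tree (added example,
# not osCommerce code). Assumed layout, using the paths the page names:
#   $CATALOG/install                       -- must be gone
#   $CATALOG/includes/configure.php        -- must not be writable by the web server
#   $CATALOG/admin/includes/configure.php  -- same
#   $CATALOG/admin/.htaccess               -- basic-auth layer in front of the admin tool

# 0 if catalog/install has been removed, 1 if it is still there.
check_install_removed() {
  [ ! -e "$1/install" ]
}

# 0 if the file exists and neither group nor others hold the write bit
# (644 / 444), 1 otherwise. If a second argument names the web-server
# account (assumed, e.g. www-data) and that account owns the file, the
# owner write bit must be off too (444): 644 would still let it rewrite
# the configuration.
check_config_readonly() {
  f="$1"; webuser="${2:-}"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%Lp' "$f" 2>/dev/null) || return 1
  owner=$(stat -c '%U' "$f" 2>/dev/null) || owner=$(stat -f '%Su' "$f" 2>/dev/null) || return 1
  # digits 2,3,6,7 carry the write bit; inspect the group and other positions
  case "$mode" in
    *[2367][0-7]|*[0-7][2367]) return 1 ;;
  esac
  if [ -n "$webuser" ] && [ "$owner" = "$webuser" ]; then
    case "$mode" in
      *[2367][0-7][0-7]) return 1 ;;   # owner (= web server) still has write
    esac
  fi
  return 0
}

# Writes an Apache basic-auth .htaccess into the admin directory. The password
# file is created separately with: htpasswd -c <passwd_file> <adminuser>
# and should live outside the web root. Apache must have AllowOverride
# AuthConfig for this directory, otherwise the file is silently ignored.
write_admin_htaccess() {
  admin_dir="$1"; passwd_file="$2"
  [ -d "$admin_dir" ] || return 1
  cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Administration Tool"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# 0 if admin/.htaccess exists and demands authentication, 1 otherwise.
check_admin_htaccess() {
  grep -q '^Require valid-user' "$1/admin/.htaccess" 2>/dev/null
}

# Runs every check against a catalog directory, printing one line per result.
# Exit status is the number of failed checks (0 means the install passes).
run_checks() {
  catalog="$1"; webuser="${2:-}"; fails=0
  if check_install_removed "$catalog"; then echo "ok   install/ removed"
  else echo "FAIL install/ still present"; fails=$((fails+1)); fi
  for cfg in includes/configure.php admin/includes/configure.php; do
    if check_config_readonly "$catalog/$cfg" "$webuser"; then echo "ok   $cfg read-only"
    else echo "FAIL $cfg writable or missing"; fails=$((fails+1)); fi
  done
  if check_admin_htaccess "$catalog"; then echo "ok   admin/ protected by .htaccess"
  else echo "FAIL admin/ has no .htaccess password layer"; fails=$((fails+1)); fi
  return $fails
}

# Constructed demo tree (not a real store): a fresh install with install/
# still present and world-writable configure.php files.
demo=$(mktemp -d)
mkdir -p "$demo/install" "$demo/includes" "$demo/admin/includes"
touch "$demo/includes/configure.php" "$demo/admin/includes/configure.php"
chmod 666 "$demo/includes/configure.php" "$demo/admin/includes/configure.php"
echo "== before hardening =="
run_checks "$demo" || true
# apply the steps from the page
rm -rf "$demo/install"
chmod 644 "$demo/includes/configure.php" "$demo/admin/includes/configure.php"
write_admin_htaccess "$demo/admin" "/etc/apache2/oscommerce.htpasswd"   # placeholder path
echo "== after hardening =="
run_checks "$demo"
rm -rf "$demo"
```

Run it as `sh harden-check.sh` (any file name) to see the demo; in practice call `run_checks /var/www/catalog www-data` against the real store, substituting the account your web server runs as, so the owner check applies when the web server owns the configuration files.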