This post list contributions and small code snippets for osCommerce security enhancement. After doing some research on various forums, practical problem solving and referring few documents we have compiled this



  • If site is not under development mode and very few edits are expected Secure your osCommerce
    then we recommend all .php and.js files to be set to 444 (hosting
    company should allow execution with this permission).
  • All folders to have 555 excluding images folder.
  • If you have any logs created then that folder to be treated as image folder.



  • In admin under session you should set the following if settings allow:
  • Force cookies TRUE
  • Check for IP address
  • Check for user agent
  • Regenerate session TRUE
  • Kill spider session TRUE


5.Ways to get to security hole :

  • We will add code snippets in coming days.

6.Suggested changes to osCommerce:

  • Rename admin folder
  • htaccess protected admin
  • Change $current_page=//something like script path rather than php self
  • Apply patches that have been placed in osCommerce 2.3.1
  • Remove unwanted language folders and sample osCommerce data
  • Apply register global patches and set register global to OFF
  • Captcha for create account reviews contact us

7.Code snippets:

  • We will add code snippets in coming days