1. Security Pro from FWR Media
2. OSC SEC from Taipo
3. Filesafe from FWR Media
4. Add htaccess to all public folders
5. Rename /admin/ and htpasswd it
6. Remove references to (newly renamed) admin area in outgoing emails
7. Add extra login parameter (JanZ)
8. Fix $PHP_SELF spoofability
Bad Conduct from Debs (undecided on this, I am still "road-testing" it).
I am not in favour of IP trapping, as most hackers don't use their own IP addresses.
If anyone has any extra thoughts on this, please post.
For securing a hacked site - exactly the same, but make sure that the hack is cleaned out first. This can be done by manually inspecting the files and removing any files/code that is not supposed to be there. Or by re-installing from a known unhacked backup. Or of course, starting from scratch with a brand new install of oscommerce.
Edited by burt, 16 May 2011 - 11:59 AM.