osCommerce Security Tutorial

osCommerce websites are essentially e-commerce websites and that underscores the need to effectively secure the site just as it is to secure every other website . This article takes you through the basic process to secure the your osCommerce website.

We cover three(3) critical areas in osCommerce security:

1. How to secure the configure.php file.
2. Securing with htaccess/htpasswd.
3. Add Captcha to your contact form

Also read:  osCommerce Installation and Initial Setup

Let us begin with securing the configure.php file.

After installing osCommerce you will see a message similar to "I am able to write to the configuration file: /home/usertod1/public_html/includes/configure.php. This is a potential security risk in osCommerce and so the first thing to do is to set the user permission on this file.

In this tutorial you will learn how to modify the permissions of the configure.php file, so it is secured and the notification will go away.

Securing the configure.php File:

    Login to your cPanel.
    Under the File section, click the File Manager. If the File Manager Directory Selection window comes up, click Web Root, and click the Go Button.
    Navigate to the configure.php file specified in the error. In my tests it is: /home/usertod1/public_html/includes/configure.php
    Right-click the configure.php file, and click Change Permissions.
    In the change permissions window, change them to 4-4-4, then click the Change Permissions button.
    Now login to the osCommerce Admin section, and you will notice that the "Security risk" message is gone, and has been replaced by "This is a properly configured installation of osCommerce Online Merchant!"

That's it.

Also read: osCommerce Configuration Tutorial

Securing with htaccess/htpasswd

When you first login to your osCommerce administrator section in admin area, you will see the message: "This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd. It means, enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records." To fix this securty problem, you will need to follow the steps below:

Login to the Admin Panel for osCommerce.
    Click the Administrators link.
    You will see the users listed toward the bottom. Click the Edit button to the right of your administrator.
    Enter a password in the New Password field, check the box for Protect With htaccess/htpasswd, then click the Save button.
    A box will pop up asking for a username and password, enter the ones you just set, and click the OK button.
    Instead of the red warning message, you will now see a green message stating "This osCommerce Online Merchant Administration Tool installation is additionally secured through htaccess/htpasswd means."

How to Add Captcha to your contact form using simple Captcha Addon

osCommerce comes with a contact form by default. This form has no validation to prevent robots from filling the form. You can solve this problem with the Simple Captcha Addon. Here are the procedure:

1.Download the captcha module

Download captcha plugin osCommerce. Before you can set up the captcha on your contact form, you will need to download the files from the osCommerce Add-On site.

Once you get the osC-2.3.1-simple-captcha-1.2.zip file on your computer, follow the steps below.


    Upload the files in the catalog folder to your osCommerce installation directory.
    Upload the example-osimg.jpg image file to your images directory in your osCommerce installation folder.
    Rename the image to captcha.jpg.
    Create a folder in your osCommerce installation folder and call it "fonts".
    Upload your font to the font directory for the captcha to work. In this tutorial we are using the Aerovias Brasil font.
    Edit the following file.

    /includes/functions/validations.php


    Add the captcha code to the file osCommercePaste the following code into the validations.php file before the ?> at the bottom of the page.

    define('CAPTCHA_FONT', DIR_FS_CATALOG . 'fonts/truetypefont.ttf');
    define('CAPTCHA_LOAD', 'images/captcha.jpg');
    define('CAPTCHA_IMAGE', DIR_FS_CATALOG . CAPTCHA_LOAD);

    Note! You will need a font uploaded. Make sure you change the truetypefont.ttf file name to your font file name. In this case the path will be AeroviasBrasil.ttf.

    Save the changes.

    Now revisit your website where the contact form is and you will see the captcha on the page.

Optimizing The Performance of Your osCommerce Store


If you run an osCommerce store with a large amount of products and customers or after adding a few contributions, you could begin to get complaints about the store performance. This is due to the fact that the clean version of oscommerce is not optimized. And of course, your customers can’t wait for a page that takes 10 seconds or more to load. So, part of your efforts to secure your store has to be to optimize the store performance. Based on experience and also contributions from the oscommerce community users. Here goes some tips we compiled for osCommerce performance:

1. Optimize your images
Many start uploading heavy images which increases page load. A solution for this would be installing automatic thumbnail generator with cache features. This contribution will cache the image instead of doing it “on the fly”, thus, server load reduces considerably. You can also lighten the images you upload by using an image editor like Phptoshop and saving your images for devices instead of just saving as a jpg or png image.

2. Think twice before adding contributions
One of the advantages for the Oscommerce community is the broad range of pre-made contributions that users can install to the stores. But then store owners make the mistake of adding too many contributions because they want to add more and more functionality. Our advice is to install only the ones you need because. each contribution you install will add overhead to process the logic whether it be pure PHP code or MySQL queries (or both).

On the other hand, if you don’t use certain default features, like : banners, “requests since” footer display, who’s online, etc. then removing these features will improve performance.

3. Do you really need to install STS ?
STS (Simple Template System) is one of the most popular template systems available for osCommerce. However, this contribution increases the number of queries, especially when you have a significant number of categories on your store up to 200-300%.

4. Index your Sessions
If you store the sessions in the database consider adding a (primary) multi-column index on sesskey and expiry columns.

5. Enable Caching
If you have a large number of categories, products, and orders, then it is important to cache data. Some experts advice to create directory ABOVE the publicly accessible document root and giving it proper permissions for the server read/write. Creating it ABOVE the document root ensures that would-be hackers cannot access it with their web browser. Once you have the cache folder created and settings configured then turn on the cache features.

6. Compress page output
Oscommerce has the feature of page compression via GZIP. The optimal setting is compression level 1 for speed as higher levels will not result in significant reduction of page size.

7. Optimize your code and database queries
There is obviously some differences in every store, due to the fact that each of them installs different contributions although they are based in Oscommerce.

So first of all, you have to debug your queries to see which queries are being executed on a per page basis and easily identify those that are redundant or taking excessive time to execute. So that’s a good place to start with.

However, there are some existing code, that can be common functions in all stores.

a. MS3 tax class for MS2. This replaces the stock MS2 tax code with the new tax class for MS3 which is much more efficient and uses less queries per page. The tax query is executed on each price display even if the setting to display tax is disabled. So installing it will increase the page performance.

b. The also_purchased module (product info pages) is a powerful upsale tool however it is the absolutely most server intensive query for the osCommerce application. Some recommend using X-Sell contribution instead.

Finally, some contributions that will help you optimize the store:

    Faster Page Loads, Less DB Queries.

This contribution caches the data and eliminates the database query…thereby saving the table scan for when the cache is not present. This contribution is HIGHLY recommended.

    More Meaningful Data from Query Logging

This contribution replaces the stock logging code to only capture queries that take longer than “X” seconds to execute. Instead of storing every query it only stores the ones that are excessively resource intensive. Also, it stores more useful information such as query, time to execute, calling script, IP of browser, cookies enabled or not, and other nice data.

    osC Explain – for developers

This contribution adds a real nice EXPLAIN feature to every query executed. It allows you to capture each query executed and associated MySQL EXPLAIN data. If you are serious about query optimization this tool is a must.

    Queries and Parse Time Footer Output

This contribution outputs the queries executed and page parse time on a per page basis without storing it to file system. This is handy to optimize page performance on a per page basis. I use it to identify redundant queries or as a quick tool to diagnose performance issues. You can tell at a glance if the lack of performance is due to MySQL, PHP, or other page factors.

    osC-Advanced Cache Class

This contribution has the ability to cache anything you can throw at it: parsed HTML, arrays, or even executable PHP code. If you find tough areas to optimize this class will solve your problems.

Did you find this article useful, then let us know by voting below.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

osCommerce Web Hosting

Todhost web hosting comes with free osCommerce that can be installed with few clicks. You can...

osCommerce Installation and Initial Setup

This tutorial will tae us through the process of installing OsCommerce. Let's get started right...

osCommerce Configuration Tutorial

After a successful installation of your osCommerce ecommerce website, you now need to set it up...

Content Management System in osCommerce

In this tutorial, we look at how to manage the content of your osCommerce store. After a...

Powered by WHMCompleteSolution