Because of the various vulnerabilities in the PHP programs inside the osCommerce (version 2.x) admin folder, it is HIGHLY recommended to set up a password-protected directory for your osCommerce admin folder (or that of a similar application, e.g. ZenCart), so that without the admin password, direct HTTP requests to the PHP files inside the admin folder are denied.
URLs:
http://www.yourdomain.com/shop/admin , or
http://www.yourdomain.com/shop/iadmin
To set up a Password Protected Directory, you need to
1. Log in to the DirectAdmin Control Panel at https://www.yourdomain.com:2222
2. Go to File Manager
3. Navigate to /domains/xxx.com/public_html/shop/admin (assuming your osCommerce is installed in the /shop folder and has an /admin/ folder)
4. Copy .htaccess as .htaccess2 (this makes a backup of .htaccess; on the row for the file .htaccess, there is a link called Copy at the end of that row)
5. Use File Manager and go to /domains/xxx.com/public_html/shop
6. Next to the admin (or iadmin) folder, there is a Protect link; click on it
7. Answer those 4 questions, and enable Protection
8. You will then get a login prompt before you reach the osCommerce admin page
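The following is an added example (not from the original page or from DirectAdmin): it writes the kind of Basic-auth .htaccess that the Protect step produces, and provides a check that a given admin folder is actually protected and that its password file is not stored under the web root. The paths and the function names are assumptions; the password file itself is created by DirectAdmin or with Apache's htpasswd tool.

```shell
#!/bin/sh
# Added example for the osCommerce admin folder. Paths are assumptions:
#   $HOME/domains/xxx.com/public_html/shop/admin  (protected folder)
#   $HOME/domains/xxx.com/.htpasswd               (outside public_html)

# Write a Basic-auth .htaccess into folder $1 that reads users from
# password file $2. If the original .htaccess (backed up as .htaccess2
# in step 4) carried other directives, append them below these lines.
write_admin_htaccess() {
  dir="$1"; passfile="$2"
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce admin"
AuthUserFile $passfile
Require valid-user
EOF
}

# Return 0 if $1/.htaccess requires a login and its password file lies
# outside the web root $2; return 1 otherwise (unprotected, or the
# password file would itself be downloadable over HTTP).
check_admin_protected() {
  dir="$1"; webroot="$2"; f="$dir/.htaccess"
  [ -f "$f" ] || return 1
  grep -q '^AuthType Basic' "$f" || return 1
  grep -q '^Require valid-user' "$f" || return 1
  passfile=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$f")
  [ -n "$passfile" ] || return 1
  case "$passfile" in
    "$webroot"/*) return 1 ;;   # password file inside public_html: reject
  esac
  return 0
}
```

Run check_admin_protected against both the admin and iadmin folders after enabling Protection; a non-zero exit means the folder is still reachable without a login.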
Further Details:
http://forums.oscommerce.com/topic/340995-security-issue-with-admin-directory/