Because of the various vulnerabilities in the PHP programs inside the osCommerce (version 2.x) admin folder, it is HIGHLY recommended to set up a password-protected directory for your osCommerce admin folder (or that of a similar application, e.g. ZenCart), so that direct HTTP requests to the PHP files inside the admin folder are denied without the admin password.
http://www.yourdomain.com/shop/admin , or
To set a Password Protected Directory, you need to:
1. Log in to the DirectAdmin Control Panel at https://www.yourdomain.com:2222
2. Go to File Manager
3. Navigate to /domains/xxx.com/public_html/shop/admin (assuming your osCommerce is installed in the /shop folder and has an /admin/ folder)
5. Use File Manager and go to /domains/xxx.com/public_html/shop
8. You will then get a login prompt before you reach the osCommerce admin page
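
To confirm that the protection covers direct requests to individual PHP files and not only the folder index, the following added example (not part of the original page) requests each path without credentials and reports any that do not answer with HTTP 401 and an authentication challenge. The PHP file names in `SAMPLE_PATHS` and the function names are assumptions for illustration; replace the paths with files that exist in your own admin folder.

```python
import urllib.error
import urllib.request

# Constructed sample paths: the page only names the /shop/admin folder;
# the individual PHP file names are assumptions for illustration.
SAMPLE_PATHS = ["/shop/admin/", "/shop/admin/index.php", "/shop/admin/login.php"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=10):
    """Request one path with no credentials; return (status, auth_scheme)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    challenge = headers.get("WWW-Authenticate", "")
    scheme = challenge.split(" ", 1)[0] if challenge else None
    return status, scheme


def unprotected(base_url, paths=SAMPLE_PATHS):
    """Return (path, status) for every path that is NOT behind a 401 challenge."""
    failures = []
    for path in paths:
        status, scheme = probe(base_url, path)
        # A protected directory answers 401 and names an auth scheme.
        if status != 401 or scheme is None:
            failures.append((path, status))
    return failures


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://www.yourdomain.com"
    bad = unprotected(base)
    for path, status in bad:
        print(f"NOT PROTECTED: {path} returned HTTP {status}")
    sys.exit(1 if bad else 0)
```

Run it against your own shop after completing the steps; an exit code of 0 means every listed path demanded a password.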