Hi J.T., thanks for the response. All very good points, and things I take into consideration. As a WordPress guy, I know this topic of people getting hacked all too well.
Currently, for backups, I use a program called SyncBackSE to back up all my hosting files with one click (and it automates backups once a week), and I log into phpMyAdmin and export my database to keep a current backup, typically once or twice a week.
I also posted a new forum thread which shows some .htaccess rules I use to help protect against things like SQL injection.
I have 2 IP addresses blocked in my .htaccess file as well, which came from two known hackers who try to hack WordPress sites, though they could have been using a proxy.
What would really help with security is if someone could come up with a mod which customizes our database install some, and then all we’d need to do is update what we did in a config file. For example, in WordPress, many hackers will try to gain access to the database because they know the default install of a WordPress database has a database prefix of wp_.
So if they guess correctly that my prefix is wp_, then they can try some SQL injection tactics because they know wp_users is the database table which contains my username and password. However, in WordPress there is a way to change wp_ to something else, like say 3lbLV_. In this way, the hacker won’t be able to guess how to use standard scripts to access my database.
Going back to what you said about assuming you’re going to be hacked, I assume if someone knows I’m using Magento (looking at my source code), then they know my database probably looks exactly like yours and his and hers. Once they crack one, they can crack all.
A nice mod to change our installs to be a little less cookie cutter would be great.
Any other suggestions out there on how to lock down Magento?
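The prefix change described in the post above involves more than editing `$table_prefix` in wp-config.php: the tables themselves must be renamed, and WordPress also stores the prefix inside a few row values (the `wp_user_roles` option and the `wp_capabilities` / `wp_user_level` user meta keys), which must be rewritten or every account loses its role. The script below is an added example written for this thread, not code from the poster or from WordPress. It runs against a constructed, minimal WordPress-shaped SQLite database so it works offline; a real site would run the equivalent `RENAME TABLE` / `UPDATE` statements against MySQL. The three prefixed keys it rewrites are the core ones; plugin-specific keys are assumed not to exist here.

```python
"""Rename WordPress tables from one prefix to another and fix prefixed rows.

Added example for the thread above, not the poster's code and not WordPress
code. Uses an in-memory SQLite database with a constructed minimal schema.
"""
import re
import sqlite3

# Values that embed the table prefix and must be rewritten after renaming.
# Assumption: only the core keys exist; plugins may add more on a real site.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_META_KEYS = ("capabilities", "user_level")

# Table names cannot be bound as query parameters, so whitelist the characters
# instead. WordPress prefixes may start with a digit (e.g. 3lbLV_), so this is
# deliberately looser than a Python identifier check.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


def build_sample_db(prefix="wp_"):
    """Create a constructed, tiny WordPress-shaped database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE "{prefix}users"    (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE "{prefix}usermeta" (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE "{prefix}options"  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE "{prefix}posts"    (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO "{prefix}users"    VALUES (1, 'admin', '$P$Bconstructedhash');
        INSERT INTO "{prefix}usermeta" VALUES (1, 1, '{prefix}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
        INSERT INTO "{prefix}usermeta" VALUES (2, 1, '{prefix}user_level', '10');
        INSERT INTO "{prefix}usermeta" VALUES (3, 1, 'nickname', 'admin');
        INSERT INTO "{prefix}options"  VALUES (1, '{prefix}user_roles', 'a:0:{{}}');
        INSERT INTO "{prefix}options"  VALUES (2, 'siteurl', 'http://example.test');
    """)
    return conn


def list_tables(conn, prefix):
    """Return table names starting with prefix. Filtered in Python because
    '_' is a wildcard in SQL LIKE and would also match e.g. 'wpXusers'."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(name for (name,) in rows if name.startswith(prefix))


def rename_prefix(conn, old, new):
    """Rename every old-prefixed table to new prefix and rewrite the option
    names / meta keys that embed the prefix. Returns {old_name: new_name}."""
    if not new or new == old or not SAFE_NAME.fullmatch(new):
        raise ValueError(f"invalid new prefix: {new!r}")
    renamed = {}
    for table in list_tables(conn, old):
        target = new + table[len(old):]
        if not SAFE_NAME.fullmatch(target):
            raise ValueError(f"unsafe table name: {target!r}")
        conn.execute(f'ALTER TABLE "{table}" RENAME TO "{target}"')
        renamed[table] = target

    # Rows that contain the prefix: roles live in options, per-user
    # capabilities and level in usermeta. Values are bound as parameters.
    for suffix in PREFIXED_OPTION_NAMES:
        conn.execute(f'UPDATE "{new}options" SET option_name = ? WHERE option_name = ?',
                     (new + suffix, old + suffix))
    for suffix in PREFIXED_META_KEYS:
        conn.execute(f'UPDATE "{new}usermeta" SET meta_key = ? WHERE meta_key = ?',
                     (new + suffix, old + suffix))
    conn.commit()
    return renamed


def leftover_references(conn, old, new):
    """Count rows still carrying the old prefix in option names or meta keys.
    Should be 0 after rename_prefix; anything else is a plugin key to fix."""
    opts = conn.execute(f'SELECT COUNT(*) FROM "{new}options" WHERE option_name LIKE ?',
                        (old + "%",)).fetchone()[0]
    meta = conn.execute(f'SELECT COUNT(*) FROM "{new}usermeta" WHERE meta_key LIKE ?',
                        (old + "%",)).fetchone()[0]
    return opts + meta


if __name__ == "__main__":
    db = build_sample_db("wp_")
    print(rename_prefix(db, "wp_", "3lbLV_"))
    print("leftover old-prefix rows:", leftover_references(db, "wp_", "3lbLV_"))
```

After the rename, `leftover_references` is the check worth running on a real site: a non-zero count means a plugin stored its own prefixed key that also needs rewriting before the change is complete.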