Done... but let's see how it works and test it...
INSTALL NOTES:
Remember to BACKUP your .htaccess before you add the new .htaccess rules to the BOTTOM of your existing .htaccess file.
NOTE: Add one blank line at the end of the .htaccess file or it won't work!
When you hand-edit your .htaccess file, remember to leave one empty line at the end of the file, or banned IP addresses will not append correctly and you will probably receive a 500 Internal Server Error.
IMPORTANT!
DO NOT link to the new folder (bad_conduct) and DO NOT add any of these folders/files to your robots.txt file.
I don't like the idea of blocking IPs with "spider traps" or "honeytraps". That is a discussion in itself... but using such actions can easily turn against a business/website.
Remember, sometimes even Google bots will ignore robots.txt.
OTHER SECURITY TIPS:
On a properly set up server, all directories should be set to 755. All files should be set to 644, except for the configure files and some files added by some contributions (never 777).
The two configure.php files should be set to 644, 444 or 400; which setting is correct for those two files will depend on your hosting.
You should not have any files set to 755 permissions (only folders).
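As an added check (my own script, not part of the contribution), the following Python walks a store's document root and lists every file or directory whose mode departs from the rules just given; the demo tree it builds is constructed, with three deliberate mistakes.

```python
import os
import stat
import tempfile

# Added example, not part of the contribution: audit a store's document root
# against the rules above (dirs 755, files 644, configure.php 644/444/400).
DIR_OK = {0o755}
FILE_OK = {0o644}
CONFIGURE_OK = {0o644, 0o444, 0o400}


def audit_permissions(root):
    """Return sorted (relative path, octal mode) pairs for every entry below
    root whose mode is not allowed; the root directory itself is not checked."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if name in dirnames:
                allowed = DIR_OK
            elif name == "configure.php":
                allowed = CONFIGURE_OK
            else:
                allowed = FILE_OK
            if mode not in allowed:
                problems.append((os.path.relpath(path, root), f"{mode:o}"))
    return sorted(problems)


def build_demo_tree():
    """Constructed mini store layout with three deliberate mistakes; returns its root."""
    root = tempfile.mkdtemp(prefix="store_")
    dirs = {"includes": 0o755, "admin": 0o777, "admin/includes": 0o755, "images": 0o755}
    files = {
        "index.php": 0o644,
        "includes/configure.php": 0o444,
        "admin/includes/configure.php": 0o400,
        "admin/file_manager.php": 0o755,  # a file should never be executable
        "images/logo.gif": 0o666,         # world-writable file
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel, mode in dirs.items():  # chmod dirs last so the writes above succeed
        os.chmod(os.path.join(root, rel), mode)
    return root


for rel, mode in audit_permissions(build_demo_tree()):
    print(mode, rel)
```

Point audit_permissions() at your real document root to get the same list for your store.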
As a website business owner/operator, you must also operate as an IT / security person:
You should never type in any password directly, even if you keep tight security on your computer. I personally use RoboForm2Go as it's very reliable and secure.
If you are not already using one, here is what it is:
RoboForm2Go runs directly from USB flash drives, giving your passwords and other personal data complete security, portability, and manageability.
Secure your store. Here are some starting tips:
Rename the admin folder and DO NOT add it to your robots.txt file (hackers read your robots.txt file for site structure details).
Here's how: Rename the admin folder with a random name, for example adiofdhsou7456 (make up your own name).
Then change two lines in /admin/includes/configure.php:
  define('DIR_WS_ADMIN', '/admin/');
  <<< (change the name admin to match your new admin name)
  define('DIR_FS_ADMIN', '/home/username/public_html/catalog/admin/');
  <<< (you may not have catalog; only change the name admin to match your new admin name)
You should not have the file /admin/file_manager.php (it is a security risk).
To remove the file manager:
Delete file_manager.php from catalog/admin (you may not have your site installed in catalog; many are in root /admin).
Open admin/includes/boxes/tools.php and delete the line:
  '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
Also, admin/define_language.php is vulnerable to the same hacks as the file manager, so it too should be removed.
Notice how I block attempts at accessing it, even though it does not exist on the server? Any attempt to access the file would be from a hacker. So we block them and record their activity in /bad_conduct/data.html
This will work with other security mods such as Security Pro by FWR Media.
Server performance is not adversely affected by BAD BEHAVIOR BLOCK; rather, it is improved, as attacks are stopped immediately.
TEST:
I have noticed many brute-force attacks recently. On an unprotected store, they will look something like this:
  /sqlweb/scripts/setup.php
  /phpMyAdmin-4/scripts/setup.php
  /mysql/scripts/setup.php
  ...and more...
  ...etc.
They are looking for vulnerabilities. Hundreds of hits like these will slow your site down, and the hacker will continue to attempt his work if left unchecked. We block them on the first attempt.
NOTE: during testing, your own IP will be blocked.
Test your security by appending any of the above to your website URL, like this: http://www.your-website.com/phpMyAdmin-4/scripts/setup.php
During testing, your IP address will be blocked; be ready to remove it / allow access again...
You will need to unblock your IP address after testing (use the cPanel IP Deny Manager, or directly remove your IP from the bottom of your root .htaccess file using FTP etc.)
Now check your http://your-website.com/bad_conduct/data.html
If you need to run a setup script yourself: remove the .htaccess code and replace it when you are done doing your maintenance/work.
I use this on my websites and it works very well. You: after installing, test your website completely.
MAINTENANCE/OPERATION:
If under cPanel, use the IP Deny Manager.
You may choose to unblock older banned IP addresses every few weeks/months...
Check your http://your-website.com/bad_conduct/data.html periodically (you may open it with your browser to check it).
Run any banned IP address through a service such as this: http://whatismyipaddress.com/
What type of hacking can we block? XSS (Cross-Site Scripting), SQL Injection and Brute Force Attacks:
Block out any script trying to set a mosConfig value through the URL
Block out any script trying to base64_encode
Block out any script that includes a <script> tag in the URL
Block out any script trying to set a PHP GLOBALS variable via the URL
Block out any script trying to modify a _REQUEST variable via the URL
Block attempts to redirect to /self
Block hackers trying a redirect via cPath
Block hackers trying Brute Force attacks
Of course we can block even more. Notice in the code we added to the .htaccess file that the last two RewriteRules are a catch-all for common Brute Force attacks.
You may have to temporarily remove the RewriteRule that reads "RewriteRule setup\.php..." if you are installing a contribution that uses a setup.php called directly.
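To see what rules of this kind do before relying on them, here is an added Python check (my own script, not the contribution's .htaccess) that applies equivalent patterns to constructed sample requests; the regexes are my approximation of the rules listed above, and the redirect-to-/self and cPath rules are left out because their exact patterns are not given here.

```python
import re
from urllib.parse import urlsplit, unquote

# Added example, not the contribution's own code: Python equivalents of the
# conditions the .htaccess rules above apply. Regexes are my approximation.

# Applied to the raw query string (Apache's %{QUERY_STRING} is not URL-decoded,
# so each rule accepts both the literal and the %-encoded form).
QUERY_RULES = [
    ("mosConfig value via URL",   re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", re.I)),
    ("base64_encode via URL",     re.compile(r"base64_encode[^&]*(\(|%28)", re.I)),
    ("<script> tag in URL",       re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),
    ("PHP GLOBALS via URL",       re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", re.I)),
    ("_REQUEST variable via URL", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", re.I)),
]

# Applied to the decoded request path: the catch-all for the setup.php probes in
# the TEST section. It also trips on a contribution's own setup.php (see above).
PATH_RULES = [
    ("setup.php probe",  re.compile(r"setup\.php$", re.I)),
    ("phpMyAdmin probe", re.compile(r"phpmyadmin", re.I)),
]


def matched_rule(request_target):
    """Return the name of the first rule the request trips, or None if it passes."""
    parts = urlsplit(request_target)
    for name, rx in PATH_RULES:
        if rx.search(unquote(parts.path)):
            return name
    for name, rx in QUERY_RULES:
        if rx.search(parts.query):
            return name
    return None


# Constructed sample requests: two normal osCommerce URLs, then probes of the
# kinds the rules are meant to stop.
SAMPLE_REQUESTS = [
    "/index.php?cPath=22_23",
    "/product_info.php?products_id=31&osCsid=abc123",
    "/phpMyAdmin-4/scripts/setup.php",
    "/index.php?mosConfig_absolute_path=x",
    "/index.php?GLOBALS[x]=1",
    "/index.php?_REQUEST=x",
    "/advanced_search_result.php?keywords=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.php?page=base64_encode(x)",
]

for target in SAMPLE_REQUESTS:
    print(f"{'BLOCK' if matched_rule(target) else 'allow'}  {target}")
```

Feed matched_rule() the request targets from your own access log to see which lines a rule set like this would have blocked, and whether any legitimate URL of your store trips it.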
On some of my non-osCommerce websites, I block more using additional RewriteRules.
After you are comfortable, you can add more rules if need be; just follow the syntax of the existing rules.
The blocks included (to append to your .htaccess) will cover almost every attack, and they get no second try.
Security is often overlooked by so many website owners, like an afterthought. Yet it is one of the most important parts of your business! Do not leave yourself in that vulnerable position.
It is late, but I wanted to share something with the business community this evening. I believe I haven't forgotten anything... I type too fast sometimes and outrun my brain. I may open a support topic in the forums so you can share update ideas with one another.
I hope osCommerce continues to develop. It has been my favorite store software and most of the community members are unconditionally supportive. I do miss Bobby Easland, his talent, his kind/supportive personality. I see some good coders showing up here... The guys just seem better at that. Robert Fisher for example (FWR Media) comes to mind. The support he gives to his contributions is just amazing. There are others. You should support your contributors. They work for mostly nothing but the common interest in supporting entrepreneurs and open source software. I cringe when I see someone complain that a contribution "doesn't meet their expectations"... It's a starting point; some contributions will require effort on your part. Hard work equals success. Some people, huh (mostly spoiled kids complain)!
About me:
My name is Debs. I'm sometimes forward (I am a true redhead, my excuse). I have been a self-employed business lady for the last 16 years. One of my websites got hacked about five years ago... during the busy holiday season. That proved devastating!!! You don't think about it as much until it happens to yourself. It can take months for a website business to fully recover.
I have a 23-year-old daughter who often works for Microsoft and has a degree doing IT management stuff (networking skills). She helps me a little with my ideas and helps with some checking of code. She is not a .php programmer either though!
I stay active... jog, play tennis, and WORK! Business is more than a hobby for me. It pays my bills, gave me the ability to raise my three daughters, and gives me great enjoyment.
What works for me... may not be another's cup of tea! I hope this works for you too. I really do. We need to stop the hackers from bringing down anyone's business.
I do not post often in the forums... but I show up now and again to look for updates and ideas.
While a little bashful, I am not shameful. If you feel this BAD BEHAVIOR BLOCK has worked to save your website/business from being hacked, you can always PayPal me (aeroshoppe@hotmail.com) a buck or two. I'll put it toward another new skirt. Thank You!