Just noticed the redirect gone's. I'm using this!!
#####
# The following rules should be added
# to the TOP of your existing .htaccess file
# to prevent malicious users/bots from accessing
# x-cart files that aren't meant to be public.
#####
# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$
# block all .log (log files), .sql (sql dump/export) and .conf (config files) files
# in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$
# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$
# block common X-Cart files that could reveal
# that you have X-Cart installed
RedirectMatch gone VERSION.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*
# block access to /upgrade
Redirect gone /upgrade
# block access to /skin1_original
Redirect gone /skin1_original
# block access to the /sql directory
Redirect gone /sql
# block access to the /shipping directory
Redirect gone /shipping
# block access to the pgp directories
Redirect gone /.pgp
Redirect gone /.pgp.def
# block access to the pgp directories
Redirect gone /tmp
Redirect gone /var