WordPress 3 Ultimate Security

Overview of this book

Most likely – today – some hacker tried to crack your WordPress site, its data and content – maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book. WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection – because that's what you need. Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid! The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable. Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.

World wide worry


Network security is never something to be taken for granted. Web-connected, the threatscape multiplies exponentially. Be under no illusion, the place is a war zone.

Old browser (and other app) versions

Of all our local programs, it's the browser that most generally flies closest to the sun, the hackfest that is the web. Browsers that aren't religiously updated are likely to be prone to infection, some posing mild and others critical risks such as allowing the local installation of malicious code even though the user's merely browsing innocent-looking sites.

The browser isn't the only worry. Any application is a worry. Web-facing ones—anything that traffics data via a port as we'll detail later in the chapter—are a particular worry. These days, that's most of them as they send reports about who-knows-what back to their big brother marketers. Delete anything you don't need and set the rest to auto-update.

Unencrypted traffic

Any data you send over the web is fair game for interception and, among many other things, extortion. That could be your IM or VOIP chatter, it could be your e-mail or webmail, it is everything via FTP, it is everything over HTTP.

Note

FTP is perilous. So is Telnet. So is HTTP. We cover safe protocols in Chapter 5.

Dodgy sites, social engineering, and phish food

Yes, we covered some of this already. You need to hear it again.

Sites get hacked and often the visitor is the target. As we'll cover soon enough in this chapter, we can innocently surf a trusted site, click on a link and, hey presto: blue screen. Really, it's a base example but the fact is that, online, it's that easy to get hit. What's worse is when there's no blue screen and we've no idea we just downloaded a keylogging rootkit. (And just before logging into the server too, which five minutes later becomes the latest addition to some Russian botnet while our data's being sold to the highest bidder.)

Then there's socially engineered traffic-driving, frequently via a nasty Facebook app or one of those short links on Twitter. Before you know it you've been phished off, pressed the wrong button, and went and sold Grandma. Or maybe you wanted that XYZ off thepiratething, else P2P'ed the crack, only it was a hack and you took the whack. Not to mention the red lights, or the gambling dens, hardly breathing the problems with the "try this" links on IRC and so on, and on, and on, and on.

If it smells fishy but it's not edible, throw it back. Fishy or not, if it's a link, know the risk.

Infected public PCs

Hmmn, this'll be mainly about cybercafés then. Well, infection per se, you may as well eat your dinner off the floor of a WC, let alone use a public PC. Just read that bit about browser updates again, look me in the eye and tell me you think that those machines are secure. We'll have some fun here in Chapter 4. Following that you may never go, laptop-free, on holiday again.

Sniffing out problems with wireless

OK, this is a biggie so pay attention. Wireless sniffing is hazardous to your network, your site, your wallet, and not least of all to your stress level.

Running an Ethernet-cabled network and internet connection, barring cable bashing hackers, is fool-proof but, if you haven't taken the time to properly secure a wireless connection, you may as well climb onto the roof and start shouting out your passwords, credit card numbers, personal fetishes, and the fact that you hate your boss. Or if you get vertigo, just hook up a 60" monitor and pop it in the window facing the street.

You're especially vulnerable to having your wireless sniffed—where your web traffic data packets are intercepted, decoded, and later mined for data or personal profiling—if:

  • You use any security protocol other than WPA2

Actually, that's it. Sure there may be other worries like, come the case-study medical papers, that we're beginning to resemble 60-second chicken dinners, but this is the bottom line security concern.

Wireless hotspots

Similarly, given the above, it doesn't take a genius to work out that inherently insecure hotspots aren't great places to maintain your site or file a tax return. Indeed, they're piping red hot danger zones, and then there are the evil twins ...

Evil twins

An evil twin mimics a public wireless point, but has been set up by a phisher, often usurping a genuine neighboring hotspot. It lures you in with free web access before sniffing data that may be used, say, to deplete your smile.

Meanwhile, the spoof hotspot logon page typically phishes your user data, harvests account information, and injects malware onto your device. Nice.
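
An added example, not from the book: a check over a Wi-Fi scan that flags access points using anything other than WPA2 (the sniffing risk above) and SSIDs advertised with conflicting security settings, which is one heuristic sign of an evil twin. The scan lines are constructed in the shape of `nmcli -t -f SSID,BSSID,SECURITY device wifi list` output, and accepting WPA3 alongside WPA2 is an assumption, since it postdates the book.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `nmcli -t -f SSID,BSSID,SECURITY device wifi list`
# (terse mode: fields separated by ':', literal colons escaped as '\:').
SAMPLE_SCAN = r"""
HomeNet:AA\:AA\:AA\:00\:00\:01:WPA2
OldRouter:AA\:AA\:AA\:00\:00\:02:WEP
MixedMode:AA\:AA\:AA\:00\:00\:03:WPA1 WPA2
CafeWiFi:AA\:AA\:AA\:00\:00\:04:WPA2
CafeWiFi:AA\:AA\:AA\:00\:00\:05:WPA2
CafeWiFi:AA\:AA\:AA\:00\:00\:06:
"""

WEAK = {"WEP", "WPA", "WPA1"}  # anything older than WPA2
STRONG = {"WPA2", "WPA3"}      # WPA3 postdates the book; accepting it is an assumption

def parse_scan(text):
    """Yield (ssid, bssid, protocols) for each well-formed scan line."""
    for line in text.strip().splitlines():
        # Split on ':' only where it is not backslash-escaped.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 3:
            continue  # not SSID:BSSID:SECURITY
        ssid, bssid, security = fields
        yield ssid, bssid, frozenset(t for t in security.split() if t != "--")

def weak_networks(text):
    """Map BSSID -> reason for every access point that is not WPA2-or-better only."""
    findings = {}
    for ssid, bssid, protos in parse_scan(text):
        if not protos:
            findings[bssid] = f"{ssid}: open (no encryption)"
        elif protos & WEAK or not protos & STRONG:
            findings[bssid] = f"{ssid}: weak protocol {sorted(protos)}"
    return findings

def twin_suspects(text):
    """SSIDs advertised with more than one security profile (heuristic only)."""
    profiles = defaultdict(set)
    for ssid, _bssid, protos in parse_scan(text):
        profiles[ssid].add(protos)
    return sorted(s for s, p in profiles.items() if len(p) > 1)

if __name__ == "__main__":
    for bssid, reason in weak_networks(SAMPLE_SCAN).items():
        print(bssid, reason)
    print("possible evil twins:", twin_suspects(SAMPLE_SCAN))
```

A legitimate multi-access-point network advertises one SSID with the same security on every BSSID, so a mismatch is worth a second look; a twin that copies the genuine settings exactly will not show up here.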

Ground zero

By way of a section summary and in terms of the threats we face, the web is ground zero. It's fabulous, enriching, a hell of a surf. It's downright dangerous, getting red-line worse, and we've barely scratched the surface.

The security of your site, your network, your business, and your identity depends upon you understanding its danger and, as far as is feasible, muzzling the damn thing.

Note

So there we have the mainstay of the local and web risks and, as you can surely work out, many of these lead inevitably to worries for your web server and network devices, your WordPress site, your content, your data, your hairline ...