WordPress 3 Ultimate Security

WordPress 3 Ultimate Security

Overview of this book

Most likely ‚Äì today ‚Äì some hacker tried to crack your WordPress site, its data and content ‚Äì maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book. WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection ‚Äì because that's what you need. Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid! The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable. Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.

WordPress 3 Ultimate Security

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

So What's the Risk?

Calculated risk

An overview of our risk

Meet the hackers

Physically hacked off

Social engineering

Weighing up Windows, Linux, and Mac OS X

Malwares dissected

World wide worry

Overall risk to the site and server

Summary

Hack or Be Hacked

Introducing the hacker's methodology

Ethical hacking vs. doing time

The reconnaissance phase

Demystifying DNS

Domain name security

The scanning phase

Summary

Securing the Local Box

Breaking Windows: considering alternatives

Windows security services

Proactive about anti-malware

The almost perfect anti-malware solution

Windows user accounts

Managing passwords and sensitive data

Securing data and backup solutions

Programming a safer system

Summary

Surf Safe

Look (out), no wires

Network security re-routed

Using public computers – it can be done

Hotspotting Wi-Fi

E-mailing clients and webmail

Browsers, don't lose your trousers

Anonymous browsing

Networking, friending, and info leak

Summary

Sizing up connection options

WordPress administration with SSL

SSL and login plugins

Locking down indirect access

Apache modules

Summary

10 Must-Do WordPress Tasks

Locking it down

Backing up the lot

Updating shrewdly

Neutering the admin account

Correcting permissions creep

Hiding the WordPress version

Nuking the wp_ tables prefix

Setting up secret keys

Denying access to wp-config.php

Hardening wp-content and wp-includes

Summary

Galvanizing WordPress

Fast installs with Fantastico ... but is it?

Considering a local development server

Added protection for wp-config.php

WordPress security by ultimate obscurity

Revisiting the htaccess file

Good bot, bad bot

Setting up an antimalware suite

More login safeguards

Concerning code

Hiding your files

Summary

Containing Content

Abused, fair use and user-friendly

Illegality vs. benefit

A nice problem to have (or better still to manage)

Sharing and collaboration

Summary

Serving Up Security

.com blogs vs .org sites

Host type analysis

Control panels and terminals

Managing unmanaged with Webmin

Users, permissions, and dangers

Sniffing out dangerous permissions

System users

Repositories, packages, and integrity

Tracking suspect activity with logs

Summary

Solidifying Unmanaged

Hardening the Secure Shell

chrooted SFTP access with OpenSSH

PHP's .ini mini guide

Patching PHP with Suhosin

Isolating risk with SuPHP

Containing MySQL databases

phpMyAdmin: friend or foe?

Bricking up the doors

Fired up on firewalls

Enhancing usability with CSF

Service or disservice?

Gatekeeping with TCP wrappers

Stockier network stack

Summary

Defense in Depth

Hardening the kernel with grsecurity

Integrity, logs, and alerts with OSSEC

Using OSSEC

Updating OSSEC

Easing analysis with a GUI

Slamming backdoors and rootkits

(D)DoS protection with mod_evasive

Sniffing out malformed packets with Snort

Firewalling the web with ModSecurity

Summary

Plugins for Paranoia

Anti-malware

Backup

Content

Spam

SSL

Users

Don't Panic! Disaster Recovery

Diagnosis vs. downtime

Securing your users

Local problems

Server and file problems

WordPress problems

Verifying uploads and shared areas

Checking htaccess files

Pruning hidden users

Reinstalling WordPress

Security Policy

Security policy for somesite.com

Essential Reference

WordPress 3 Ultimate Security

Forums

Linux

Server-side core documents

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Setting up secret keys

Setting up secret keys takes as long as a few wags of a dog's tail and, with their hashing salts propping up your password and stifling backdoor cookie-hijacked Dashboard access, they may just prevent a hacker from turning your site into a dog's dinner.

Go to the beefy salts generator at https://api.wordpress.org/secret-key/1.1/salt:

Tasty. Copy the lot, crack open your wp-config.php in the site's root, and sniff this out:

Trash all that, pasting in its place your new sodium-powered hack-me-nots.

You can change these again if you like. The only side-effect is that old cookies are burnt, so users will have to dip back into the cookie jar (or, more technically, just log back in).

WordPress 3 Ultimate Security

WordPress 3 Ultimate Security

Overview of this book

Related Content you might be interested in

Current Title:

WordPress 3 Ultimate Security

Setting up secret keys