Book Image

WordPress 3 Ultimate Security

Book Image

WordPress 3 Ultimate Security

Overview of this book

Most likely – today – some hacker tried to crack your WordPress site, its data and content – maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book. WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection – because that's what you need. Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid! The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable. Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.

Related Content you might be interested in

Current Title:

Small book image
WordPress 3 Ultimate Security
Jun, 2011 | 408 pages
No titles found
Table of Contents (23 chapters)
WordPress 3 Ultimate Security
WordPress 3 Ultimate Security
Credits
Credits
About the Author
About the Author
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
So What's the Risk?
So What's the Risk?
Calculated risk
An overview of our risk
Meet the hackers
Physically hacked off
Social engineering
Weighing up Windows, Linux, and Mac OS X
Malwares dissected
World wide worry
Overall risk to the site and server
Summary
2
Hack or Be Hacked
Hack or Be Hacked
Introducing the hacker's methodology
Ethical hacking vs. doing time
The reconnaissance phase
Demystifying DNS
Domain name security
The scanning phase
Summary
3
Securing the Local Box
Securing the Local Box
Breaking Windows: considering alternatives
Windows security services
Proactive about anti-malware
The almost perfect anti-malware solution
Windows user accounts
Managing passwords and sensitive data
Securing data and backup solutions
Programming a safer system
Summary
4
Surf Safe
Surf Safe
Look (out), no wires
Network security re-routed
Using public computers – it can be done
Hotspotting Wi-Fi
E-mailing clients and webmail
Browsers, don't lose your trousers
Anonymous browsing
Networking, friending, and info leak
Summary
5
Login Lock-Down
Login Lock-Down
Sizing up connection options
WordPress administration with SSL
SSL and login plugins
Locking down indirect access
Apache modules
Summary
6
10 Must-Do WordPress Tasks
10 Must-Do WordPress Tasks
Locking it down
Backing up the lot
Updating shrewdly
Neutering the admin account
Correcting permissions creep
Hiding the WordPress version
Nuking the wp_ tables prefix
Setting up secret keys
Denying access to wp-config.php
Hardening wp-content and wp-includes
Summary
7
Galvanizing WordPress
Galvanizing WordPress
Fast installs with Fantastico ... but is it?
Considering a local development server
Added protection for wp-config.php
WordPress security by ultimate obscurity
Revisiting the htaccess file
Good bot, bad bot
Setting up an antimalware suite
More login safeguards
Concerning code
Hiding your files
Summary
8
Containing Content
Containing Content
Abused, fair use and user-friendly
Illegality vs. benefit
A nice problem to have (or better still to manage)
Sharing and collaboration
Protecting content
Pre-emptive defense
Reactive response
Tackling offenders
Summary
9
Serving Up Security
Serving Up Security
.com blogs vs .org sites
Host type analysis
Control panels and terminals
Managing unmanaged with Webmin
Users, permissions, and dangers
Sniffing out dangerous permissions
System users
Repositories, packages, and integrity
Tracking suspect activity with logs
Summary
10
Solidifying Unmanaged
Solidifying Unmanaged
Hardening the Secure Shell
chrooted SFTP access with OpenSSH
PHP's .ini mini guide
Patching PHP with Suhosin
Isolating risk with SuPHP
Containing MySQL databases
phpMyAdmin: friend or foe?
Bricking up the doors
Fired up on firewalls
Enhancing usability with CSF
Service or disservice?
Gatekeeping with TCP wrappers
Stockier network stack
Summary
11
Defense in Depth
Defense in Depth
Hardening the kernel with grsecurity
Integrity, logs, and alerts with OSSEC
Using OSSEC
Updating OSSEC
Easing analysis with a GUI
Slamming backdoors and rootkits
(D)DoS protection with mod_evasive
Sniffing out malformed packets with Snort
Firewalling the web with ModSecurity
Summary
Plugins for Paranoia
Plugins for Paranoia
Anti-malware
Backup
Content
Login
Spam
SSL
Users
Don't Panic! Disaster Recovery
Don't Panic! Disaster Recovery
Diagnosis vs. downtime
Securing your users
Local problems
Server and file problems
WordPress problems
Verifying uploads and shared areas
Checking htaccess files
Pruning hidden users
Reinstalling WordPress
Security Policy
Security Policy
Security policy for somesite.com
Essential Reference
Essential Reference
WordPress 3 Ultimate Security
Bloggers and zines
Forums
Hacking education
Linux
Macs and Windows
Organizations
Penetration testing
Server-side core documents
Toolkits
Web browsers
WordPress
Mailing lists
Non-official support
Index
Index

Diagnosis vs. downtime

Diagnosis can take time. That can mean downtime. With a bunch of possible root causes, what's needed is a flexible fix that allows for the former, while minimizing the latter.

Initial diagnosis weeds out non-hacked hassles such as local issues, server trouble, and third party incompatibilities, typically with plugins. This stage often throws up a simple fix.

If you still have hitches, how to tackle them will vary depending on the symptoms and your level of experience.

Preparing for deep diagnosis is, for most of us, a sensible precautionary step that involves backing up the site, its database, and its logs. It also involves ensuring access to server logs. Other than using this lot for troubleshooting, the backup may be vital if you scrap something by mistake.

There are now two possible avenues of action:

  • Diagnosing with the site in place, correcting issues and possibly re-installing

  • Re-installing WordPress, straight off, then diagnosing from the compromised backup to correct the root cause

There's no right or wrong with either method, which are generally combined anyhow. Ultimately they lead to the same thing, a secure site. It's just that the route to take depends on the kind of problem you have. Chicken and egg? Yup!

Given the theory, let's get practical.

Note

This guide should not necessarily be taken in order.

While the order of play is ultimately safe all round, in practise, it may lead to more downtime than you want or need. This is where experience really helps, judging the necessary diagnostic steps against particular symptoms.

Read this entire appendix and consider your scenario before making any changes.

Crucially, don't panic, dammit! Anxiety leads to mistakes and more grief. Besides, most snags are pretty easily snared. So smile, however wryly!

Backup Backup Backup Backup Backup Backup Backup ... Why not?

You should backup the files, the database, and logs before making any changes.

Even if you have a recent backup—in which case, don't overwrite it, it is more likely uninfected—you may need something or the other. And if on-site diagnostics don't shimmy out the problem, you can later re-address the infected backup to help corner the underlying issue.

There are a host of backup strategies in Chapter 6 , by the way, just for you.

Previous Section
End of Section
Next Section