WordPress 3 Ultimate Security

WordPress 3 Ultimate Security

Overview of this book

Most likely ‚Äì today ‚Äì some hacker tried to crack your WordPress site, its data and content ‚Äì maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book. WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection ‚Äì because that's what you need. Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid! The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable. Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.

WordPress 3 Ultimate Security

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

So What's the Risk?

Calculated risk

An overview of our risk

Meet the hackers

Physically hacked off

Social engineering

Weighing up Windows, Linux, and Mac OS X

Malwares dissected

World wide worry

Overall risk to the site and server

Summary

Hack or Be Hacked

Introducing the hacker's methodology

Ethical hacking vs. doing time

The reconnaissance phase

Demystifying DNS

Domain name security

The scanning phase

Summary

Securing the Local Box

Breaking Windows: considering alternatives

Windows security services

Proactive about anti-malware

The almost perfect anti-malware solution

Windows user accounts

Managing passwords and sensitive data

Securing data and backup solutions

Programming a safer system

Summary

Surf Safe

Look (out), no wires

Network security re-routed

Using public computers – it can be done

Hotspotting Wi-Fi

E-mailing clients and webmail

Browsers, don't lose your trousers

Anonymous browsing

Networking, friending, and info leak

Summary

Sizing up connection options

WordPress administration with SSL

SSL and login plugins

Locking down indirect access

Apache modules

Summary

10 Must-Do WordPress Tasks

Locking it down

Backing up the lot

Updating shrewdly

Neutering the admin account

Correcting permissions creep

Hiding the WordPress version

Nuking the wp_ tables prefix

Setting up secret keys

Denying access to wp-config.php

Hardening wp-content and wp-includes

Summary

Galvanizing WordPress

Fast installs with Fantastico ... but is it?

Considering a local development server

Added protection for wp-config.php

WordPress security by ultimate obscurity

Revisiting the htaccess file

Good bot, bad bot

Setting up an antimalware suite

More login safeguards

Concerning code

Hiding your files

Summary

Containing Content

Abused, fair use and user-friendly

Illegality vs. benefit

A nice problem to have (or better still to manage)

Sharing and collaboration

Summary

Serving Up Security

.com blogs vs .org sites

Host type analysis

Control panels and terminals

Managing unmanaged with Webmin

Users, permissions, and dangers

Sniffing out dangerous permissions

System users

Repositories, packages, and integrity

Tracking suspect activity with logs

Summary

Solidifying Unmanaged

Hardening the Secure Shell

chrooted SFTP access with OpenSSH

PHP's .ini mini guide

Patching PHP with Suhosin

Isolating risk with SuPHP

Containing MySQL databases

phpMyAdmin: friend or foe?

Bricking up the doors

Fired up on firewalls

Enhancing usability with CSF

Service or disservice?

Gatekeeping with TCP wrappers

Stockier network stack

Summary

Defense in Depth

Hardening the kernel with grsecurity

Integrity, logs, and alerts with OSSEC

Using OSSEC

Updating OSSEC

Easing analysis with a GUI

Slamming backdoors and rootkits

(D)DoS protection with mod_evasive

Sniffing out malformed packets with Snort

Firewalling the web with ModSecurity

Summary

Plugins for Paranoia

Anti-malware

Backup

Content

Spam

SSL

Users

Don't Panic! Disaster Recovery

Diagnosis vs. downtime

Securing your users

Local problems

Server and file problems

WordPress problems

Verifying uploads and shared areas

Checking htaccess files

Pruning hidden users

Reinstalling WordPress

Security Policy

Security policy for somesite.com

Essential Reference

WordPress 3 Ultimate Security

Forums

Linux

Server-side core documents

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Acknowledgement

Other than thanking Eugenia, a.k.a. she who must be obeyed and without whom this book would still be a tree, there are a great many other people to whom I wish to express my gratitude.

The Automattic crew makes a fair start, as does the exceptional WordPress community and, beyond that, the wider open source fellowship, from the tech-headed coder to the pyjamaland blogger, those folks who, day by day, teach and inspire us to make much more than just money.

Then there are the unsung heroes of the Web, the white hats who police security, quell the fires, and build the fences that this book merely refers to. Without these guys and gals, we'd all be toast.

Ironically perhaps, I'd like to thank Microsoft too, but don't have a cardiac. Thing is, without all the blue screens, I'd never have had my defens-ucation. Like they say in Yorkshire, where there's muck, there's brass. So cheers Bill, and sorry if I knocked a couple of points off the share price.

Then there are the lads: Javier who's a bit of a git, but who tagged me with WordPress, Marc for prompting me to search-replace Windows for Tux, Piers for just being Piers. And my late dad and my mum, in case she's feigning interest and reading along, just because they're my parents.

Apparently there's been a rumor going around the vpsBible forums that I'd caught a killer virus, else had been run down by a system bus. I'd like to say that, hey, you're a top lot, IOU, and I promise to make it up to you. I've no plans to write another book for at least a couple of weeks.

I'd like to thank the decent, patient, and hard-working people at Packt Publishing for cueing me up on this project. In security spiel, you could say, they took a risk with an unknown threat tapping out his first book. I don't know everyone who's worked on this, but would like to thank the crew backstage as well as those folks I've personally dealt with—Sayama Waghu, Usha Iyer, Priya Mukherji, Vishal Bodwani, Susmita Panda, Dayan Hyames and, especially, Patricia Weir ('cos she's in charge of the cheques)—as well as the work's Technical Reviewers John Eckman, Kevin Kelly and Hari K T. Thank you, one and all. You cut me a break. You also nearly killed me. Thank you.

I had some great advice before signing up for grey hair; Leon Sterling and Steve White from the LinkedIn-based Certified Professional Writers Association and Rupert Heath from his namesake, London-based literary agency. You were right. Blood and guts! It had to be done. Thank you.

Finally, I'd like to thank whoever invented ground coffee, English tea, warm beer, and Scotch whiskey. Writing this last paragraph now, I kid ye not, it sure is time for a wee dram.

WordPress 3 Ultimate Security

WordPress 3 Ultimate Security

Overview of this book

Related Content you might be interested in

Current Title:

WordPress 3 Ultimate Security

Acknowledgement