WordPress 3 Ultimate Security

Overview of this book

Most likely, today, some hacker tried to crack your WordPress site, its data and content: maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet, but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book. WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection, because that's what you need. Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of solid tools. The WordPress platform is only as safe as its weakest network link, its administrators' discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, and locking down the platform, your web files, the database, and the server. With that done, your ongoing security is far more manageable. Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.
Table of Contents (23 chapters)
WordPress 3 Ultimate Security
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
Index

Preface

Most likely, today, some hacker tried to crack your WordPress site, its data and content. Maybe that was just a one-off from some bored kid. Just as likely, it was an automated hit, trying dozens of attacks to find a soft spot. Then again, quite likely it was both.

Whether you've already been hacked or just want some insurance, welcome.

Let's be frank, up front. Web security has no silver bullet. The threatscape is simply too vast, the vulnerabilities too numerous. Your risk stretches from the keyboard at your fingertips, through and out the back of your local machine, buzzing around its network, maybe through your phone, into the router, hopping across your web surfing, into the remote server, buzzing around that network and jumping all over WordPress.

Gee whiz!

In other words, changing the admin username, mashing a new password, and swapping the table prefix don't address much, important as these things are. They, and pretty much all the Top Tips guides, combine limited security with a false sense of it.

Place your bets. Your site, whatever its hosting type, is only as safe as the weakest local-to-remote link, and then some. You can shore up WordPress, and you must, but if some Joe Hacker comes along, physically or technically, and grabs a password from your local machine, or bothers to profile you online, then, a few tools later, I'd back the black hat.

I'm sorry if that scares you. The intention is to move you, to persuade you to read not just Chapter 6 plus maybe a bit of 7, but the lot. I'll try to keep you awake. I'm also sorry to break this to you, but reading it once isn't the end of it either. Security is like dogs and Christmas: it's a life-long deal. Fortunately, even though the hacks get better, your security management gets easier and, maybe this author's just a bit sad but, really, fighting the security war is quite good fun.

Sold?

Whether you are or not, read Chapter 1. Then see what you think.

What this book covers

Chapter 1, So What's the Risk? sets the scene by outlining the vulnerabilities of WordPress, both direct and indirect, together with the threats seeking to exploit those frailties, ultimately helping us to weigh up the risk to our sites and blogs.

Chapter 2, Hack or Be Hacked puts our newly gained theoretical awareness into practice, giving us the hacker's mindset, methodology, and toolkit to flag vulnerabilities in WordPress, its server, its network, and contingent devices.

Chapter 3, Securing the Local Box does just that, taking a potentially flaky working environment and reinforcing it with a best-of-breed anti-malware solution to give us a solid foundation from which to administer the site.

Chapter 4, Surf Safe plugs us tentatively into the wall, and the web, throwing up the problems we face while pinning down the solutions we need to securely navigate this perilous minefield of malicious intent.

Chapter 5, Login Lock-Down maps out the web's mass transport system, its protocols, directing their correct use for securely delivering data while armour-plating precious destinations such as the Dashboard, the server, and phpMyAdmin.

Chapter 6, 10 Must-Do WordPress Tasks gives the platform teeth by addressing common shortcomings, with a heap of tips along the way on secure administration and, for example, setting up an automated off-server backup system.

Chapter 7, Galvanizing WordPress sets out numerous advanced techniques to defend against hackers, scrapers, and spammers while again advising on a range of admin issues such as a security-assistive local development strategy.

Chapter 8, Containing Content addresses ours, explaining the law and our copyright options, showing how to benefit from managed reuse and setting out tools and strategies to defend, track, and regain control of copy and media.

Chapter 9, Serving Up Security walks us through assessing the hosting on which our site's security depends, demystifying least-privilege user and file protection while tracking malicious activity through the correct use of logs.

Chapter 10, Solidifying Unmanaged takes due care to harden server and control panel access, to isolate web and server files, to protect PHP and databases, and to firewall the lot with an extensively tweaked network configuration.

Chapter 11, Defense in Depth fortifies the site and server with kernel and memory patching, a web application firewall, simplified logs management and host-, network- and rootkit-based detection systems.

Appendix A, Plugins for Paranoia is my personal pick of the protective plugin pack, with each and every one thoroughly tested and listed on merit.

Appendix B, Don't Panic! Disaster Recovery sequentially orders a strategy to protect our site users, our reputation, and SEO before finding and rectifying problems to get the site back online in the quickest possible time.

Appendix C, Security Policy provides a working document template setting out a framework strategy to pre-empt and future-proof your ongoing security concerns.

Appendix D, Essential Reference pools security's big-gun websites including blogs, forums, hacking tools, organizations and, oddly enough, WordPress resources.

What you need for this book

It might be useful if you've got a WordPress site. Unless you're assessing the platform, that is, in which case, fair enough.

Otherwise, reflecting marketshare, desktop computers, which are referred to throughout the book as being local, tend to center on Windows machines while servers, which are referred to as being remote, center exclusively on Linux. Local Mac and Linux users, by the way, can apply many of the remote techniques we cover to their local machines.

Regarding the server, if VPS or dedicated plan holders have any problems using the guides, this will most likely be due to differences in package management between Linux distributions. These tutorials have been prepared on Debian-based systems, which use the DEB package format. Those on other distributions will want to tweak the commands to reflect their distro which, for Red Hat family systems such as CentOS or Fedora, means the RPM package system equivalents. Similarly, this guide uses Debian's aptitude package manager, so either swap that for apt-get or, again on Red Hat systems, switch to the equivalent yum commands.

Pretty much everything else should be standard across the board. The notable exception is those who've shunned Apache in favor of, say, Nginx. You folks will need to translate the security rules stated here, for example the .htaccess rules, into their Nginx equivalents, since Nginx does not read .htaccess files at all.

Of course, there's a bucket of code here, so you'd do well to trundle off to this book's online home to grab a copy of that, saving bags of time and maybe a few syntax errors:

Probably lots of coffee will help too, plus a thick skin if you work for Microsoft.

Who this book is for

WordPress 3 Ultimate Security is designed for security novices and web pros alike.

From site and server owners and administrators to members of their contributing team, the mission of this project has been to take a complex and, for most people, an utterly dull subject and make it accessible, encouraging, and sometimes remotely fun. Sort of.

Even a total security and WordPress newbie can cut the odds of a successful attack from practically inevitable to practically zero. Practically.

In other words:

  • Got a WordPress site or blog? Well done. That'll do.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Short of devoting this entire tome to further authentication modules, which by and large, work the same way as mod_auth and mod_auth_digest, it would, nonetheless, be amiss not to mention a few of them."

A block of code is set as follows:

<VirtualHost 203.0.113.10:443>
  ServerName  somesite.com
  ServerAlias www.somesite.com
  DirectoryIndex index.php index.html
</VirtualHost>

Any command-line input or output is written as follows:

chown -R USER:USER .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
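Those three commands are the book's standard SSH key lockdown, and they are worth getting exactly right: sshd's StrictModes (on by default) silently ignores authorized_keys when the .ssh directory or the file is group- or world-writable, so a mistyped chmod shows up as a lockout rather than an error. As an added example, not code from the book, here is a small POSIX shell audit-and-repair script built around the same three commands. It assumes a GNU or BSD stat, takes the directory and owner as arguments rather than assuming ~/.ssh, and the function names ssh_audit and ssh_fix are this example's own, not OpenSSH tooling.

```sh
#!/bin/sh
# Added example (not the book's code): audit and repair a .ssh directory so
# that sshd's StrictModes accepts authorized_keys. Assumes POSIX sh plus a
# GNU or BSD stat. ssh_audit/ssh_fix are names chosen here, not OpenSSH tools.

# Octal mode bits of a path (GNU stat first, BSD stat as the fallback).
ssh_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user name of a path.
ssh_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# ssh_audit DIR USER: print one line per problem; return 0 only if clean.
ssh_audit() {
    dir=$1; user=$2; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # The directory itself: 700 and owned by the user (the book's chmod 700 .ssh).
    if [ "$(ssh_mode "$dir")" != 700 ]; then
        echo "$dir: mode $(ssh_mode "$dir"), want 700"; rc=1
    fi
    if [ "$(ssh_owner "$dir")" != "$user" ]; then
        echo "$dir: owner $(ssh_owner "$dir"), want $user"; rc=1
    fi
    # authorized_keys and private keys: 600. Public keys (*.pub) may stay 644.
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if [ "$(ssh_mode "$f")" != 600 ]; then
            echo "$f: mode $(ssh_mode "$f"), want 600"; rc=1
        fi
        if [ "$(ssh_owner "$f")" != "$user" ]; then
            echo "$f: owner $(ssh_owner "$f"), want $user"; rc=1
        fi
    done
    return $rc
}

# ssh_fix DIR OWNER: the book's three commands, scoped to DIR. OWNER is a
# chown spec such as USER:USER; pass just USER to leave the group untouched.
ssh_fix() {
    dir=$1; owner=$2
    chown -R "$owner" "$dir"
    chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] && chmod 600 "$dir/authorized_keys"
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) ;; *) chmod 600 "$f" ;; esac
    done
    return 0
}

# Stand-alone use:  sh ssh-perms.sh audit ~/.ssh
#                   sh ssh-perms.sh fix ~/.ssh USER:USER   (then audits again)
case "${1:-}" in
    audit) ssh_audit "$2" "$(id -un)" ;;
    fix)   ssh_fix "$2" "$3" && ssh_audit "$2" "$(id -un)" ;;
esac
```

Run the audit before and after the lockdown on any box you administer remotely; a clean audit plus a second SSH session that still authenticates is the check to make before you close the session you are working in.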

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "As shown in the image, you should choose WPA2, sometimes marked as WPA2 Personal or WPA2-PSK, along with AES encryption".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail .

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.