WordPress 3 Ultimate Security
Table of Contents
WordPress 3 Ultimate Security
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. So What's the Risk?
Calculated risk
An overview of our risk
Meet the hackers
White hat
Black hat
Botnets
Cybercriminals
Hacktivists
Scrapers
Script kiddies
Spammers
Misfits
Grey hat
Hackers and crackers
Physically hacked off
Social engineering
Phone calls
Walk-ins
Enticing URLs
Phishing
Social networking (and so on)
Protecting against social engineering
Weighing up Windows, Linux, and Mac OS X
The deny-by-default permission model
The open source advantage
System security summary
Malwares dissected
Blended threats
Crimeware
Data loggers
At loggerheads with the loggers
Hoax virus
Rootkits
Spyware
Trojan horses
Viruses
Worms
Zero day
World wide worry
Old browser (and other app) versions
Unencrypted traffic
Dodgy sites, social engineering, and phish food
Infected public PCs
Sniffing out problems with wireless
Wireless hotspots
Evil twins
Ground zero
Overall risk to the site and server
Physical server vulnerabilities
Open ports with vulnerable services
Access and authentication issues
Buffer overflow attacks
Intercepting data with man-in-the-middle attacks
Cracking authentication with password attacks
The many dangers of cross-site scripting (XSS)
Assorted threats with cross-site request forgery (CSRF)
Accessible round-up
Lazy site and server administration
Vulnerable versions
Redundant files
Privilege escalation and jailbreak opportunities
Unchecked information leak
Directory traversal attacks
Content theft, SEO pillaging, and spam defacement
Scraping and media hotlinking
Damn spam, rants, and heart attacks
Summary
2. Hack or Be Hacked
Introducing the hacker's methodology
Reconnaissance
Scanning
Gain access
Secure access
Cover tracks
Ethical hacking vs. doing time
The reconnaissance phase
What to look for
How to look for it
Google hacking
Sites and links
Finding files
Keyword scanning
Phone numbers
More on Google hacking
Scouting-assistive applications
Hacking Google hacking with SiteDigger
WHOIS whacking
Demystifying DNS
Resolving a web address
Domain name security
The scanning phase
Mapping out the network
Nmap: the Network Mapper
Using ping sweeps to map out a network
Checking for open ports on a network device
Checking for vulnerable services on a network device
Secondary scanners
Scanning for server vulnerabilities
Nessus
Creating policies with Nessus
Assessing problems
OpenVAS
GFI Languard
Qualys
NeXpose and Metasploit
Scanning for web vulnerabilities
Wikto
Paros Proxy
HackerTarget
Alternative tools
Hack packs
Summary
3. Securing the Local Box
Breaking Windows: considering alternatives
Windows security services
Security or Action Center
Windows Firewall
Windows Update
Internet Options
Windows Defender
User Account Control
Configuring UAC in Vista
Configuring UAC in Windows 7
Disabling UAC at the registry (Vista and 7)
UAC problems with Vista Home and Premium
Proactive about anti-malware
The reactionary old guard: detection
Regular antivirus scanners
Signature-based
Heuristics-based
The proactive new guard: prevention
HIPS and behavior scanning
HIPS vs behavior scanners
Sandbox isolation
The almost perfect anti-malware solution
Comodo Internet Security (CIS)
Comodo Firewall
Comodo Antivirus
Scanning by signature
Scanning by heuristics
Comodo Defense+ (HIPS) and sandbox
Pick 'n mix anti-malware modules
Firewall with ZoneAlarm
Antivirus with Avira AntiVir
HIPS + sandbox + firewall with DefenseWall
Behavior scanning with ThreatFire
Updating ThreatFire
Sensitivity Level
System Activity Monitor
Multiple sandboxes with Sandboxie
Advanced sandboxing (and more) with virtual machines
Rootkit detection with GMER and RootRepeal
Malware cleaning with Malwarebytes
Anti-malware product summary
Prevention models and user commitment
Windows user accounts
XP user accounts
Vista and Windows 7 user accounts
Managing passwords and sensitive data
Proper passphrase policy
Password and data managers
Web browser data managers
Future-proofed data management
Why LastPass?
Setting up LastPass
Installing LastPass
Using LastPass
Bolstering LastPass security
LastPass multi-factor authentication
Virtual keyboard
One time passwords
Grid system
YubiKey support
Sesame authentication
Passed out? That's it!
Securing data and backup solutions
Have separate data drives
Encrypting hard drives
Automated incremental backup
Registry backup
Programming a safer system
Patching the system and programs
Binning unwanted software
Disabling clutter and risky Windows services
Disabling XP's Simple File Sharing
Summary
4. Surf Safe
Look (out), no wires
Alt: physical cable connection
The wireless management utility
Securing wireless
Router password
Changing the SSID
Hiding the SSID
WEP vs. WPA vs. WPA2
WPA2 with AES
AES vs. TKIP
Wireless authentication key
Optional: MAC address filtering
Summing up wireless
Network security re-routed
Swapping firmware
Using public computers – it can be done
Booting a Preinstalled Environment (PE)
Secure your browsing
Online applications
Portable applications
Advanced data management and authentication
Covering your tracks
Checking external media
Hotspotting Wi-Fi
Hardening the firewall
Quit sharing
Disabling automatic network detection
Alternative document storage
Encrypted tunnelling with a Virtual Private Network
E-mailing clients and webmail
Remote webmail clients (and other web applications)
Encrypted webmail
Checking your encryption type
Better webmail solutions
Logging out
Local software clients
Keeping the client updated
Instant scanning
Sandboxing clients
Local and remote clients
Plain text or HTML
E-mail encryption and digital signatures with PGP
Encrypting attachments with compression utilities
Your e-mail addresses
Don't become phish food
Beware of spoof addresses
Damn spam
SpamAssassin Trainer
Browsers, don't lose your trousers
Latest versions
Internet Explorer (IE)
Isolating older browsers
Browsers and security
Chrome's USPs (for good and very bad)
Chrome outfoxed
Firefox security settings
The password manager
Extending security
Ad and cookie cullers
AdBlock Plus *
Beef Taco *
BetterPrivacy *
Ghostery
Ad Hacker
FEBE *
LastPass *
Locationbar2
Lock The Text
Anti-scripting attacks
NoScript *
RequestPolicy
SSL certificate checks
Certificate Patrol *
Perspectives *
Web of Trust (WOT) *
Anonymous browsing
Locally private browsing
Online private browsing
Anonymous proxy server
Chained proxies
SSL proxies and Virtual Private Networks (VPNs)
Corporate and private VPNs
Private SOCKS proxy with SSH
Networking, friending, and info leak
Third party apps and short links
Summary
5. Login Lock-Down
Sizing up connection options
Protocol soup
WordPress administration with SSL
SSL for shared hosts
Shared, server-wide certificates
Letting WordPress know
Logging in
Dedicated, domain-specific certificates
Dedicated IP
Obtaining signed certificates
Setting up a signed certificate
SSL for VPS and dedicated servers
Creating a self-signed certificate
Generating the files
Required Apache modules
Configuring the virtual host file
Alerting WordPress and activating SSL
Using a signed certificate
Testing SSL and insecure pages
SSL reference
SSL and login plugins
Locking down indirect access
Server login
Hushing it up with SSH
Shared hosting SSH request
Setting up the terminal locally
Linux or Mac locally
Windows locally
Setting up Tunnelier
Securing the terminal
Creating keys: Linux or Mac locally
Creating keys: Windows locally
Uploading keys
Using keys from multiple machines
SFTP not FTP
SFTP from the command line
SFTP using S/FTP clients
Connecting up a client
phpMyAdmin login
Safer database administration
Control panel login
Apache modules
IP deny with mod_access
What is my IP?
IP spoofing
Password protect directories
cPanel's Password Protect Directories
Authentication with mod_auth
The htaccess file
A quick shout out to htaccess, bless
The passwd file
Creating and editing password files
Creating group membership
Basically, it's basic
Better passwords with mod_auth_digest
Easily digestible groups
More authentication methods
mod_auth_db and mod_auth_dbm
mod_auth_mysql
mod_auth_pg95
Yet more authentication methods
Summary
6. 10 Must-Do WordPress Tasks
Locking it down
Backing up the lot
Prioritizing backup
Full, incremental and differential
How and where to backup
Backing up db + files on the web server
Backing up db + files by your web host
Backing up db to (web)mail
Backing up db and/or files to cloud storage
SMEStorage Multi-Cloud WordPress Backup
Automatic WordPress Backup
Updraft
BackWPup
VaultPress
Un-clouding the issue
Backing up files for local Windows users
Installing Cobian as a service
Setting up Tunnelier's FTP-to-SFTP bridge
Setting up the bridge
Saving your profile
Creating the batch files
Testing your batch files
Setting up your first Cobian Backup task
Hooking Tunnelier into Cobian
Opening the bridge
Testing the ruddy thing
Backing up a database to local machines
Dumping the data from a database
Cron the script
Grabbing the data dump for Windows locally
Flushing the dump
Files and db backup for local Mac 'n Linux users
Full backup to local
Full backup remote to remote
Incremental backups to local
Incremental remote-to-remote
Backing up backup!
Updating shrewdly
Think, research, update
Dry run updates
Updating plugins, widgets and other code
The new update panel
Neutering the admin account
The problem with admin
Deleting admin
OK, don't delete admin!
Creating privileged accounts
Private account names and nicknames
Least privilege users
Custom roles
Denying subscriptions
Correcting permissions creep
Pruning permissions at the terminal
Restyling perms with a control panel
777 permissions
wp-config.php permissions
Hiding the WordPress version
Binning the readme
Cloaking the login page and the version
Silver bullets won't fly
Nuking the wp_ tables prefix
Backing up the database
Automated prefix change
Manual prefix change
Installing WordPress afresh
Setting up secret keys
Denying access to wp-config.php
Hardening wp-content and wp-includes
Extra rules for wp-include's htaccess
Extra rules for wp-content's htaccess
Summary
7. Galvanizing WordPress
Fast installs with Fantastico ... but is it?
Considering a local development server
Using a virtual machine
Added protection for wp-config.php
Moving wp-config.php above the WordPress root
Less value for non-root installations
WordPress security by ultimate obscurity
Just get on with it
Introducing remove_actions
Blog client references
Feed references
Relational links
Linking relationships thingy
Stylesheet location
Renaming and migrating wp-content
The problem with plugins
The other problem with plugins
Yet another problem with those pesky plugins
Default jQuery files
Themes and things
"Just another WordPress blog"
Ultimate security by obscurity: worth it?
Revisiting the htaccess file
Blocking comment spam
Limiting file upload size
Hotlink protection
Protecting files
Hiding the server signature
Protecting the htaccess file
Hiding htaccess files
Ensuring correct permissions
Adding a deny rule
Good bot, bad bot
Bot what?
Good bot
Bad bot
Bots blitzkrieg
Snaring the bots
Short circuiting bots with htaccess
Bots to trot
The Perishable Press 4G Blacklist
Honey pots
Project Honey Pot
CloudFlare
Bad Behavior
Perishable Press Blackhole for bad bots
Setting up an antimalware suite
Firewall
AntiVirus
More login safeguards
Limit Login Attempts
Scuttle log-in errors
Concerning code
Deleting redundant code
Scrutinize widgets, plugins and third party code
Ditto for themes
Running malware scans and checking compatibility
Routing rogue plugins
Hiding your files
Summary
8. Containing Content
Abused, fair use and user-friendly
Scraping and swearing
The problem with scrapers
Fair play to fair use
Extending knowledge, generally with non-commercial intent
The public interest
The amount and value of the extracted material
The effect on the current and future worth of the original content
Illegality vs. benefit
A nice problem to have (or better still to manage)
Sharing and collaboration
Sack lawyers, employ creative commons
Site and feed licensing
Protecting content
Pre-emptive defense
Backlink bar none
Tweaking the title
Linking lead content
Reasserting with reference
Binning the bots
Coining a copyright notice
Fielding your feeds
Adding a digi-print footer
Showing only summaries
Preventing media hotlinks
Refusing right-clicks
Watermarking your media
Reactive response
Seeking out scrapers
Investigating the Dashboard
Incoming links
Trackbacks
Investigating the site and server log
Online investigation
Searching with Google
Don't bother with Google Blogs
Using Google Alerts
Copyscape
Feedburner's Uncommon Uses
Plagium
TinEye
Pinpointing scrapers
Run a WHOIS search
Tackling offenders
The cordial approach
The DMCA approach
The jugular approach
The legal approach
Finding the abuse department
Summary
9. Serving Up Security
.com blogs vs .org sites
Host type analysis
Choices choices ...
Querying support and community
Questions to ask hosting providers
Control panels and terminals
Safe server access
Understanding the terminal
Elevating to superuser permissions
Setting up a panel
Managing unmanaged with Webmin
Installing Webmin
Securing Webmin
Users, permissions, and dangers
Files and users
Ownership and permissions
Translating symbolic to octal notation
Using change mode to modify permissions
WordPress permissions
Permissions case study: super-tight wp-config.php
Using change owner to modify ownership
Owning your files
Sniffing out dangerous permissions
Suspect hidden files and directories
Protecting world-writable files
Scrutinising SUID and SGID files (aka SxID files)
Keeping track of changes with SXID
Cronning SXID
System users
Shared human accounts
Administrative accounts
Deleting user accounts
Home directory permissions
User access
Non-human accounts
Repositories, packages, and integrity
Verifying genuine software
MD5 checksums
GnuPG cryptographic signatures
Tracking suspect activity with logs
Reading the Common Log Format (CLF)
What visitor
What file
From where
What client
Exercising the logged data
Chicken and egg with logging plugins
Legwork for access logs
Logs and hosting types
Checking the authorization log
Securing and parsing logs
Enabling logs
Dynamic logs
Off-site logging
Log permissions
Summary
10. Solidifying Unmanaged
Hardening the Secure Shell
Protocol 2
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers USERNAME
Reloading SSH
chrooted SFTP access with OpenSSH
Binning the FTP service and firewalling the port
Providing a secure workspace
Deleting users safely
PHP's .ini mini guide
Locating your configuration options
Making .ini a meany
open_basedir
Patching PHP with Suhosin
Installing Suhosin
Isolating risk with SuPHP
Installing SuPHP
Alternatives to SuPHP
Containing MySQL databases
Checking for empty passwords
Deleting the test database
Remote db connections with an SSH tunnel
phpMyAdmin: friend or foe?
Did we mention backup?
Bricking up the doors
Ports 101
Fired up on firewalls
Bog-standard iptables firewall
Adding the firewall to the network
Quitting superuser
Reference for iptables
Enhancing usability with CSF
Installing CSF
CSF as a control panel module
Setting up the firewall
Error on stopping the firewall
CSF from the command line
Using CSF to scan for system vulnerabilities
Service or disservice?
Researching services with Netstat
Preparing to remove services
Researching services
inetd and xinetd super-servers
Service watch
Disabling services using a service manager
Using sysv-rc-conf
Deleting unsafe services with harden-servers
Closing the port
Gatekeeping with TCP wrappers
Stockier network stack
Summary
11. Defense in Depth
Hardening the kernel with grsecurity
Growling quietly with greater security
Controlling user access with RBAC
Second-tier access control
Training the RBAC system with Gradm
Memory protection with PaX
The multi-layered protection model
Debian grsecurity from repositories
Compiling grsecurity into a kernel
Matching the kernel and grsecurity packages
Exporting the version numbers
Verifying the package downloads
Patching the kernel
Xen VPS configuration part 1
Configuring the kernel
grsecurity levels
Kernel level chroot hardening
Properly implemented?
grsecurity and chroot
Using Sysctl support to maximize security settings
Options galore
The kernel executable
Xen VPS configuration part 2
Booting and checking the kernel
Installing Gradm
Integrity, logs, and alerts with OSSEC
Obtaining and verifying the source
The installation process
What kind of installation (server, agent, local, or help)?
Choosing where to install the OSSEC HIDS [/var/ossec]
Configuring the OSSEC HIDS
Do you want to add more IPs to the white list?
Setting the configuration to analyze the following logs
Using OSSEC
Updating OSSEC
Easing analysis with a GUI
OSSEC-WUI
Splunk
Slamming backdoors and rootkits
(D)DoS protection with mod_evasive
Sniffing out malformed packets with Snort
Installing the packages
Snort's installation options
Specifying the network
Point to the database
Ruby on Rails dependencies
Creating the web interface
Creating a sub-domain using an A record
Setting up the virtual host file
Creating the database
Deploying Ruby on Rails with Passenger
Enabling everything
Browsing to Snorby
Hacking yourself
Configuring the network
Updating Snort's rule-base
Sourcefire Vulnerability Research Team™ (VRT)
Emerging Threats
Firewalling the web with ModSecurity
Installing mod-security, the Apache module
Applying a ruleset
Enabling CRS and logging
Tuning your ruleset
Rulesets and WordPress
Updating rulesets
ModSecurity resources
Summary
A. Plugins for Paranoia
Anti-malware
Backup
Content
Login
Spam
SSL
Users
B. Don't Panic! Disaster Recovery
Diagnosis vs. downtime
Securing your users
Considering maintenance mode
Using a plugin
Using a rewrite rule
Local problems
Server and file problems
WordPress problems
Incompatible plugins
Injected plugins
Widgets, third party code and theme problems
Fun 'n' frolics with files
Scrutinizing file changes
Remote file comparison
Local file comparison
Deep file scanning
Verifying uploads and shared areas
Checking htaccess files
Pruning hidden users
Reinstalling WordPress
Some provisos
Upload WordPress and plugins
Importing a database backup
Editing wp-config-sample.php
Setting least privileges
Sending the clean platform live
Changing your passwords
Checking your search engine results pages
Revisiting WordPress security
C. Security Policy
Security policy for somesite.com
Aim
Goals
Somesite.com
Personal Computers
Server
Roles and responsibilities
Security Manager (SM)
System Administrator
Site Administrator
Site Editors
Other roles
Network assets
PCs and media
Routing gear
Server
Website assets
Backup
Code updates
Database
Domain
Further policy considerations
D. Essential Reference
WordPress 3 Ultimate Security
Bloggers and zines
2600: The Hacker Quarterly
CGISecurity
Darknet
Dark Reading
ha.ckers
KrebsonSecurity
Jeremiah Grossman
Phrack Magazine
Forums
hack in the box
sla.ckers
WindowSecurity
Hacking education
Go Hacking
HackThisSite
Hellbound Hackers
OWASP WebGoat Project
We Chall
YouTube
Linux
Linux Online
Linux Journal
YoLinux
Macs and Windows
Apple Product Security
Microsoft Security
Organizations
OWASP
SANS
SecurityFocus
WASC
Wikipedia
Penetration testing
ISECOM's OSSTM
OWASP Testing Guide
Server-side core documents
Apache HTTP Server Version 2.2 Documentation
Apache: Module Index
MySQL: Security
PHP: Security
Toolkits
SecTools.Org
TREACHERY UNLIMITED
WASC Web Application Security Scanner List
Web browsers
Chrome
Firefox
Internet Explorer
Opera
Safari
Browser Security Handbook
WordPress
Forums
.com support
Codex
News
Planet
Development updates
Trac
Reporting Bugs
Security issues
Plugin Repository Trac
Plugins and themes
Plugins and themes source
Kvetch!
IRC
Mailing lists
Non-official support
LinkedIn WordPress group
WordPress forums
WordPress Tavern
Index