WordPress 3 Ultimate Security: Protect Your WordPress Site and Its Network
Most likely – today – some hacker tried to crack your WordPress site, its data and content – maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet, but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book.
WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 tips ..." guide. It's ultimate protection – because that's what you need.
Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid!
The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable.
Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.
This is an essential guide to securing your WordPress site and content, which shows what to do locally, wirelessly, server-side, and with the application to keep the bad guys out.
What you will learn from this book:
Hack or be hacked! Learn the mind-set, how attackers work, the methods they employ and how to use those to secure WordPress
Work safely from anywhere, using the latest antimalware tools on your PC and being secure even on infected shared machines
Understand the dangers of wireless connections, maximize your router's protection and know how to safely use public Wi-Fi hotspots
Learn about and use the toughest internet protocols to connect to your server, site, and files with military-strength encryption
Find out how to hide your dashboard and any other sensitive web files by using code, plugins, and Apache modules
Carry out dozens of WordPress security tasks using either plugins or code and utilizing either a control panel or terminal
Keep tabs on content, find out who is using it, and how to enforce your copyright (and safeguard your SEO)
Know the risks with control panels and interfaces like phpMyAdmin, learning how to solidify them or completely hide them from attackers
Recover from a WordPress disaster, properly diagnosing the underlying cause of the problem so that it won't be repeated
Consider the security differences between web hosting types and know what kind of security questions to ask a shared host
Grasp key Linux concepts like file ownership and permissions, using the terminal to maximize security options (for shared hosting too)
Reinforce the server with – for starters – an encrypted connection, network, firewall, and kernel hardening and with a web application firewall
Approach
This is a comprehensive essential guide to WordPress security written in a light style, which converts learning a really serious topic into an enjoyable read. It is packed with copy-paste solutions to security to suit all levels of security know-how.
Who this book is written for
Just as WordPress is used by a broad spectrum of website owners, with varying degrees of security know-how, so WordPress 3 Ultimate Security is written to be understood by security novices and web professionals alike. From site and server owners and administrators to members of their contributing team, this essential A to Z reference takes a complex and, let's face it, frankly dull subject and makes it accessible, encouraging, and sometimes even fun. Even if you are a total newbie to security, you can transform an insecure site into an iron-clad fortress, safeguarding your site users, your content and, sooner or later, your stress level.
About the author
Olly Connelly was conceived in the Summer of Love and likes to think that he's the reincarnation of some dude who copped it after a Woodstock head-banger.
Born in Windsor, England, he's no relation. Olly lives with Eugenia, just off a beach in Valencia, Spain.
His background is broadcasting and satirical journalism and his experience includes serially annoying the BBC, Bloomberg, and MTV.
Web-wise, Olly's a freelance content producer, web developer, and system administrator. His site vpsbible.com guides Linux newbies to set up and maintain their own unmanaged VPS boxes. At guvnr.com, meanwhile, he chats up the web and tries equally to demystify the complex. You can also catch @the_guv on the mighty T where he tweets tech 'n tonics.
Table of contents

Chapter 1: So What's the Risk?
Calculated risk
An overview of our risk
Meet the hackers
White hat
Black hat
Botnets
Cybercriminals
Hacktivists
Scrapers
Script kiddies
Spammers
Misfits
Grey hat
Hackers and crackers
Physically hacked off
Social engineering
Phone calls
Walk-ins
Enticing URLs
Phishing
Social networking (and so on)
Protecting against social engineering
Weighing up Windows, Linux, and Mac OS X
The deny-by-default permission model
The open source advantage
System security summary
Malwares dissected
Blended threats
Crimeware
Data loggers
At loggerheads with the loggers
Hoax virus
Rootkits
Spyware
Trojan horses
Viruses
Worms
Zero day
World wide worry
Old browser (and other app) versions
Unencrypted traffic
Dodgy sites, social engineering, and phish food
Infected public PCs
Sniffing out problems with wireless
Wireless hotspots
Evil twins
Ground zero
Overall risk to the site and server
Physical server vulnerabilities
Open ports with vulnerable services
Access and authentication issues
Buffer overflow attacks
Intercepting data with man-in-the-middle attacks
Cracking authentication with password attacks
The many dangers of cross-site scripting (XSS)
Assorted threats with cross-site request forgery (CSRF)
Accessible round-up
Lazy site and server administration
Vulnerable versions
Redundant files
Privilege escalation and jailbreak opportunities
Unchecked information leak
Content theft, SEO pillaging, and spam defacement
Scraping and media hotlinking
Damn spam, rants, and heart attacks
Summary

Chapter 2: Hack or Be Hacked
Introducing the hacker's methodology
Reconnaissance
Scanning
Gain access
Secure access
Cover tracks
Ethical hacking vs. doing time
The reconnaissance phase
What to look for
How to look for it
Google hacking
More on Google hacking
Scouting-assistive applications
Hacking Google hacking with SiteDigger
WHOIS whacking
Demystifying DNS
Resolving a web address
Domain name security
The scanning phase
Mapping out the network
Nmap: the network mapper
Secondary scanners
Scanning for server vulnerabilities
Nessus
OpenVAS
GFI LANguard
Qualys
NeXpose and Metasploit
Scanning for web vulnerabilities
Wikto
Paros Proxy
HackerTarget
Alternative tools
Hack packs
Summary

Chapter 3: Securing the Local Box
Breaking Windows: considering alternatives
Windows security services
Security or Action Center
Windows Firewall
Windows Update
Internet Options
Windows Defender
User Account Control
Configuring UAC in Vista
Configuring UAC in Windows 7
Disabling UAC at the registry (Vista and 7)
UAC problems with Vista Home and Premium
Proactive about anti-malware
The reactionary old guard: detection
Regular antivirus scanners
The proactive new guard: prevention
The almost perfect anti-malware solution
Comodo Internet Security (CIS)
Comodo Firewall
Comodo Antivirus
Comodo Defense+ (HIPS) and Sandbox
Pick 'n mix anti-malware modules
Firewall with ZoneAlarm
Antivirus with Avira AntiVir
HIPS + sandbox + firewall with DefenseWall
Behavior scanning with ThreatFire
Updating ThreatFire
Sensitivity level
System activity monitor
Multiple sandboxes with Sandboxie
Advanced sandboxing (and more) with virtual machines
Rootkit detection with GMER and RootRepeal
Malware cleaning with Malwarebytes
Anti-malware product summary
Prevention models and user commitment
Windows user accounts
XP user accounts
Vista and Windows 7 user accounts
Managing passwords and sensitive data
Proper passphrase policy
Password and data managers
Web browser data managers
Future-proofed data management
Why LastPass?
Setting up LastPass
Passed out? That's it!
Securing data and backup solutions
Have separate data drives
Encrypting hard drives
Automated incremental backup
Registry backup
Programming a safer system
Patching the system and programs
Binning unwanted software
Disabling clutter and risky Windows services
Disabling XP's simple file sharing
Summary

Chapter 4: Surf Safe
Look (out), no wires
Alt: physical cable connection
The wireless management utility
Securing wireless
Router password
Changing the SSID
Hiding the SSID
WEP vs. WPA vs. WPA2
WPA2 with AES
AES vs. TKIP
Wireless authentication key
Optional: MAC address filtering
Summing up wireless
Network security re-routed
Swapping firmware
Using public computers – it can be done
Booting a preinstalled environment (PE)
Secure your browsing
Online applications
Portable applications
Advanced data management and authentication
Covering your tracks
Checking external media
Hotspotting Wi-Fi
Hardening the firewall
Quit sharing
Disabling automatic network detection
Alternative document storage
Encrypted tunnelling with a virtual private network
E-mailing clients and webmail
Remote webmail clients (and other web applications)
Encrypted webmail
Checking your encryption type
Better webmail solutions
Logging out
Local software clients
Keeping the client updated
Instant scanning
Sandboxing clients
Local and remote clients
Plain text or HTML
E-mail encryption and digital signatures with PGP
Your e-mail addresses
Don't become phish food
Beware of spoof addresses
Damn spam
SpamAssassin trainer
Browsers, don't lose your trousers
Latest versions
Internet Explorer (IE)
Isolating older browsers
Browsers and security
Chrome's USPs (for good and very bad)
Chrome outfoxed
Firefox security settings
The password manager
Extending security
Ad and cookie cullers
FEBE *
LastPass *
LocationBar²
Lock the text
Anti-scripting attacks
SSL certificate checks
Web of Trust (WOT) *
Anonymous browsing
Locally private browsing
Online private browsing
Anonymous proxy server
Chained proxies
SSL proxies and virtual private networks (VPNs)
Corporate and private VPNs
Private SOCKS proxy with SSH
Networking, friending, and info leak
Third party apps and short links
Summary

Chapter 5: Login Lock-Down
Sizing up connection options
Protocol soup
WordPress administration with SSL
SSL for shared hosts
Shared, server-wide certificates
Dedicated, domain-specific certificates
SSL for VPS and dedicated servers
Creating a self-signed certificate
Using a signed certificate
Testing SSL and insecure pages
SSL reference
SSL and login plugins
Locking down indirect access
Server login
Hushing it up with SSH
Shared hosting SSH request
Setting up the terminal locally
Securing the terminal
SFTP not FTP
SFTP from the command line
SFTP using S/FTP clients
Connecting up a client
phpMyAdmin login
Safer database administration
Control panel login
Apache modules
IP deny with mod_access
What is my IP?
IP spoofing
Password protect directories
cPanel's Password Protect Directories
Authentication with mod_auth
The htaccess file
The passwd file
Creating and editing password files
Creating group membership
Basically, it's basic
Better passwords with mod_auth_digest
Easily digestible groups
More authentication methods
mod_auth_db and mod_auth_dbm
mod_auth_mysql
mod_auth_pg95
Yet more authentication methods
Summary

Chapter 6: 10 Must-Do WordPress Tasks
Locking it down
Backing up the lot
Prioritizing backup
Full, incremental and differential
How and where to backup
Backing up DB + files on the web server
Backing up DB + files by your web host
Backing up DB to (web)mail
Backing up DB and/or files to cloud storage
Backing up files for local Windows users
Backing up a database to local machines
Files and DB backup for local Mac 'n Linux users
Backing up backup!
Updating shrewdly
Think, research, update
Dry run updates
Updating plugins, widgets and other code
The new update panel
Neutering the admin account
The problem with admin
Deleting admin
OK, don't delete admin!
Creating privileged accounts
Private account names and nicknames
Least privilege users
Custom roles
Denying subscriptions
Correcting permissions creep
Pruning permissions at the terminal
Restyling perms with a control panel
777 permissions
wp-config.php permissions
Hiding the WordPress version
Binning the readme
Cloaking the login page and the version
Silver bullets won't fly
Nuking the wp_ tables prefix
Backing up the database
Automated prefix change
Manual prefix change
Installing WordPress afresh
Setting up secret keys
Denying access to wp-config.php
Hardening wp-content and wp-includes
Extra rules for wp-includes' htaccess
Extra rules for wp-content's htaccess
Summary

Chapter 7: Galvanizing WordPress
Fast installs with Fantastico ... but is it?
Considering a local development server
Using a virtual machine
Added protection for wp-config.php
Moving wp-config.php above the WordPress root
Less value for non-root installations
WordPress security by ultimate obscurity
Just get on with it
Introducing remove_actions
Blog client references
Feed references
Relational links
Linking relationships thingy
Stylesheet location
Renaming and migrating wp-content
The problem with plugins
The other problem with plugins
Yet another problem with those pesky plugins
Default jQuery files
Themes and things
"Just another WordPress blog"
Ultimate security by obscurity: worth it?
Revisiting the htaccess file
Blocking comment spam
Limiting file upload size
Hotlink protection
Protecting files
Hiding the server signature
Protecting the htaccess file
Hiding htaccess files
Ensuring correct permissions
Adding a deny rule
Good bot, bad bot
Bot what?
Good bot
Bad bot
Bots blitzkrieg
Snaring the bots
Short circuiting bots with htaccess
Bots to trot
Honey pots
Setting up an antimalware suite
Firewall
Antivirus
More login safeguards
Limit login attempts
Scuttle log-in errors
Concerning code
Deleting redundant code
Scrutinize widgets, plugins and third party code
Ditto for themes
Running malware scans and checking compatibility
Routing rogue plugins
Hiding your files
Summary

Chapter 8: Containing Content
Abused, fair use and user-friendly
Scraping and swearing
The problem with scrapers
Fair play to fair use
Illegality vs. benefit
A nice problem to have (or better still to manage)
Sharing and collaboration
Sack lawyers, employ Creative Commons
Site and feed licensing
Protecting content
Pre-emptive defense
Backlink bar none
Tweaking the title
Linking lead content
Reasserting with reference
Binning the bots
Coining a copyright notice
Fielding your feeds
Adding a digi-print footer
Showing only summaries
Preventing media hotlinks
Refusing right-clicks
Watermarking your media
Reactive response
Seeking out scrapers
Investigating the dashboard
Investigating the site and server log
Online investigation
Pinpointing scrapers
Tackling offenders
The cordial approach
The DMCA approach
The jugular approach
The legal approach
Finding the abuse department
Summary

Chapter 9: Serving Up Security
.com blogs vs .org sites
Host type analysis
Choices choices ...
Querying support and community
Questions to ask hosting providers
Control panels and terminals
Safe server access
Understanding the terminal
Elevating to superuser permissions
Setting up a panel
Managing unmanaged with Webmin
Installing Webmin
Securing Webmin
Users, permissions, and dangers
Files and users
Ownership and permissions
Translating symbolic to octal notation
Using change mode to modify permissions
Using change owner to modify ownership
Sniffing out dangerous permissions
Suspect hidden files and directories
Protecting world-writable files
Scrutinising SUID and SGID files (aka sxid files)
Keeping track of changes with sXid
Cronning sXid
System users
Shared human accounts
Administrative accounts
Deleting user accounts
Home directory permissions
User access
Non-human accounts
Repositories, packages, and integrity
Verifying genuine software
MD5 checksums
GnuPG cryptographic signatures
Tracking suspect activity with logs
Reading the Common Log Format (CLF)
What visitor
What file
From where
What client
Exercising the logged data
Chicken and egg with logging plugins
Legwork for access logs
Logs and hosting types
Checking the authorization log
Securing and parsing logs
Enabling logs
Dynamic logs
Off-site logging
Log permissions
Summary

Chapter 10: Solidifying Unmanaged
Hardening the secure shell
Protocol 2
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers username
Reloading SSH
Chrooted SFTP access with OpenSSH
Binning the FTP service and firewalling the port
Providing a secure workspace
Deleting users safely
PHP's .ini mini guide
Locating your configuration options
Making .ini a meany
open_basedir
Patching PHP with Suhosin
Installing Suhosin
Isolating risk with suPHP
Installing suPHP
Alternatives to suPHP
Containing MySQL databases
Checking for empty passwords
Deleting the test database
Remote DB connections with an SSH tunnel
phpMyAdmin: friend or foe?
Did we mention backup?
Bricking up the doors
Ports 101
Fired up on firewalls
Bog-standard iptables firewall
Adding the firewall to the network
Quitting superuser
Reference for iptables
Enhancing usability with CSF
Installing CSF
CSF as a control panel module
Setting up the firewall
Error on stopping the firewall
CSF from the command line
Using CSF to scan for system vulnerabilities
Service or disservice?
Researching services with netstat
Preparing to remove services
Researching services
inetd and xinetd super-servers
Service watch
Disabling services using a service manager
Using sysv-rc-conf
Deleting unsafe services with harden-servers
Closing the port
Gatekeeping with TCP Wrappers
Stockier network stack
Summary

Chapter 11: Defense in Depth
Hardening the kernel with grsecurity
Growling quietly with greater security
Controlling user access with RBAC
Memory protection with PaX
The multi-layered protection model
Debian grsecurity from repositories
Compiling grsecurity into a kernel
Integrity, logs, and alerts with OSSEC
Obtaining and verifying the source
The installation process
Using OSSEC
Updating OSSEC
Easing analysis with a GUI
OSSEC-WUI
Splunk
Slamming backdoors and rootkits
(D)DoS protection with mod_evasive
Sniffing out malformed packets with Snort
Installing the packages
Snort's installation options
Ruby on Rails dependencies
Creating the web interface
Creating a sub-domain using an A record
Setting up the virtual host file
Creating the database
Deploying Ruby on Rails with Passenger
Enabling everything
Browsing to Snorby
Hacking yourself
Configuring the network
Updating Snort's rule-base
Sourcefire Vulnerability Research Team™ (VRT)
Emerging Threats
Firewalling the web with ModSecurity
Installing mod-security, the Apache module
Applying a ruleset
Enabling CRS and logging
Tuning your ruleset
Rulesets and WordPress
Updating rulesets
ModSecurity resources
Summary

Appendix A: Plugins for Paranoia
Anti-malware
Backup
Content
Login
Spam
SSL
Users

Appendix B: Don't Panic! Disaster Recovery
Diagnosis vs. downtime
Securing your users
Considering maintenance mode
Using a plugin
Using a rewrite rule
Local problems
Server and file problems
WordPress problems
Incompatible plugins
Injected plugins
Widgets, third party code and theme problems
Fun 'n' frolics with files
Deep file scanning
Verifying uploads and shared areas
Checking htaccess files
Pruning hidden users
Reinstalling WordPress
Some provisos
Upload WordPress and plugins
Importing a database backup
Editing wp-config-sample.php
Setting least privileges
Sending the clean platform live
Changing your passwords
Checking your search engine results pages
Revisiting WordPress security

Appendix C: Security Policy
Security policy for somesite.com
Aim
Goals
Roles and responsibilities
Security manager (SM)
System administrator
Site administrator
Site editors
Other roles
Network assets
PCs and media
Routing gear
Server
Website assets
Backup
Code updates
Database
Domain
Further policy considerations

Appendix D: Essential Reference
WordPress 3 Ultimate Security
Bloggers and zines
Forums
Hacking education
Linux
Macs and Windows
Organizations
Penetration testing
Server-side core documents
Toolkits
Web browsers
WordPress
Mailing lists
Non-official support

Author: Olly Connelly
Publisher: Packt Publishing
ISBN: 9789350234792