WordPress 3 Ultimate Security

Protect your WordPress site and its network

Oily Connelly

[PUBLISHING

1 open sourceI community experience distilled

BIRMINGHAM - MUMBAI

Table of Contents

Preface 1

Chapter 1: So What's the Risk? 7

Calculated risk 8

An overview of our risk 9

Meet the hackers 10

White hat 10

Black hat 11

Botnets 11

Cybercriminals 11

Hacktivists 11

Scrapers 12

Script kiddies 12

Spammers 12

Misfits 12

Grey hat 12

Hackers and crackers 12

Physically hacked off 13

Social engineering 14

Phone calls 14

Walk-ins 14

Enticing URLs 15

Phishing 15

Social networking (and so on) 15

Protecting against social engineering 15

Weighing up Windows, Linux, and Mac OS X 16

The deny-by-default permission model 17

The open source advantage 17

System security summary 18

Table of Contents,

Malwares dissected 18

Blended threats 18

Crimeware 19

Dataloggers 19

At loggerheads with the loggers 20

Hoax virus 20

Rootkits 20

Spyware 20

Trojan horses 21

Viruses 21

Worms 21

Zero day 21

World wide worry 22

Old browser (and other app) versions 22

Unencrypted traffic 22

Dodgy sites, social engineering, and phish food 22

Infected public PCs 23

Sniffing out problems with wireless 23

Wireless hotspots 24

Evil twins 24

Ground zero 24

Overall risk to the site and server 24

Physical server vulnerabilities 25

Open ports with vulnerable services 25

Access and authentication issues 26

Buffer overflow attacks 26

Intercepting data with man-in-the-middle attacks 27

Cracking authentication with password attacks 27

The many dangers of cross-site scripting (XSS) 27

Assorted threats with cross-site request forgery (CSRF) 28

Accessible round-up 28

Lazy site and server administration 29

Vulnerable versions 29

Redundant files 30

Privilege escalation and jailbreak opportunities 30

Unchecked information leak 31

Content theft, SEO pillaging, and spam defacement 32

Scraping and media hotlinking 33

Damn spam, rants, and heart attacks 33

Summary 34

Chapter 2: Hack or Be Hacked 35

Introducing the hacker's methodology 36

Reconnaissance 36

Table of Contents

Scanning 37

Gain access 37

Secure access 37

Cover tracks 37Ethical hacking vs. doing time 38

The reconnaissance phase 39

What to look for 39

How to look for it 40

Google hacking 41

More on Google hacking 43

Scouting-assistive applications 43

Hacking Google hacking with SiteDigger 44

WHOIS whacking 44

Demystifying DNS 46

Resolving a web address 46

Domain name security 47

The scanning phase 47

Mapping out the network 48

Nmap: the Network Mapper 48

Secondary scanners 51

Scanning for server vulnerabilities 52

Nessus 52

OpenVAS 54

GFI Languard 55

Qualys 55

NeXpose and Metasploit 55

Scanning for web vulnerabilities 56

Wikto 56

Paros Proxy 57

HackerTarget 58

Alternative tools 58

Hack packs 58

Summary 59

Chapter 3: Securing the Local Box 61

Breaking Windows: considering alternatives 62

Windows security services 63

Security or Action Center 64

Windows Firewall 64

Windows Update 64

Internet Options 65

Windows Defender 65

Table of Contents

User Account Control 65

Configuring UAC in Vista 66

Configuring UAC in Windows 7 67

Disabling UAC at the registry (Vista and 7) 67

UAC problems with Vista Home and Premium 67

Proactive about anti-rnalware 68

The reactionary old guard: detection 68

Regular antivirus scanners 68

The proactive new guard: prevention 69

The almost perfect anti-malware solution 70

Comodo Internet Security (CIS) 71Comodo Firewall 72

Comodo Antivirus 72

Comodo Defense+ (HIPS) and sandbox 72

Pick 'n mix anti-malware modules 73

Firewall with ZoneAlarm 73

Antivirus with Avira AntiVir 74

HIPS + sandbox + firewall with DefenseWall 75

Behavior scanning with ThreatFire 75

Updating ThreatFire 75

Sensitivity Level 75

System Activity Monitor 76

Multiple sandboxes with Sandboxie 76

Advanced sandboxing (and more) with virtual machines 77

Rootkit detection with GMER and RootRepeal 78

Malware cleaning with Malwarebytes 78

Anti-malware product summary 78

Prevention models and user commitment 79

Windows user accounts 79

XP user accounts 80

Vista and Windows 7 user accounts 80

Managing passwords and sensitive data 81

Proper passphrase policy 81

Password and data managers 82Web browser data managers 82

Future-proofed data management 82

Why LastPass? 83

Setting up LastPass 83

Passed out? That's it! 86

Securing data and backup solutions 86

Have separate data drives 86

Encrypting hard drives 86

Table of Contents

Automated incremental backup 87

Registry backup 88

Programming a safer system 88

Patching the system and programs 88

Binning unwanted software 89

Disabling clutter and risky Windows services 89

Disabling XP's Simple File Sharing 90

Summary 91

Chapter 4: Surf Safe 93

Look (out), no wires 93

Alt: physical cable connection 94

The wireless management utility 94

Securing wireless 94

Router password 94

Changing the SSID 95

Hiding the SSID 95

WEP vs. WPA vs. WPA2 95

WPA2 with AES 95

AESvs. TKIP 96

Wireless authentication key 96

Optional: MAC address filtering 96

Summing up wireless 96

Network security re-routed 96

Swapping firmware 97

Using public computers - it can be done 98

Booting a Preinstalled Environment (PE) 98

Secure your browsing 99

Online applications 99

Portable applications 99

Advanced data management and authentication 100

Covering your tracks 100

Checking external media 101

Hotspotting Wi-Fi 101

Hardening the firewall 101

Quit sharing 101

Disabling automatic network detection 101

Alternative document storage 102

Encrypted tunnelling with a Virtual Private Network 102

E-mailing clients and webmail 102

Remote webmail clients (and other web applications) 102

Encrypted webmail 103

Checking your encryption type 104

Table of Contents

Better webmail solutions 104

Logging out 105

Local software clients 105

Keeping the client updated 105

Instant scanning 105

Sandboxing clients 105

Local and remote clients 106Plain text or HTML 106

E-mail encryption and digital signatures with PGP 106

Your e-mail addresses 107

Don't become phish food 107

Beware of spoof addresses 108

Damn spam 108

SpamAssassin Trainer 108

Browsers, don't lose your trousers 108

Latest versions 109

Internet Explorer (IE) 109

Isolating older browsers 109

Browsers and security 109

Chrome's USPs (for good and very bad) 110

Chrome outfoxed 110

Firefox security settings 111The password manager 111

Extending security 111

Ad and cookie cullers 112

FEBE* 112

LastPass* 113

Locationbar2 113

Lock The Text 113

Anti-scripting attacks 113

SSL certificate checks 113

Web of Trust (WOT)*

114

Anonymous browsing 114

Locally private browsing 114Online private browsing 115

Anonymous proxy server 115

Chained proxies 116

SSL proxies and Virtual Private Networks (VPNs) 116

Corporate and private VPNs 116

Private SOCKS proxy with SSH 117

Networking, friending, and info leak 117

Third party apps and short links 118

Summary 119

[vi]

Table ofContents

Chapter 5: Login Lock-Down 121

Sizing up connection options 122

Protocol soup 122

WordPress administration with SSL 124

SSL for shared hosts 124

Shared, server-wide certificates 124

Dedicated, domain-specific certificates 125

SSL for VPS and dedicated servers 126

Creating a self-signed certificate 127

Using a signed certificate 130

Testing SSL and insecure pages 130

SSL reference 131

SSL and login plugins 131

Locking down indirect access 131

Server login 132

Hushing it up with SSH 132

Shared hosting SSH request 132

Setting up the terminal locally 133

Securing the terminal 134

SFTP not FTP 137

SFTP from the command line 137

SFTP using S/FTP clients 137

Connecting up a client 137

phpMyAdmin login 138

Safer database administration 139

Control panel login 139

Apache modules 139

IP deny with mod_access 139

What is my IP? 140

IP spoofing 140

Password protect directories 140

cPanel's Password Protect Directories 141

Authentication with mod_auth 141

The htaccess file 142

The passwd file 143

Creating and editing password files 143

Creating group membership 144

Basically, it's basic 146

Better passwords with mod_auth_digest 146

Easily digestible groups 148

More authentication methods 148

mod_auth_db and mod_auth_dbm 148

mod_authjnysql 149

mod_auth_pg95 149

Table ofContents.

Yet more authentication methods 149

Summary ^5u

Chapter 6: 10 Must-Do WordPress Tasks 151

Locking it down 152

Backing up the lot I52

Prioritizing backup 152

Full, incremental and differential 153

How and where to backup 153

Backing up db + files on the web server 153

Backing up db + files by your web host 154

Backing up db to (web)mail 154

Backing up db and/or files to cloud storage 154

Backing up files for local Windows users 155

Backing up a database to local machines 160

Files and db backup for local Mac 'n Linux users 162

Backing up backup! 165

Updating shrewdly 165

Think, research, update 165

Dry run updates 166

Updating plugins, widgets and other code 166

The new update panel 166

Neutering the admin account 167

The problem with admin 167

Deleting admin 167

OK, don't delete admin! 167

Creating privileged accounts 168Private account names and nicknames 168

Least privilege users 168

Custom roles 169

Denying subscriptions 169

Correcting permissions creep 169

Pruning permissions at the terminal 170

Restyling perms with a control panel 170777 permissions 170

wp-config.php permissions 170

Hiding the WordPress version 171

Binning the readme 171

Cloaking the login page and the version 171

Silver bullets won't fly 173

Nuking the wp_ tables prefix 173

Backing up the database 174

Automated prefix change 174Manual prefix change 174

Table of Contents

Installing WordPress afresh 175

Setting up secret keys 175

Denying access to wp-config.php 176

Hardening wp-content and wp-includes 177

Extra rules for wp-include's htaccess 177

Extra rules for wp-content's htaccess 177

Summary 178

Chapter 7: Galvanizing WordPress 179

Fast installs with Fantastico...

but is it? 179

Considering a local development server 181

Using a virtual machine 181

Added protection for wp-config.php 182

Moving wp-config.php above the WordPress root 182

Less value for non-root installations 182

WordPress security by ultimate obscurity 183

Just get on with it 184

Introducing remove_actions 184

Blog client references 184

Feed references 185

Relational links 185

Linking relationships thingy 185

Stylesheet location 185

Renaming and migrating wp-content 185

The problem with plugins 186

The other problem with plugins 186

Yet another problem with those pesky plugins 187

Default jQuery files 187

Themes and things 188

"Just another WordPress blog" 188

Ultimate security by obscurity: worth it? 188

Revisiting the htaccess file 189

Blocking comment spam 189

Limiting file upload size 189

Hotlink protection 190

Protecting files 190

Hiding the server signature 191

Protecting the htaccess file 191

Hiding htaccess files 191

Ensuring correct permissions 191

Adding a deny rule 191

Table ofContents___ . _

Good bot, bad bot 191

Bot what? 192

Good bot 192

Bad bot 192

Bots blitzkrieg 193

Snaring the bots 193

Short circuiting bots with htaccess 193

Bots to trot 194

Honey pots 19^

Setting up an antimalware suite 196

Firewall 196

Antivirus 197

More login safeguards 197

Limit Login Attempts 197

Scuttle log-in errors 198

Concerning code 198

Deleting redundant code 198

Scrutinize widgets, plugins and third party code 199

Ditto for themes 199

Running malware scans and checking compatibility 200

Routing rogue plugins 200

Hiding your files 200

Summary 201

Chapter 8: Containing Content 203

Abused, fair use and user-friendly 204

Scraping and swearing 204The problem with scrapers 204

Fair play to fair use 204

Illegality vs. benefit 205A nice problem to have (or better still to manage) 206

Sharing and collaboration 207Sack lawyers, employ creative commons 207Site and feed licensing 208

Protecting content 208

Pre-emptive defense 209Backlink bar none 209Tweaking the title

209Linking lead content

209Reasserting with reference

209

Binning the bots210

Coining a copyright notice 210

Table of Contents

Fielding your feeds 210

Adding a digi-print footer 210

Showing only summaries 211

Preventing media hotlinks 211

Refusing right-clicks 212

Watermarking your media 212

Reactive response 212

Seeking out scrapers 212

Investigating the Dashboard 213

Investigating the site and server log 213

Online investigation 213

Pinpointing scrapers 216

Tackling offenders 217

The cordial approach 217The DMCA approach 219

The jugular approach 222

The legal approach 222

Finding the abuse department 222

Summary 223

Chapter 9: Serving Up Security 225

.com blogs vs .org sites 226

Host type analysis 226

Choices choices...

229

Querying support and community 230

Questions to ask hosting providers 230

Control panels and terminals 231

Safe server access 231

Understanding the terminal 232

Elevating to superuser permissions 233

Setting up a panel 233

Managing unmanaged with Webmin 233

Installing Webmin 234

Securing Webmin 234

Users, permissions, and dangers 235

Files and users 235

Ownership and permissions 236

Translating symbolic to octal notation 237

Using change mode to modify permissions 238

Using change owner to modify ownership 239

Sniffing out dangerous permissions 240

Suspect hidden files and directories 240

Protecting world-writable files 241

Table ofContents

Scrutinising SUID and SGID files (aka SxlD files) 241

Keeping track of changes with SXiD 242

CronningSXID 242

System users 243

Shared human accounts 243

Administrative accounts 243

Deleting user accounts 243

Home directory permissions 244

User access 244

Non-human accounts 244

Repositories, packages, and integrity 244

Verifying genuine software 245

MD5 checksums 245

GnuPG cryptographic signatures 245

Tracking suspect activity with logs 246

Reading the Common Log Format (CLF) 247

What visitor 248

What file 248

From where 249

What client 249

Exercising the logged data 249

Chicken and egg with togging plugins 249

Legwork for access logs 250

Logs and hosting types 250

Checking the authorization log 250

Securing and parsing logs 251

Enabling logs 251

Dynamic logs 251

Off-site logging 252

Log permissions 252

Summary 252

Chapter 10: Solidifying Unmanaged 253

Hardening the Secure Shell 254

Protocol 2 254

Port 22 254

PermitRootLogin yes 255

PasswordAuthentication yes 255

AllowUsers USERNAME 255

Reloading SSH 255

chrooted SFTP access with OpenSSH 256

Binning the FTP service and firewalling the port 258

Providing a secure workspace 258

Deleting users safely 259

Table ofContents

PHP's .ini mini guide 259

Locating your configuration options 259

Making .ini a meany 260

open_basedir 261

Patching PHP with Suhosin 261

Installing Suhosin 262

Isolating risk with SuPHP 262

Installing SuPHP 262

Alternatives to SuPHP 263

Containing MySQL databases 263

Checking for empty passwords 264

Deleting the test database 264

Remote db connections with an SSH tunnel 264

phpMyAdmin: friend or foe? 264

Did we mention backup? 265

Bricking up the doors 265

Ports 101 265

Fired up on firewalls 266

Bog-standard iptables firewall 266

Adding the firewall to the network 268

Quitting superuser 269

Reference for iptables 269

Enhancing usability with CSF 269

Installing CSF 269

CSF as a control panel module 270

Setting up the firewall 271

Error on stopping the firewall 271

CSF from the command line 272

Using CSF to scan for system vulnerabilities 272

Service or disservice? 273

Researching services with Netstat 273

Preparing to remove services 274

Researching services 274

inetd and xinetd super-servers 276

Service watch 276

Disabling services using a service manager 277

Using sysv-rc-conf 277

Deleting unsafe services with harden-servers 278

Closing the port 278

Gatekeeping with TCP wrappers 279

Stockier network stack 280

Summary 281

Table of Contents

Chapter 11: Defense in Depth 283

Hardening the kernel with grsecurity 284

Growling quietly with greater security 284

Controlling user access with RBAC 285

Memory protection with PaX 286

The multi-layered protection model 286

Debian grsecurity from repositories 286

Compiling grsecurity into a kernel 287

Integrity, logs, and alerts with OSSEC 295

Obtaining and verifying the source 295

The installation process 296

Using OSSEC 297

Updating OSSEC 298

Easing analysis with a GUI 298

OSSEC-WUI 298

Splunk 298

Slamming backdoors and rootkits 299

(D)DoS protection with mod_evasive 300

Sniffing out malformed packets with Snort 301

Installing the packages 302

Snort's installation options 302

Ruby on Rails dependencies 302

Creating the web interface 302

Creating a sub-domain using an A record 303

Setting up the virtual host file 303

Creating the database 304

Deploying Ruby on Rails with Passenger 305

Enabling everything 305

Browsing to Snorby 305

Hacking yourself 306

Configuring the network 306

Updating Snort's rule-base 307

Sourcefire Vulnerability Research Team (VRT) 307

Emerging Threats 307

Firewalling the web with ModSecurity 307

Installing mod-security, the Apache module 308

Applying a ruleset 308

Enabling CRS and logging 310

Tuning your ruleset 311

Rulesets and WordPress 311

Updating rulesets 312

ModSecurity resources 312

Summary 312

Table of Contents

Appendix A: Plugins for Paranoia 3_13Anti-malware 313

Backup 314

Content 315

Login 315

Spam 316

SSL 317

Users 317

Appendix B: Don't Panic! Disaster Recovery 319

Diagnosis vs. downtime 319

Securing your users 320

Considering maintenance mode 321

Using a plugin 321

Using a rewrite rule 321

Local problems 323

Server and file problems 323

WordPress problems 324

Incompatible plugins 324

Injected plugins 325

Widgets, third party code and theme problems 325

Fun 'n' frolics with files 326

Deep file scanning 327

Verifying uploads and shared areas 327

Checking htaccess files 328

Pruning hidden users 328

Reinstalling WordPress 329

Some provisos 329

Upload WordPress and plugins 330

Importing a database backup 331

Editing wp-config-sample.php 331

Setting least privileges 331

Sending the clean platform live 331

Changing your passwords 331

Checking your search engine results pages 333

Revisiting WordPress security 333

Appendix C: Security Policy 335

Security policy for somesite.com 335

Aim 336

Goals 336

Table of Contents

Roles and responsibilities 336

Security Manager (SM) 336

System Administrator 336

Site Administrator 336

Site Editors 337

Other roles 337

Network assets 337

PCs and media 337

Routing gear 338

Server 338

Website assets 338

Backup 338

Code updates 338

Database 338

Domain 338

Further policy considerations 339

Appendix D: Essential Reference 341

WordPress 3 Ultimate Security 341

Bloggers and zines 341

Forums 343

Hacking education 343

Linux 344

Macs and Windows 345

Organizations 345

Penetration testing 346

Server-side core documents 347

Toolkits 347

Web browsers 348

WordPress 349

Mailing lists 351

Non-official support 351

Index 353

[xvi]