You are previewing CMS Security Handbook: The Comprehensive Guide for WordPress®, Joomla!®, Drupal™, and Plone®.
O'Reilly logo
CMS Security Handbook: The Comprehensive Guide for WordPress®, Joomla!®, Drupal™, and Plone®

Book Description

Learn to secure Web sites built on open source CMSs

Web sites built on Joomla!, WordPress, Drupal, or Plone face some unique security threats. If you're responsible for one of them, this comprehensive security guide, the first of its kind, offers detailed guidance to help you prevent attacks, develop secure CMS-site operations, and restore your site if an attack does occur. You'll learn a strong, foundational approach to CMS operations and security from an expert in the field.

  • More and more Web sites are being built on open source CMSs, making them a popular target, thus making you vulnerable to new forms of attack

  • This is the first comprehensive guide focused on securing the most common CMS platforms: Joomla!, WordPress, Drupal, and Plone

  • Provides the tools for integrating the Web site into business operations, building a security protocol, and developing a disaster recovery plan

  • Covers hosting, installation security issues, hardening servers against attack, establishing a contingency plan, patching processes, log review, hack recovery, wireless considerations, and infosec policy

CMS Security Handbook is an essential reference for anyone responsible for a Web site built on an open source CMS.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright
  4. Dedication
  5. Credits
  6. About the Author
  7. About the Technical Editor
  8. Acknowledgments
  9. Contents
  10. Introduction
    1. Overview of the Book and Technology
    2. How This Book Is Organized
    3. Who Should Read This Book
    4. Tools You Will Need
    5. Summary
  11. CHAPTER 1: Introduction to CMS Security and Operations
    1. Target Acquired
    2. Operational Considerations
    3. Looking at Your Site Through the Eyes of a Hacker
    4. Steps to Gaining Access to Your Site
    5. Examples of Threats
    6. Reviewing Your Perimeter
    7. How Will You Respond to an Incident?
    8. Summary
  12. CHAPTER 2: Choosing the Right Hosting Company
    1. Types of Hosting Available
    2. Selecting the Right Hosting Option
    3. What to Look for in Web Host Security
    4. Accepting Credit Cards on Your Website
    5. Domain Name System Servers
    6. Hosting Your Own Website Server
    7. Summary
  13. CHAPTER 3: Preventing Problems Before They Start
    1. Choosing an Appropriate CMS for Your Needs
    2. Building It Before You Build It
    3. Performing CMS Installations
    4. Advanced Security After Installation
    5. Cleanup and Verification Before Going Live
    6. Summary
  14. CHAPTER 4: Baselining Your Existing Website
    1. Starting Your Baseline
    2. Identifying Areas of Trouble
    3. Uncovering Hidden Dangers Through Vulnerability Scanning
    4. Remediating Problems
    5. Summary
  15. CHAPTER 5: Hardening the Server Against Attack
    1. Ensuring Secure Passwords
    2. Securely Configuring the Linux Operating System
    3. Securing an Apache Server
    4. Securing SNMP
    5. Configuring PHP for Secure Operation
    6. Checking for Open Ports
    7. Securing FTP Communications Ports
    8. Securing SFTP Communications Ports
    9. Ensuring Secure Logging
    10. Using SSL
    11. Miscellaneous Hardening Tasks
    12. Physically Securing Equipment
    13. Summary
  16. CHAPTER 6: Establishing a Workable Disaster Recovery Plan
    1. Understanding Site and Systems Disaster Planning
    2. Identifying a Basic Backup Policy
    3. Server-Side Backup and Restoration Methods
    4. CMS Backup and Restoration Methods
    5. Considerations for Setting Up Alternative Web Hosts
    6. Additional Considerations
    7. Summary
  17. CHAPTER 7: Patching Process
    1. Understanding the Patching Process
    2. Understanding the Need for the Patching Process
    3. Organizational Requirements
    4. Security Metrics
    5. Monitoring for New Vulnerabilities
    6. Testing for Deployment
    7. Deploying a Patch or Fix
    8. Documenting Your Patches
    9. Patching after a Security Breach
    10. Patching a CMS
    11. Summary
  18. CHAPTER 8: Log Review
    1. Understanding the Need to Retain Logs
    2. Planning for Your Logs
    3. Using Standard Log Files
    4. Using Tools to Assist in Log Analysis
    5. Using Log Rotation
    6. Summary
  19. CHAPTER 9: Hack Recovery
    1. Activating Your Disaster Recovery Plan
    2. Tools for Successful Recovery
    3. Collecting the Information
    4. Procedures for Containment
    5. Crisis Communication to the User Community
    6. Reporting Attack(s) to the ISP of Origin
    7. Summary
  20. CHAPTER 10: Wireless Networks
    1. Determining the Business Need for Wireless Networks
    2. Understanding Threats to Your Wireless Security
    3. Securing the Data in the Air
    4. Employing Adequate Countermeasures
    5. Bluetooth Security Considerations
    6. Summary
  21. CHAPTER 11: Information Security Policy and Awareness
    1. Establishing an Information Security Policy
    2. Social Engineering
    3. Summary
  22. APPENDIX A: Security Tools, Port Vulnerabilities, and Apache Tips
    1. Security Tools
    2. Backdoor Intruders
    3. Apache Status Codes
    4. .htaccess settings
  23. APPENDIX B: Acronyms and Terminology
  24. Index