You are previewing WordPress 3 Ultimate Security.
O'Reilly logo
WordPress 3 Ultimate Security

Book Description

WordPress is for everyone and so is this brilliant book on making your site impenetrable to hackers. This jargon-lite guide covers everything from stopping content scrapers to understanding disaster recovery.

  • Know the risks, think like a hacker, use their toolkit, find problems first – and kick attacks into touch

  • Lock down your entire network from the local PC and web connection to the server and WordPress itself

  • Find out how to back up and secure your content and, when it's scraped, know what to do to enforce your copyright

  • Understand disaster recovery and use the best-of-breed tools, code, modules, techniques, and plugins to insure against attacks

  • Learn fast with this easy-read, jargon-light book jam-packed with copy-paste solutions to suit all levels

  • In Detail

    Most likely – today – some hacker tried to crack your WordPress site, its data and content – maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book.

    WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some ""10 Tips ..."" guide. It's ultimate protection – because that's what you need.

    The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable.

    Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.

    This is an essential guide to securing your WordPress site and content, which shows what to do locally, wirelessly, server-side, and with the application to keep the bad guys out.

    Table of Contents

    1. WordPress 3 Ultimate Security
      1. WordPress 3 Ultimate Security
      2. Credits
      3. About the Author
      4. Acknowledgement
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. So What's the Risk?
        1. Calculated risk
        2. An overview of our risk
        3. Meet the hackers
          1. White hat
          2. Black hat
            1. Botnets
            2. Cybercriminals
            3. Hacktivists
            4. Scrapers
            5. Script kiddies
            6. Spammers
            7. Misfits
          3. Grey hat
          4. Hackers and crackers
        4. Physically hacked off
        5. Social engineering
          1. Phone calls
          2. Walk-ins
          3. Enticing URLs
          4. Phishing
          5. Social networking (and so on)
          6. Protecting against social engineering
        6. Weighing up Windows, Linux, and Mac OS X
          1. The deny-by-default permission model
          2. The open source advantage
          3. System security summary
        7. Malwares dissected
          1. Blended threats
          2. Crimeware
          3. Data loggers
            1. At loggerheads with the loggers
          4. Hoax virus
          5. Rootkits
          6. Spyware
          7. Trojan horses
          8. Viruses
          9. Worms
          10. Zero day
        8. World wide worry
          1. Old browser (and other app) versions
          2. Unencrypted traffic
          3. Dodgy sites, social engineering, and phish food
          4. Infected public PCs
          5. Sniffing out problems with wireless
          6. Wireless hotspots
            1. Evil twins
          7. Ground zero
        9. Overall risk to the site and server
          1. Physical server vulnerabilities
          2. Open ports with vulnerable services
          3. Access and authentication issues
            1. Buffer overflow attacks
            2. Intercepting data with man-in-the-middle attacks
            3. Cracking authentication with password attacks
            4. The many dangers of cross-site scripting (XSS)
            5. Assorted threats with cross-site request forgery (CSRF)
            6. Accessible round-up
          4. Lazy site and server administration
            1. Vulnerable versions
            2. Redundant files
            3. Privilege escalation and jailbreak opportunities
            4. Unchecked information leak
              1. Directory traversal attacks
          5. Content theft, SEO pillaging, and spam defacement
            1. Scraping and media hotlinking
            2. Damn spam, rants, and heart attacks
        10. Summary
      9. 2. Hack or Be Hacked
        1. Introducing the hacker's methodology
          1. Reconnaissance
          2. Scanning
          3. Gain access
          4. Secure access
          5. Cover tracks
        2. Ethical hacking vs. doing time
        3. The reconnaissance phase
          1. What to look for
          2. How to look for it
            1. Google hacking
              1. Sites and links
              2. Finding files
              3. Keyword scanning
              4. Phone numbers
            2. More on Google hacking
          3. Scouting-assistive applications
          4. Hacking Google hacking with SiteDigger
          5. WHOIS whacking
        4. Demystifying DNS
          1. Resolving a web address
        5. Domain name security
        6. The scanning phase
          1. Mapping out the network
            1. Nmap: the Network Mapper
              1. Using ping sweeps to map out a network
              2. Checking for open ports on a network device
              3. Checking for vulnerable services on a network device
            2. Secondary scanners
          2. Scanning for server vulnerabilities
            1. Nessus
              1. Creating policies with Nessus
              2. Assessing problems
            2. OpenVAS
            3. GFI Languard
            4. Qualys
            5. NeXpose and Metasploit
          3. Scanning for web vulnerabilities
            1. Wikto
            2. Paros Proxy
            3. HackerTarget
            4. Alternative tools
          4. Hack packs
        7. Summary
      10. 3. Securing the Local Box
        1. Breaking Windows: considering alternatives
        2. Windows security services
          1. Security or Action Center
          2. Windows Firewall
          3. Windows Update
          4. Internet Options
          5. Windows Defender
          6. User Account Control
            1. Configuring UAC in Vista
            2. Configuring UAC in Windows 7
            3. Disabling UAC at the registry (Vista and 7)
            4. UAC problems with Vista Home and Premium
        3. Proactive about anti-malware
          1. The reactionary old guard: detection
            1. Regular antivirus scanners
              1. Signature-based
              2. Heuristics-based
          2. The proactive new guard: prevention
            1. HIPS and behavior scanning
            2. HIPS vs behavior scanners
            3. Sandbox isolation
        4. The almost perfect anti-malware solution
          1. Comodo Internet Security (CIS)
            1. Comodo Firewall
            2. Comodo Antivirus
              1. Scanning by signature
              2. Scanning by heuristics
            3. Comodo Defense+ (HIPS) and sandbox
          2. Pick 'n mix anti-malware modules
          3. Firewall with ZoneAlarm
          4. Antivirus with Avira AntiVir
          5. HIPS + sandbox + firewall with DefenseWall
          6. Behavior scanning with ThreatFire
            1. Updating ThreatFire
            2. Sensitivity Level
            3. System Activity Monitor
          7. Multiple sandboxes with Sandboxie
          8. Advanced sandboxing (and more) with virtual machines
          9. Rootkit detection with GMER and RootRepeal
          10. Malware cleaning with Malwarebytes
          11. Anti-malware product summary
          12. Prevention models and user commitment
        5. Windows user accounts
          1. XP user accounts
          2. Vista and Windows 7 user accounts
        6. Managing passwords and sensitive data
          1. Proper passphrase policy
          2. Password and data managers
            1. Web browser data managers
            2. Future-proofed data management
            3. Why LastPass?
            4. Setting up LastPass
              1. Installing LastPass
              2. Using LastPass
              3. Bolstering LastPass security
              4. LastPass multi-factor authentication
                1. Virtual keyboard
                2. One time passwords
                3. Grid system
                4. YubiKey support
                5. Sesame authentication
            5. Passed out? That's it!
        7. Securing data and backup solutions
          1. Have separate data drives
          2. Encrypting hard drives
          3. Automated incremental backup
          4. Registry backup
        8. Programming a safer system
          1. Patching the system and programs
          2. Binning unwanted software
          3. Disabling clutter and risky Windows services
          4. Disabling XP's Simple File Sharing
        9. Summary
      11. 4. Surf Safe
        1. Look (out), no wires
          1. Alt: physical cable connection
          2. The wireless management utility
          3. Securing wireless
            1. Router password
            2. Changing the SSID
            3. Hiding the SSID
            4. WEP vs. WPA vs. WPA2
            5. WPA2 with AES
            6. AES vs. TKIP
          4. Wireless authentication key
          5. Optional: MAC address filtering
          6. Summing up wireless
        2. Network security re-routed
          1. Swapping firmware
        3. Using public computers it can be done
          1. Booting a Preinstalled Environment (PE)
          2. Secure your browsing
          3. Online applications
          4. Portable applications
          5. Advanced data management and authentication
          6. Covering your tracks
          7. Checking external media
        4. Hotspotting Wi-Fi
          1. Hardening the firewall
          2. Quit sharing
          3. Disabling automatic network detection
          4. Alternative document storage
          5. Encrypted tunnelling with a Virtual Private Network
        5. E-mailing clients and webmail
          1. Remote webmail clients (and other web applications)
            1. Encrypted webmail
            2. Checking your encryption type
            3. Better webmail solutions
            4. Logging out
          2. Local software clients
            1. Keeping the client updated
            2. Instant scanning
            3. Sandboxing clients
          3. Local and remote clients
            1. Plain text or HTML
            2. E-mail encryption and digital signatures with PGP
              1. Encrypting attachments with compression utilities
            3. Your e-mail addresses
            4. Don't become phish food
            5. Beware of spoof addresses
          4. Damn spam
            1. SpamAssassin Trainer
        6. Browsers, don't lose your trousers
          1. Latest versions
          2. Internet Explorer (IE)
          3. Isolating older browsers
          4. Browsers and security
          5. Chrome's USPs (for good and very bad)
          6. Chrome outfoxed
          7. Firefox security settings
            1. The password manager
          8. Extending security
            1. Ad and cookie cullers
              1. AdBlock Plus *
              2. Beef Taco *
              3. BetterPrivacy *
              4. Ghostery
              5. Ad Hacker
            2. FEBE *
            3. LastPass *
            4. Locationbar²
            5. Lock The Text
            6. Anti-scripting attacks
              1. NoScript *
              2. RequestPolicy
            7. SSL certificate checks
              1. Certificate Patrol *
              2. Perspectives *
            8. Web of Trust (WOT) *
        7. Anonymous browsing
          1. Locally private browsing
          2. Online private browsing
            1. Anonymous proxy server
            2. Chained proxies
            3. SSL proxies and Virtual Private Networks (VPNs)
            4. Corporate and private VPNs
            5. Private SOCKS proxy with SSH
        8. Networking, friending, and info leak
          1. Third party apps and short links
        9. Summary
      12. 5. Login Lock-Down
        1. Sizing up connection options
          1. Protocol soup
        2. WordPress administration with SSL
          1. SSL for shared hosts
            1. Shared, server-wide certificates
              1. Letting WordPress know
              2. Logging in
            2. Dedicated, domain-specific certificates
              1. Dedicated IP
              2. Obtaining signed certificates
              3. Setting up a signed certificate
          2. SSL for VPS and dedicated servers
            1. Creating a self-signed certificate
              1. Generating the files
              2. Required Apache modules
              3. Configuring the virtual host file
              4. Alerting WordPress and activating SSL
            2. Using a signed certificate
          3. Testing SSL and insecure pages
          4. SSL reference
        3. SSL and login plugins
        4. Locking down indirect access
          1. Server login
            1. Hushing it up with SSH
            2. Shared hosting SSH request
            3. Setting up the terminal locally
              1. Linux or Mac locally
              2. Windows locally
                1. Setting up Tunnelier
            4. Securing the terminal
              1. Creating keys: Linux or Mac locally
              2. Creating keys: Windows locally
              3. Uploading keys
              4. Using keys from multiple machines
          2. SFTP not FTP
            1. SFTP from the command line
            2. SFTP using S/FTP clients
            3. Connecting up a client
          3. phpMyAdmin login
            1. Safer database administration
          4. Control panel login
        5. Apache modules
          1. IP deny with mod_access
            1. What is my IP?
            2. IP spoofing
          2. Password protect directories
            1. cPanel's Password Protect Directories
          3. Authentication with mod_auth
            1. The htaccess file
              1. A quick shout out to htaccess, bless
            2. The passwd file
            3. Creating and editing password files
            4. Creating group membership
            5. Basically, it's basic
          4. Better passwords with mod_auth_digest
            1. Easily digestible groups
          5. More authentication methods
            1. mod_auth_db and mod_auth_dbm
            2. mod_auth_mysql
            3. mod_auth_pg95
          6. Yet more authentication methods
        6. Summary
      13. 6. 10 Must-Do WordPress Tasks
        1. Locking it down
        2. Backing up the lot
          1. Prioritizing backup
          2. Full, incremental and differential
          3. How and where to backup
            1. Backing up db + files on the web server
            2. Backing up db + files by your web host
            3. Backing up db to (web)mail
            4. Backing up db and/or files to cloud storage
              1. SMEStorage Multi-Cloud WordPress Backup
              2. Automatic WordPress Backup
              3. Updraft
              4. BackWPup
              5. VaultPress
              6. Un-clouding the issue
            5. Backing up files for local Windows users
              1. Installing Cobian as a service
              2. Setting up Tunnelier's FTP-to-SFTP bridge
                1. Setting up the bridge
                2. Saving your profile
              3. Creating the batch files
              4. Testing your batch files
              5. Setting up your first Cobian Backup task
                1. Hooking Tunnelier into Cobian
                2. Opening the bridge
              6. Testing the ruddy thing
            6. Backing up a database to local machines
              1. Dumping the data from a database
              2. Cron the script
              3. Grabbing the data dump for Windows locally
              4. Flushing the dump
            7. Files and db backup for local Mac 'n Linux users
              1. Full backup to local
              2. Full backup remote to remote
              3. Incremental backups to local
              4. Incremental remote-to-remote
            8. Backing up backup!
        3. Updating shrewdly
          1. Think, research, update
          2. Dry run updates
          3. Updating plugins, widgets and other code
          4. The new update panel
        4. Neutering the admin account
          1. The problem with admin
          2. Deleting admin
          3. OK, don't delete admin!
          4. Creating privileged accounts
            1. Private account names and nicknames
            2. Least privilege users
            3. Custom roles
          5. Denying subscriptions
        5. Correcting permissions creep
          1. Pruning permissions at the terminal
          2. Restyling perms with a control panel
          3. 777 permissions
          4. wp-config.php permissions
        6. Hiding the WordPress version
          1. Binning the readme
          2. Cloaking the login page and the version
          3. Silver bullets won't fly
        7. Nuking the wp_ tables prefix
          1. Backing up the database
          2. Automated prefix change
            1. Manual prefix change
          3. Installing WordPress afresh
        8. Setting up secret keys
        9. Denying access to wp-config.php
        10. Hardening wp-content and wp-includes
          1. Extra rules for wp-include's htaccess
          2. Extra rules for wp-content's htaccess
        11. Summary
      14. 7. Galvanizing WordPress
        1. Fast installs with Fantastico ... but is it?
        2. Considering a local development server
          1. Using a virtual machine
        3. Added protection for wp-config.php
          1. Moving wp-config.php above the WordPress root
            1. Less value for non-root installations
        4. WordPress security by ultimate obscurity
          1. Just get on with it
          2. Introducing remove_actions
            1. Blog client references
            2. Feed references
            3. Relational links
          3. Linking relationships thingy
          4. Stylesheet location
          5. Renaming and migrating wp-content
          6. The problem with plugins
          7. The other problem with plugins
          8. Yet another problem with those pesky plugins
          9. Default jQuery files
          10. Themes and things
          11. "Just another WordPress blog"
          12. Ultimate security by obscurity: worth it?
        5. Revisiting the htaccess file
          1. Blocking comment spam
          2. Limiting file upload size
          3. Hotlink protection
          4. Protecting files
          5. Hiding the server signature
          6. Protecting the htaccess file
            1. Hiding htaccess files
            2. Ensuring correct permissions
            3. Adding a deny rule
        6. Good bot, bad bot
          1. Bot what?
          2. Good bot
          3. Bad bot
            1. Bots blitzkrieg
          4. Snaring the bots
            1. Short circuiting bots with htaccess
            2. Bots to trot
              1. The Perishable Press 4G Blacklist
            3. Honey pots
              1. Project Honey Pot
              2. CloudFlare
              3. Bad Behavior
              4. Perishable Press Blackhole for bad bots
        7. Setting up an antimalware suite
          1. Firewall
          2. AntiVirus
        8. More login safeguards
          1. Limit Login Attempts
          2. Scuttle log-in errors
        9. Concerning code
          1. Deleting redundant code
          2. Scrutinize widgets, plugins and third party code
          3. Ditto for themes
          4. Running malware scans and checking compatibility
          5. Routing rogue plugins
        10. Hiding your files
        11. Summary
      15. 8. Containing Content
        1. Abused, fair use and user-friendly
          1. Scraping and swearing
            1. The problem with scrapers
          2. Fair play to fair use
            1. Extending knowledge, generally with non-commercial intent
            2. The public interest
            3. The amount and value of the extracted material
            4. The effect on the current and future worth of the original content
          3. Illegality vs. benefit
          4. A nice problem to have (or better still to manage)
        2. Sharing and collaboration
          1. Sack lawyers, employ creative commons
          2. Site and feed licensing
        3. Protecting content
        4. Pre-emptive defense
          1. Backlink bar none
            1. Tweaking the title
            2. Linking lead content
            3. Reasserting with reference
          2. Binning the bots
          3. Coining a copyright notice
          4. Fielding your feeds
            1. Adding a digi-print footer
            2. Showing only summaries
          5. Preventing media hotlinks
          6. Refusing right-clicks
          7. Watermarking your media
        5. Reactive response
          1. Seeking out scrapers
            1. Investigating the Dashboard
              1. Incoming links
              2. Trackbacks
            2. Investigating the site and server log
            3. Online investigation
              1. Searching with Google
              2. Don't bother with Google Blogs
              3. Using Google Alerts
              4. Copyscape
              5. Feedburner's Uncommon Uses
              6. Plagium
              7. TinEye
            4. Pinpointing scrapers
              1. Run a WHOIS search
        6. Tackling offenders
          1. The cordial approach
          2. The DMCA approach
          3. The jugular approach
          4. The legal approach
            1. Finding the abuse department
        7. Summary
      16. 9. Serving Up Security
        1. .com blogs vs .org sites
        2. Host type analysis
          1. Choices choices ...
          2. Querying support and community
          3. Questions to ask hosting providers
        3. Control panels and terminals
          1. Safe server access
          2. Understanding the terminal
            1. Elevating to superuser permissions
          3. Setting up a panel
        4. Managing unmanaged with Webmin
          1. Installing Webmin
          2. Securing Webmin
        5. Users, permissions, and dangers
          1. Files and users
          2. Ownership and permissions
            1. Translating symbolic to octal notation
            2. Using change mode to modify permissions
              1. WordPress permissions
              2. Permissions case study: super-tight wp-config.php
            3. Using change owner to modify ownership
              1. Owning your files
        6. Sniffing out dangerous permissions
          1. Suspect hidden files and directories
          2. Protecting world-writable files
          3. Scrutinising SUID and SGID files (aka SxID files)
            1. Keeping track of changes with SXID
            2. Cronning SXID
        7. System users
          1. Shared human accounts
          2. Administrative accounts
          3. Deleting user accounts
          4. Home directory permissions
          5. User access
          6. Non-human accounts
        8. Repositories, packages, and integrity
          1. Verifying genuine software
            1. MD5 checksums
            2. GnuPG cryptographic signatures
        9. Tracking suspect activity with logs
          1. Reading the Common Log Format (CLF)
            1. What visitor
            2. What file
            3. From where
            4. What client
          2. Exercising the logged data
            1. Chicken and egg with logging plugins
            2. Legwork for access logs
          3. Logs and hosting types
            1. Checking the authorization log
          4. Securing and parsing logs
            1. Enabling logs
            2. Dynamic logs
            3. Off-site logging
            4. Log permissions
        10. Summary
      17. 10. Solidifying Unmanaged
        1. Hardening the Secure Shell
          1. Protocol 2
          2. Port 22
          3. PermitRootLogin yes
          4. PasswordAuthentication yes
          5. AllowUsers USERNAME
          6. Reloading SSH
        2. chrooted SFTP access with OpenSSH
          1. Binning the FTP service and firewalling the port
          2. Providing a secure workspace
          3. Deleting users safely
        3. PHP's .ini mini guide
          1. Locating your configuration options
          2. Making .ini a meany
            1. open_basedir
        4. Patching PHP with Suhosin
          1. Installing Suhosin
        5. Isolating risk with SuPHP
          1. Installing SuPHP
          2. Alternatives to SuPHP
        6. Containing MySQL databases
          1. Checking for empty passwords
          2. Deleting the test database
          3. Remote db connections with an SSH tunnel
        7. phpMyAdmin: friend or foe?
          1. Did we mention backup?
        8. Bricking up the doors
          1. Ports 101
        9. Fired up on firewalls
          1. Bog-standard iptables firewall
            1. Adding the firewall to the network
            2. Quitting superuser
            3. Reference for iptables
        10. Enhancing usability with CSF
          1. Installing CSF
          2. CSF as a control panel module
          3. Setting up the firewall
          4. Error on stopping the firewall
          5. CSF from the command line
          6. Using CSF to scan for system vulnerabilities
        11. Service or disservice?
          1. Researching services with Netstat
          2. Preparing to remove services
          3. Researching services
          4. inetd and xinetd super-servers
          5. Service watch
          6. Disabling services using a service manager
            1. Using sysv-rc-conf
          7. Deleting unsafe services with harden-servers
          8. Closing the port
        12. Gatekeeping with TCP wrappers
        13. Stockier network stack
        14. Summary
      18. 11. Defense in Depth
        1. Hardening the kernel with grsecurity
          1. Growling quietly with greater security
            1. Controlling user access with RBAC
              1. Second-tier access control
              2. Training the RBAC system with Gradm
            2. Memory protection with PaX
            3. The multi-layered protection model
            4. Debian grsecurity from repositories
            5. Compiling grsecurity into a kernel
              1. Matching the kernel and grsecurity packages
              2. Exporting the version numbers
              3. Verifying the package downloads
              4. Patching the kernel
              5. Xen VPS configuration part 1
              6. Configuring the kernel
              7. grsecurity levels
              8. Kernel level chroot hardening
                1. Properly implemented?
                2. grsecurity and chroot
              9. Using Sysctl support to maximize security settings
              10. Options galore
              11. The kernel executable
              12. Xen VPS configuration part 2
              13. Booting and checking the kernel
              14. Installing Gradm
        2. Integrity, logs, and alerts with OSSEC
          1. Obtaining and verifying the source
          2. The installation process
                1. What kind of installation (server, agent, local, or help)?
                2. Choosing where to install the OSSEC HIDS [/var/ossec]
                3. Configuring the OSSEC HIDS
                4. Do you want to add more IPs to the white list?
                5. Setting the configuration to analyze the following logs
          3. Using OSSEC
          4. Updating OSSEC
          5. Easing analysis with a GUI
            1. OSSEC-WUI
            2. Splunk
        3. Slamming backdoors and rootkits
        4. (D)DoS protection with mod_evasive
        5. Sniffing out malformed packets with Snort
          1. Installing the packages
            1. Snort's installation options
              1. Specifying the network
              2. Point to the database
            2. Ruby on Rails dependencies
          2. Creating the web interface
            1. Creating a sub-domain using an A record
            2. Setting up the virtual host file
          3. Creating the database
          4. Deploying Ruby on Rails with Passenger
          5. Enabling everything
          6. Browsing to Snorby
          7. Hacking yourself
          8. Configuring the network
          9. Updating Snort's rule-base
            1. Sourcefire Vulnerability Research Team™ (VRT)
            2. Emerging Threats
        6. Firewalling the web with ModSecurity
          1. Installing mod-security, the Apache module
          2. Applying a ruleset
            1. Enabling CRS and logging
            2. Tuning your ruleset
            3. Rulesets and WordPress
            4. Updating rulesets
          3. ModSecurity resources
        7. Summary
      19. A. Plugins for Paranoia
        1. Anti-malware
        2. Backup
        3. Content
        4. Login
        5. Spam
        6. SSL
        7. Users
      20. B. Don't Panic! Disaster Recovery
        1. Diagnosis vs. downtime
        2. Securing your users
          1. Considering maintenance mode
            1. Using a plugin
            2. Using a rewrite rule
        3. Local problems
        4. Server and file problems
        5. WordPress problems
          1. Incompatible plugins
          2. Injected plugins
          3. Widgets, third party code and theme problems
          4. Fun 'n' frolics with files
            1. Scrutinizing file changes
            2. Remote file comparison
            3. Local file comparison
            4. Deep file scanning
          5. Verifying uploads and shared areas
          6. Checking htaccess files
          7. Pruning hidden users
        6. Reinstalling WordPress
          1. Some provisos
          2. Upload WordPress and plugins
          3. Importing a database backup
          4. Editing wp-config-sample.php
          5. Setting least privileges
          6. Sending the clean platform live
          7. Changing your passwords
          8. Checking your search engine results pages
          9. Revisiting WordPress security
      21. C. Security Policy
        1. Security policy for somesite.com
          1. Aim
          2. Goals
            1. Somesite.com
            2. Personal Computers
            3. Server
          3. Roles and responsibilities
            1. Security Manager (SM)
            2. System Administrator
            3. Site Administrator
            4. Site Editors
            5. Other roles
          4. Network assets
            1. PCs and media
            2. Routing gear
            3. Server
          5. Website assets
            1. Backup
            2. Code updates
            3. Database
            4. Domain
          6. Further policy considerations
      22. D. Essential Reference
        1. WordPress 3 Ultimate Security
        2. Bloggers and zines
          1. 2600: The Hacker Quarterly
          2. CGISecurity
          3. Darknet
          4. Dark Reading
          5. ha.ckers
          6. KrebsonSecurity
          7. Jeremiah Grossman
          8. Phrack Magazine
        3. Forums
          1. hack in the box
          2. sla.ckers
          3. WindowSecurity
        4. Hacking education
          1. Go Hacking
          2. HackThisSite
          3. Hellbound Hackers
          4. OWASP WebGoat Project
          5. We Chall
          6. YouTube
        5. Linux
          1. Linux Online
          2. Linux Journal
          3. YoLinux
        6. Macs and Windows
          1. Apple Product Security
          2. Microsoft Security
        7. Organizations
          1. OWASP
          2. SANS
          3. SecurityFocus
          4. WASC
          5. Wikipedia
        8. Penetration testing
          1. ISECOM's OSSTM
          2. OWASP Testing Guide
        9. Server-side core documents
          1. Apache HTTP Server Version 2.2 Documentation
          2. Apache: Module Index
          3. MySQL: Security
          4. PHP: Security
        10. Toolkits
          1. SecTools.Org
          2. TREACHERY UNLIMITED
          3. WASC Web Application Security Scanner List
        11. Web browsers
          1. Chrome
          2. Firefox
          3. Internet Explorer
          4. Opera
          5. Safari
          6. Browser Security Handbook
        12. WordPress
          1. Forums
          2. .com support
          3. Codex
          4. News
          5. Planet
          6. Development updates
          7. Trac
          8. Reporting Bugs
          9. Security issues
          10. Plugin Repository Trac
          11. Plugins and themes
          12. Plugins and themes source
          13. Kvetch!
          14. IRC
          15. Mailing lists
          16. Non-official support
            1. LinkedIn WordPress group
            2. WordPress forums
            3. WordPress Tavern