CMS Security Handbook : The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone.
Title:
CMS Security Handbook : The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone.
Author:
Canavan, Tom.
ISBN:
9781118091746
Edition:
1st ed.
Physical Description:
1 online resource (456 pages)
Contents:
Introduction
Chapter 1 Introduction to CMS Security and Operations: Target Acquired -- Operational Considerations -- Educating Your Employees and End Users -- Raising Security Awareness -- Training on Information Security Policies -- Providing a Standard Protocol for Threat Reporting -- Ensuring E-mail Security -- Applying Patches and Updates -- Being Aware and Staying Safe -- Looking at Your Site Through the Eyes of a Hacker -- Steps to Gaining Access to Your Site -- Researching -- Googling Away -- Using Google Hacking Tools (Dorks) -- Footprinting -- Using NMAP for Nefarious Means -- Using Traceroute -- Finding Subdomains -- Enumeration -- Attacking and Owning the Site -- Wiping Out Their Tracks -- Examples of Threats -- Social Engineering -- Calling into Your Office -- Sending in a Trusted Friend -- Using USB Keys -- Indiscriminate Browsing or Instant Messaging -- External Media -- Vendors or External Clients/Customers as the Threat -- Reviewing Your Perimeter -- Using Virus Protection -- Banning Passwords on Desks -- Enforcing a Password Complexity and Change Policy -- Policing Open Wireless -- Tools for Wireless Detection -- How Will You Respond to an Incident? -- Does Your Plan Exist? -- Is the Plan Up to Date? -- Where Are Your Backup Tapes, Disks, and USBs? -- Summary
Chapter 2 Choosing the Right Hosting Company: Types of Hosting Available -- Shared Hosting -- Virtual Private Server (VPS) -- Dedicated Server -- Cloud Hosting -- Security of Data in a Cloud -- Selecting the Right Hosting Option -- Budget Considerations -- Determining the Appropriate Server Size -- Case 1: Light Website Traffic (Shared Hosting) -- Case 2: Medium Website Traffic (VPS) -- Case 3: Heavy Website Traffic -- Using Backups -- What to Look for in Web Host Security -- Physical Security -- Glass Windows -- Flooding -- Signs -- People -- Dumpster Diving and Social Engineering -- Breach Response -- Terrorists -- Access to Equipment -- Water Detection -- Fire Suppression -- Emergency Procedures -- Disaster Recovery and Business Continuity -- Cyber Security -- Firewalls and Intrusion Detection -- Log File Auditing -- Spam, Virus Scanning, and Prevention -- Patching for Weaknesses -- VoIP -- Web Servers -- Environmental Support -- Network Redundancy -- Electrical Service -- Technical Support -- Emergency Planning for the Host -- Location of the Host's Data Center -- Processes -- Backups -- Offsite Procedures -- Accepting Credit Cards on Your Website -- Understanding PCI -- PCI Terminology -- Becoming PCI Certified -- Installing an SSL Certificate -- Testing by ASV -- Choosing a Shopping Cart -- Storing Data Securely -- PCI Vulnerability Management Plan -- Avoiding Common ASV Testing Pitfalls -- After Certification -- Domain Name System Servers -- Understanding DNS -- Threats to DNS -- DNS (Name Server) Failure -- Zone Transfers -- Lack of Patching DNS Servers -- DNS Poisoning -- Hosting Your Own Website Server -- Getting Ready -- Making Your Shopping List -- Choosing an Operating System -- Ensuring Security -- Patching -- Summary
Chapter 3 Preventing Problems Before They Start: Choosing an Appropriate CMS for Your Needs -- Making the Right Business Decisions -- Joomla! -- Drupal -- WordPress -- Plone -- Which CMS Offers the Best Security? -- Four Factors to Consider from a Business Point of View -- Considering Development Costs -- Considering Support -- Building It Before You Build It -- Developing on a Server -- Developing on a Desktop -- Performing CMS Installations -- Installing Joomla! 1.5 -- Installing Joomla! 1.6 -- Installing Drupal -- Post Install -- Permissions -- Drupal 7 -- Installing Plone -- Basic Zope Installation -- Other Resources -- Installing WordPress -- Optional Security Plug-in for WordPress -- Shared Hosting -- Advanced Security After Installation -- Cleanup and Verification Before Going Live -- Summary
Chapter 4 Baselining Your Existing Website: Starting Your Baseline -- Taking Inventory -- Documentation -- CMS -- Network -- Server -- Desktops -- Knowing When to Run Your Baseline -- Identifying Areas of Trouble -- Checking the Operating System and Add-ons -- Checking Third-Party Add-ons for Your CMS -- Joomla! -- Drupal -- Plone -- WordPress -- Understanding Hardware Vulnerabilities -- Network Gear -- Printers -- Uncovering Hidden Dangers Through Vulnerability Scanning -- Using the Nmap Tool -- Installing Nmap -- Using Nmap -- Using the Nessus Tool -- Setting Up and Running Nessus -- Interpreting the Results -- Using Virus Scanning Tools -- Remediating Problems -- Categorizing and Prioritizing Issues -- Patching Security Holes -- Reporting Problems to the Hosting Company -- Summary
Chapter 5 Hardening the Server Against Attack: Ensuring Secure Passwords -- Shadow Password File -- Expiring Passwords -- Spotting Default Passwords -- Securely Configuring the Linux Operating System -- Changing the Login Banner -- Using yum -- Basic yum Commands -- Updating the Server Using yum -- The Debian Distribution -- Setting File Permissions -- Permissions Represented as Octal Numbers -- Critical Password Files -- World-Writeable -- Unauthorized SUID/SGID System Executable Files -- Orphan Files -- Reviewing Disk Access -- Disabling Unneeded Services -- Securing an Apache Server -- Configuring Apache for Secure Operation -- Disabling or Setting Up Proper Services -- ModSecurity -- Securing SNMP -- Configuration -- Disabling -- Configuring PHP for Secure Operation -- suPHP -- phpinfo -- PhpSecInfo -- php.ini -- Checking for Open Ports -- Securing FTP Communications Ports -- Hazards of FTP -- Firewalls -- Remote Command Execution -- Bounce Attack -- Privacy -- Protecting Usernames -- Common FTP Mistakes -- Anonymous FTP -- Weak Passwords -- Misconception of Security -- Exploring Alternative Versions of FTP -- Using VSFTP -- Using Pure-FTPd -- Securing SFTP Communications Ports -- Ensuring Secure Logging -- VSFTP Logging -- Syslog -- Access Logs -- Security Logs -- Using cPanel -- Using logrotate -- Security of the Log Files -- Using SSL -- Understanding How SSL Works -- Understanding When to Use SSL -- Obtaining a Certificate -- Creating Self-Sign Certificates -- Installing a Certificate -- Working with Your Hosting Company -- Installing an SSL Certificate Yourself -- Miscellaneous Hardening Tasks -- Packet Sniffing -- Securing SMTP -- Zone Transfers -- Physically Securing Equipment -- Summary
Chapter 6 Establishing a Workable Disaster Recovery Plan: Understanding Site and Systems Disaster Planning -- Defining a Disaster -- Time Considerations -- Cost Considerations -- Formulating Your Contingency Plan -- Determining Responsibilities -- Mapping Your IT Assets -- Assessing Risks -- Establishing Plan Objectives -- Determining Data Value -- Drafting the Initial Plan -- Involving the Team -- Defining Team Roles -- Testing Your Plan -- Performing a Desktop Test -- Using a Phased Approach -- Conducting a Live Test -- Performing a Post-Test Review -- Anticipating the Unexpected -- Identifying a Basic Backup Policy -- Server-Side Backup and Restoration Methods -- Using cPanel -- Using the Command Line Method -- Backing Up the Database -- Restoring the Database -- Compressing the Files -- Restoring the Files -- CMS Backup and Restoration Methods -- Joomla! Backup and Restoration -- Requirements -- Configuration -- Backups -- Cloud Storage -- Restoration -- WordPress Backup and Restoration -- Requirements -- Configuration -- Backups -- Restoration -- Plone Backup and Restoration -- Requirements -- Configuration -- Backups -- Restoration -- Drupal Backup and Restoration -- Requirements -- Configuration -- Backups -- Restoration -- Snapshots in Drupal -- Considerations for Setting Up Alternative Web Hosts -- Additional Considerations -- E-mail System -- Where Does Your DNS Live? -- Planning for Lost, Damaged, or Dated Equipment -- Local Equipment -- Summary
Chapter 7 Patching Process: Understanding the Patching Process -- Understanding the Need for the Patching Process -- Organizational Requirements -- Medium to Large Organization -- Creating a Team -- Creating Patching Standards -- Assessing Threats -- Using a Threat Matrix -- Single-Person Business -- Security Metrics -- Determining What to Measure -- Susceptibility to Attack -- Response Time -- Costs Associated with Each Patch -- Eliminating Known Vulnerabilities from the Start -- Monitoring for New Vulnerabilities -- Sources of Information Regarding Patches -- Commercial Services -- Testing for Deployment -- Obtaining Safe Patches -- Deploying a Patch or Fix -- Distributing a Patch to Your Administrators -- Documenting Your Patches -- Patching after a Security Breach -- Issues and Concerns -- Rootkits -- Viruses -- Code Tampering -- Monitoring for Unauthorized Changes -- Patching a CMS -- Joomla! -- Minor Version Patches -- Full Update Files -- Conducting the Update -- Updating Extensions -- WordPress and Its Plug-ins -- Drupal -- Updating the Drupal Core -- Updating the Core with Drupal 7 -- Updating Drupal Modules -- Plone -- Before You Start -- Updating the Core and Add-Ons -- Add-On Updates -- Summary
Chapter 8 Log Review: Understanding the Need to Retain Logs -- Planning for Your Logs -- Developing a Retention Policy -- Who Does What and When? -- Determining Where to Store Logs -- Responding to an Incident.
Abstract:
Learn to secure Web sites built on open source CMSs. Web sites built on Joomla!, WordPress, Drupal, or Plone face some unique security threats. If you're responsible for one of them, this comprehensive security guide, the first of its kind, offers detailed guidance to help you prevent attacks, develop secure CMS-site operations, and restore your site if an attack does occur. You'll learn a strong, foundational approach to CMS operations and security from an expert in the field.

More and more Web sites are being built on open source CMSs, making them a popular target and thus making you vulnerable to new forms of attack. This is the first comprehensive guide focused on securing the most common CMS platforms: Joomla!, WordPress, Drupal, and Plone. It provides the tools for integrating the Web site into business operations, building a security protocol, and developing a disaster recovery plan. It covers hosting, installation security issues, hardening servers against attack, establishing a contingency plan, patching processes, log review, hack recovery, wireless considerations, and infosec policy.

CMS Security Handbook is an essential reference for anyone responsible for a Web site built on an open source CMS.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.