WordPress 3 Ultimate Security.
Title:
WordPress 3 Ultimate Security.
Author:
Connelly, Olly.
ISBN:
9781849512114
Personal Author:
Edition:
1st ed.
Physical Description:
1 online resource (538 pages)
Contents:
WordPress 3 Ultimate Security -- Table of Contents -- WordPress 3 Ultimate Security -- Credits -- About the Author -- Acknowledgement -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers and more -- Why Subscribe? -- Free Access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the example code -- Errata -- Piracy -- Questions -- 1. So What's the Risk? -- Calculated risk -- An overview of our risk -- Meet the hackers -- White hat -- Black hat -- Botnets -- Cybercriminals -- Hacktivists -- Scrapers -- Script kiddies -- Spammers -- Misfits -- Grey hat -- Hackers and crackers -- Physically hacked off -- Social engineering -- Phone calls -- Walk-ins -- Enticing URLs -- Phishing -- Social networking (and so on) -- Protecting against social engineering -- Weighing up Windows, Linux, and Mac OS X -- The deny-by-default permission model -- The open source advantage -- System security summary -- Malwares dissected -- Blended threats -- Crimeware -- Data loggers -- At loggerheads with the loggers -- Hoax virus -- Rootkits -- Spyware -- Trojan horses -- Viruses -- Worms -- Zero day -- World wide worry -- Old browser (and other app) versions -- Unencrypted traffic -- Dodgy sites, social engineering, and phish food -- Infected public PCs -- Sniffing out problems with wireless -- Wireless hotspots -- Evil twins -- Ground zero -- Overall risk to the site and server -- Physical server vulnerabilities -- Open ports with vulnerable services -- Access and authentication issues -- Buffer overflow attacks -- Intercepting data with man-in-the-middle attacks -- Cracking authentication with password attacks -- The many dangers of cross-site scripting (XSS).

Assorted threats with cross-site request forgery (CSRF) -- Accessible round-up -- Lazy site and server administration -- Vulnerable versions -- Redundant files -- Privilege escalation and jailbreak opportunities -- Unchecked information leak -- Directory traversal attacks -- Content theft, SEO pillaging, and spam defacement -- Scraping and media hotlinking -- Damn spam, rants, and heart attacks -- Summary -- 2. Hack or Be Hacked -- Introducing the hacker's methodology -- Reconnaissance -- Scanning -- Gain access -- Secure access -- Cover tracks -- Ethical hacking vs. doing time -- The reconnaissance phase -- What to look for -- How to look for it -- Google hacking -- Sites and links -- Finding files -- Keyword scanning -- Phone numbers -- More on Google hacking -- Scouting-assistive applications -- Hacking Google hacking with SiteDigger -- WHOIS whacking -- Demystifying DNS -- Resolving a web address -- Domain name security -- The scanning phase -- Mapping out the network -- Nmap: the Network Mapper -- Using ping sweeps to map out a network -- Checking for open ports on a network device -- Checking for vulnerable services on a network device -- Secondary scanners -- Scanning for server vulnerabilities -- Nessus -- Creating policies with Nessus -- Assessing problems -- OpenVAS -- GFI Languard -- Qualys -- NeXpose and Metasploit -- Scanning for web vulnerabilities -- Wikto -- Paros Proxy -- HackerTarget -- Alternative tools -- Hack packs -- Summary -- 3. Securing the Local Box -- Breaking Windows: considering alternatives -- Windows security services -- Security or Action Center -- Windows Firewall -- Windows Update -- Internet Options -- Windows Defender -- User Account Control -- Configuring UAC in Vista -- Configuring UAC in Windows 7 -- Disabling UAC at the registry (Vista and 7) -- UAC problems with Vista Home and Premium.

Proactive about anti-malware -- The reactionary old guard: detection -- Regular antivirus scanners -- Signature-based -- Heuristics-based -- The proactive new guard: prevention -- HIPS and behavior scanning -- HIPS vs behavior scanners -- Sandbox isolation -- The almost perfect anti-malware solution -- Comodo Internet Security (CIS) -- Comodo Firewall -- Comodo Antivirus -- Scanning by signature -- Scanning by heuristics -- Comodo Defense+ (HIPS) and sandbox -- Pick 'n mix anti-malware modules -- Firewall with ZoneAlarm -- Antivirus with Avira AntiVir -- HIPS + sandbox + firewall with DefenseWall -- Behavior scanning with ThreatFire -- Updating ThreatFire -- Sensitivity Level -- System Activity Monitor -- Multiple sandboxes with Sandboxie -- Advanced sandboxing (and more) with virtual machines -- Rootkit detection with GMER and RootRepeal -- Malware cleaning with Malwarebytes -- Anti-malware product summary -- Prevention models and user commitment -- Windows user accounts -- XP user accounts -- Vista and Windows 7 user accounts -- Managing passwords and sensitive data -- Proper passphrase policy -- Password and data managers -- Web browser data managers -- Future-proofed data management -- Why LastPass? -- Setting up LastPass -- Installing LastPass -- Using LastPass -- Bolstering LastPass security -- LastPass multi-factor authentication -- Virtual keyboard -- One time passwords -- Grid system -- YubiKey support -- Sesame authentication -- Passed out? That's it! -- Securing data and backup solutions -- Have separate data drives -- Encrypting hard drives -- Automated incremental backup -- Registry backup -- Programming a safer system -- Patching the system and programs -- Binning unwanted software -- Disabling clutter and risky Windows services -- Disabling XP's Simple File Sharing -- Summary -- 4. Surf Safe -- Look (out), no wires.

Alt: physical cable connection -- The wireless management utility -- Securing wireless -- Router password -- Changing the SSID -- Hiding the SSID -- WEP vs. WPA vs. WPA2 -- WPA2 with AES -- AES vs. TKIP -- Wireless authentication key -- Optional: MAC address filtering -- Summing up wireless -- Network security re-routed -- Swapping firmware -- Using public computers - it can be done -- Booting a Preinstalled Environment (PE) -- Secure your browsing -- Online applications -- Portable applications -- Advanced data management and authentication -- Covering your tracks -- Checking external media -- Hotspotting Wi-Fi -- Hardening the firewall -- Quit sharing -- Disabling automatic network detection -- Alternative document storage -- Encrypted tunnelling with a Virtual Private Network -- E-mailing clients and webmail -- Remote webmail clients (and other web applications) -- Encrypted webmail -- Checking your encryption type -- Better webmail solutions -- Logging out -- Local software clients -- Keeping the client updated -- Instant scanning -- Sandboxing clients -- Local and remote clients -- Plain text or HTML -- E-mail encryption and digital signatures with PGP -- Encrypting attachments with compression utilities -- Your e-mail addresses -- Don't become phish food -- Beware of spoof addresses -- Damn spam -- SpamAssassin Trainer -- Browsers, don't lose your trousers -- Latest versions -- Internet Explorer (IE) -- Isolating older browsers -- Browsers and security -- Chrome's USPs (for good and very bad) -- Chrome outfoxed -- Firefox security settings -- The password manager -- Extending security -- Ad and cookie cullers -- AdBlock Plus * -- Beef Taco * -- BetterPrivacy * -- Ghostery -- Ad Hacker -- FEBE * -- LastPass * -- Locationbar2 -- Lock The Text -- Anti-scripting attacks -- NoScript * -- RequestPolicy -- SSL certificate checks.

Certificate Patrol * -- Perspectives * -- Web of Trust (WOT) * -- Anonymous browsing -- Locally private browsing -- Online private browsing -- Anonymous proxy server -- Chained proxies -- SSL proxies and Virtual Private Networks (VPNs) -- Corporate and private VPNs -- Private SOCKS proxy with SSH -- Networking, friending, and info leak -- Third party apps and short links -- Summary -- 5. Login Lock-Down -- Sizing up connection options -- Protocol soup -- WordPress administration with SSL -- SSL for shared hosts -- Shared, server-wide certificates -- Letting WordPress know -- Logging in -- Dedicated, domain-specific certificates -- Dedicated IP -- Obtaining signed certificates -- Setting up a signed certificate -- SSL for VPS and dedicated servers -- Creating a self-signed certificate -- Generating the files -- Required Apache modules -- Configuring the virtual host file -- Alerting WordPress and activating SSL -- Using a signed certificate -- Testing SSL and insecure pages -- SSL reference -- SSL and login plugins -- Locking down indirect access -- Server login -- Hushing it up with SSH -- Shared hosting SSH request -- Setting up the terminal locally -- Linux or Mac locally -- Windows locally -- Setting up Tunnelier -- Securing the terminal -- Creating keys: Linux or Mac locally -- Creating keys: Windows locally -- Uploading keys -- Using keys from multiple machines -- SFTP not FTP -- SFTP from the command line -- SFTP using S/FTP clients -- Connecting up a client -- phpMyAdmin login -- Safer database administration -- Control panel login -- Apache modules -- IP deny with mod_access -- What is my IP? -- IP spoofing -- Password protect directories -- cPanel's Password Protect Directories -- Authentication with mod_auth -- The htaccess file -- A quick shout out to htaccess, bless -- The passwd file -- Creating and editing password files.

Creating group membership.
Abstract:
Protect your WordPress site and its network.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.