First of all I thank Packt Publishers for gifting me this great book. For the past few days I have been reading the book and felt I should share my thoughts about it. WordPress 3 Ultimate Security was written by Olly Connelly, who is a freelance content producer, web developer and system administrator. Though the book is more about security in general than just WordPress, the author was successful in presenting it from the WordPress point of view.

Chapters

Chapter 1: So What's the Risk?

Chapter 2: Hack or Be Hacked

Chapter 3: Securing the Local Box

Chapter 4: Surf Safe

Chapter 5: Login Lock-Down

Chapter 6: 10 Must-Do WordPress Tasks

Chapter 7: Galvanizing WordPress

Chapter 8: Containing Content

Chapter 9: Serving Up Security

Chapter 10: Solidifying Unmanaged

Chapter 11: Defense in Depth

In the first two chapters the author describes the risks and challenges in web security and the hacking tools that are commonly used by hackers, crackers and botnets. He also gives an overview of how one can use Google to obtain the required information about a target site. The different phases of attacking a target include Reconnaissance, Scanning, Gain Access, Secure Access and Cover Tracks. The book introduces a set of tools used in each phase and shows how they can be used to check our own systems for vulnerabilities.

The third chapter, Securing the Local Box, discusses how to secure the local Windows machine. Though it was not much of interest to me (in fact I am not a Windows fan), it will be very useful for Mr (below) Average Programmer. I personally recommend not using Windows for open-source application development, unless you are quite sure you are below average.

Going further, we see how to secure the network for safe browsing and data transfer. The discussion on browsers was another interesting section. One thing that I think the author missed is the security issues related to browser extensions/add-ons. Any extension developer can pack malicious code inside an extension that seems useful. Since extensions can access the data entered in web pages, it is a serious issue when one of your extensions captures all your usernames and passwords and sends them to a cracker's database.

The fifth chapter, Login Lock-Down, discusses securing the WordPress login area and the dashboard using SSL as well as .htaccess. He also describes how to secure server access using SSH and SFTP. An intruder can easily attempt a brute-force attack if you use the standard ports for FTP/SFTP, so it is much better to change the default port, not only for FTP but also for phpMyAdmin, which is the most widely used web interface for database management. The introduction to different Apache modules like mod_auth, mod_auth_digest, etc. was interesting for me and I should research this further.

Different backup strategies and methods are covered in chapter 6. The author emphasises the principle of least privilege when it comes to user management. Most users tend to keep the default 'admin' username, which must also be changed, or its privileges reduced.

As we continue, we see how to clean up the WordPress installation for improved security and also for performance. Another thing most users will be interested in is restricting hotlinking of the site's assets. In the last chapter, Defence in Depth, the author describes how to ensure security in the core and gives an introduction to OSSEC, a tool that monitors system configuration and file integrity. Another useful tool, Snort, is also detailed in this chapter.

Summary

This is a must-have book for both system administrators and web developers (not only WordPress developers), for learning about security concerns and for reference. My final rating is 8/10.
