Chapter 11. Defense in Depth
The server's looking preened, huh? It is, pretty much. You may be tempted to skip this chapter. Hackers, you can be sure, hope you will.
For those of us with got-root responsibility, maybe on a VPS or dedicated box, the reality is that all we've enabled so far is a zero day waiting to happen.
That's not to say the safeguards to date have been a waste of time. Hardly! It is to say that, to give WordPress the best chance of surviving an unforeseen attack, we need to implement a multi-faceted protective solution. Basically, we need to cover the angles.
Welcome to security's deep end. Fortunately, we've got life rafts:
grsecurity's mega-patch culls exploits, restricts users, and hardens the kernel
OSSEC's Host-based Intrusion Detection System (HIDS) checks system and file changes, finds rootkits, blocks attacks, and manages our many log files
Snort's Network Intrusion Detection System (NIDS) sniffs out bad packets
chkrootkit and Rootkit Hunter stalk rootkits, backdoors...
