[wp-hackers] [OT] Resources for Defending Against Blog Attacks

Chris Williams chris at clwill.com
Wed Aug 8 21:01:38 GMT 2007


Thank you all for your good input on this.  Lots of things to chew on, many
good resources.

Yes, I'm setting up a dedicated WP server machine.  Just centos, apache,
php, and mysql.  No mail, no X, no nothing.  Locked down /tmp (no execute)
and the like.  Only ports 80 and 22 open.  Checks on outbound port 80. That
kind of thing.

On the DDoS attacks, I'm comfortable that my host will help me here, and I'm
really not driven to distraction over them.  Of course I'll use
mod_security/mod_evasive/fail2ban kinds of things, but a truly distributed
attack will be unfazed by these.  As Sabin notes, server level is really too
late.

My goal for surviving DDoS is to provide a truly speedy page serving
experience.  It will serve both the goal of making the user experience great
(and surviving slashdot/digg/NYT) and make it harder to have an impact on
us.  These attacks are always at the one given page, and with wp-cache it
serves thousands of them a second.  Not a problem.

Even so, we're on our own server.  If the worst that happens is they slow us
to a crawl and we hunker down and survive it, we'll just wait till it
passes.  They'll soon tire.  This approach has worked so far... We survived
a couple of attempts shortly after I set up this approach.  They then
switched tactics.

As for the other stuff, is Nikto the current state of the art in testing my
system?  If I can get a clean bill of health from it can I feel relatively
confident?  Are there other ways/resources I should use to check my
defenses?

Thanks again to all for the excellent advice.
Chris
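
Added example (not part of Chris's message): a small shell audit that checks two of the lockdown items listed above, a noexec /tmp and no listeners other than ports 22 and 80. The function names, the sample data and the `--live` switch are assumptions made for this illustration; loopback-only listeners are treated as not open.

```sh
#!/bin/sh
# Added example: audits the posture from the post (noexec /tmp, only 22/80 open).
ALLOWED_PORTS="22 80"   # from the post: only ports 80 and 22 open

# Succeeds only if the /proc/mounts-format text on stdin shows /tmp as its own
# mount carrying the noexec option (the last /tmp entry wins).
tmp_is_noexec() {
    awk '$2 == "/tmp" { found = 1; ok = 0; n = split($4, o, ",")
                        for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1 }
         END { exit !(found && ok) }'
}

# Reads `ss -ltn` output on stdin and prints, one per line, every TCP port that
# listens on a non-loopback address and is not in ALLOWED_PORTS.
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = substr($4, 1, length($4) - length(port) - 1)
            # Loopback listeners are not reachable remotely: skip them.
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            if (!(port in ok)) print port
        }' | sort -un
}

# Constructed sample data (not taken from any real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      50     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*'

# Pass --live to audit this machine instead of the samples (needs iproute2 ss).
if [ "${1:-}" = "--live" ]; then
    mounts=$(cat /proc/mounts); socks=$(ss -ltn)
else
    mounts=$SAMPLE_MOUNTS; socks=$SAMPLE_SS
fi
printf '%s\n' "$mounts" | tmp_is_noexec && echo "/tmp: noexec" || echo "/tmp: EXEC ALLOWED"
extra=$(printf '%s\n' "$socks" | unexpected_ports)
[ -z "$extra" ] && echo "ports: ok" || echo "unexpected listeners:" $extra
```

Run from cron, a check like this catches drift after package installs or a remount, which an external scanner only sees from the outside.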


