I know that being open source does not necessarily makes a program more/less secure than closed source (let's assume this neutrality, to keep flames out of this post). Fact is: since the source code is open, everybody knows your defaults urls, default administrator logins, etc.
I'm using Wordpress and Joomla in some projects of my clients, and I always try to create some kind of additional security. Excluding always updating your files to latest version, what do you usually do to add more security in this scenario? Some of my thoughts:
I always change the "admin" name when applicable;
I would like to don't explicity say which technologies I'm using, but since I want to promote the cms (I think is the minimal I should do), I just don't say the exact version so attackers don't know which exact vulnerabilities they can attack (wordpress automatically creates a meta tag in html saying "Wordpress 2.8.4" for example);
Set correct permissions in directories, and bash scripts in my server that run everyday at 0h setting 755 to directories I may have changed to 775 during the day and forgot to turn back;
When applicable, I set apache configuration to limit ips.
What else should I try to do? What "out of the box" solutions do you usually do to your installations?
Using something like the mod_security
or mod_evasive
Apache's modules can be an idea too -- I suppose they require some configuration, though ; and you should test you website still works OK before using those on your production server.
As they are Apache's modules, it also requires you can install new Apache's module -- which means you have to be admin of the server.
On a pure PHP-level, there is a tool called PHP-IDS ; quoting its website :
PHPIDS (PHP-Intrusion Detection
System) is a simple to use, well
structured, fast and state-of-the-art
security layer for your PHP based web
application. The IDS neither strips,
sanitizes nor filters any malicious
input, it simply recognizes when an
attacker tries to break your site and
reacts in exactly the way you want it
to. Based on a set of approved and
heavily tested filter rules any attack
is given a numerical impact rating
which makes it easy to decide what
kind of action should follow the
hacking attempt. This could range from
simple logging to sending out an
emergency mail to the development
team, displaying a warning message for
the attacker or even ending the user’s
session.
I suppose you could "plug" it in front of the CMS you are using, by adding a couple of lines to its entry point -- if there is a common entry point you can identify, or some file that's included once at the beginning of each page.
There is a "How to use it in my application?" entry in the FAQ.
And, like you said, securing your server is nice : no remote SQL access, for instance ; checking the provileges of each user on the system, too ; keeping your software up to date, ...
If you're super paranoid, would be to setup the application in a sandbox and have apache proxy over to it. But that's pretty much over-kill unless you have a lot of sensitive data and/or are truly paranoid and/or have been broken into before.
If the application allows it changing the admin path is generally a good idea too. For example, it's pretty easy with a search-replace to change Wordpresses default admin from /wp-admin to something else entirely (like /my-admin for example). This isn't always possible though.
You'll also want to thoroughly check any user roles and permissions that can be set with in the application its self. For example, Drupal has a pretty robust user access system. But you need to make sure you don't give any users access they don't
Other things include disabling, or deleting, any modules/extensions/plugins that are not 100% necessary to the operation of the system. Personally checking all MySQL users to make sure no one can connect to the server remotely. You can also setup a chroot jail for all users on the server (except root of course) so they're locked into a directory and can't get out of it.
See Hardening Wordpress and Hardening Wordpress with htaccess at the wordpress.org codex.
In Wordpress, put this
function remove_header_info() {
remove_action('wp_head', 'wp_generator');
}
add_action('init', 'remove_header_info');
in the theme's functions.php file to remove the WP version from being output by wp_head in header.php.
In Joomla, I would change the database prefix to something different to jos_ .
I've found two interesting links that can add information about Wordpress.
This first one is from Wordpress blog itself, saying that you should always keep your installation up to date with all the security fixes.
The second one is a great list from a lot of steps (from configuration to pugins) that I believe is really well written and with a lot of interesting advices (it's divided in two parts).