Daniel Cuthbert has written a paper on ModSecurity and WordPress. While I praise the work and the effort, I am not sure why they did not find it in themselves to protect the PDF document that they are distributing using some sort of an SHA1 checksum or the like to ensure the integrity of the download. Now I know that these guys know what they are doing but I have a problem with security related papers, help documents, scripts and other items when they cannot be verified with the source and the source itself cannot be verified with the original author of the product.
I have always been a big proponent of mod_security and I think it provides a comprehensive layer of web security without as much overhead. Although I have never thought of WordPress’ security to be as weak as the BlogSecurity folks have claimed it to be. mod_security requires various rules to be put in place for it to filter out malicious activity. This paper goes through some of those generic PHP rules and some specific WordPress based rules for webmasters to add to their mod_security filters.