Recommended practices to pass security audit

Is there any place where these are documented? We have to pass a security check before our central computing will let the server be visible to the world and the process is normally pretty painful.

Things that I know aren't kosher in their eyes that go with the default installation include the world-writable directories and not forcing SSL for all logins.

These were easy changes, but I was wondering what other things I should do before letting them take a look at it?

I can't think of any other specific advice to give you up front.

The SSL setting is the one really obvious change to make, assuming that your server setup supports it, and you've already done that.

In running "find . -perm -o=w ! -type l -ls" from the Omeka base directory, I didn't see any Other-writable directories. Was that fixed in an Omeka update since the version to which banerjek was referring (as the post is from a few months ago), or am I misunderstanding what he or she meant with regard to world writeability?

(Unless I already chmod-ed out such a write permission a while back and have forgotten I did so.)
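An audit and cleanup helper built around the find expression quoted above, added here as an example (it is not code from the post or from Omeka). It takes the install directory as an argument; the "files" and "application" paths in the comments are assumed names, and any directory layout used to try it out is constructed.

```sh
#!/bin/sh
# Audit an Omeka install tree for "other"-writable files and directories.
# Same expression as in the post: -perm -o=w selects entries writable by
# "other", and ! -type l skips symlinks (their mode bits are meaningless
# and usually show up as 777, which would give false positives).

# Print every other-writable path under $1, one per line, excluding symlinks.
list_other_writable() {
    find "$1" -perm -o=w ! -type l -print 2>/dev/null
}

# Return the number of other-writable entries under $1 (tr strips the
# leading spaces that some wc implementations emit).
count_other_writable() {
    list_other_writable "$1" | wc -l | tr -d ' '
}

# Drop only the "other" write bit from everything under $1. Owner and group
# permissions are left alone, so a group-writable upload directory (e.g. an
# assumed files/ folder shared with the web server's group) keeps working.
remove_other_write() {
    find "$1" ! -type l -perm -o=w -exec chmod o-w {} +
}

# Exit status 0 if the tree is clean, 1 if any other-writable entry remains.
# The offending paths are listed on stderr so the report can be kept.
audit_tree() {
    n=$(count_other_writable "$1")
    if [ "$n" -ne 0 ]; then
        echo "audit: $n other-writable path(s) under $1:" >&2
        list_other_writable "$1" >&2
        return 1
    fi
    echo "audit: no other-writable paths under $1" >&2
    return 0
}
```

Run `audit_tree /path/to/omeka` before the review, and `remove_other_write /path/to/omeka` to clean up; re-run the audit afterwards to confirm it returns 0.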

Omeka's never actually had things marked as world-writable out of the package. Some older versions of the documentation were a little less specific about the ways you could set up permissions for things like the files folder, and gave a catch-all suggestion of world-writability.

I assume that's what the original post here was referring to.