This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
本文是与SiteGround合作创建的系列文章的一部分。 感谢您支持使SitePoint成为可能的合作伙伴。
Website administrators, especially those in smaller businesses or organizations without people dedicated to the job and large IT and web arms, often overlook quite a few basic tenets of website security. This can be quite dangerous in the modern era of not only directed hacking, but the mass scripting attacks carried out against a seemingly endless and random pool of targets. No matter how small and relatively unimportant your site is, it can be a target. And whether you’re the person who developed the site, or just the one managing it, you may not be familiar with a few of these basic tips for website security.
网站管理员,特别是那些没有人专门从事这项工作的大型企业或组织的管理员,以及大型IT和Web部门,通常会忽略很多网站安全的基本原则。 在不仅是直接黑客攻击的现代时代,而且对于看似无休止的随机目标池进行的大规模脚本攻击,这可能是非常危险的。 无论您的网站有多小而且相对不重要,它都可以成为目标。 而且,无论您是开发网站的人,还是仅仅是管理网站的人,您都可能不熟悉网站安全的一些基本技巧。
If you’re an employee who’s been asked to oversee a website and are reading this article, some security considerations might sound difficult, but remember that everything you need to know you can learn. There are plenty of resources out there (including our own SitePoint Premium) that can help you with website development and administration. The important takeaway from this article, I hope, is for you to spend a few moments and really think about your site’s security.
如果您是被要求监督网站并阅读本文的员工,则听起来有些安全方面的考虑可能很困难,但请记住,您需要了解的一切都可以学习。 有很多资源(包括我们自己的SitePoint Premium )可以帮助您进行网站开发和管理。 我希望这篇文章的重要内容是让您花一些时间来真正考虑站点的安全性。
Good password security is one of the most important considerations for your website’s security. As an administrator, you may be responsible for a variety of important passwords. The hosting account management, FTP access, SSH access, MySQL databases, your site’s control panel, WordPress admin panel, etc. All of these need to be different passwords (never re-use a password) and long. Pass phrases are better than passwords in that regard. Complexity helps too, but it should be something that you can remember, or you should use a password manager to assist you.
良好的密码安全性是网站安全的最重要考虑因素之一。 作为管理员,您可能要负责各种重要的密码。 托管帐户管理,FTP访问,SSH访问,MySQL数据库,站点的控制面板,WordPress管理面板等。所有这些都需要使用不同的密码(永远不要重复使用密码)并且要长。 在这方面,密码短语比密码更好。 复杂性也有帮助,但是您应该记住它,或者应该使用密码管理器来帮助您。
Another thing to consider is the access of administrative users to your website. If your organization will require more than one or two users to be administering a site, you should have separate accounts for things like admin panels. Those users should also have different access levels. In terms of content management systems, the users should be limited from website administrative settings, altering other people’s content, or file management, unless they actually require those permissions.
要考虑的另一件事是管理用户对您的网站的访问。 如果您的组织将需要一个或两个以上的用户来管理一个站点,则应该为管理面板等帐户使用单独的帐户。 这些用户还应具有不同的访问级别。 在内容管理系统方面,除非用户实际需要这些权限,否则应该限制用户使用网站管理设置,更改其他人的内容或文件管理。
Having user account levels and separated accounts will help to prevent accidental or malicious damage to your site, and using individual accounts will also help you track and log who makes particular changes, just in case any nefarious activity occurs (or a user is hacked). It will also help with removing users from the organization who leave your company – you can simply and easily deactivate their account without needing to reset shared passwords, if their account is their own.
具有用户帐户级别和分开的帐户将有助于防止对您的网站造成意外或恶意破坏,并且使用单个帐户还可以帮助您跟踪和记录由谁进行特定更改,以防万一发生任何恶意活动(或用户被黑)。 它还将有助于从组织中删除离开公司的用户-如果他们的帐户是自己的,则可以简单轻松地停用他们的帐户,而无需重置共享密码。
The importance of a good backup process can’t be too overstated. A working (that means test it occasionally!) backup system will prevent data loss in the event of negligent actions, faulty coding, bad actors, cataclysmic hardware failure, or acts of nature. Even for small informational sites who aren’t altered often, the lack of a backup can cost a business thousands to have a website rebuilt.
好的备份过程的重要性不能过分夸大。 一个工作正常的备份系统(这意味着需要对其进行偶尔的测试!)将防止在操作失误,编码错误,行为不当,灾难性的硬件故障或自然行为的情况下丢失数据。 即使对于不经常更改的小型信息站点,缺少备份也会使企业重建网站花费成千上万的成本。
Our hosting partner, SiteGround, solved this problem for all their clients by providing them with a free daily backup.
我们的托管合作伙伴SiteGround为他们的所有客户提供了免费的每日备份,从而为他们解决了这个问题。
With the most recent Google requirements for SSL certificates, sites without HTTPS who accept sensitive user information will be labeled insecure by browsers, and perhaps soon all sites without HTTPS will be labelled as such. Because of this, practically every site needs HTTPS, especially those being freshly developed. You’ll be protecting your users’ information, and if your site doesn’t accept sensitive information, you’ll still be providing confidence and peace of mind to your viewers, and with candidates like Let’s Encrypt on the scene, you can do it for free. And if you’re using shared hosting, many hosts such as SiteGround offer Let’s Encrypt certificates for free right from your control panel, making it that much easier to secure your site.
根据Google对SSL证书的最新要求,没有HTTPS的接受敏感用户信息的网站将被浏览器标记为不安全,也许很快所有没有HTTPS的网站都将被标记为不安全。 因此,几乎每个站点都需要HTTPS ,尤其是那些刚开发的站点 。 您将保护用户的信息,并且如果您的网站不接受敏感信息,您仍将为观众提供信心和安心,并且可以在现场使用“ 让我们加密 ”之类的候选人免费。 而且,如果您使用共享主机,则很多主机(例如SiteGround)都可以从控制面板免费提供“让我们加密证书”,这使保护站点更加容易。
Databases are essential to many website platforms now, including most content management systems and sites with users and backends. However, databases also present security risks. If the data is being stored, it’s now vulnerable to access by malicious entities. You’ll want to consider the safety of your databases. Who has access to your site’s control panels, or SSH accounts to your server if you have them, and are their credentials secure? What about the actual databases? Do your database users have appropriate permissions for their own databases? Do they have global permissions that they shouldn’t have? Are their passwords secure?
现在,数据库对于许多网站平台都是必不可少的,包括大多数内容管理系统以及具有用户和后端的网站。 但是,数据库也存在安全风险。 如果正在存储数据,则现在很容易受到恶意实体的访问。 您需要考虑数据库的安全性。 谁可以访问您站点的控制面板,或者谁可以访问您服务器的SSH帐户,并且它们的凭据安全吗? 实际的数据库呢? 您的数据库用户是否对自己的数据库具有适当的权限? 他们是否拥有不应该拥有的全局权限? 他们的密码安全吗?
Additionally, you may want to look at how databases are accessed. Ideally, you can lock down access to UIs like phpMyAdmin to only particular IP addresses, or disallow remote db access altogether, and instead use the command line via SSH, or tools like MySQL Workbench or Sequel Pro instead, limiting the number of vulnerabilities.
此外,您可能希望查看如何访问数据库。 理想情况下,您可以将对诸如phpMyAdmin之类的UI的访问锁定为仅特定IP地址,或者完全禁止远程数据库访问,而是通过SSH使用命令行,或者使用MySQL Workbench或Sequel Pro之类的工具来代替,以限制漏洞的数量。
Another thing you may want to do is set up some sort of service for monitoring website alerts, to get near-instant notifications for downtime, or usage alerts (such as excessive RAM or CPU usage). If you’re using a CMS such as WordPress or Drupal, you can also use security plugins to get security related alerts, hacking attempts, etc. There are plenty of services out there (such as Uptime Robot or Pingdom) to provide you with these kind of alerts, ranging from free up-checks down to paid service packages to get detailed monitoring and reports.
您可能想要做的另一件事是设置某种服务来监视网站警报,以获取有关停机时间或使用率警报(例如过多的RAM或CPU使用率)的近乎即时的通知。 如果您使用的是WordPress或Drupal之类的CMS,还可以使用安全性插件来获取与安全性相关的警报,黑客入侵等。那里有很多服务(例如Uptime Robot或Pingdom )为您提供这些服务各种警报,从免费的向上检查到付费服务包,以获取详细的监控和报告。
These, of course, are just a few reminders and tips. The most important tip is to really change your mindset. Think about these things, and more. Consider vulnerabilities within your organization and without. Consider the level of access your users have. From a development perspective, consider how you’re filtering and validating information that comes directly from website users. How are you de-provisioning accounts for employees who leave your company? Are there any shared credentials that need checked or changed? What about SSH access that might need revoked, or version control systems?
当然,这些只是一些提示和技巧。 最重要的技巧是真正改变您的心态。 想想这些事情,还有更多。 考虑组织内部和外部的漏洞。 考虑用户的访问级别。 从开发角度来看,请考虑如何过滤和验证直接来自网站用户的信息。 您如何为离开公司的员工取消准备帐户? 是否有任何需要检查或更改的共享凭据? 可能需要撤销的SSH访问或版本控制系统呢?
The more you think about these things, the more successful you’ll be at keeping your assets safe. Hopefully this article has at least stirred your thoughts about website security, especially if it’s something you’ve never thought of before. Feel free to leave comments below, if you have more ideas for beginners to consider about security, or a story to tell!
您对这些事情的思考越多,您在确保资产安全方面就越会成功。 希望本文至少引起了您对网站安全性的想法,尤其是如果您从未想到过的话。 如果您对初学者有更多关于安全性的想法或要讲的故事,请随时在下面留下评论。
翻译自: https://www.sitepoint.com/think-about-website-security-as-admin/
