wordpress安全
This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
本文是与SiteGround合作创建的系列文章的一部分。 感谢您支持使SitePoint成为可能的合作伙伴。
With 27% of the web using WordPress, security is the #1 concern for anyone running their website on this mega popular open source platform. Although the security of WordPress core is looked after by a dedicated team of developers, the same cannot be said of all the thousands of third-party plugins and themes that extend WordPress to make it do pretty much anything you want. Just one vulnerable plugin or theme can represent a high risk for millions of sites.
在27%的网络上使用WordPress时 ,对于在这种流行的大型开源平台上运行其网站的任何人来说,安全性都是排名第一的问题。 尽管WordPress核心的安全性由专门的开发人员团队负责,但对于扩展WordPress以使其能够执行几乎任何您想做的事的数千个第三方插件和主题而言,情况却并非如此。 仅有一个易受攻击的插件或主题可能对数百万个站点构成高风险。
Unless you’re using a reliable managed hosting provider that allows auto-updates for your WordPress plugins and runs regular security checkups, like our partner SiteGround, your website’s theme and plugins security is entirely on you.
除非您使用可靠的托管托管服务提供商,该提供商允许您的WordPress插件自动更新并运行常规安全检查,例如我们的合作伙伴SiteGround ,否则您的网站主题和插件安全性完全由您承担。
In this article, I’m going to introduce a few guidelines and WordPress functions you can apply in your WordPress theme development to ensure your products are coded with users’ security at their very core.
在本文中,我将介绍一些可在WordPress主题开发中应用的准则和WordPress函数,以确保您的产品在用户核心安全方面进行了编码。
For dedicated WordPress plugin and theme developers, security is at the top of their mind in every line of code they write.
对于专用的WordPress插件和主题开发人员而言,安全性是他们编写每一行代码的首要考虑。
A serious overall approach to coding safe WordPress themes includes paying attention to the following general principles:
编写安全的WordPress主题的严肃的总体方法包括注意以下一般原则:
Consider all data insecure until proven otherwise
考虑所有数据都是不安全的,除非有其他证明
Use WordPress functions whenever possible. Most WordPress APIs have built-in security mechanisms, which means using them puts your code at a much lower risk of being open to vulnerabilities
尽可能使用WordPress功能 。 大多数WordPress API都具有内置的安全性机制,这意味着使用它们会使您的代码面临的漏洞风险大大降低。
Keep your code up-to-date with the latest technologies and best practices.
使用最新技术和最佳实践来使代码保持最新。
The most common threats you need to watch out for are:
您需要注意的最常见威胁是:
SQL injections: an attacker injects malicious SQL code to take control of a website’s database server
SQL注入 :攻击者注入恶意SQL代码以控制网站的数据库服务器
Cross site scripting (XSS): an attacker injects malicious JavaScript code into a web page
跨站点脚本(XSS) :攻击者将恶意JavaScript代码注入网页
Cross-site Request Forgery (CSRF): an attacker forces users to perform undesired actions on a website where they are authenticated.
跨站点请求伪造(CSRF) :攻击者强迫用户在经过身份验证的网站上执行不良操作。
Web security is always evolving, therefore it’s important to stay current on the latest threats. Where WordPress is concerned, the Sucuri blog is a great place to learn about vulnerabilities and attacks.
Web安全一直在发展,因此,紧跟最新威胁非常重要。 关于WordPress, Sucuri博客是学习漏洞和攻击的好地方。
Before accepting any input data from any source, e.g., users, web services, APIs, etc., you must check that it is what you expect it to be and that it’s valid. This task is called validation.
在接受来自任何来源(例如,用户,Web服务,API等)的任何输入数据之前,必须检查它是否符合您的期望以及它是否有效。 此任务称为验证 。
For instance, if you collect users’ emails via a form on your website, your code needs to check if users have entered some text input (not some number or nothing at all, for example) and that the input corresponds to a valid email address before entering that data into the database.
例如,如果您通过网站上的表单收集用户的电子邮件,则代码需要检查用户是否输入了一些文本输入(例如,没有输入数字或完全没有输入),并且该输入对应于有效的电子邮件地址在将该数据输入数据库之前。
You might think this kind of check would hardly be required in a theme. In fact, forms are better included using a plugin rather than a theme. However, this is not entirely the case. If you plan on adding theme options via the Customizer, for example, you might need to perform some data validation on users’ input.
您可能会认为主题中几乎不需要这种检查。 实际上,最好使用插件而不是主题来包含表单。 但是,事实并非完全如此。 例如,如果您打算通过Customizer添加主题选项,则可能需要对用户输入进行一些数据验证。
Sanitizing consists in filtering or cleaning data coming from users, web services, etc., that it’s about to be stored in the database. During this process, you can remove anything that could be harmful or undesired from the data, e.g., JavaScript statements, special characters, etc.
消毒在于过滤或清洗数据从用户,网络服务等的到来,它的即将被存储在数据库中。 在此过程中,您可以从数据中删除任何有害或有害的内容,例如JavaScript语句,特殊字符等。
Escaping consists in making sure the data is safe to display, e.g., removing special characters, encoding HTML characters, etc. The recommended practice here is to escape as late as possible, just before displaying the data on the screen.
转义包括确保数据可以安全显示,例如,删除特殊字符,对HTML字符进行编码等。建议的做法是在屏幕上显示数据之前尽可能早地转义 。
You’ll need to do a lot of sanitization and escaping in WordPress themes. In fact, to be on the safe side, the best bet is to sanitize/escape all dynamic data, i.e., any data that is not hard-coded in the HTML source.
您需要对WordPress主题进行大量的清理和转义。 实际上,为了安全起见,最好的选择是清理/转义所有动态数据,即,未在HTML源代码中硬编码的任何数据。
You can perform basic validation using a number of handy PHP functions.
您可以使用许多方便PHP函数执行基本验证。
For instance, to check if a variable doesn’t exist or has a value set to false, you can use empty().
例如,要检查变量是否不存在或将值设置为false ,可以使用empty() 。
However, to make validation a breeze, WordPress offers these useful functions.
但是,为了使验证变得轻而易举,WordPress提供了这些有用的功能。
You can check if the data is a valid email address by using the is_email( $email ) function.
您可以使用is_email( $email )函数检查数据是否为有效的电子邮件地址。
For example:
例如:
if ( is_email( 'test@domain.com' ) ) { echo 'valid email address.'; }To check for valid usernames, WordPress makes available username_exists( $username ):
为了检查有效的用户名,WordPress使可用的username_exists( $username ) :
$username = 'testuser'; if ( username_exists( $username ) ): echo "Username exists."; endif;To make sure a tag, category, or other taxonomy term exists, you can use term_exists( $term, $taxonomy = '', $parent = null ):
要确保标签,类别或其他分类术语存在,可以使用term_exists( $term, $taxonomy = '', $parent = null ) :
//check if the category cats exists $term = term_exists('cats', 'category'); if ($term !== 0 && $term !== null) { echo "The 'cats' category exists."; }To ensure a file path is valid (but not if it exists), use validate_file( $file, $allowed_files ):
要确保文件路径有效(但如果存在则无效),请使用validate_file( $file, $allowed_files ) :
$path = 'uploads/2017/05/myfile.php'; // returns 0 (valid path) return validate_file( $path );Using built-in WordPress functions to sanitize and escape data is the quickest and safest way to do the job, therefore make them your first choice.
使用内置的WordPress函数清除和转储数据是完成工作的最快,最安全的方法,因此使它们成为您的首选。
Below are just the functions I find myself using quite a bit when developing WordPress themes.
以下是我在开发WordPress主题时发现自己经常使用的功能。
sanitize_email( $email ) strips the data of all the characters that are not allowed in a valid email address. Here’s an example taken from the Codex entry:
sanitize_email( $email )去除有效电子邮件地址中不允许的所有字符的数据。 这是从Codex条目中获取的示例:
$sanitized_email = sanitize_email(' admin@example.com! '); // will output: admin@example.com echo $sanitized_email;sanitize_option( $option, $value ) sanitizes option values, for instance from a Customizer input, on the basis of the nature of the option. Here’s an example:
sanitize_option( $option, $value )根据选项的性质对选项值(例如来自Customizer输入sanitize_option( $option, $value )清理。 这是一个例子:
sanitize_option( 'admin_email', 'admin@test.com!' );sanitize_text_field( $str ) sanitizes a string provided by the user or a database, but you can use it to sanitize any data you’d like to be just plain text:
sanitize_text_field( $str )清理用户或数据库提供的字符串,但是您可以使用它来清理任何您想要的纯文本数据:
//Output: Heading Title echo sanitize_text_field('<h1>Heading Title</h1>');sanitize_hex_color( $color ) and sanitize_hex_color_no_hash( $color ) work in the context of the WordPress Customizer.
sanitize_hex_color( $color )和sanitize_hex_color_no_hash( $color )在WordPress自定义程序的上下文中工作。
They come really handy when your theme lets users select colors for various website elements.
当您的主题允许用户为各种网站元素选择颜色时,它们非常方便。
The first function validates a hexadecimal color entry prefixed by the # sign, while the second one deals with color data without #.
第一个函数验证以#号为前缀的十六进制颜色输入,而第二个函数处理不带#颜色数据。
Example from WordPress.org’s code reference:
WordPress.org的代码参考示例:
$wp_customize->add_setting( 'accent_color', array( 'default' => '#f72525', 'sanitize_callback' => 'sanitize_hex_color', ) );wp_kses_post( $data ) filters content leaving only allowed HTML tags. This is super useful in the Customizer context in cases where your theme lets users enter some bit of text with HTML formatting:
wp_kses_post( $data )过滤内容,仅保留允许HTML标签。 在主题允许用户以HTML格式输入一些文本的情况下,这在Customizer上下文中非常有用:
function yourtheme_sanitize_html( $input ) { return wp_kses_post( force_balance_tags( $input ) ); }esc_html( $text ) is a simple way of escaping HTML blocks. For instance, if you want to output some text inside HTML tags, to make sure this text doesn’t itself contain any HTML tags or other invalid characters, you can write:
esc_html( $text )是转义HTML块的一种简单方法。 例如,如果要在HTML标记内输出一些文本,以确保该文本本身不包含任何HTML标记或其他无效字符,则可以编写:
<h2><?php echo esc_html( $title ); ?></h2>esc_url( $url ) is great when you want to check and clean a URL, including those inside href and src attributes. For example:
esc_url( $url )非常适合当您要检查和清理URL时,包括href和src属性中的URL。 例如:
<a href="<?php esc_url( 'https://website.com' ); ?>">Awesome website</a>esc_attr( $text ) is used everywhere your theme outputs an HTML attribute dynamically:
esc_attr( $text )用于主题动态输出HTML属性的任何地方:
<a href="<?php echo esc_url( home_url( '/' ) ); ?>" rel="home">You can use esc_textarea( $text ) to escape text users type inside a textarea:
您可以使用esc_textarea($ text)来避免用户在textarea中键入文本:
<textarea><?php echo esc_textarea( $text ); ?></textarea>The awesome resources below have been invaluable for me to really come to grips with writing secure code in WordPress themes:
以下真棒资源对于我真正掌握以WordPress主题编写安全代码的能力非常宝贵:
Theme Security, WordPress.org Theme Handbook
主题安全 ,WordPress.org主题手册
A Guide to Writing Secure Themes, Frank Klein
编写安全主题指南 ,弗兰克·克莱因(Frank Klein)
Sanitizing, Escaping and Validating Data in WordPress, Narayan Prusty
对WordPress中的数据进行消毒,转义和验证 ,Narayan Prusty
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices, Tony Perez
WordPress主题:XSS漏洞和安全编码做法 ,Tony Perez
Writing Secure Plugins and Themes the WordPress Way, Ben Lobaugh.
Ben Lobaugh 用WordPress方式编写安全的插件和主题 。
Alternatively, you can read about how managed hosting providers can help in terms of WordPress security in this handy comparison we’ve put together for you.
另外,您可以在我们为您提供的便捷比较中,了解托管托管服务提供商如何在WordPress安全方面提供帮助。
If you’re interested in theme development in general, you can learn to create a bare-bones theme from scratch in SitePoint’s Build Your First WordPress Theme course:
如果您总体上对主题开发感兴趣,则可以在SitePoint的“ 构建您的第一个WordPress主题”课程中学习从头开始创建准主题。
Loading the player… 正在加载播放器…Security must be at the forefront of all WordPress developers. WordPress gives you a great head start by making available tons of ready-made functions you can plug into your themes.
安全性必须是所有WordPress开发人员的首要任务。 WordPress通过提供大量可插入主题的现成功能,为您提供了一个良好的开端。
Therefore, using WordPress validation and sanitization/escaping functions is the simplest way for you to start coding safe and robust WordPress themes your users will learn to trust.
因此,使用WordPress验证和清理/转义功能是您开始编写用户将学会信任的安全且强大的WordPress主题的最简单方法。
When coding WordPress themes or plugins, how much thought do you give to security? How do you address security concerns?
在编写WordPress主题或插件的代码时,您如何看待安全性? 您如何解决安全问题?
Hit the comment box below to share!
点击下面的评论框分享!
翻译自: https://www.sitepoint.com/safe-wordpress-themes-validation-escaping-functions/
wordpress安全
