wordpress汉化技巧
WordPress has often been seen as the unofficial scapegoat to blame various security breaches on. Like many other popular web applications, WordPress is an attractive target for attack. Obviously, the security in WordPress, as with any application, needs to be put into context. Luckily, WordPress benefits from a wide variety of security configuration options and third party plugins to help satisfy those who are looking to increase their overall security.
WordPress通常被视为将各种安全漏洞归咎于非官方的替罪羊。 像许多其他流行的Web应用程序一样,WordPress是有吸引力的攻击目标。 显然,与任何应用程序一样,WordPress中的安全性需要放在上下文中。 幸运的是,WordPress受益于各种安全配置选项和第三方插件,可帮助满足那些希望提高整体安全性的人们的需求。
In this article, I’m going to add to Tim Carr’s 10 Tips to Secure WordPress with even more ways you can help secure your site, starting prior to the WordPress installation.
在本文中,我将在安装WordPress之前,添加Tim Carr的“ 保护WordPress的10条技巧”,以及更多帮助您保护网站的方法 。
Before starting the WordPress installation, be sure that your computer is malware/virus free. It might sound obvious, but it’s critical that your system is free of malware and in a trusted state.
在开始安装WordPress之前,请确保您的计算机没有恶意软件/病毒。 听起来似乎很明显,但是至关重要的是,您的系统必须没有恶意软件,并处于受信任的状态。
If your computer is infected, every security related measure of yours could be futile. It is suggested to protect your systems with antivirus, to keep all the malware and viruses at bay.
如果您的计算机被感染,则与您的所有安全性相关的措施可能都是徒劳的。 建议使用防病毒软件保护您的系统,以防止所有恶意软件和病毒。
The WordPress core files can happily exist in another location, other than the root directory. This technique is often debated, so your mileage may vary. Scanners and attackers can still find out where WordPress lives, however we thought it’s worth mentioning since the topic does come up often.
WordPress核心文件可以愉快地存在于根目录以外的其他位置。 这项技术经常引起争议,因此您的里程可能会有所不同。 扫描程序和攻击者仍然可以找到WordPress的住处,但是我们认为值得一提,因为该主题确实经常出现。
Even if this doesn’t directly provide additional security, it will definitely help keep your server organized which is also very important.
即使这不能直接提供额外的安全性,它也绝对有助于使服务器井井有条,这也非常重要。
For example, if your site has the domain www.example.com, it would be preferable to install WordPress in something like www.example.com/directory.
例如,如果您的站点的域名为www.example.com,则最好将WordPress安装在类似www.example.com/directory的目录中。
The next step is to copy the index.php and .htaccess files to the root directory. If the .htaccess file is invisible, you have to make hidden files visible in your FTP/SFTP/SCP software or in your cPanel File Manager.
下一步是将index.php和.htaccess文件复制到根目录。 如果.htaccess文件不可见,则必须使隐藏的文件在FTP / SFTP / SCP软件或cPanel文件管理器中可见。
Don’t worry about the error you’ll now get if you browse to your site. Go to index.php and modify following:
不用担心,如果浏览到您的网站,现在会出现错误。 转到index.php并修改以下内容:
require(‘/wp-blog-header.php’); to require(‘/directory/wp-blog-header.php’);
require('/ wp-blog-header.php'); 要求('/directory/wp-blog-header.php');
Now your login URL will be www.example.com/directoy/wp-admin.
现在,您的登录URL为www.example.com/directoy/wp-admin。
After installation, you should go to your WordPress settings in the admin panel and change the WordPress URL, so that it points at www.example.com/directory and blog URL www.example.com.
安装后,您应该在管理面板中转到WordPress设置并更改WordPress URL,以使其指向www.example.com/directory和博客URL www.example.com 。
By default, WordPress creates the database with tables prefixed in wp_. The thinking is that spammers and hackers that are using automated tools know your database structure. Having a default database prefix makes their life much easier. This is another topic of debate, however as with installing WordPress in another directory, it’s a question that comes up frequently.
默认情况下,WordPress使用wp_前缀的表创建数据库。 这种想法是,使用自动工具的垃圾邮件发送者和黑客知道您的数据库结构。 使用默认的数据库前缀可以使它们的工作变得更加轻松。 这是另一个争论的话题,但是与在另一个目录中安装WordPress一样,这是一个经常出现的问题。
During wp-config.php configuration in the installation process, change the table prefix to something random and unique like wp_Df3R_.
在安装过程中的wp-config.php配置期间,将表前缀更改为随机且唯一的名称,例如wp_Df3R_。
To organize your tables in a more efficient way, start the prefix with wp_ and end it with _. You may use numbers, letters, and underscores.
要以更有效的方式组织表,请以wp_开头前缀,以_结束前缀。 您可以使用数字,字母和下划线。
As the most important file in WordPress, it stores valuable information like database, username, password and authentication keys, nobody should have direct access to wp-config.php.
作为WordPress中最重要的文件,它存储有价值的信息,如数据库,用户名,密码和身份验证密钥,没有人可以直接访问wp-config.php 。
As mentioned above, we can store wp-config.php outside of the root folder. Now we’ll add an additional layer of security to it.
如上所述,我们可以将wp-config.php存储在根文件夹之外。 现在,我们将为其添加一个额外的安全层。
To deny access to this file, you should add the code below at the top of the .htaccess file:
要拒绝对此文件的访问,您应该在.htaccess文件顶部添加以下代码:
<files wp-config.php> order allow,deny deny from all </files>This file shouldn’t be modifiable or writable by others. To prevent other users from reading it, the file permission should be 440 or 400, however you should consult your host to check this.
该文件不得被他人修改或写入。 为防止其他用户读取该文件,文件许可权应为440或400,但是您应咨询您的主机以进行检查。
Sometimes leaving the WordPress version number can be a security risk, especially if WordPress isn’t updated regularly. Of course, we strongly recommend regular updates, as with performing other regular WordPress maintenance tasks.
有时留下WordPress版本号可能会带来安全风险,尤其是在WordPress不会定期更新的情况下。 当然,我们强烈建议您进行定期更新,就像执行其他常规WordPress维护任务一样 。
The code that generates the WordPress version is in header.php:
生成WordPress版本的代码在header.php :
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />To remove the WordPress version number, you should add the following line to your active theme’s functions.php file:
要删除WordPress版本号,您应该将以下行添加到活动主题的functions.php文件中:
<?php remove_action('wp_head', 'wp_generator'); ?>Using Secret Keys plays a role in WordPress security. These security keys help encrypt the data stored in the cookies WordPress uses. Without knowing these keys, attackers will have a harder time entering your WordPress site.
使用秘密密钥在WordPress安全中发挥作用。 这些安全密钥有助于加密WordPress使用的cookie中存储的数据。 如果不知道这些密钥,攻击者将很难进入您的WordPress网站。
WordPress creates these for you at the time of installation, however these values might not exist with older sites or if the wp-config.php file has been manually replaced.
WordPress在安装时为您创建了这些值,但是,这些值可能在较旧的站点中不存在,或者如果wp-config.php文件已被手动替换。
By default Secret Keys are listed listed in wp-config.php, like the following:
默认情况下,秘密密钥在wp-config.php中列出,如下所示:
define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');If you ever need to regenerate these keys, you can visit the official generator provided by WordPress.org at https://api.wordpress.org/secret-key/1.1/salt/.
如果您需要重新生成这些密钥,可以访问WordPress.org提供的官方生成器, 网址为https://api.wordpress.org/secret-key/1.1/salt/ 。
If an attacker has the security keys, they can regain access to the site even if the passwords have been changed. So if your site is compromised, don’t forget to change your secret keys – not just your passwords!
如果攻击者拥有安全密钥,即使密码已更改,他们也可以重新访问该站点。 因此,如果您的网站遭到入侵,请不要忘记更改您的秘密密钥-不仅仅是密码!
WordPress allows users to browse the web directories, if they know where to look. Obviously, this is something we want to avoid. Directory browsing can be used by attackers to find your most vulnerable files. It’s not uncommon for developers or webmasters to leave backup files or archives in odd places.
WordPress允许用户浏览Web目录(如果他们知道要查找的位置)。 显然,这是我们要避免的事情。 攻击者可以使用目录浏览来找到您最容易受到攻击的文件。 对于开发人员或网站管理员来说,将备份文件或档案保存在奇怪的地方并不少见。
Ensuring that no one can view the contents of directories can be done by adding a single line in .htaccess
通过在.htaccess添加一行来确保没有人可以查看目录的内容
Options –IndexesIf you have more than one instance of WordPress on the same host, you should use different user credentials for each database. The database username and password should be unique in the wp-config.php files for each of your websites. This will ensure the isolation of every single site, in case one of them gets hacked.
如果同一主机上有多个WordPress实例,则应为每个数据库使用不同的用户凭据。 在每个网站的wp-config.php文件中,数据库用户名和密码应该唯一。 这样可以确保隔离每个站点,以防其中一个站点被黑客入侵。
It’s a simple tip, but reusing the same credentials is something people do all the time.
这是一个简单的技巧,但是人们一直在重复使用相同的凭据。
If you don’t feel comfortable making the above mentioned changes, there are several plugins that help you maintain the security of your WordPress installation, or even to help you recover quickly if you fall victim to a malicious attack.
如果您不满意进行上述更改,可以使用几个插件来维护WordPress安装的安全性,甚至在遭受恶意攻击的情况下也可以帮助您快速恢复。
Here’s a list of the most popular security plugins:
以下是最受欢迎的安全性插件列表:
Sucuri
苏库里
iThemes Security
iThemes安全性
All In One WP Security & Firewall
多合一WP安全性和防火墙
BulletProof Security
防弹安全
Wordfence
围栏
Charles Costa has previously explored the topic of WordPress Security Plugins, that is well worth reading.
查尔斯·科斯塔(Charles Costa) 之前曾探讨过WordPress安全插件的主题 ,这很值得一读。
With a large percentage of websites being powered by WordPress it’s no big surprise WordPress security is a popular topic. If you’re serious about your website and your website security, you should definitely explore your options and take the extra time to lock your site down.
WordPress拥有大量网站,这并不奇怪,WordPress安全是一个热门话题。 如果您对自己的网站和网站安全性很认真,则绝对应该探索您的选择,并花费额外的时间来锁定网站。
To recap, we’ve previously covered 10 Tips to Secure WordPress, in this article, we covered even more tips to help you better manage your website security. If you’re keen about learning more, I’d also recommend reading the official WordPress.org documentation “Hardening WordPress“.
回顾一下,我们之前已涵盖了WordPress的10个技巧 ,我们还介绍了更多技巧,以帮助您更好地管理网站安全性。 如果您想了解更多信息,我还建议您阅读WordPress.org官方文档“ Harding WordPress ”。
Please let us know in the comments below if you have any of your own extra tips for increasing WordPress security.
如果您有提高WordPress安全性的任何其他提示,请在下面的评论中告诉我们。
翻译自: https://www.sitepoint.com/more-tips-to-further-secure-wordpress/
wordpress汉化技巧
相关资源:Jupiter中文版大气强大wordpress汉化主题模板完美企业【6.1】