WordPress Themes

tech 2022-11-28

Security is an important topic.

Security is everyone’s problem. In particular, if you’re a developer, you should take responsibility for things you create. Even if you’re just starting out as a WordPress user or developer, you should make sure that the sites you’re building for your clients are as secure as possible.

There is no such thing as absolute security.

To quote Bruce Schneier from his book “Applied Cryptography”:

The only secure computer system in the world is unplugged, locked in a vault at the bottom of the ocean and only one person knows the location and combination of that vault. And he is dead.

You’ve probably heard that even big companies like Facebook, Microsoft, Adobe and Google have had their share of security problems. These companies have many developers and dedicated teams that only deal with security, and things still go wrong.

I hope you haven’t forgotten the Sony incident with plain text passwords. If you’re developing anything, please don’t store passwords in plain text, just don’t.

Security and WordPress

There are many tools that can help you better harden your applications. Some of them are general, some very specific. Such tools exist for WordPress too. For a WordPress site, theme quality is an important part of your overall website security. One of the plugins that can help you in this area is VIP Scanner. The VIP Scanner plugin is a UI for the VIP Scanner library. You can find the library in the plugins folder under vip-scanner.

My current local setup uses Vagrant with Chassis; take a look at this article on Chassis if you want to use it too.

There are two ways to install VIP Scanner: from the plugin page, or manually with git in the plugins folder. The preferred way is to install it via git, because the VIP Scanner plugin page only has an older version (v0.7) available, whereas the GitHub repo has version v0.8. The developers of this plugin prefer the git way too. To install the plugin, navigate into the plugins folder and execute:

git clone https://github.com/Automattic/vip-scanner.git vipscanner
cd vipscanner
git submodule update --init --recursive

The first command will download the plugin. The second will navigate into our newly cloned directory. The third will clone all the submodules (PHP-Parser).

Now, navigate to your WordPress dashboard and activate the plugin. To see this plugin in action, navigate to Tools > VIP Scanner.

There you will find 3 different types of scanning options:

Undefined function check

wp.com theme review

VIP theme review

When you first run a scan using this tool, it will use the current active theme. It’s worth mentioning that this tool only deals with themes. Each type of scan is different, which comes in handy when you develop WordPress themes and care about code quality (which everyone should).

You can also use this tool with WP-CLI; check out the VIP Scanner docs for more information.

When you scan a theme (the active theme), you’ll find all sorts of problems. The first scan type (undefined function check) does what the name says: it scans the whole theme directory for undefined functions. This is the basic scan and you should use it on every theme that you develop. The other two are more specific. The second scan type (wp.com theme review) is used when you are developing themes for the community. The third scan is used only for WordPress VIP.

So now that we know a little bit about VIP Scanner, let’s have some fun! Let’s scan the official themes that come preinstalled with WordPress (the latest theme). The first scan (undefined function) will not throw any errors. The second one will display some errors (mostly warnings). The scan results have 3 sections: Errors, Notes and Analysis. The first is where errors are shown, the second holds warnings, and the third gives more information about the structure of the theme, such as the number of classes, functions and author details.

Even with the official WordPress themes, we found a few errors. Most of them are:

The theme uses @package WordPress. This is reserved for WordPress Core files.

This is because you are not supposed to use @package WordPress in any of your themes (even though these are the official WordPress themes).
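One way to reproduce this particular check outside the plugin, as an added example that is not VIP Scanner's own code: it tokenizes each PHP file in a theme and reports docblock lines that declare `@package WordPress`. The function names, the exact-match rule and the sample theme are assumptions made for illustration.

```php
<?php
// Added example (not VIP Scanner code): flag "@package WordPress" in theme docblocks.

/** Return the line numbers of docblock lines declaring "@package WordPress". */
function find_core_package_tags(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $token) {
        // Only docblocks count; the same text in a string or a // comment is ignored.
        if (!is_array($token) || $token[0] !== T_DOC_COMMENT) {
            continue;
        }
        [, $text, $startLine] = $token;
        foreach (explode("\n", $text) as $offset => $line) {
            // Assumed rule: the tag value must be exactly "WordPress".
            if (preg_match('~^\s*(/\*\*|\*)?\s*@package\s+WordPress\s*(\*/)?\s*$~', $line)) {
                $hits[] = $startLine + $offset;
            }
        }
    }
    return $hits;
}

/** Scan every .php file under $themeDir; returns [relative path => line numbers]. */
function scan_theme(string $themeDir): array
{
    $themeDir = rtrim($themeDir, '/\\');
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themeDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $hits = find_core_package_tags((string) file_get_contents($file->getPathname()));
        if ($hits) {
            $report[substr($file->getPathname(), strlen($themeDir) + 1)] = $hits;
        }
    }
    ksort($report);
    return $report;
}

// Constructed sample theme, written to a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . '/sample-theme-' . uniqid();
mkdir($dir);
file_put_contents("$dir/functions.php", "<?php\n/**\n * Theme functions.\n *\n * @package WordPress\n * @subpackage Sample_Theme\n */\n");
file_put_contents("$dir/index.php", "<?php\n/**\n * @package Sample_Theme\n */\n\$label = '@package WordPress';\n");
print_r(scan_theme($dir));
```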

Now go and scan a few more themes with this tool. This tool is very powerful when you’re developing (or even reviewing) your own themes for a client. If you’re writing your own themes, take small steps and then scan. This way you’re less likely to screw things up. You can also find bugs in the early stages of development, which saves time.

The Bad Parts

One thing that I find very frustrating with WordPress in general is the lack of good quality code. VIP Scanner does its job very well, and from the commits, pull requests and issues it tells us that it’s under active development, which is great. What I’d like to see is the project using git submodules for dependency management. Packagist and Composer exist for that reason. PHP lacked dependency management tools, but they’re finally here. Also, I had a few problems with Code Sniffer. When scanning themes with the “VIP theme review”, I always got the error telling me I didn’t have Code Sniffer installed locally. I tried to work around this and install that tool, but I couldn’t get it to work. Please leave a comment if you figured this out.

This tool does lack a few things, mostly code standards. But, it is a good tool and does its job very well, so you definitely should use it on every theme you develop.

Conclusion

In this article we saw what the VIP Scanner plugin is and how to use it to better harden our sites. This is a nice plugin that can help you, not only for existing WordPress sites, but also when you’re developing your own themes. Using this plugin you can speed up the development of your themes, knowing you’re building them with peace of mind. This is a kind of Unit Testing for WordPress themes, so you’ll know for sure that things are working the right way. Security comes from good practices and that will help you grow as a developer.

What do you think about this plugin? Would you consider using it in your workflow? What other plugins are you using when creating themes to improve quality?

Translated from: https://www.sitepoint.com/improve-wordpress-theme-quality-vip-scanner/
