WordPress Hackers
There’s no disputing the popularity of WordPress, which powers more than 74.6m sites around the world, with 48% of Technorati’s top 100 blogs being managed by the platform. In the online world though, anything that’s popular is more open to attack and WordPress is no exception. However, the types of attack that tend to hit WordPress sites – unless you’re a big brand – are generally carried out by people without a huge amount of technical know-how. These are often referred to as ‘script kiddies’ as they use common code, techniques and kits in order to hack target sites.
The good news about this is that it means that often an attack can be dealt with quickly and easily. It’s not necessary to get to the stage where an attack does damage though, as most can be prevented in the first place. So today, we’ll be looking at how you can secure your installation and avoid common hacks.
Before you think about securing your site, you should start from the ground up and that means making sure that your hosting server is secure in the first place. Starting with the basics, you should choose a host based on security and reputation and not on price. Whilst I’m sure there are some decent cheap hosts out there, for the most part hosting that costs you $2 per month is not going to cut the mustard.
Most of the managed WordPress hosting services have a reputation for secure hosting. Not all of them allow certain performance-related plugins though, so you should check first to see exactly what access and level of control you have.
Most of them offer:
Managed WordPress hosting
Automatic security updates
Daily backups
One-click restore points
Automatic caching
Top-tier security

Whatever host you decide to go with, you should check that they offer the following:
Run stable versions of server software and patch as necessary
Enable a server-level firewall
Allow you to back up and restore often and easily (site and database)
Intrusion detection

Managed hosts (such as WPEngine for example) use caching which is passed through a CDN, so if you really don’t want to use a managed WordPress host, then do consider implementing a CDN alongside a caching plugin such as W3 Total Cache. This is a simple way of setting up your site so that all traffic that’s passed through the CDN caches is then also passing through a secure socket layer (SSL/TLS). If you need a hand getting your head around these technologies, I’d recommend the following visual guides by MaxCDN. In the interest of full disclosure, I work for MaxCDN, but I’m sure you’ll find them to be useful resources:
What is a CDN?
How SSL Works
Setting up WordPress with W3 Total Cache with a CDN
Unfortunately, WordPress installations on shared servers, rather than those on a VPS or dedicated server, are generally installed and configured in the way that’s easiest for the host, but not necessarily the most secure.
Note that the following configurations are for advanced users who are familiar with coding or basic sysadmin tasks. If you’re not, then ask your web developer to set this up for you.
Just a quick word on this one, which bears repeating given that more than 70% of WordPress installations are vulnerable to attack. Always ensure that once you have installed WordPress, you update to the latest version as soon as it becomes available. The same goes for your theme and for all plugins that you use. The same applies to your server software. It might sound obvious to many of you, but the statistics speak for themselves: there are many, many older versions of the platform installed.
When it comes to passwords, I come across people on a daily basis who still use something like ‘companyname123’ as their password, and these are people who are in the tech industry and should know better. So for yourself and every other user, generate complex passwords and store them in a password manager such as LastPass; it’s safer that way.
To ensure that minor and major updates take place in WordPress automatically, you can make a small change to the code which will apply them. This removes the need for you to do it manually (only minor updates are applied automatically to WordPress v.3.7 and later) but you should ensure that you enable automatic, frequent backups in the event that something goes wrong and it takes your site out.
To enable updates, apply the following code to your wp-config.php file:
    # Enable all core updates, including minor and major:
    define( 'WP_AUTO_UPDATE_CORE', true );

It’s more common that you’ll experience a problem with automatic updates if you use plugins that are not updated reasonably frequently, so do try to ensure that the plugins you install are maintained and support is available where possible.
If a plugin or theme that you’re using throws up an error, then it’s possible that the resulting error message will display your server path which in turn could be intercepted by hackers. With this in mind, you should disable error reporting by adding the following code to your wp-config.php file:
    error_reporting( 0 );
    @ini_set( 'display_errors', 0 );

Alternatively, if you’re not confident when it comes to editing your config files, then you can ask your web host to disable it for you.
If you were to monitor how many login attempts there are on your WordPress site each day you’d probably be shocked. These are common attacks which are preventable to some degree by using complex passwords. Brute force attacks generally come from a botnet that attempts to guess your admin password. You can mitigate the risk and stop most brute force attacks by adding an extra layer of protection at the login screen level with HTTP AUTH.
To do this you’ll first need to password protect your directory by setting up .htaccess password protection. Once you’ve done this, you need to add the following code to your .htaccess file:
    # Protect wp-login
    <Files wp-login.php>
        # Apache does not expand "~": use the absolute path to your .htpasswd file
        # (placeholder below), ideally outside the web root.
        AuthUserFile /full/path/to/.htpasswd
        AuthName "Private access"
        AuthType Basic
        Require user mysecretuser
    </Files>

This will bring up the authentication box which prompts you to put in your username and password, and you’ll then be required to log in on the normal WordPress login screen – you should of course use a different password for each.
You can also prevent brute force attacks by monitoring IP addresses that attempt to login and then locking them out. Or, you can simply change the admin username from ‘admin’ to your own name or something else and then delete the default admin user profile. You and your webmaster/developer really should be the only people with administrative rights across the site.
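One way to do the monitoring described above, as an added example that is not from the original article: it reads Apache access-log lines, counts POSTs to wp-login.php per client IP in a sliding window, and returns the IPs to lock out. The log lines, the threshold of 5 attempts and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def lockout_candidates(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Map each IP that exceeded max_attempts login POSTs inside one sliding
    window to the time it crossed the threshold (lines in time order)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # viewing the login form (GET) is not an attempt
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()  # forget attempts older than the window
        if len(attempts) > max_attempts:
            flagged.setdefault(m["ip"], ts)
    return flagged

def make_line(ip, when, method="POST", path="/wp-login.php", status=200):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1024'

# Constructed sample log (documentation-range IPs, made-up times).
T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = (
    [make_line("203.0.113.7", T0 + timedelta(seconds=10 * i)) for i in range(8)]  # burst
    + [make_line("192.0.2.9", T0 + timedelta(minutes=10 * i)) for i in range(8)]  # slow
    + [make_line("198.51.100.20", T0, method="GET"),
       make_line("198.51.100.20", T0 + timedelta(seconds=30), status=302)]  # normal login
)

if __name__ == "__main__":
    for ip, when in lockout_candidates(SAMPLE).items():
        print(f"lock out {ip}: threshold crossed at {when.isoformat()}")
```

The slow client makes as many attempts as the burst but never more than one per window, so only a longer window or a lower threshold catches it.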
These are really a stab in the dark for hackers who attempt to find weak spots in the site by making URL requests that should return an error but are sometimes completed.
The URL might look something like this: http://yourwebsite.com/your/files/%3G/config
Commonly, a hacker will use an opening bracket in the URL so firstly, to overcome this, it’s necessary to generate a 403 Forbidden page to stop any request that contains the bracket. To do this, just paste the following line into your .htaccess file:
    RedirectMatch 403 \[

To create a more complex ruleset, you needn’t write all the code yourself. If you’re familiar with working with .htaccess and your site is on an Apache server, then you can use the 5G Firewall which is a blacklist for common exploits. You don’t have to use all of the lines either, as it’s modular, and in the event that it does produce errors, you can delete line-by-line until you discover the problem.
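An added example (not from the original article) that classifies request targets the way the bracket rule above sees them, and also flags malformed percent-escapes such as the %3G in the sample URL. The function names and the sample targets are constructed for illustration.

```python
import re
from urllib.parse import unquote

# "%" not followed by two hex digits is not a valid percent-escape (RFC 3986).
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def probe_reasons(request_target):
    """Return why a request target looks like a URL probe ([] if it does not)."""
    path = request_target.split("?", 1)[0]  # mod_alias rules never see the query string
    reasons = []
    if BAD_ESCAPE.search(path):
        reasons.append("malformed-percent-escape")
    # RedirectMatch tests the %-decoded URL-path, so an encoded bracket (%5B)
    # is caught like a literal one; a double-encoded one (%255B) is not.
    if "[" in unquote(path):
        reasons.append("opening-bracket")
    return reasons

def triage(targets):
    """Keep only the suspicious targets, mapped to their reasons."""
    return {t: r for t in targets if (r := probe_reasons(t))}

# Constructed request targets; the first is the example URL path from the article.
SAMPLE_TARGETS = [
    "/your/files/%3G/config",
    "/wp-content/[x]/readme",
    "/wp-content/%5Bx%5D/readme",
    "/wp-content/%255Bx/readme",
    "/?post_type[]=page",
    "/2014/05/hello-world/",
]

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_TARGETS).items():
        print(f"{target}: {', '.join(reasons)}")
```

Brackets in a query string are common in legitimate form submissions and are outside the rule's reach, which is why the fifth target is not flagged.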
You can protect the .htaccess file itself by adding the following line to the file:
    <Files .htaccess>
        # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead.
        Order allow,deny
        Deny from all
    </Files>

You can of course use one of the security plugins that are available for WordPress too. Before installation, you should check that any plugin you use is supported and updated frequently. If so, then you should also check out the ratings and reviews to determine which is seen to be the best by the WordPress community.
Remember too, if you have a lot of plugins on your installation, to periodically remove anything you’re not using. Ask yourself if the functionality that any given plugin allows you is really necessary and cut out the ones you can do without. For those plugins that you’ve deactivated, you should also delete them as they provide a potential way in for a hacker. If a plugin is no longer supported, then you should look for an alternative as it’s bound to create a vulnerability at some point, if it hasn’t already.
For the most part, WordPress security is about using common sense and understanding that a lot of the time, hacks and malware can be put down to errors by the end user. For the most part, hackers get in via exploits in software, so if you ensure that you always have the latest versions you’ll do a good job protecting yourself. Hackers look for the easiest route unless they are targeting you specifically, so tighten up your site and don’t make it easy for them.
If you’re interested in reading more, here’s a selection of previous articles related to WordPress security on SitePoint that are worth taking a look at:
What You May Not Know about WordPress Security Plugins
How to Protect Yourself from Rogue WordPress Plugins
The Definitive Guide to WordPress Maintenance
Managed WordPress Hosting: The Pros and Cons
2-Step Verification for WordPress Using Google Authenticator
Uncovering WordPress Vulnerabilities with Ease
A Guide to Updating WordPress, Plugins and Themes
Preventing Brute Force Attacks Against WordPress Websites
Translated from: https://www.sitepoint.com/securing-wordpress-hackers-ddos-attacks/