WordPress Vulnerabilities

tech | 2022-12-28

As a developer or design professional, one of the biggest benefits of building your sites on WordPress is that in most cases you are building your code on a proven platform which has been fortified over time. Unfortunately, when it comes to security there’s no such thing as a fully hack-proof system. Fortunately, when it comes to securing both your own and your clients’ systems, there are a few WordPress vulnerability scanners which can help you spot errors before they get out of hand.

It is important to note that while this guide is primarily intended for WordPress.org users, the techniques can still be applied to WordPress.com users. For those unfamiliar with the differences between the two offerings, Sitepoint has a guide to clarify the differences. WordPress.com users will have less power when using the tools, but they technically will still work.

Although trusting generic online scanners is questionable at best, a new breed of Open Source security tools allow developers and other tech savvy professionals to test their code against exploits with ease. While these tools have a bit of a learning curve, learning the basics of penetration testing tools can help keep you ahead of most digital threats.

WordPress Specific Tools

WP Scan

WP Scan is an Open Source tool for Linux and Mac OSX which is a Swiss Army Knife for attacking virtually any WordPress install. Key features include the ability to pull user names from the WordPress database, scan the plugins which are being used by a specified website, and also see which themes are installed on a server. WP Scan also integrates with known vulnerability databases so that the software can filter results to only show code which is susceptible to attack.

Although WP Scan is a powerful tool, the installation process can be difficult if you don’t already have Ruby installed on your system. This applies especially to CentOS systems – the default Linux distro of many hosts – because the operating system does not ship all the required libraries. Fortunately, by using Ubuntu or MacOSX you can greatly simplify the process. If you are a complete Linux novice, WP Scan comes pre-installed on multiple security-centric Linux distributions; a listing can be found on the project website.

Plecost

Plecost is an Open Source WordPress fingerprinting tool which can analyze the plugins installed on a specified WordPress system, along with the matching Common Vulnerabilities and Exposures (CVE) identifiers where applicable. Since Plecost is a Python script, installing it is as simple as adding the files to your server and then following the instructions on the project website.

Although this tool is limited to showing vulnerabilities in installed plugins, the CVE integration makes Plecost a notable tool because it gives users instant feedback on which outdated software on the server is exposed to known exploits.

Since Plecost is a collection of Python scripts, installation is fairly simple, and you can run the utility on Windows, Mac OSX and Linux/Unix systems as long as they have Python installed and configured.

General Vulnerability Tools

While this guide focuses primarily on your WordPress installs, WordPress is only a single component of your server, so knowing how to use general-purpose penetration testing tools is also vital to protecting your system from attackers.

Nikto

Nikto is a general purpose vulnerability scanner which scans for outdated software, configuration files, hidden directories and much more. By default, Nikto is intended for testing your own servers as the tool runs rapidly and would likely trigger red flags with many intrusion detection systems. If needed, an extension is available to make it stealthier, however for basic tests of your own servers, this likely isn’t necessary.

Aside from just gathering information, Nikto can also brute force the authentication sections of the targeted website, allowing you to check that your website users are following security best practices. Since the tool can run on any system which supports Perl, it works on virtually any Linux and Unix system along with MacOSX. Nikto can also be configured to run on Windows; however, those systems need to have ActiveState Perl or Strawberry Perl installed.
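
The Nikto section notes that the scanner’s rapid requests tend to trip intrusion detection systems, and that it can brute force login forms. As an added example (not code from the SitePoint article or from any of the tools above), the Python script below flags both behaviours in combined-format web server access logs: a burst of requests from one client inside a short window, and repeated POSTs to wp-login.php. The log lines are constructed, and the assumption that Nikto’s and WPScan’s default user agents contain the tool name is mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx default): ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA_MARKERS = ("nikto", "wpscan")  # assumption: both tools' default user agents carry their name

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines, burst_limit=20, window_s=10, login_limit=5):
    """Return {ip: set(reasons)} for clients that look like scanners or login brute forcers."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec["ip"]].append(rec)
    findings = defaultdict(set)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window: flag >= burst_limit requests inside window_s seconds
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= burst_limit:
                findings[ip].add("burst")
                break
        logins = sum(r["method"] == "POST" and r["path"].startswith("/wp-login.php") for r in recs)
        if logins >= login_limit:
            findings[ip].add("login-bruteforce")
        if any(marker in r["ua"].lower() for r in recs for marker in SCANNER_UA_MARKERS):
            findings[ip].add("scanner-ua")
    return dict(findings)

def _line(ip, second, method, path, status, ua):
    return f'{ip} - - [28/Dec/2022:10:00:{second:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample log: one Nikto-style burst, one wp-login.php brute force, one normal visitor.
SAMPLE_LOG = (
    [_line("203.0.113.5", s // 8, "GET", f"/probe{s}", 404, "Mozilla/5.00 (Nikto/2.1.6)") for s in range(24)]
    + [_line("198.51.100.7", 5 + s, "POST", "/wp-login.php", 200, "Mozilla/5.0") for s in range(6)]
    + [_line("192.0.2.10", 20 + s, "GET", "/", 200, "Mozilla/5.0") for s in range(3)]
)
```

Running `detect(SAMPLE_LOG)` reports the burst client and the login brute forcer and stays silent on the ordinary visitor; tune `burst_limit` and `window_s` against a baseline of your own traffic before using it on real logs.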

Wikto

Wikto is a tool primarily intended for Windows environments, which stands out from most of the tools on this list because of its ease of use. While the program is for Windows systems, it still includes powerful features such as: fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.

The killer feature of this tool is centralized Google Hacking integration. While this is technically nothing more than using Google searches to uncover sensitive information, Wikto simplifies the process by allowing you to import databases of known queries into the program. From there you can automatically run queries against sites and view the results with minimal effort on your end.

Staying On Top of Security Best Practices

Although security is a vast and complex field, you can protect your websites from tools such as the vulnerability scanners mentioned in this guide by following trends from the SANS Institute and by following the advice from the WordPress Codex.

Translated from: https://www.sitepoint.com/uncovering-wordpress-vulnerabilities-ease/

Related resources: vulnerable WordPress plugins from exploit-db