wordpress插件

tech2023-01-11  126

wordpress插件

When it comes to securing your WordPress install with a security plugin, it can be tempting to enable every feature of the plugin to harden your site. If you start enabling features blindly, you can end up bringing your site to a halt.

在使用安全插件保护WordPress安装安全时,可能会想启用该插件的所有功能来加固您的网站。 如果您开始盲目启用功能,最终可能会导致站点暂停。

This is because security plugins such as iThemes Security and Wordfence Security automatically modify core elements of WordPress such as the database, file paths, permissions, and more to harden the install from attacks.

这是因为安全插件(例如iThemes安全性和Wordfence安全性)会自动修改WordPress的核心元素(例如数据库,文件路径,权限等),以使安装免受攻击。

In a previous article on managed WordPress hosting pros and cons, I briefly went over common security plugins which are used to harden WordPress, however it didn’t discuss how many of the security features work and how they impact your site.

在上一篇有关托管WordPress托管利弊的文章中,我简要介绍了用于加固WordPress的常见安全性插件,但是它没有讨论多少种安全性功能有效以及它们如何影响您的网站。

Although one-click WordPress security plugins are a great way to streamline WordPress security, they often have unintended side effects which can hinder the performance of your sites. You can avoid seeing the dreaded WordPress ‘white screen of death’ by paying attention to the details below.

尽管一键式WordPress安全插件是简化WordPress安全性的好方法,但它们通常具有意想不到的副作用,可能会影响您网站的性能。 您可以通过关注以下详细信息来避免看到可怕的WordPress“死亡白屏”。

文件更改检测 (File Change Detection)

In the digital security space, intrusion detection systems (IDS) and integrity monitoring are critical tools for server administrators because they allow server administrators to detect malicious activity which happens due to preventive measures failing. In the past, IDS tools were cumbersome and expensive to maintain, however many WordPress security plugins provide similar tools to monitor your website for changes with a few mouse clicks.

在数字安全领域,入侵检测系统(IDS)和完整性监视对于服务器管理员而言是至关重要的工具,因为它们使服务器管理员能够检测到由于预防措施失败而导致的恶意活动。 过去,IDS工具笨重且维护昂贵,但是许多WordPress安全插件提供了类似的工具,只需单击几下鼠标即可监视您的网站的变化。

In theory, this feature is a great safeguard against subtle attacks which happen behind the scenes, but if not configured properly, your inbox will be flooded with thousands of false positive notices regarding your site. For example, if you have a caching plugin installed on your website, you’ll receive emails documenting every single change as it occurs.

从理论上讲,此功能可以很好地防止在后台发生细微的攻击,但是,如果配置不正确,收件箱中将充满成千上万个关于站点的误报。 例如,如果您的网站上安装了缓存插件,那么您会收到一封电子邮件,记录每次更改的发生。

In general, the best way to get around this issue is to avoid change detection all together if you aren’t an experienced WordPress developer. Since every server and WordPress configuration is different, this feature is only beneficial if you can decipher the alerts.

通常,解决此问题的最佳方法是,如果您不是经验丰富的WordPress开发人员,请避免一起进行更改检测。 由于每个服务器和WordPress配置都不相同,因此仅当您可以解密警报时,此功能才有用。

国家封锁 (Country Blocking)

It can be tempting to use country blocking to prevent rogue traffic from hitting your site, however this feature often does more harm than good. The biggest reason is that it’s pretty easy for attackers to get around these blockers simply by spoofing their IP address or using readily available VPN services. In fact, this is something many consumers do themselves in order to get around copyright restrictions on multimedia content.

使用国家/地区阻止功能来阻止恶意流量攻击您的网站可能很诱人,但是此功能的弊大于利。 最大的原因是,攻击者很容易通过欺骗其IP地址或使用现成的VPN服务来绕过这些阻止程序。 实际上,这是许多消费者自己为了避免对多媒体内容的版权限制而做的事情。

In theory, country blocking might help if you’re an online merchant who is very concerned about fraudulent transactions. However, if a consumer can spoof their IP to watch a video clip outside of their country, then a fraudster probably is going to use the same technology to access your site.

从理论上讲,如果您是非常担心欺诈交易的在线商人,则阻止国家访问可能会有所帮助。 但是,如果消费者可以欺骗他们的IP来观看本国境外的视频片段,那么欺诈者可能会使用相同的技术来访问您的站点。

Shipping restrictions usually are a better way to protect your company from fraudulent transactions. Additionally, while country blocking can block some botnets, an entire cottage industry has spawned around malicious people selling access to compromised systems in developed nations.

限制运输通常是保护您的公司免遭欺诈性交易的更好方法。 此外,尽管国家封锁可以阻止某些僵尸网络,但整个家庭手工业已围绕恶意人产生,他们在发达国家出售对受感染系统的访问权限。

Long story short, country blocking may have once been a valid way to reduce your websites threat exposure, however today it’s only good at providing a false sense of security.

长话短说,阻止国家访问曾经曾经是减少网站威胁暴露的有效方法,但是今天它仅能提供虚假的安全感。

强制登录SSL (Forced SSL for Logins)

Forced SSL is one of the best features many WordPress security plugins provide because it is a relatively simple change which can make a huge difference in protecting yourself and users. One of the biggest reasons many websites used to have logins unencrypted is because servers couldn’t handle the overhead for frequent transactions. As computing power became cheaper, SSL became more common.

强制SSL是许多WordPress安全插件提供的最佳功能之一,因为它是相对简单的更改,可以在保护自己和用户方面产生巨大的变化。 许多网站过去未加密登录的最大原因之一是服务器无法处理频繁交易的开销。 随着计算能力的降低,SSL变得越来越普遍。

Today, encryption has become so important that Google recently said it is integrating it into their SEO criteria. The rise of wireless Internet and recent concerns over protecting privacy mean that website operators need to protect their users. Even if you don’t encrypt your entire website, ensuring users have secure login pages is a must in today’s society.

如今,加密变得非常重要,以至于Google最近表示正在将其集成到其SEO标准中。 无线互联网的兴起以及最近对保护隐私的关注意味着网站运营商需要保护其用户。 即使您不加密整个网站,在当今社会中也必须确保用户具有安全的登录页面。

Before you enable forced SSL on your WordPress site, make sure that you have a SSL certificate installed and configured. Most web hosts will handle the installation for you, and you can test the certificate simply by adding https:// to your site name and then visiting it. If you get a certificate error, then you’ll know you shouldn’t go forward with enabling this option. On the other hand if your site goes through as usual, feel free to go forward with it.

在WordPress网站上启用强制SSL之前,请确保已安装和配置SSL证书。 大多数Web主机将为您处理安装,您只需在站点名称中添加https://然后访问它即可测试证书。 如果遇到证书错误,那么您将不应该启用此选项。 另一方面,如果您的站点照常运行,请随时进行处理。

Keep in mind that you’ll need to keep your SSL certificate paid up to ensure the functionality of your site. If you’re on a development server, you could technically use self signed certificates, however they’ll often trigger browser warnings when individuals attempt to visit your site.

请记住,您需要使SSL证书保持完整状态,以确保网站的功能。 如果您在开发服务器上,则可以从技术上使用自签名证书,但是当个人尝试访问您的网站时,它们通常会触发浏览器警告。

常识的重要性 (The Importance of Common Sense)

Just as you wouldn’t change settings blindly on your workstation, you shouldn’t enable security features on your WordPress site without knowing exactly what they do.

就像您不会在工作站上盲目更改设置一样,您不应该在不知道其功能的情况下就在WordPress网站上启用安全功能。

Randomly enabling security features not only increases the odds of encountering the dreaded ‘white screen of death’ but also can result in giving you a false sense of security.

随机启用安全功能不仅增加了遇到可怕的“死亡白屏”的几率,而且还可能给您带来错误的安全感。

As with any tools, they only are useful if they are used properly. If you don’t fully understand the power of common security plugins, then you could be doing more harm than good.

与任何工具一样,它们只有在正确使用的情况下才有用。 如果您不完全了解常见安全性插件的功能,那么弊大于利。

进一步阅读 (Further Reading)

It’s worth mentioning that many experienced WordPress administrators don’t rely on any security plugins at all, they prefer to manually harden WordPress and their servers themselves. If you’re interested in learning more about WordPress security, I’d recommend starting with the official WordPress documentation:

值得一提的是,许多经验丰富的WordPress管理员根本不依赖任何安全插件,他们更喜欢手动加固WordPress及其服务器。 如果您有兴趣了解有关WordPress安全性的更多信息,建议您从WordPress官方文档开始:

Hardening WordPress (WordPress Codex)

强化WordPress(WordPress Codex)

Finally, make sure to exercise common sense when selecting and installing themes and plugins. I’ve also written some tips that can be found below that you may find useful:

最后,请确保在选择和安装主题和插件时保持常识。 我还写了一些技巧,这些技巧可能对您有用:

How to Spot a Rogue or Subpar WordPress Theme

如何发现Rogue或Subpar WordPress主题

How to Protect Yourself from Rogue WordPress Plugins

如何保护自己免受Rogue WordPress插件的侵害

翻译自: https://www.sitepoint.com/wordpress-security-plugins/

wordpress插件

最新回复(0)