This article was also edited by Jeff Smith. Thanks for making SitePoint content the best it can be!
本文还由Jeff Smith编辑。 感谢您使SitePoint内容达到最佳状态!
处理WordPress安全性的回顾 (Handing WordPress Security: A Recap)
WordPress security isn’t a term most people get excited about. It’s a tricky topic which generally goes hand in hand with fear. Fear in wondering if you’re doing enough for your site, whether it’s done correctly, or even at all.
WordPress安全并不是让大多数人感到兴奋的术语。 这是一个棘手的话题,通常与恐惧并存。 害怕怀疑您是否为网站做得足够,是否做得正确,甚至根本做不到。
A couple of weeks ago we held a webinar with Chris Burgess on SitePoint to discuss WordPress security and how you can start making your site secure. We looked at:
几周前,我们与Chris Burgess在SitePoint上举行了一次网络研讨会,讨论WordPress安全性以及如何开始使站点安全。 我们看了看:
- Common myths and misconceptions. 常见的神话和误解。
- What made WordPress an easy target. 是什么使WordPress成为简单的目标。
- What motivated attackers and how they attack sites. 是什么促使了攻击者以及他们如何攻击站点。
Most importantly we also looked at:
最重要的是,我们还研究了:
- What you can do to strengthen the security of your site. 您可以采取哪些措施来增强网站的安全性。
- How you can avoid common WordPress security risks. 如何避免常见的WordPress安全风险。
One thing we should all understand and take away from our webinar is that security is critical, it isn’t a product — it’s a process! We didn’t just let Chris do all the speaking, you also got involved! It was great to see, so much activity in the chat room. Viewers were asking Chris questions, viewers were answering each other’s questions. It became a WordPress eco-system full of thriving discussions, so let’s jump into some of those.
我们所有人都应该理解并从我们的网络研讨会中删除的一件事是, 安全性至关重要 ,它不是产品, 而是一个过程! 我们不仅让克里斯做所有演讲,而且您也参与其中! 很高兴看到聊天室中有如此多的活动。 观众在问克里斯问题,观众在回答对方的问题。 它变成了一个充满热闹讨论的WordPress生态系统,因此让我们跳入其中。
你问克里斯的 (What you had asked Chris)
问:手动硬化是什么意思? (Q: What do you mean by manually harden?)
Chris: What a lot of security plugins will do is, make configuration changes to the hosting environment and the server configuration. This stops people from being able to either download files, view files and restrict access – this kind of thing. Did you know this can be done yourself? If you know what files to change. If you don’t, there are quite a few popular blogs, repositories, and recipes that people use for hardening WordPress sites. A good place to start is the official documentation, called the WordPress Codex. Specifically, a section dedicated to hardening WordPress.
克里斯:许多安全性插件将要做的是对托管环境和服务器配置进行配置更改。 这样一来,人们就无法下载文件,查看文件并限制访问权限。 您知道这可以自己完成吗? 如果您知道要更改的文件。 如果您不这样做,人们就会使用很多流行的博客,存储库和食谱来强化WordPress网站。 一个很好的起点是官方文档,称为WordPress Codex。 具体来说, 专用于强化WordPress的部分 。
I’ve met a few people that say, “look I don’t trust security plugins, I prefer to do it myself.” This is great, but you need to know what you’re doing and be prepared to put in the time. From my perspective, security plugins do a lot of the heavy lifting in a fraction of the time. Plus they also do give you other added benefits. For example, they can give you auditing and reporting, and if you’re working in a group environment, it helps to be able to have these features. You also need to consider that the security plugins are becoming more complex to protect against a growing number of threats, so there’s a lot of functionally behind the scenes. Still, if you enjoy doing the work yourself, and if you really want to get your hands dirty, you can do it! Just be prepared to put in the time.
我遇到了一些人,他们说: “看起来我不信任安全性插件,我更愿意自己做。” 很好,但是您需要知道自己在做什么,并准备投入时间。 从我的角度来看,安全插件在很短的时间内完成了很多繁重的工作。 另外,它们还为您带来其他额外的好处。 例如,他们可以为您提供审核和报告,如果您在小组环境中工作,那么拥有这些功能将很有帮助。 您还需要考虑到安全性插件正变得越来越复杂,以防范越来越多的威胁,因此幕后功能很多。 不过,如果您喜欢自己做这项工作,并且如果您真的想弄脏您的手,那么可以做到! 准备好投入时间。
问:即使隐藏了我的wp-login.php或/wp-admin位置,我的网站仍然受到登录尝试的攻击。 是这些机器人,我该怎么做以防止它们出现? (Q: Even after hiding my wp-login.php or /wp-admin location, my site is still being attacked by login attempts. Are these bots, and what can I do to prevent them?)
Chris: That’s a really brilliant question! It’s also why the WordPress Codex has information about brute force attacks.
克里斯:这是一个非常聪明的问题! 这也是WordPress Codex拥有有关暴力攻击的信息的原因。
There’re a few different schools of thought on how to tackle brute force attacks. All public facing sites are constantly getting probed, but for the most part these can be blocked using the popular security plugins. Security plugins can be configured to block someone after a certain number incorrect attempts, you can increase the sensitivity of this, for example, you could lock someone out after only a few attempts if it’s incorrect.
关于如何应对暴力攻击,存在几种不同的思想流派。 所有面向公众的网站都在不断地受到调查,但是在大多数情况下,可以使用流行的安全性插件将其阻止。 可以将安全性插件配置为在经过一定次数的不正确尝试后阻止某人,您可以提高其敏感性,例如,如果不正确,则可以仅在几次尝试后将某人锁定。
There’s also things you can do at the server level. There are also DNS services that will filter a lot of bad traffic, which can also help block harvesting and spam bots. Some of the popular DNS providers will filter some of this bad traffic even before it hits your server. These services can also often help with performance.
您还可以在服务器级别执行某些操作。 还有一些DNS服务可以过滤大量不良流量,这也可以帮助阻止收集和垃圾邮件机器人。 一些受欢迎的DNS提供商甚至会在某些有害流量到达您的服务器之前对其进行过滤。 这些服务通常也可以帮助提高性能。
问:继承WordPress网站时应采取的第一步是什么? (Q: What are the first steps you should take when inheriting a WordPress site?)
Chris: The first thing that I would do is make sure you’ve read the WordPress Codex guide on hardening WordPress so you’ve covered the basics and that all of the basic best practices are covered.
克里斯:我要做的第一件事是确保您已经阅读了有关加强WordPress的WordPress Codex 指南,因此您已经了解了基础知识,并且涵盖了所有基本最佳实践。
This means:
这表示:
- There’s no “admin” username, use strong password, restrict who has admin access. 没有“管理员”用户名,使用强密码,限制谁拥有管理员访问权限。
- There’s a security plugin installed (and run a full scan). 安装了一个安全插件(并运行完整扫描)。
- WordPress (including all theme and plugins) has been updated. WordPress(包括所有主题和插件)已更新。
- Remove all unused plugins or themes. 删除所有未使用的插件或主题。
I’d recommend auditing the site and looking into what plugins are being used. This can sometimes be a bit subjective and come down to preference. I tend to be as ruthless as possible when it comes to using plugins — there’s just so many out there! Try and stick to using only plugins by the most reputable developers that you can find. That doesn’t mean that it’s a company. There are developers that have really good reputations of being able to fix things quickly or have great support. These are the kinds of things to look for.
我建议审核站点并调查正在使用的插件。 有时这可能会有些主观,并且会偏向于偏好。 在使用插件时,我倾向于尽可能地狠心-那里有很多! 尝试并坚持只使用您能找到的最有名的开发人员的插件。 这并不意味着它是一家公司。 有迹象表明,拥有能够快速解决的事情,还是有很大的支持, 真的很不错的声誉开发商。 这些是要寻找的东西。
A checklist of what you should do when you’re inheriting a site:
继承站点时应采取的措施的清单:
- You’ve backed up your site, at least to a point where you can roll it back to how it was when you got it. That’s probably the important thing. 您已经备份了站点,至少可以将其回滚到获得站点时的状态。 那可能是重要的。
- Follow the best practices would be my first thing, the community documentation is very comprehensive. 遵循最佳实践将是我的第一件事,社区文档非常全面。
- Make sure that you have installed a security plugin, and that you’ve learned the options and are using it correctly. 确保已安装安全插件,并且已了解这些选项并正确使用它。
- Make sure everything is up to date, including themes and plugins. Make sure you have licences for any premium plugins. 确保所有内容都是最新的,包括主题和插件。 确保您具有任何高级插件的许可证。
- Tell the client the risks, plan your next steps based on the value of the sites you’re managing. 告诉客户风险,根据您管理的网站的价值计划下一步。
I think if you’re inheriting a site you have to say, “We didn’t build it, we didn’t write a lot of this code. But we’re going to do is everything we can to make sure that you’re in good hands now.” I know that’s a little bit warm and fuzzy but that’s really kind of the best that we can do because there’s a lot of sites out there that have been built and have been left with the site owner. A kind of — “Here’re the keys, see you later” approach. However most of us already think of a website as a work in progress. It’s a living ‘thing’, so clients really appreciate it when someone is willing to hold their hand and help them through something they don’t necessarily understand. You just have to try and educate them, and make sure that they understand that there are always risks. It’s not just a “build and dump”; if you want a robust online presence, it’s not just about new and shiny, it’s about also making sure that it’s maintained and secure.
我认为,如果您要继承一个网站,您必须说: “我们没有建立它,我们没有编写很多这样的代码。 但是我们将竭尽所能,以确保您现在处于良好状态。” 我知道这有点温暖和模糊,但这确实是我们可以做的最好的事情,因为那里已经建了很多网站,并留给了网站所有者。 一种“钥匙在这里,待会见”的方法。 但是,我们大多数人已经将网站视为正在进行中的工作。 这是一个活生生的“事物”,因此当有人愿意握住他们的手并帮助他们完成一些不一定理解的事情时,客户会非常感激。 您只需要尝试对他们进行教育,并确保他们了解始终存在风险。 这不仅仅是“构建和转储” ; 如果您想要一个强大的在线形象,这不仅是新颖的和有光泽的,还在于确保它的维护和安全。
问:是否有一个网站列出了WordPress安全性的好坏插件? (Q: Is there a site that lists the good vs bad plugins for WordPress Security?)
Chris: This is going be subjective. Just as if we would look for social proof in Amazon or an app store, these are things that would guide my decision:
克里斯:这将是主观的。 就像我们在亚马逊或应用商店中寻找社会证明一样,以下这些将指导我做出决定:
- Is it in the WordPress official plugin directory? 它在WordPress官方插件目录中吗?
- Does it have star ratings? 有星级吗?
- How many active installs does it currently have? 当前有多少活动安装?
- When was it last updated? 上次更新时间是什么时候?
- How many support queries does it have? 它有多少个支持查询?
Just remember that nothing beats talking to other developers or site owners. Aside from that, I would also recommend checking out the WordPress support forums, there are some very experienced people there willing to help those who need it, just make sure you’ve read the Welcome page.
请记住,与其他开发人员或网站所有者进行交流无处不在。 除此之外,我还建议您查看WordPress支持论坛,那里有一些非常有经验的人愿意为需要它的人提供帮助,只需确保您已经阅读了Welcome页面 。
If you’re researching from scratch, just look for the articles. You’ll find that there are a lot of people who write about this stuff and will actually do a deep dive into features.
如果您是从头开始研究,则只需查找文章即可。 您会发现有很多人写这些东西,并且实际上会深入研究功能。
A quick note on plugins. If something hasn’t been updated in two years, it’ll be flagged on the official plugin directory. Stay away from those because they’re likely going to be either problematic from a support point of view or a potential nightmare from a security perspective as well.
关于插件的快速说明。 如果两年内未进行任何更新,则会在官方插件目录中进行标记。 远离这些方面,因为从支持的角度来看它们可能会出现问题,或者从安全角度来看可能会造成潜在的噩梦。
It’s easier to just click a button and install a plugin. Remember, that ultimately these sites are going to be around for a long time, so make sure that we’re dealing with something that’s reliable.
单击按钮并安装插件会更容易。 请记住,最终这些站点将存在很长一段时间,因此请确保我们正在处理可靠的问题。
和更多 (And more)
There’s only so much we could cover in this recap, yet there’s plenty more we hadn’t spoken about. Watch the rest of the webinar below to see the rest of our discussion. Happy watching!
在此回顾中,我们只能涵盖很多内容,但还有很多我们没有谈论过。 观看下面的网络研讨会的其余部分,以查看我们其余的讨论。 观看愉快!
Our Handling WordPress Security webinar with Chris can be found in our Learn from the Experts compilation. Check it out to see talks with other industry experts like Chris Coyier, and more.
我们与Chris共同处理WordPress安全性网络研讨会可在“ 从专家那里学习”汇编中找到。 请查看与其他行业专家的对话,例如Chris Coyier等。
翻译自: https://www.sitepoint.com/head-slapping-wordpress-security-with-expert-chris-burgess/
217
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
