WordPress安全提示

保持最新 (Keep Up to Date)

The first and the most basic measure to secure your WordPress installation is to keep it updated to the latest release. This helps patch security vulnerabilities. The process of updating WordPress is easy and fast.

确保您的WordPress安装安全的第一项也是最基本的措施是将其更新为最新版本。 这有助于修补安全漏洞。 更新WordPress的过程既简单又快速。

With the release of every new version of WordPress, the security bug fixing information becomes public. The WordPress dashboard is upgraded automatically or a manual upgrade can be achieved by overwriting the old files with newly downloaded files from the website. Obsolete older versions of WordPress do not have access to security patches. You don’t want to miss the advanced features and functionality.

随着WordPress的每个新版本的发布，安全漏洞修复信息已公开。 WordPress仪表板会自动升级，或者可以通过用网站上新下载的文件覆盖旧文件来实现手动升级。 WordPress的过时较旧版本无法访问安全补丁。 您不想错过高级功能。

The same is true for plugins. Whenever there is a new version of a plugin available, make sure you update. If you are not using any of the plugins installed, it’s better to remove them from the dashboard.

插件也是如此。 每当有新版本的插件可用时，请确保进行更新。 如果您没有使用任何已安装的插件，最好将其从仪表板上删除。

自定义您的登录名 (Customize Your Login)

The default username for WordPress installation is always ‘admin’. If you don’t change the username, you are giving hackers a head start – they only have to crack your password to get access to your dashboard. You can use the following steps to make a new username:

WordPress安装的默认用户名始终为“ admin”。 如果您不更改用户名，则可以让黑客抢先一步–他们只需破解密码即可访问仪表板。 您可以使用以下步骤创建新的用户名：

1. Login with your admin username first. When you are inside the WordPress dashboard, click on Users > Add New.
   首先使用您的管理员用户名登录。 当您位于WordPress仪表板中时，单击“用户”>“添加新的”。
2. Type in a new name and give it full administrative access.
   输入一个新名称，并赋予其完全的管理访问权限。
3. Log out and then log in with the newly created Administrative account.
   注销，然后使用新创建的管理帐户登录。
4. Make sure that all earlier posts and pages are given authorship to the new account. This is to make sure all your posts and pages don’t get deleted when you delete your Admin account and they are just transferred to another username.
   确保所有以前的帖子和页面均被授予新帐户的作者权限。 这是为了确保删除您的管理员帐户时不会删除您所有的帖子和页面，而只是将它们转移到另一个用户名。
5. Delete the original admin account.
   删除原始管理员帐户。

It is recommended to use a different username to make new posts and pages, with Author status. Use your Administrative account when you need to update WordPress and plugins.

建议使用其他用户名创建具有作者状态的新帖子和页面。 当您需要更新WordPress和插件时，请使用您的管理帐户。

The password you set needs to be a complex one, a mix of letters, numerals and symbols. Using a strong password is essential on all entry points to secure your website fully.

您设置的密码必须是复杂的密码，必须由字母，数字和符号组成。 在所有入口点都必须使用强密码，以完全保护您的网站。

隐藏WordPress版本 (Hide the WordPress Version)

Outdated versions of WordPress are easier to hack and knowing the version number presents an incentive for hackers. Even if you are using an older version of WordPress for some reason, you don’t have to advertise that fact.

WordPress的过时版本更容易被黑客入侵，并且知道版本号会给黑客带来诱因。 即使出于某种原因使用了旧版本的WordPress，也不必宣传这一事实。

The WordPress version is by default displayed on the blog and is visible to the public eye. There are plugins available which remove the WordPress version from your source code. One such plugin is Sucuri Security, another is Secure WordPress, both available in the WordPress plugins repository. Keep the hackers guessing!

默认情况下，WordPress版本显示在博客上，并且对公众可见。 有可用的插件可以从您的源代码中删除WordPress版本。 一个这样的插件是Sucuri Security ，另一个是Secure WordPress ，都可以在WordPress插件存储库中使用。 让黑客猜测！

If you prefer to keep the use of plugins to a minimum, you can include a line of code in the functions.php file to prevent the WordPress version from getting displayed:

如果您希望尽量减少使用插件，则可以在functions.php文件中包含一行代码，以防止显示WordPress版本：

/* Remove WordPress version number */
function nm_remove_wp_version() {
return '';
}
add_filter('the_generator', 'nm_remove_wp_version');

The above code ensures complete removal of the WordPress version number from everywhere, be it your header file or RSS Feeds.

上面的代码可确保从任何地方完全删除WordPress版本号，无论是您的头文件还是RSS Feed。

限制文件权限 (Restrict File Permissions)

File permissions should be restricted to prevent breach of security of your site. The file permissions should be set to the bare minimum.

文件权限应加以限制，以防止破坏您网站的安全性。 文件权限应设置为最低限度。

Setting the CHMOD value to 755 for folders means only the owner has write permissions and others will have read and execute permissions. Setting the CHMOD value to 644 for files means the owners have the read and write permissions and others can only read the files.

将文件夹的CHMOD值设置为755意味着只有所有者才具有写权限，其他人将具有读和执行权限。 将文件的CHMOD值设置为644意味着所有者拥有读取和写入权限，而其他人只能读取文件。

后备 (Backup)

You should keep backups of all important files. Keeping a backup of WordPress data and files can play a crucial role in times of emergency. Backups can put an end to a lot of your troubles and set your mind at peace.

您应该保留所有重要文件的备份。 在紧急情况下，保留WordPress数据和文件的备份可以发挥至关重要的作用。 备份可以消除许多麻烦，使您安心。

WP-DB Manager is a good option for backing up the whole of a WordPress website. Online backup options are also a good choice. Maintaining regular backup would ensure that your website is restored within the minimum possible time just in case it gets compromised. WordPress Database Backup is another plugin and can be used as a good option. It allows you to save the database to the server or download it on to your computer. You can also email the backup on your chosen email id. You can schedule the backup hourly, daily or weekly.

WP-DB Manager是备份整个WordPress网站的一个不错的选择。 联机备份选项也是一个不错的选择。 维护常规备份将确保您的网站在最短的时间内被恢复，以防万一它受到威胁。 WordPress数据库备份是另一个插件，可以用作一个不错的选择。 它允许您将数据库保存到服务器或将其下载到计算机上。 您也可以通过选择的电子邮件ID通过电子邮件发送备份。 您可以每小时，每天或每周安排备份。

限制对插件的访问 (Restrict Access to Your Plugins)

You should definitely restrict or simply deny access to your WordPress plugins directory. A visit to www.your-domain.com/wp-content/plugins/ reveals all the plugins that have been used in the website. These plugins might contain vulnerabilities, which might put the site’s security at risk and attract hackers.

您绝对应该限制或仅拒绝对WordPress插件目录的访问。 访问www.your-domain.com/wp-content/plugins/ ，可以看到该网站中已使用的所有插件。 这些插件可能包含漏洞，可能使站点的安全受到威胁并吸引黑客。

To deny access to the directories, the easiest way is to use a .htaccess file or just upload a blank index.html file to that directory. If the index.php or index.html files are not present in the particular directory, you must also add the following line at the start in your .htaccess file in the root folder:

要拒绝对目录的访问，最简单的方法是使用.htaccess文件或仅将空白的index.html文件上传到该目录。 如果特定目录中不存在index.php或index.html文件，则还必须在根文件夹的.htaccess文件的开头添加以下行：

Options –Indexes

Options –Indexes

This will prevent the public accessing your files in the directories.

这样可以防止公众访问您目录中的文件。

更改数据库表前缀 (Change Database Table Prefixes)

When you first install WordPress using the default values and options, WordPress tables use table prefixes like Wp_. As hackers can exploit this feature, it is recommended to change the default table prefix Wp_ to something else. To change the database table prefixes after install, you can use WP Secure Scan plugin. If you use another plugin named Change DB Prefix plugin, it can rename table prefix to another string.

首次使用默认值和选项安装WordPress时，WordPress表使用表前缀，如Wp_ 。 由于黑客可以利用此功能，因此建议将默认表前缀Wp_为其他名称。 要在安装后更改数据库表前缀，可以使用WP Secure Scan插件。 如果您使用另一个名为Change DB Prefix插件的插件，则可以将表前缀重命名为另一个字符串。

更改默认密钥 (Change Default Secret Keys)

When you first install WordPress, there are four secret keys written in your wp-config.php file. Go here and copy all the six keys and use them to replace the four keys present in wp-config.php file. These are the random keys generated by WordPress and are changed every time you refresh the page. This helps making your passwords more secure and if anybody is logged into WordPress at that time, they will be logged out of the dashboard immediately as the cookies become invalid.

首次安装WordPress时， wp-config.php文件中有四个秘密密钥。 转到此处 ，复制所有六个键，然后使用它们替换wp-config.php文件中存在的四个键。 这些是WordPress生成的随机密钥，每次刷新页面时都会更改。 这有助于使您的密码更安全，并且如果当时有人登录WordPress，则当cookie无效时，它们将立即从仪表板中注销。

保护您的登录页面 (Secure Your Login Page)

Your WordPress login page is accessible to the world and you must secure it so that nobody could gain access to the installation. Error messages on login pages can give clues to hackers.

您的WordPress登录页面可以被全世界访问，您必须保护它的安全，以便没有人可以访问安装。 登录页面上的错误消息可以为黑客提供线索。

To remove error messages on the login page, add the following line of code in your theme functions.php file:

要删除登录页面上的错误消息，请在主题functions.php文件中添加以下代码行：

add_filter('login_errors',create_function('$a', "return null;"));

This will remove the error message displayed above the username and password box.

这将删除用户名和密码框上方显示的错误消息。

You can use plugins such as Google Authenticator and Login Dongle for an extra layer of security. Google Authenticator is a great plugin that adds a two-step verification to your WordPress blog, as the name suggests – similar to Google Account security. Enter a password and a code sent your mobile phone.  Login Dongle plugin generates a bookmarklet with a secret question.

您可以使用Google Authenticator和Login Dongle之类的插件来增强安全性。 顾名思义， Google Authenticator是一个很棒的插件，可为您的WordPress博客添加两步验证，类似于Google帐户安全性。 输入密码，并向您的手机发送验证码。 登录加密狗插件会生成一个带有秘密问题的书签。

保护您的设备 (Secure Your Device)

Make sure your workstation, PC, mobile, tablet or alternate device is fully secure and automatically updated. The antivirus software and the operating systems should also be updated to the latest release. Set secure passwords for all authentication vectors. These passwords should be complex and should also be changed frequently.

确保您的工作站，PC，移动设备，平板电脑或备用设备是完全安全的并已自动更新。 防病毒软件和操作系统也应更新为最新版本。 为所有身份验证向量设置安全密码。 这些密码应该很复杂，还应该经常更改。

The PCs and servers should be equipped with the latest and the best anti-virus software and be secure from all malware threats. This should include periodic cleaning of harmful bugs. Firewalls should be installed at every level: operating system level, router level and even Internet service protocol level. This should ensure that all the PCs and web servers of your work station are secure.

PC和服务器应配备最新，最好的防病毒软件，并应防范所有恶意软件的威胁。 这应该包括定期清除有害错误。 防火墙应安装在每个级别：操作系统级别，路由器级别甚至Internet服务协议级别。 这应该确保工作站的所有PC和Web服务器都是安全的。

不要分享您的登录信息 (Don’t Share Your Login)

Just like any other secured networks or accounts, you should be careful not to share the username or password with anybody you don’t fully trust. Even in the worst case scenario where you have hired a webmaster to manage your website, ensure you do not share your username or password. You can create separate accounts for them with customized permissions.

就像任何其他安全网络或帐户一样，您应注意不要与您不完全信任的任何人共享用户名或密码。 即使在最坏的情况下，您雇用了网站管理员来管理您的网站，也请确保不要共享用户名或密码。 您可以使用自定义权限为其创建单独的帐户。

保护您的内容 (Secure Your Content)

While uploading content to the website, ensure that the content itself is authentic and is downloaded from safe/reliable sources. Even when you are uploading a script, you need to be cautious as there can be malwares intentionally designed to harm your website.

在将内容上传到网站时，请确保内容本身是真实的，并且是从安全/可靠的来源下载的。 即使您正在上传脚本，也需要谨慎，因为可能有意设计用于损害您的网站的恶意软件。

This is not intended to be an exhaustive list of all possible ways of securing your WordPress installation, but it does give you a handy list of WordPress security issues to consider and ways of addressing them, whether by the use of purpose-specific plugins or simple actions you can take.

这并不是要详尽地列出所有确保WordPress安装安全的方法，但是它确实为您提供了方便的WordPress安全问题列表，以供您考虑以及解决这些问题的方法，无论是使用特定目的的插件还是简单的插件都可以。您可以采取的行动。

Feel free to add more methods in the comments below.

随时在下面的评论中添加更多方法。

翻译自: https://www.sitepoint.com/wordpress-security/