wordpress汉化技巧
Keeping WordPress secure is important in order to ensure that your site isn’t compromised. Uptime is maximized, your data is safe, and your site runs as quickly and reliably as possible.
为了确保您的网站不受损害,确保WordPress安全非常重要。 正常运行时间被最大化,您的数据是安全的,并且您的站点尽可能快而可靠地运行。
Today we’ll look at 10 ways to help improve and maintain your WordPress site’s security, starting with the simplest and working through to some more advanced tips to help you secure WordPress.
今天,我们将从10个最简单的方法开始,以帮助您提高WordPress网站安全性的10种方法,逐步介绍一些更高级的技巧来帮助您保护WordPress。
用户安全 (User Security)
A key area that attackers will attempt to access is the WordPress administration interface. If a malicious user is able to login as an admin, they’ll be free to do whatever they like to your site.
攻击者尝试访问的一个关键区域是WordPress管理界面。 如果恶意用户能够以管理员身份登录,他们将可以自由地对您的网站执行任何操作。
Some will attempt to login using a brute force attack, by setting up a botnet (many computers which the attacker controls) to repetitively attempting to login to your site, using different username and password combinations.
通过设置僵尸网络(攻击者控制的许多计算机)以使用不同的用户名和密码组合重复尝试登录到您的站点,某些人将尝试使用蛮力攻击进行登录。
Here are some changes that you can make to help secure the WordPress admin interface:
您可以进行以下更改来帮助保护WordPress管理界面:
1.使用唯一,安全的用户名和密码 (1. Use a Unique, Secure Username and Password)
Avoid using the default admin username. While you’re able to choose your own username when setting up a new WordPress site, if you’re on an older installation (which you should really upgrade – we’ll cover that later), or you’ve already set your username to admin, you can use a WordPress Plugin such as Username Changer to change your username to something more secure. You can also create a new user with admin rights and remove the old ‘admin’ username.
避免使用默认的管理员用户名。 虽然您可以在设置新的WordPress网站时选择自己的用户名,但如果您使用的是较旧的安装(您应该进行真正的升级-我们稍后会介绍),或者您已经将用户名设置为admin ,您可以使用WordPress插件(例如Username Changer)将您的用户名更改为更安全的名称。 您还可以创建一个具有管理员权限的新用户,并删除旧的“ admin”用户名。
Try to avoid common usernames such as administrator, your website’s name or your name.
尽量避免使用常见的用户名,例如管理员 ,您的网站名称或名称。
For passwords, it’s important to choose a complex password comprised of letters, numbers and characters. Don’t choose a password that’s similar to your username, website name or a simple word with a few changes. Avoid dictionary words, and preferably use a random string of characters. A good password management tool will help you securely generate, store and use these complex passwords.
对于密码,选择由字母,数字和字符组成的复杂密码很重要。 不要选择与您的用户名,网站名称或经过简单更改的简单单词相似的密码。 避免使用字典单词,最好使用随机的字符串。 一个好的密码管理工具将帮助您安全地生成,存储和使用这些复杂的密码。
Alternatively, an easy way to remember a password, whilst maintaining sufficient complexity, is to use a phonetic password generator (such as this one).
或者,在保持足够复杂性的同时记住密码的一种简单方法是使用语音密码生成器(例如该密码生成器)。
2.使用两因素身份验证 (2. Use Two-factor Authentication)
Two-factor authentication (known as 2FA, or sometimes 2-step verification) requires a user to login with not just their username and password, but also a unique code that’s generated for one-time-use and sent to a device (typically a smartphone) via SMS or an iOS/Android app.
两因素身份验证(称为2FA验证,有时也称为两步验证)要求用户不仅使用其用户名和密码登录,而且还需要生成用于一次性使用并发送到设备的唯一代码(通常是智能手机)通过短信或iOS / Android应用。
We’ve covered how to setup 2FA in our Google Authenticator tutorial.
我们已经在Google Authenticator教程中介绍了如何设置2FA。
3.确认用户是人类 (3. Verify the User Is Human)
reCAPTCHA forms, which ask the user to input what they see in an image as text, are a useful way to stop botnets from attempting to brute force login to your WordPress site. Botnets typically can’t automate this part of the login process, therefore it helps prevent them from accessing your site.
reCAPTCHA表单要求用户输入他们在图像中看到的文本形式,这是阻止僵尸网络尝试强行登录WordPress网站的一种有用方法。 僵尸网络通常无法自动执行登录过程的这一部分,因此有助于防止僵尸网络访问您的网站。
We’ve covered how to implement ‘No CAPTCHA reCAPTCHA’ as part of your WordPress login process here.
在此,我们已经介绍了如何在您的WordPress登录过程中实现“ No CAPTCHA reCAPTCHA” 。
4.密码保护wp-login.php (4. Password Protecting wp-login.php)
If you’re a more advanced WordPress user or developer, and you’re comfortable with some server-side changes, you can require a server-side login before the WordPress login screen is displayed.
如果您是更高级的WordPress用户或开发人员,并且对某些服务器端更改感到满意,则可以要求服务器端登录,然后显示WordPress登录屏幕。
This provides another layer of security, and we’ve covered how you can do this in our Preventing Brute Force attacks against WordPress websites article.
这提供了另一层安全性,我们在《 防止对WordPress网站的暴力攻击》一文中介绍了如何实现此目的。
代码安全 (Code Security)
Whether you’re developing your own theme or plugin for your site, or using something from a third-party, it’s important that the code used is secure, and doesn’t open the door to potential attacks.
无论您是为站点开发自己的主题或插件,还是使用第三方提供的内容,重要的是所使用的代码安全且不会打开潜在的攻击之门。
Insecure code, and not following best practices, may result in attackers being able to gain control of some or all of your WordPress site.
不安全的代码,没有遵循最佳实践,可能会导致攻击者能够控制您的部分或全部WordPress网站。
There are a few ways we can help ensure code integrity and security:
我们可以通过以下几种方式来确保代码完整性和安全性:
5.保持WordPress更新 (5. Keep WordPress Updated)
Since WordPress 3.7, minor releases – which cover security and maintenance – are automatically applies. However, you can also extend this to automatically install major WordPress releases, by adding the following to your site’s wp-config.php file:
从WordPress 3.7开始,适用于安全性和维护性的次要版本会自动应用。 但是,您还可以通过将以下内容添加到您站点的wp-config.php文件中,将其扩展为自动安装主要的WordPress版本:
define( 'WP_AUTO_UPDATE_CORE', true );Whilst this may seem like a good idea, it may result in incompatibility between the newly installed version of WordPress and your existing themes and/or plugins. It’s always a good idea to maintain a testing environment for this sort of thing.
虽然这似乎是个好主意,但可能会导致新安装的WordPress版本与您现有的主题和/或插件之间不兼容。 维护此类环境的测试环境总是一个好主意。
There are third party tools which can connect to your WordPress website and let you manage all of your WordPress installations from a single, unified interface. Best of all, you can perform one-click installs of WordPress, theme and plugin updates:
有第三方工具可以连接到您的WordPress网站,并允许您从一个统一的界面管理所有WordPress安装。 最重要的是,您可以一键安装WordPress,主题和插件更新:
iThemes Sync (free for up to 10 sites)
iThemes Sync (最多10个站点免费)
ManageWP (free for up to 5 sites)
ManageWP (最多5个站点免费)
For further reading, we’ve published articles on how to keep your WordPress website up to date:
为了进一步阅读,我们发布了有关如何使您的WordPress网站保持最新状态的文章:
6.明智地选择主题和插件 (6. Choose Your Theme and Plugins Wisely)
It’s important to choose themes and plugins that are actively maintained and regularly updated. Whilst this isn’t a guarantee of security, it should mean that if there are security vulnerabilities found in a theme or plugin, it’ll be addressed and updated quickly.
选择积极维护并定期更新的主题和插件很重要。 尽管这不是安全性的保证,但应意味着,如果在主题或插件中发现了安全漏洞,将可以对其进行快速解决和更新。
Also check the detailed descriptions of plugins, as some will be audited by third parties (such as Sucuri) for security, which can help give you peace of mind.
还请检查插件的详细说明,因为其中的一些插件将由第三方(例如Sucuri)审核以确保安全性,这可以使您高枕无忧。
7.开发主题和插件 (7. Developing Themes and Plugins)
Whether you’re new to WordPress development, or have been working with WordPress for some time developing themes and/or plugins, it’s important to follow key WordPress security best practices.
无论您是刚接触WordPress开发人员,还是已经与WordPress合作开发主题和/或插件已有一段时间,遵循重要的WordPress安全最佳实践都是很重要的。
From sanitizing data, using nonces and adhering to WordPress Roles and Capabilities, it’s important to keep up-to-date with WordPress development best practices:
从清理数据,使用随机数到WordPress角色和功能,坚持最新的WordPress开发最佳做法很重要:
托管安全 (Hosting Security)
With your WordPress installation more secure due to improving user authentication and the quality of our code, it’s also important to ensure you have well supported, secure, hosting.
由于改进了用户身份验证和我们的代码质量,随着WordPress安装的安全性提高,确保您得到良好的支持,安全的托管也很重要。
8.使用托管主机 (8. Use Managed Hosting)
There are several companies now offering Managed WordPress hosting, such as WP Engine, SiteGround and Media Temple. Whilst you’ll typically pay a premium over more traditional shared or unmanaged hosting, a managed host will help keep your site secure.
现在有几家公司提供WordPress托管托管,例如WP Engine,SiteGround和Media Temple。 尽管您通常会比传统的共享或非托管主机支付更多费用,但托管主机将有助于确保您的网站安全。
For example, WP Engine will automatically update WordPress and key plugins, if there are known security vulnerabilities, as well as disable plugins known to cause performance and security issues. As with most managed WordPress hosts, they provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.
例如,如果存在已知的安全漏洞,WP Engine将自动更新WordPress和密钥插件,并禁用已知会导致性能和安全问题的插件。 与大多数托管WordPress主机一样,它们提供基于硬件的防火墙和配置,以确保分布式拒绝服务(DDoS)攻击不会使您的网站瘫痪。
Some users might find this approach intrusive, it does provide peace of mind and expertise to ensure your WordPress website remains functioning.
一些用户可能会发现这种方法具有侵入性,它确实提供了省心和专业知识,以确保您的WordPress网站保持正常运行。
9.确保文件和文件夹权限正确 (9. Ensure File and Folder Permissions Are Correct)
If you’re not using a managed web host, it’s important to ensure that WordPress files and folders have the correct ownership and permissions. Not only does this allow WordPress to keep itself updated, it also prevents attackers from exploiting poor file security and taking control of your site.
如果您不使用托管的Web主机,请务必确保WordPress文件和文件夹具有正确的所有权和权限。 这不仅可以使WordPress保持更新,还可以防止攻击者利用不良的文件安全性并控制您的网站。
As a basic guide, WordPress folders should always have 0755 permissions, and WordPress files should always have 0644 permissions – although this can vary from host to host.
作为基本指南,WordPress文件夹应始终具有0755权限,而WordPress文件应始终具有0644权限-尽管主机之间的权限可能有所不同。
If you’re getting errors when attempting to install plugins, or upload new media, don’t be tempted to set any folder permissions to 0777. Instead, work with your web host to ensure that PHP is run with the correct user, and that the folders are owned by the same user.
如果尝试安装插件或上载新媒体时遇到错误, 请不要将任何文件夹权限设置为0777 。 而是与您的Web主机一起使用,以确保PHP以正确的用户身份运行,并且文件夹由同一用户拥有。
If you’ve got shell access, you can run a few commands to ensure WordPress is secure:
如果您具有外壳程序访问权限,则可以运行一些命令以确保WordPress安全:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;If you know the user and group that should have ownership of the WordPress files and folders, use:
如果您知道应该拥有WordPress文件和文件夹所有权的用户和组,请使用:
sudo chown -R username:group /path/to/your/wordpress/install10.服务器端强化 (10. Server Side Hardening)
For advanced users managing their own web hosting, you can also:
对于管理自己的虚拟主机的高级用户,您还可以:
- Ensure your database user has access to SELECT, INSERT, UPDATE and DELETE privileges only 确保您的数据库用户只能访问SELECT,INSERT,UPDATE和DELETE特权
- Use strong database usernames and passwords 使用强大的数据库用户名和密码
Disallow server-side file editing within WordPress, by adding
define('DISALLOW_FILE_EDIT', true);to yourwp-config.phpfile通过添加
define('DISALLOW_FILE_EDIT', true);禁止在WordPress中进行服务器端文件编辑define('DISALLOW_FILE_EDIT', true);到您的wp-config.php文件
Some web hosts will be able to perform some of these actions for you – it’s always worth asking.
某些网络托管服务商将能够为您执行其中一些操作-总是值得您提出的问题。
For more information on WordPress and server hardening, check out the WordPress Codex documentation on Hardening WordPress.
有关WordPress和服务器强化的更多信息,请参阅强化WordPress上的WordPress Codex文档。
结论 (Conclusion)
In this article we’ve covered 10 tips for securing your WordPress website, ranging from basic user authentication through to coding practices and hosting setup. For more advanced users, we’ve touched on some of the advanced hardening techniques that can be used to ensure WordPress is as secure as possible.
在本文中,我们介绍了10个技巧来保护您的WordPress网站,从基本的用户身份验证到编码实践和托管设置,不一而足。 对于更高级的用户,我们介绍了一些高级强化技术,这些技术可用于确保WordPress尽可能安全。
Another option which is worth considering is the use of a security plugin such as WordFence or BulletProof Security. There are many to choose from, and they all have their advantages and disadvantages, so it’s best to do some research to find one which best suits your requirements. We’ve covered some of the more advanced options of security plugins here.
值得考虑的另一种选择是使用安全插件,例如WordFence或BulletProof Security。 有很多选择,并且它们都有其优点和缺点,因此最好进行一些研究以找到最适合您要求的一项。 我们在这里介绍了安全插件的一些更高级的选项 。
And, it always pays to remember that while prevention is better than cure, it only takes one small mistake to result in loss of data through a hacked WordPress installation. Therefore it’s vital to install a WordPress backup service, such as VaultPress and BackupBuddy, so that your website can be restored easily in case of attack or error. We cover the topic of backups, plus plenty more, in our Definitive Guide to WordPress Maintenance.
而且,总是值得记住的是,虽然预防胜于治疗,但只需一个小小的错误就可以通过被黑客入侵的WordPress安装导致数据丢失。 因此,至关重要的是安装WordPress备份服务,例如VaultPress和BackupBuddy,以便在遭受攻击或错误的情况下可以轻松地恢复您的网站。 在《 WordPress维护指南》中 ,我们讨论了备份主题以及更多内容。
wordpress汉化技巧
526
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
