保护WordPress安装的10种方法

WordPress is one of the most dangerous pieces of web software you can install on your server. A hacker can cause real havoc accessing your WordPress administrator account. Believe me, I know from firsthand experience!While hackers or spammers can maliciously delete or change content, the worst ones won’t. They’re more likely to sneak a few links into your content, or place phishing sites deep within your file structure. You’ll only know your site’s been compromised when Google, PayPal, or a bank contacts you.Changing your password isn’t enough, either. The first thing a hacker will do is install a file-browsing plugin. This will enable them to upload systems that could create additional WordPress administrator accounts or place further phishing pages on your site.

WordPress是您可以在服务器上安装的最危险的Web软件之一。 黑客可能会对您的WordPress管理员帐户造成严重破坏。 相信我，我从第一手的经验中知道！尽管黑客或垃圾邮件发送者可以恶意删除或更改内容，但最糟糕的不会。 他们更有可能潜入您的内容中的一些链接，或将钓鱼网站放置在文件结构中。 仅当Google，PayPal或银行与您联系时，您才会知道自己的网站已受到入侵。更改密码也不够。 黑客要做的第一件事是安装文件浏览插件。 这将使他们能够上载可以创建其他WordPress管理员帐户或在您的网站上放置其他网络钓鱼页面的系统。

第一次安装？ (Installing for the first time?)

If you’re embarking on a new WordPress installation, there are several steps you can take that provide additional security from day one.1. Use strong MySQL database namesI’d recommend using a new database for every WordPress installation. Just because WordPress can install tables within an existing database, doesn’t mean you should!Strong IDs and passwords are essential: avoid naming your database “wordpress” with a user ID of “user” and a password of “password.” You’re only likely to set these once, so they can be as complex as you like. If you forget them, you can check the details in wp-config.php.Finally, remember to back up your database regularly. Automate the process so it’s impossible to forget.2. Set a custom table prefixBy default, WordPress uses a table prefix of wp_—for example, wp_posts, wp_users, and so on. Change the prefix so that it becomes more difficult to run SQL injection queries and similar attacks.

如果您要进行新的WordPress安装，则可以从第一天开始采取几个步骤来提供额外的安全性。 1.使用强MySQL数据库名称我建议每次WordPress安装都使用一个新数据库。 仅仅因为WordPress可以在现有数据库中安装表，并不意味着您应该这样做！强大的ID和密码至关重要：请避免使用用户ID为“ user”和密码为“ password”来命名数据库“ wordpress”。 您只需设置一次即可，因此它们可以随您的喜好复杂。 如果忘记了它们，可以在wp-config.php查看详细信息。最后，请记住定期备份数据库。 自动化过程，因此无法忘记。 2.设置自定义表前缀默认情况下，WordPress使用表前缀wp_例如wp_posts ， wp_users等。 更改前缀，使运行SQL注入查询和类似攻击变得更加困难。

安装后的安全性 (Post-installation Security)

You can add further security walls following a successful installation.3. Lock down wp-config.phpAs mentioned, wp-config.php contains vital information about your installation and only you should have access. The following entry in your root’s .htaccess file should prevent unauthorized copying:

成功安装后，您可以添加更多的安全墙。 3.锁定wp-config.php如前所述， wp-config.php包含有关安装的重要信息，只有您有权访问。 根目录的.htaccess文件中的以下条目应防止未经授权的复制：

<files wp-config.php>	order deny,allow	deny from all</files>

4. Avoid using the default “admin” IDPrior to version 3, WordPress set the ID of the first administrator account to “admin.” The version 3 installer gives you the option to change it, but I suspect many who updated from earlier editions never did.If a hacker knows your ID is “admin,” all they have to do is guess the password. It’s easy to define a new administrator account and then delete “admin” from the Users section. Remember to use a strong password too.5. Restrict access to your IP addressIf you only have a few WordPress users accessing the administration panels, you can restrict access to those IP addresses. If you’re using Apache, create an .htaccess file in wp-admin with the following code:

4.避免使用默认的“ admin” ID在版本3之前，WordPress将第一个管理员帐户的ID设置为“ admin”。 版本3安装程序为您提供了更改它的选项，但是我怀疑许多从早期版本进行更新的人从未使用过。如果黑客知道您的ID为“ admin”，那么他们所要做的就是猜测密码。 定义新的管理员帐户，然后从“用户”部分删除“ admin”很容易。 记住也要使用强密码。 5.限制对IP地址的访问如果只有几个WordPress用户访问管理面板，则可以限制对这些IP地址的访问。 如果您使用的是Apache，请使用以下代码在wp-admin创建一个.htaccess文件：

order deny, allowallow from 1.2.3.4 # user 1 IPallow from 5.6.7.8 # user 2 IP, etcdeny from all

Similar conditions can be configured for IIS.Note that you can’t use this method if you have a dynamic IP address; however, you could implement an extra level of basic server password authentication if necessary.6. Remove WordPress references from your themeA hacker will only try to hack WordPress if they know you’re using it. You can remove all references to the CMS and its version number within the theme files; for example, most header.php files contain code such as:

可以为IIS配置类似的条件。请注意，如果您具有动态IP地址，则不能使用此方法。 但是，如果需要，您可以实现更高级别的基本服务器密码身份验证。 6.从主题中删除WordPress参考黑客只有在知道您正在使用WordPress的情况下，才会尝试破解WordPress。 您可以在主题文件中删除对CMS及其版本号的所有引用； 例如，大多数header.php文件包含以下代码：

<meta name="generator" content="WordPress" />

Removing these references will fail to stop a hardened hacker, but it will make it less obvious to script kiddies.7. Update regularlyIf you’re still using WordPress 1.5, perhaps it’s time for an upgrade. Newer versions fix many of the publicized exploits and, by using the latest edition, you know hackers have had less time to hone their skills.8. Install good security plugins …The WordPress site has a collection of security plugins with useful descriptions and reviews from other users. The WP Security Scan plugin scans your WordPress installation for vulnerabilities and suggests security fixes.9. … but be careful what you installThe Web is awash with great and not-so-great free WordPress plugins and themes. Any of them could contain malicious code, handing over the driving keys to your installation. Be careful and, where possible, test code locally before deploying it to your live server.

删除这些引用将无法阻止顽固的黑客，但是这会使编写小子脚本变得不那么明显。 7.定期更新如果您仍在使用WordPress 1.5，也许是时候进行升级了。 较新的版本修复了许多已公开的漏洞，并且通过使用最新版本，您知道黑客花了更少的时间来磨练他们的技能。 8.安装良好的安全性插件… WordPress网站上有一系列安全性插件，其中包含有用的描述和其他用户的评论。 WP Security Scan插件会扫描您的WordPress安装中的漏洞，并提出安全修复建议。 9.…但是要小心安装 。大量而不是那么免费的WordPress插件和主题充斥着网络。 它们中的任何一个都可能包含恶意代码，从而将驱动密钥移交给您的安装。 在将代码部署到活动服务器之前，请小心并在可能的情况下在本地测试代码。

10.我被黑了！ 我该怎么办？ (10. I’ve been hacked! What do I do?)

If you’ve received an email alerting you to phishing content on your site, I’d recommend the following course of action:

如果您收到一封电子邮件，警告您网站上的网络钓鱼内容，则建议您采取以下措施：

1. Change all your site passwords, such as FTP, cPanel, SSH, and so on.
   更改所有站点密码，例如FTP，cPanel，SSH等。
2. If you have no recent database backup, export your articles to a WordPress XML file. Double-check it for any PHP code or unexpected content.
   如果您最近没有数据库备份，请将文章导出到WordPress XML文件。 仔细检查是否有任何PHP代码或意外内容。
3. Make a note of any plugins or settings you’re using.
   记下您正在使用的所有插件或设置。
4. If absolutely necessary, download resource files such as images or videos, but check each one to ensure it’s what you expect.
   如果绝对必要，请下载资源文件，例如图像或视频，但请检查每个文件以确保它符合您的期望。
5. Wipe your files and database from your website. That’s all of them—not just the WordPress folders.
   从您的网站上清除文件和数据库。 仅此而已-不只是WordPress文件夹。
6. Return to the top of this page and do a fresh reinstallation.
   返回此页面的顶部，然后重新安装。

I bet you wish you’d secured WordPress earlier!Do you have any tips for improving WordPress security? Do you have any hacker scare stories?

我敢打赌，希望您早日获得WordPress的安全！您是否有任何提高WordPress安全性的技巧？ 您是否有黑客惊恐故事？

note:Want more? 注意：需要更多吗？

If you want to read more from Craig, subscribe to our weekly tech geek newsletter, Tech Times.

如果您想了解Craig的更多信息，请订阅我们的每周技术新闻通讯Tech Times 。

翻译自: https://www.sitepoint.com/10-wordpress-security-tips/