WordPress attack ideas: How to Protect Your WordPress Site from the DDoS Onslaught

This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.

Distributed denial of service (DDoS) attacks are rapidly ramping in scale. They’ve been on the radar since at least 2000, and 2017 may be the year they become your biggest security concern. If you don’t have a DDoS strategy in place, it’s time to choose one.

Based on current trends, industry experts predict that this may be a crisis year. That’s reflected in recent headlines like these:

The more popular a platform is, the more likely it will become a target for attacks, and WordPress is the most popular platform on the internet. In a previous post we outlined 48 ways to keep your WordPress site secure. By all means keep your WordPress patched and updated, but that won’t protect you from the zombie hordes. You need a targeted DDoS solution you can trust.

How do DDoS attacks work? And what is the most effective way to guard your WordPress site?

The Rapid Growth of the DDoS Threat

DDoS attacks use your site’s bandwidth limitations against you. How many visitors can it handle at once? Too many, and it will become overwhelmed and unresponsive, just like when hundreds of customers walk into a physical shop at the same time. A DDoS attack simulates exactly that.

A DDoS attack is equivalent to hundreds of thousands of fake customers converging on a traditional shop at the same time. The shop quickly becomes overwhelmed. The genuine customers cannot get in and the shop is unable to trade as it cannot serve them. (Deloitte Predictions 2017)

For an online store or website, those fake visitors are often members of a botnet—a network of hundreds of thousands of compromised devices that are being controlled by a third party. Those devices may include:

  • older PCs running less secure, unpatched operating systems like Windows XP
  • compromised smartphones and other mobile, internet-connected devices
  • smart devices such as thermostats, TVs, refrigerators, cameras and even light bulbs—commonly referred to as IoT (“the internet of things”)
  • and fake IP addresses spoofed by compromised servers.

Combined, these devices can send gigabits of garbage data to your server each second, and right now the scale of the onslaught is exploding. Late last year The Hacker News site reported the first 1 Tbps DDoS attack powered by 150,000 hacked IoT devices, and Deloitte predicts there will be ten similar attacks this year.

Why is 2017 such a turning point? Several trends are converging to create the perfect storm:

  1. There are more IoT devices than ever, and they’re easy to incorporate into botnets.
  2. There is more bandwidth available than ever, and it can be used to spew junk data at your website.
  3. New DDoS strategies cause more damage with less bandwidth by hitting web applications, and there’s more of them than ever.
  4. Malware tools, like Mirai, are easier to use than ever, and DDoS-for-hire services are more accessible than ever, costing as little as $5.

DDoS-for-hire is going to ramp up. The IoT botnets, combined with an easy money-making opportunity, will bring more of this kind of thing in 2017. Sceptical? Well, there’s already a 400,000 strong IoT zombie army for rent, using the Mirai malware. (The Register)

How can you protect your site from a massive attack of unwanted visitors? Take a lesson from the nightclubs, and call in a bouncer. The key is to deal with the threat before it reaches your door.

The Best Defence Against DDoS Attacks

How do you stop the impact of a DDoS attack before it hits your site? Use a reverse proxy. Send all of your traffic to someone who can weed out any threats before they get in, and forward only genuine visitors to your site. Like a bouncer, they need to be bigger and stronger than you are. They need to be able to stand up to the attacker without being knocked over.

So choose a solution that uses:

  • a global network of high-powered servers that are able to dedicate more resources when an attack ramps up, ensuring that legitimate traffic can still get through; and
  • a WAF that can intelligently profile incoming traffic in real-time, ensuring all threats are blocked.

Where can you find such a solution? Incapsula can do all of that and more. You can use it on any website with its own domain, whether it uses WordPress or some other platform.

Incapsula enhances the security and performance of your WordPress site by blocking threats from incoming traffic and accelerating outgoing traffic to optimize your site’s load time. Its global network is able to thwart DDoS attacks of hundreds of thousands of gigabytes per second. And that protection won’t cost you any speed—in fact, its global CDN will actually make your site load even faster.

How to Protect Your Site with Incapsula

Setting up Incapsula isn’t hard—it’s normally just three steps, with no software to install. They take a few minutes to work through, and possibly a couple of days to come into effect.

1. Sign Up and Choose a Plan

Incapsula offer a range of plans, each starting with a free trial. To get a web application firewall, you need the $59/month Pro plan, and for full DDoS protection you need the $299/month Business plan. Once you choose the plan that makes sense for your site, you open an account and submit your credit card information.

2. Submit Your Domain URL

Incapsula will ask for the domain URL of the website you want to protect, and then provide you with instructions on how to make the changes needed for the next step. If your website supports secure HTTPS traffic, you’ll be led through a few additional steps to activate SSL support. SSL support is available for Pro, Business and Enterprise accounts.

The preferred option is to add your domain to one of Incapsula’s Globalsign shared certificates. This can be done either by email or DNS:

  • Email: You (the domain owner) will receive two emails from Globalsign. Reply to each with “yes” in the body of the email.
  • DNS: Create a TXT record with a provided string.

This will request approval for both the naked and the wildcard of the site’s domain, which simplifies the process. If you’d like to only approve the specific site name, you’ll need to send a support ticket. Read more on the Incapsula blog.

3. Change Your DNS Settings

Your DNS settings normally direct visitors directly to your website. You need to change them to direct traffic to Incapsula’s servers instead.

That involves making the following changes in your cPanel’s Advanced DNS Zone Editor:

  • Change your A record to point to Incapsula’s IP address
  • Add a second A record to point to another Incapsula IP address
  • Update (or create) a www CNAME record to also point to Incapsula.

The specific changes needed will be given to you, along with a link to a tutorial.

DNS changes may take 48 hours to propagate, but your website will stay live during the changeover. After that your website’s traffic will be routed through Incapsula’s network, and you’ll be protected from DDoS attacks.

Further Steps

Are there any other considerations when setting up Incapsula? Probably not, though some users found they had to also make sure their email wasn’t directed through Incapsula, otherwise it would time out. This may happen if you’re using your hosting provider’s email solution. If you’re using a third-party option like G Suite or Exchange, you shouldn’t have any problems.

Your email may end up in a black hole if your mail.domain.com record is a CNAME pointing back to domain.com (which is being redirected to Incapsula). Instead, change it to an A record pointing to the IP address of your hosting account.

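As an added example (not Incapsula's or SitePoint's code), the following Python script checks a simplified zone listing for the three DNS changes described in step 3 and for the mail-record pitfall just described; the proxy addresses, proxy hostname and hosting address it uses are constructed placeholders, not real provider values.

```python
"""Pre-cutover DNS check for the page's three record changes and the mail pitfall.
Added example, not Incapsula's or SitePoint's code; all addresses and the proxy
hostname are constructed placeholders (RFC 5737 ranges, .invalid TLD)."""

PROXY_IPS = {"192.0.2.10", "192.0.2.11"}    # constructed stand-ins for the proxy's two IPs
PROXY_CNAME = "proxy.example-cdn.invalid"   # constructed stand-in for the proxy hostname

def parse_zone(text):
    """Parse 'name TYPE value' lines (simplified zone layout) into (name, type, value)."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()    # drop comments and blank lines
        if line:
            name, rtype, value = line.split()
            records.append((name.rstrip("."), rtype.upper(), value.rstrip(".")))
    return records

def check_cutover(records, domain):
    """Return the problems found; an empty list means the zone matches the page's steps."""
    problems = []
    apex_a = {v for n, t, v in records if n == domain and t == "A"}
    # Steps 1 and 2: the apex must carry exactly the two proxy A records, nothing else.
    if apex_a != PROXY_IPS:
        problems.append(f"apex A records {sorted(apex_a)} should be {sorted(PROXY_IPS)}")
    # Step 3: www must be a CNAME to the proxy (or to the apex, which now resolves there).
    www = {(t, v) for n, t, v in records if n == f"www.{domain}"}
    if not any(t == "CNAME" and v in (PROXY_CNAME, domain) for t, v in www):
        problems.append("www must be a CNAME pointing at the proxy")
    # Further Steps: mail.<domain> must not resolve to the proxy (it carries no SMTP).
    for n, t, v in records:
        if n == f"mail.{domain}" and ((t == "CNAME" and v == domain) or v in PROXY_IPS):
            problems.append("mail record resolves to the proxy: use an A record to the hosting IP")
    return problems

# Constructed zones: the first is the pre-cutover state, the second the corrected one.
BAD_ZONE = """
example.com.       A      198.51.100.5    ; still points at the origin host
www.example.com.   CNAME  example.com.
mail.example.com.  CNAME  example.com.    ; will black-hole mail once the apex moves
"""
GOOD_ZONE = """
example.com.       A      192.0.2.10
example.com.       A      192.0.2.11
www.example.com.   CNAME  proxy.example-cdn.invalid.
mail.example.com.  A      198.51.100.5
"""
if __name__ == "__main__":
    for label, zone in (("before", BAD_ZONE), ("after", GOOD_ZONE)):
        print(label, check_cutover(parse_zone(zone), "example.com") or "OK")
```
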
Here are some screenshots of how I would make the changes from my SiteGround cPanel’s Advanced DNS Zone Editor. You’ll find more detailed instructions here.

Don’t Wait Until It’s Too Late

Until now, perhaps you haven’t given DDoS attacks a second thought. It’s time for that attitude to change.

Protecting your WordPress site from brute force attacks is not something you can do yourself. You need outside help—a solution that can deal with the threat before it reaches your site. Your hosting provider may offer a solution, and that’s worth looking into.

But if it’s just not an option for your site to be forced down, hire the best bouncer you can afford. Incapsula is a great choice. It’s easy to set up, copes with large attacks, and dynamically weeds out threats. With free trials of every plan, you have nothing to lose.

Translated from: https://www.sitepoint.com/secure-your-wordpress-site-from-the-growing-ddos-onslaught/
