10个简单的WordPress安全提示

This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.

本文是与SiteGround合作创建的系列文章的一部分。 感谢您支持使SitePoint成为可能的合作伙伴。

WordPress is not inherently insecure and the developers work hard to ensure breaches are patched quickly. Unfortunately, WordPress’s success has made it a target: if you can break just one WordPress installation, many millions of sites may be open to you. Even if WordPress is secure, not all themes and plugins are developed with the same level of care.

WordPress并非天生就没有安全感，开发人员会努力确保漏洞得到快速修补。 不幸的是，WordPress的成功使它成为了目标：如果您只能破坏一个WordPress安装，那么可能有数百万个网站向您开放。 即使WordPress是安全的，也并非所有主题和插件都经过相同级别的开发。

Some will attack WordPress for the challenge or to cause malicious damage. Those are easy to spot. The worst culprits sneak links into your content, place phishing sites deep within your folder structure, or use your server to send spam. Once your installation is cracked, it may be necessary to delete everything and reinstall from scratch.

有些人会攻击WordPress以应对挑战或造成恶意破坏。 这些很容易发现。 最糟糕的罪魁祸首是潜入您的内容的链接，将钓鱼网站放置在文件夹结构的深处或使用服务器发送垃圾邮件。 安装破解后，可能有必要删除所有内容并从头开始重新安装。

Fortunately, there is a range of simple options to improve security. None of the following security fixes should take longer than a few minutes.

幸运的是，有一系列简单的选项可以提高安全性。 以下安全修复程序都不会花费超过几分钟的时间。

1.切换到HTTPS (1. Switch to HTTPS)

HTTPS prevents man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. Ideally, you should activate HTTPS before installing WordPress but it’s possible to update WordPress settings if you add it later.

HTTPS可以防止第三方侦听或修改客户端与服务器之间的通信的中间人攻击 。 理想情况下，您应该在安装WordPress之前激活HTTPS，但是如果稍后添加它，则可以更新WordPress设置。

HTTPS can also boost your Google PageRank. Hosts such as SiteGround offer free SSL certificates and you can receive up to 65% off their hosting plans.

HTTPS还可以增强您的Google PageRank。 诸如SiteGround之类的主机提供免费的SSL证书，您可以享受最多65％的托管计划优惠 。

2.限制MySQL连接地址 (2. Limit MySQL Connection Addresses)

Ensure your MySQL databases rejects connections from people and systems outside to your local server. Most managed web hosts do this by default but those using a dedicated server can add the following line to the [mysqld] section of the MySQL my.cnf configuration file:

确保您MySQL数据库拒绝来自外部人员和系统到本地服务器的连接。 默认情况下，大多数托管的Web主机都会执行此操作，但是使用专用服务器的Web主机可以[mysqld]下行添加到MySQL my.cnf配置文件的[mysqld]部分：

bind-address = 127.0.0.1

3.使用强大的数据库凭证 (3. Use Strong Database Credentials)

Use a strong, randomly-generated database user ID and password when you create your MySQL database prior to a WordPress installation. The credentials are used once during WordPress installation to connect to the database — you don’t need to remember them. You should also enter a table prefix different to the default of wp_.

在安装WordPress之前创建MySQL数据库时，请使用随机生成的强大数据库用户ID和密码。 这些凭据在WordPress安装期间仅使用一次即可连接到数据库-您无需记住它们。 您还应该输入与默认wp_不同的表前缀。

The user ID and password can be changed after installation but remember to update the WordPress wp-config.php configuration file accordingly.

安装后可以更改用户ID和密码，但请记住要相应地更新WordPress wp-config.php配置文件。

4.使用强大的管理员帐户凭据 (4. Use Strong Administrator Account Credentials)

Similarly, use a strong ID and password for the administrator account created during installation. Anyone using the ID admin and password password deserves to be hacked. Consider creating another account with fewer privileges for daily editing tasks.

同样，对安装期间创建的管理员帐户使用强ID和密码。 使用ID admin和password 密码的任何人都应该被黑客入侵。 考虑为日常编辑任务创建具有较少特权的另一个帐户。

5.移动或保护wp-config.php (5. Move or Secure wp-config.php)

wp-config.php contains your database access credentials and other useful information for someone intent on breaking into your system. Most people keep it in the main WordPress folder but it can be moved to the folder above. In many cases, that folder will be outside the web server root and inaccessible to HTTP requests.

wp-config.php包含您的数据库访问凭据和其他有用的信息，以供打算侵入系统的人员使用。 大多数人将其保存在WordPress主文件夹中，但可以将其移动到上面的文件夹中。 在许多情况下，该文件夹将位于Web服务器根目录之外，并且无法访问HTTP请求。

Alternatively, you can secure it by configuring your web server such as an Apache .htaccess file:

另外，您可以通过配置Web服务器(例如Apache .htaccess文件)来保护它：

order allow,deny
deny from all

6.授予用户尽可能低的角色 (6. Grant Users the Lowest Role Possible)

Users are the weakest point of any system — especially when they can choose their own weak passwords and happily pass credentials to anyone who asks! Few need administrative access. WordPress offers a range of roles and capabilities. In most cases, users should either be:

用户是任何系统中最薄弱的环节-尤其是当他们可以选择自己的弱密码并愉快地将凭据传递给提出要求的任何人时！ 很少需要管理访问权限。 WordPress提供了一系列角色和功能 。 在大多数情况下，用户应为：

• an Editor: someone who can publish and manage their own and other people’s posts

  编辑者 ：可以发布和管理自己和其他人的帖子的人

• an Author: someone who can publish and manage their own posts, or

  作者 ：可以发布和管理自己的帖子的人，或者

• a Contributor: someone who can write and manage their own posts but cannot publish them.

  贡献者 ：可以撰写和管理自己的帖子但不能发布的人。

None of these roles can configure WordPress or install plugins.

这些角色均无法配置WordPress或安装插件。

7.通过IP地址限制访问 (7. Restrict Access by IP Address)

If you have a few editors with static IP addresses, you can restrict access by adding another .htaccess file to the wp-admin folder:

如果您有一些具有静态IP地址的编辑器，则可以通过将另一个.htaccess文件添加到wp-admin文件夹来限制访问：

order deny, allow
allow from 1.2.3.4 # user 1 IP
allow from 5.6.7.8 # user 2 IP, etc
deny from all

8.隐藏WordPress版本号 (8. Hide the WordPress Version Number)

Some versions of WordPress have known vulnerabilities. It’s easy for anyone to discover which edition you’re using because it’s shown in the HTML <head> of every page. Remove that information by adding the following line to your theme’s functions.php file:

某些版本的WordPress已知漏洞。 任何人都很容易发现您使用的是哪个版本，因为它显示在每个页面HTML <head>中。 通过将以下行添加到主题的functions.php文件中，删除该信息：

remove_action('wp_head', 'wp_generator');

9.明智地选择第三方插件和主题 (9. Choose Third-Party Plugins and Themes Wisely)

WordPress plugins and themes have power users can only dream of! A poor plugin can affect performance, leak private data or grant another method of access. Avoid installing code unless it’s absolutely essential. Verify a plugin’s authenticity and test on a local server before proceeding with live installation.

WordPress插件和主题具有高级用户只能梦想的功能！ 劣质的插件可能会影响性能，泄漏私有数据或授予其他访问方法。 除非绝对必要，否则避免安装代码。 在继续进行实时安装之前，请验证插件的真实性并在本地服务器上进行测试。

10.定期更新WordPress和插件 (10. Regularly Update WordPress and Plugins)

WordPress will update itself but major releases require a one-click activation process. Do it … after backing up your database and files, of course. Similarly, check for updates to themes and plugins on a regular basis.

WordPress会自我更新，但主要版本需要一键激活过程。 当然……备份数据库和文件之后。 同样，请定期检查主题和插件的更新。

The risk adverse should check updates on a duplicate test server before updating the live system. That said, the WordPress update process and backward compatibility rarely cause issues.

有风险的风险应该在更新实时系统之前检查重复测试服务器上的更新。 也就是说，WordPress更新过程和向后兼容性很少会引起问题。

Do you have any other quick and easy WordPress security tips?

您还有其他快速简便的WordPress安全提示吗？

翻译自: https://www.sitepoint.com/10-easy-wordpress-security-tips/