您需要了解的WordPress漏洞以及如何修复它们

by Joel S. Syder

乔尔·赛德(Joel S.Syder)

您需要了解的WordPress漏洞以及如何修复它们 (WordPress vulnerabilities you need to know about — and how to fix them)

WordPress is an incredibly useful and versatile platform for all kinds of blogging. It’s become very popular. Unfortunately, that popularity has brought with it quite a few vulnerabilities that can be exploited by hackers. It’s important that you know about these weaknesses and take measures to prevent their exploitation. Here are six WordPress vulnerabilities you need to know about.

WordPress是适用于各种博客的非常有用且用途广泛的平台。 它变得非常流行。 不幸的是，这种流行带来了很多可以被黑客利用的漏洞。 了解这些弱点并采取措施防止其被利用很重要。 这是您需要了解的六个WordPress漏洞。

WordPress登录 (WordPress login)

“The easiest way for someone to access your WordPress is by attacking your login. These kinds of brute force attacks are the most common way of having your WordPress compromised. “This method works by guessing your login and password over and over again by using certain software,” advises Martha Goss, WP programmer at WriteMyX and BritStudent.

“某人访问您的WordPress的最简单方法是攻击您的登录名。 这些暴力攻击是使WordPress遭到破坏的最常见方法。 “该方法通过使用某些软件来一遍又一遍地猜测您的登录名和密码来起作用，” WriteMyX和BritStudent的 WP程序员Martha Goss建议。

WordPress doesn’t limit the number of login attempts, so brute force attacks can be very effective. Your best defense against this vulnerability is installing a plugin that will limit the number of allowed login attempts, such as iThemes Security Pro. You can also use a password manager to generate random passwords that are much less likely to be guessed. Stay away from passwords that seem obvious — don’t use anything like 123456, password, or anything related to you.

WordPress不会限制登录尝试的次数，因此蛮力攻击可能非常有效。 最好的防御方法是安装一个插件，该插件将限制允许的登录尝试次数，例如iThemes Security Pro。 您还可以使用密码管理器来生成随机密码，这些密码很少被猜中。 远离看似显而易见的密码-请勿使用123456，密码或与您相关的任何东西。

For example, no pet names, children names, partner names, street names and so on since all of this can be used against you. If you think that mixing them together may prove to be a better security measure but still fairly easy to remember, think again. Your social media profiles are an easy way into your psychology, and anyone could find these passwords among your posts.

例如，没有宠物名称，孩子名称，伴侣名称，街道名称等，因为所有这些都可以对您不利。 如果您认为将它们混合在一起可能是一种更好的安全措施，但仍然很容易记住，请再考虑一下。 您的社交媒体资料是您进入心理的一种简便方法，任何人都可以在您的帖子中找到这些密码。

It’s best to choose something unrelated to you — and make sure that you use a good combination of letters, upper case letters, and numbers as well as symbols. You can never be too careful or underestimate your enemy.

最好选择与您无关的内容，并确保您使用字母，大写字母，数字以及符号的良好组合。 您永远不能太小心或低估敌人。

Source: https://www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/

资料来源： https : //www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/

默认管理员用户帐户 (Default admin user account)

Hackers can gain access to the back end of your WordPress account by exploiting your default admin user account. Try deleting your admin account and accessing your site from a common account that has admin privileges. People can gain access by injecting SQL commands using a cookie value parameter. To prevent this kind of compromise, try updating your security software to the most current IPS.

黑客可以通过利用默认的管理员用户帐户来访问WordPress帐户的后端。 尝试删除您的管理员帐户，并从具有管理员权限的普通帐户访问您的网站。 人们可以通过使用cookie值参数注入SQL命令来获得访问权限。 为避免这种妥协，请尝试将安全软件更新为最新的IPS。

Jibu Pro can also be accessed by cross-site scripting because it doesn’t clear out user-supplied input properly. To guard against this vulnerability, strengthen the permissions on your site. You can even go as far as to hide your admin login so well that no one can find it. The best way to do that — and the simplest one by far — is naming it something else. Admin is quite obvious, and hackers will be searching for that. But if you name it something entirely different — Cat, SpaceMonkey or choose from a wide variety of funny and clever possibilities — the hackers will have a hard time finding it. By default, they will have a much harder time injecting an SQL command — they don’t know where to inject it.

也可以通过跨站点脚本访问Jibu Pro，因为它不能正确清除用户提供的输入。 为防止此漏洞，请增强您网站上的权限。 您甚至可以隐藏自己的管理员登录信息，以至于没人能找到。 做到这一点的最佳方法(也是迄今为止最简单的方法)是将其命名。 管理员是很明显的，黑客将在搜索它。 但是，如果您将其命名为完全不同的名称(例如Cat，SpaceMonkey或从各种各样有趣而机灵的可能性中进行选择)，则黑客将很难找到它。 默认情况下，他们将很难注入SQL命令-他们不知道在哪里注入它。

Source: https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/

资料来源： https : //www.acunetix.com/blog/articles/exploiting-sql-injection-example/

URL黑客 (URL hacking)

“WordPress uses PHP to execute all its server-side scripts, and that, unfortunately, makes it susceptible to URL attacks. It is all too easy for hackers to sneak into WordPress operations and create problems for you,” warns Dorothy Cox, tech writer at 1Day2Write. Because of the nature of its database, there is ample opportunity for hackers to steal your sensitive information. To avoid these breaches, host your WordPress on Apache Web Server, which uses .htaccess files and will protect you from URL hacking.

“ WordPress使用PHP执行所有服务器端脚本，但是不幸的是，这使其容易受到URL攻击。 1Day2Write的技术作家多萝西·考克斯(Dorothy Cox)警告说，黑客很容易潜入WordPress操作并为您制造问题。 由于其数据库的性质，黑客有很多机会窃取您的敏感信息。 为了避免这些破坏，请将您的WordPress托管在使用.htaccess文件的Apache Web服务器上，并保护您免受URL黑客攻击。

Make sure you uninstall and delete all of the unnecessary plugins that you have on your website. This limits the access points for the hackers — themes could also be your enemy, especially if you have a ton of them that you aren’t using. PHP is all too easy to exploit, and you should protect your website the best you can. As a bonus, those themes and extra plugins may be slowing your loading time down so you would be improving your SEO while protecting your website.

确保卸载并删除网站上所有不必要的插件。 这限制了黑客的访问点-主题也可能是您的敌人，特别是如果您有很多不使用的主题。 PHP太容易利用了，您应该尽最大努力保护您的网站。 另外，这些主题和额外的插件可能会减慢加载时间，因此您可以在保护网站的同时改善SEO。

Source: https://blog.websecurify.com/2017/02/hacking-wordpress-4-7-0-1.html

来源： https : //blog.websecurify.com/2017/02/hacking-wordpress-4-7-0-1.html

过时的软件 (Out of date software)

Any time you’re running your WordPress using outdated software, you run an increased risk of being compromised. It’s easy to fall into the trap of thinking that updates just improve minor bugs and annoyances, but they also are important for the security patches they include.

每当您使用过时的软件运行WordPress时，遭受威胁的风险都会增加。 很容易陷入思维陷阱，即更新只会改善较小的错误和烦恼，但它们对于所包含的安全补丁程序也很重要。

Keeping your software updated is a very easy thing to do, and it will protect you from many hacking threats. If you’re worried, you will forget to update your software, simply install automatic updates with plugins such as iThemes’ WordPress version management. These kinds of features both save you time and ensure you don’t miss a security patch and have your site compromised.

保持软件更新是一件非常容易的事，它将保护您免受许多黑客威胁的侵害。 如果您担心，您将忘记更新软件，只需使用插件即可安装自动更新，例如iThemes的WordPress版本管理。 这类功能既可以节省您的时间，又可以确保您不会错过安全补丁并危及您的网站。

Hackers will be looking for something that’s easy to crack. By updating, you are probably installing new security patches which can prevent any hacker from entering. Also, make sure that you don’t install anything from sources that are not safe. You could be inviting the hackers right in.

黑客将寻找易于破解的东西。 通过更新，您可能正在安装新的安全补丁程序，可以阻止任何黑客进入。 另外，请确保不要从不安全的来源安装任何东西。 您可能会邀请黑客进入。

Source: https://www.kimiweb.com/wordpress-help/updating-wordpress-and-plugins/

来源： https : //www.kimiweb.com/wordpress-help/updating-wordpress-and-plugins/

数据库表的默认前缀 (Default prefix for database tables)

There are many tables in the WordPress database, and in many installs, they are named with a default prefix beginning with “wp.” That may not sound like a big deal, but it gives hackers a bit of an advantage because it is one less thing for them to decipher.

WordPress数据库中有很多表，在许多安装中，它们都以默认前缀“ wp ”命名。 这听起来似乎没什么大不了的，但是它却给了黑客一些优势，因为对他们来说解密是一件轻而易举的事。

You can make things a lot more difficult for them by simply changing these default prefixes. Will it stop every hacker? No, but it will stop a lot, and it’s just one more useful tool in defending your WordPress account. This is a simple process that you can easily do on your own — hackers are always looking for an easy entry point first, and if you eliminate those, they might give up.

只需更改这些默认前缀，就可以使事情变得更加困难。 它会阻止每个黑客吗？ 不，但它会停止很多工作，它只是保护您的WordPress帐户的另一种有用工具。 这是一个简单的过程，您可以轻松地自己完成-黑客总是始终在寻找一个简单的入口点，如果您消除这些入口，他们可能会放弃。

Source: https://www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

资料来源： https : //www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

PHP漏洞 (PHP vulnerabilities)

Hackers can gain access to your account by exploiting your PHP code, and it’s more common than you would think. Limit your risk by uninstalling and then deleting any plugins you don’t need. Each one is a potential access point for people looking to compromise your information. Try and avoid using plugins that aren’t being updated anymore; if it’s been more than six months since an update, it’s time to consider just deleting it.

黑客可以通过利用您PHP代码来访问您的帐户，这种情况比您想象的要普遍得多。 通过卸载然后删除不需要的插件来降低风险。 对于希望破坏您的信息的人们，每个人都是一个潜在的访问点。 尝试避免使用不再更新的插件； 如果距更新已超过六个月，那么该考虑将其删除了。

Source: https://www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

资料来源： https : //www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

切换到更好的托管 (Switch to better hosting)

When you are just starting out, the cheapest hosting seems like the best idea. But, cheap hosting also comes with a lack of security features that could be harmful. Make sure that you have the best and the safest hosting in order to protect yourself and your customers.

当您刚开始时，最便宜的托管似乎是最好的主意。 但是，廉价主机还缺少一些可能有害的安全功能。 确保您拥有最好和最安全的托管服务，以保护自己和客户。

Source: https://www.webhostingsecretrevealed.net/blog/web-hosting-guides/switching-web-host/

来源： https : //www.webhostingsecretrevealed.net/blog/web-hosting-guides/switching-web-host/

结论 (Conclusion)

Keeping your site secure is one of the most important responsibilities when you’re running a WordPress account. Limit the number of tries for your login. Change the default prefixes for your tables. Download the plugins recommended in this article and see how they work for you. WordPress is a great resource for blogging, but just remember that there are plenty of people looking around the site for accounts vulnerable to hacking. Make sure yours isn’t one of them.

当您运行WordPress帐户时，确保网站安全是最重要的职责之一。 限制尝试登录的次数。 更改表的默认前缀。 下载本文推荐的插件，并查看它们如何为您工作。 WordPress是写博客的好资源，但请记住，很多人在网站上寻找容易受到黑客攻击的帐户。 确保您不是其中之一。

Joel Syder is WP coach at Originwritings.com and Australia2write.com. He enjoys helping people to build websites of their dreams as well as creating articles about things that excite him for Academicbrits.com, tutoring service.

Joel Syder是Originwritings.com和Australia2write.com的 WP教练。 他喜欢帮助人们建立自己梦想中的网站，并为Academicbrits.com (补习服务)撰写有关使他兴奋的事情的文章。

翻译自: https://www.freecodecamp.org/news/wordpress-vulnerabilities-you-need-to-know-about-and-how-to-fix-them-497a2d8b2c3e/