wordpress攻击思路
Do you want to protect your WordPress site from brute force attacks? These attacks can slow down your website, make it inaccessible, and even crack your passwords to install malware on your website. In this article, we will show you how to protect your WordPress site from brute force attacks.
您想保护您的WordPress网站免受暴力攻击吗? 这些攻击会降低您的网站速度,使其无法访问,甚至破解您的密码以在您的网站上安装恶意软件。 在本文中,我们将向您展示如何保护WordPress网站免受暴力攻击。
什么是蛮力攻击? (What is a Brute Force Attack?)
Brute Force Attack is a hacking method which utilizes trial and error techniques to break into a website, a network or a computer system.
蛮力攻击是一种利用尝试和错误技术入侵网站,网络或计算机系统的黑客方法。
Hackers use automated software to send a large number of requests to the target system. With each request, these software attempt to guess the information needed to gain access, like passwords or pin codes.
黑客使用自动化软件向目标系统发送大量请求。 对于每个请求,这些软件都会尝试猜测获得访问权限所需的信息,例如密码或密码。
These tools can also disguise themselves by using different IP addresses and locations, which makes it harder for the targeted system to identify and block these suspicious activities.
这些工具还可以通过使用不同的IP地址和位置来伪装自己,这使目标系统更难识别和阻止这些可疑活动。
A successful brute force attack can give hackers access to your website’s admin area. They can install backdoor, malware, steal user information, and delete everything on your site.
成功的暴力攻击可以使黑客访问您网站的管理区域 。 他们可以安装后门程序,恶意软件,窃取用户信息并删除您网站上的所有内容。
Even unsuccessful brute force attacks can wreak havoc by sending too many requests which slows down your WordPress hosting servers and even crash them.
即使是不成功的暴力攻击也可能通过发送过多请求而造成严重破坏,这会减慢WordPress托管服务器的速度甚至崩溃。
That being said, let’s take a look at how to protect your WordPress site from brute force attacks.
话虽如此,让我们来看看如何保护您的WordPress网站免受暴力攻击。
步骤1.安装WordPress防火墙插件 (Step 1. Install a WordPress Firewall Plugin)
Brute force attacks put a lot of load on your servers. Even the unsuccessful ones can slow down your website or completely crash the server. This is why it’s important to block them before they get to your server.
蛮力攻击给您的服务器带来了很多负担。 甚至失败的网站也会降低您的网站速度或使服务器完全崩溃。 这就是为什么在它们到达您的服务器之前对其进行阻止很重要。
To do that, you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from accessing your site.
为此,您需要一个网站防火墙解决方案。 防火墙会过滤掉不良流量并阻止其访问您的站点。
There are two types of website firewalls that you can use.
您可以使用两种类型的网站防火墙。
Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient because a brute force attack can still affect your server load.
应用程序级防火墙 –这些防火墙插件会在流量到达您的服务器后但在加载大多数WordPress脚本之前检查流量。 此方法效率不高,因为蛮力攻击仍会影响服务器负载。
DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your main web hosting server while giving a boost to your WordPress speed and performance.
DNS级网站防火墙 –这些防火墙通过其云代理服务器路由您的网站流量。 这使他们只能将真正的流量发送到您的主Web托管服务器,同时提高WordPress的速度和性能 。
We recommend using Sucuri. It is the industry leader in website security and the best WordPress firewall in the market. Since it’s a DNS level website firewall, it means all your website traffic goes through their proxy where bad traffic is filtered out.
我们建议使用Sucuri 。 它是网站安全性和市场上最好的WordPress防火墙的行业领导者。 由于它是DNS级别的网站防火墙,因此意味着您的所有网站流量都通过其代理进行过滤,从而过滤掉不良流量。
We use Sucuri on our website, and you can read our complete Sucuri review to learn more.
我们在网站上使用Sucuri ,您可以阅读我们完整的Sucuri评论以了解更多信息。
步骤2.安装WordPress更新 (Step 2. Install WordPress Updates)
Some common brute force attacks actively target known vulnerabilities in older versions of WordPress, popular WordPress plugins, or themes.
一些常见的暴力攻击主动针对较旧版本的WordPress, 流行的WordPress插件或主题中的已知漏洞。
WordPress core and most popular WordPress plugins are open source and vulnerabilities are often fixed very quickly with an update. However if you fail to install updates, then you leave your website vulnerable to those old threats.
WordPress核心和最流行的WordPress插件都是开源的 ,漏洞通常可以通过更新非常Swift地得到修复。 但是,如果无法安装更新,则您的网站容易受到那些旧威胁的攻击。
Simply go to Dashboard » Updates page in WordPress admin area to check for available updates. This page will show all updates for your WordPress core, plugins, and themes.
只需转到WordPress管理区域中的仪表板»更新页面,以检查可用更新。 此页面将显示WordPress核心,插件和主题的所有更新。
For more details, see our guide on how to properly update WordPress plugins.
有关更多详细信息,请参阅有关如何正确更新WordPress插件的指南 。
步骤3.保护WordPress管理员目录 (Step 3. Protect WordPress Admin Directory)
Most brute force attacks on a WordPress site are trying to get access to the WordPress admin area. You can add password protection on your WordPress admin directory on a server level. This would block unauthorized access to your WordPress admin area.
WordPress网站上的大多数蛮力攻击都试图访问WordPress管理区域。 您可以在服务器级别的WordPress管理员目录上添加密码保护。 这将阻止未经授权的访问您的WordPress管理区域。
Simply login to your WordPress hosting control panel (cPanel) and click on the ‘Directory Privacy’ icon under Files section.
只需登录到WordPress托管控制面板(cPanel),然后单击“文件”部分下的“目录隐私”图标。
Note: We’re using Bluehost in our screenshot but similar settings are available on other top hosting companies as well like SiteGround, HostGator, etc.
注意:我们在截图中使用的是Bluehost ,但是其他顶级托管公司以及SiteGround , HostGator等也可以使用类似的设置。
Next, you need to locate the wp-admin folder and click on the folder name.
接下来,您需要找到wp-admin文件夹,然后单击文件夹名称。
cPanel will now ask you to provide a name for the restricted folder, username, and password. After entering this information click on the save button to store your settings.
cPanel现在将要求您提供受限文件夹的名称,用户名和密码。 输入此信息后,单击保存按钮以存储您的设置。
Your WordPress admin directory is now password protected. You will see a new login prompt when you visit your WordPress admin area.
您的WordPress管理目录现已受密码保护。 当您访问WordPress管理区域时,您将看到一个新的登录提示。
If you run into a 404 error or error too many redirects message, then you need to add the following line to your WordPress .htaccess file.
如果您遇到404错误或错误太多重定向消息,则需要将以下行添加到WordPress .htaccess文件中 。
ErrorDocument 401 default
For more details, see our article on how to password protect WordPress admin directory.
有关更多详细信息,请参阅有关如何密码保护WordPress admin目录的文章 。
步骤4.在WordPress中添加两因素身份验证 (Step 4. Add Two-Factor Authentication in WordPress)
Two-Factor authentication adds an additional security layer to your WordPress login screen. Basically, users will need their phones to generate a one-time passcode along with their login credentials to access the WordPress admin area.
两因素身份验证为您的WordPress登录屏幕添加了一个额外的安全层。 基本上,用户将需要手机来生成一次性密码以及其登录凭据才能访问WordPress管理区域。
Adding two-factor authentication will make it harder for hackers to gain access even if they are able to crack your WordPress password.
添加双重身份验证将使黑客更难获得访问权限,即使他们能够破解您的WordPress密码也是如此。
For detailed step by step instructions, see our guide on how to how to add two-factor authentication in WordPress
有关详细的分步说明,请参阅有关如何在WordPress中添加两因素身份验证的指南
步骤5.使用唯一的强密码 (Step 5. Use Unique Strong Passwords)
Passwords are the keys to gain access to your WordPress site. You need to use unique strong passwords for all your accounts. A strong password is a combination of numbers, letters, and special characters.
密码是访问您的WordPress网站的关键。 您需要为所有帐户使用唯一的强密码。 强密码是数字,字母和特殊字符的组合。
It’s important that you use strong passwords for not just your WordPress user accounts but also for FTP, web hosting control panel, and your WordPress database.
重要的是,您不仅要对WordPress用户帐户使用强密码,而且还要对FTP,虚拟主机控制面板和WordPress数据库使用强密码。
Most beginners ask us how to remember all these unique passwords? Well, you don’t need to. There are excellent password manager apps available that will securely store your passwords and automatically fill them in for you.
大多数初学者问我们如何记住所有这些唯一的密码? 好吧,你不需要。 有出色的密码管理器应用程序可安全存储您的密码并自动为您填写。
To learn more, see our beginner’s guide on best way to manage passwords for WordPress.
要了解更多信息,请参阅有关管理WordPress密码的最佳方法的初学者指南。
步骤6.禁用目录浏览 (Step 6. Disable Directory Browsing)
By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory.
默认情况下,当您的Web服务器未找到索引文件(即诸如index.php或index.html之类的文件)时,它将自动显示一个显示目录内容的索引页。
During a brute force attack, hackers can use directory browsing to look for vulnerable files. To fix this, you need to add the following line at the bottom of your WordPress .htaccess file.
在暴力攻击期间,黑客可以使用目录浏览来查找易受攻击的文件。 要解决此问题,您需要在WordPress .htaccess文件底部添加以下行。
Options -Indexes
For more details, see our article on how to disable directory browsing in WordPress.
有关更多详细信息,请参见有关如何在WordPress中禁用目录浏览的文章。
步骤7.禁用特定WordPress文件夹中PHP文件执行 (Step 7. Disable PHP File Execution in Specific WordPress Folders)
Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, which means you cannot disable that in all WordPress folders.
黑客可能希望在WordPress文件夹中安装并执行PHP脚本。 WordPress主要是用PHP编写的,这意味着您不能在所有WordPress文件夹中禁用它。
However, there are some folders that don’t need any PHP scripts. For example, your WordPress uploads folder located at /wp-content/uploads.
但是,有些文件夹不需要任何PHP脚本。 例如,您的WordPress上载文件夹位于/ wp-content / uploads。
You can safely disable PHP execution in the uploads folder which is a common place hackers use to hide backdoor files.
您可以在上载文件夹中安全地禁用PHP执行,这是黑客用来隐藏后门文件的常见位置。
First, you need to open a text editor like Notepad on your computer and paste the following code:
首先,您需要在计算机上打开一个文本编辑器(如记事本),并粘贴以下代码:
<Files *.php>
deny from all
</Files>
Now, save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.
现在,将该文件另存为.htaccess并使用FTP客户端将其上传到您网站上的/ wp-content / uploads /文件夹中。
步骤8.安装和设置WordPress备份插件 (Step 8. Install and Setup a WordPress Backup Plugin)
Backups are the most important tool in your WordPress security arsenal. If all else fails, then backups will allow you to easily restore your website.
备份是WordPress安全工具库中最重要的工具。 如果所有其他方法均失败,则备份将使您轻松恢复网站。
Most WordPress hosting companies offer limited backup options. However, these backups are not guaranteed, and you are solely responsible for making your own backups.
大多数WordPress托管公司提供有限的备份选项。 但是,不能保证这些备份,并且您应全权负责制作自己的备份。
There are several great WordPress backup plugins, which allow you to schedule automatic backups.
有几个很棒的WordPress备份插件 ,可让您安排自动备份。
We recommend using UpdraftPlus. It is beginner friendly and allows you to quickly setup automatic backups and store them on remote locations like Google Drive, Dropbox, Amazon S3, and more.
我们建议使用UpdraftPlus 。 它适合初学者,可让您快速设置自动备份并将其存储在远程位置,例如Google Drive,Dropbox,Amazon S3等。
For step by step instructions, see our guide on how to how to backup and restore your WordPress site with UpdraftPlus
有关逐步说明,请参阅我们的指南,了解如何使用UpdraftPlus备份和还原WordPress网站
All above-mentioned tips will help you protect your WordPress site against brute force attacks. For a more comprehensive security setup, you should follow the instructions in our ultimate WordPress security guide for beginners.
所有上述技巧将帮助您保护WordPress网站免受暴力攻击。 要获得更全面的安全设置,您应该按照初学者的终极WordPress安全指南中的说明进行操作。
We hope this article helped you learn how to protect your WordPress site from brute force attacks. You may also want to look out for the signs that your WordPress is hacked and how to fix a hacked WordPress site.
我们希望本文能帮助您学习如何保护WordPress网站免受暴力攻击。 您可能还需要注意WordPress被黑的迹象以及如何修复被黑的WordPress网站 。
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
如果您喜欢这篇文章,请订阅我们的YouTube频道 WordPress视频教程。 您也可以在Twitter和Facebook上找到我们。
wordpress攻击思路
424
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
