如何通过阻止WordPress中的作者扫描来阻止暴力破解-CSDN博客

A common technique used by hackers to gain unauthorized access to websites is called ‘Brute Force’. Using this technique, hackers use software designed to scan a website for vulnerabilities and gain access by exploiting any of them. We use Sucuri for security of our websites because they actively block malicious requests. One common entry point that these brute force bots try to exploit is by running an author scans. In this article, we will show you how to discourage brute force by blocking author scans in WordPress.

黑客用来获取未经授权的网站访问权限的一种常见技术称为“暴力破解”。黑客使用这种技术来设计用于扫描网站漏洞的软件，并通过利用其中的任何漏洞来获得访问权限。我们使用Sucuri来保护我们网站的安全，因为它们会主动阻止恶意请求。这些蛮力机器人试图利用的一个常见切入点是运行作者扫描。在本文中，我们将向您展示如何通过阻止WordPress中的作者扫描来阻止暴力。

Note: If you are using Limit Login Attempt and Google Authenticator, then you are pretty well-protected against brute-force attacks.

注意：如果您正在使用Limit Login Attempt和Google Authenticator ，那么您就可以很好地防范暴力攻击。

First lets understand what these brute force attempts are trying to do. At first they try to find a username on your blog or the author id. Often username used to sign into WordPress and the author name are the same. Once they find a username, then this solves 50% of the puzzle. Now they brute force your site to crack the password by trying various different password combinations.

首先，让我们了解一下这些蛮力尝试正在试图做什么。首先，他们尝试在您的博客上找到用户名或作者ID。通常用于登录WordPress的用户名和作者名是相同的。一旦找到用户名，就可以解决50％的难题。现在，他们通过尝试各种不同的密码组合来强行迫使您的网站破解密码。

To block author scanning on your website, simply add this code in .htaccess file in WordPress root directory.

要阻止作者扫描您的网站，只需将此代码添加到WordPress根目录下的.htaccess文件中。

# BEGIN block author scans

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

# END block author scans

This will block bots from running author scans on your website. Your website users can still access the author pages, but bots will not be able to do so.

这将阻止漫游器在您的网站上运行作者扫描。您的网站用户仍然可以访问作者页面，但漫游器将无法访问。

We hope that you found this tip useful. We want to emphasize that this does not prevent brute force attacks. This is just a cautionary step that you can take to discourage the hacker. When someone desperately wants to attack your site, then they will find a way to do so. We strongly recommend that you use Sucuri and keep regular WordPress backups. P.S. here are 5 reasons why we use Sucuri.

我们希望您发现此技巧有用。我们要强调的是，这不能防止暴力攻击。这只是一个警告步骤，可以用来阻止黑客。当有人拼命想要攻击您的网站时，他们会找到一种方法。我们强烈建议您使用Sucuri并保留常规的WordPress备份。 PS这是我们使用Sucuri的5个原因。

This tip was sent by: Ian Armstrong

此提示由以下人员发送： Ian Armstrong