利用WordPress建设网站时的10个安全提醒

webphp 13年前
     <h2>1. Don’t use ‘admin’ username(不要使用admin作为用户名)</h2>    <p>As of version 3.0, WordPress have the option to change your admin username into whatever you like. I encourage you to do so. Anybody who tries to get into your WordPress admin section will try with ‘admin’ as a username. If you change it, potential hacker has to hack both username and password.</p>    <p>If you are running older version of WordPress (which I do not recommend), you can change admin username directly in the database. Open your phpMyAdmin and run this query:</p>    <div id="highlighter_121445" class="syntaxhighlighter ">     <div class="lines">      <div class="line alt1">       <table class="ke-zeroborder">        <tbody>         <tr>          <td class="number"><pre class="brush:sql; toolbar: true; auto-links: false;">UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';</pre><br /> </td>          <td class="content"><br /> </td>         </tr>        </tbody>       </table>      </div>     </div>    </div>    <h2>2. Install Login LockDown Plugin(安装Login LockDown插件)</h2>    <p><a href="https://simg.open-open.com/show/677d59db243c1b61e01c773ba2315184.png"><img title="Login Lockdown WordPress plugin" border="0" alt="Login Lockdown WordPress plugin" src="https://simg.open-open.com/show/10bd87d3ed0ed401e88f8dbf27a1ff4c.jpg" /></a></p>    <p>Potential hacker will try to break your username/password combination using brute force or dictionary attack on your WordPress Login screen. <strong>Login LockDown Plugin</strong> will prevent that.</p>    <p><strong>Login LockDown</strong> records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. </p>    <p>Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.</p>    <p>You can download Login LockDown plugin from <a href="/misc/goto?guid=4958188577240061552" target="_blank">here.</a></p>    <h2>3. Install Secure WordPress plugin(安装安全插件)</h2>    <p><img style="visibility:visible;opacity:1;" class="alignnone size-full wp-image-993" title="Secure WordPress Plugin" alt="Secure WordPress Plugin" src="https://simg.open-open.com/show/a2fb82598c034b09aa8cb936cc9647dd.jpg" width="500" height="309" /></p>    <p>There are many places inside your WordPress site that is telling a potential hacker a version of your WordPress installation, as well as other dangerous information.</p>    <p><strong>Secure WordPress</strong> beefs up the security of your WordPress installation by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and much more.</p>    <ul>     <li>Removes error-information on login-page</li>     <li>Adds index.php plugin-directory (virtual)</li>     <li>Removes the wp-version, except in admin-area</li>     <li>Removes Really Simple Discovery</li>     <li>Removes Windows Live Writer</li>     <li>Removes core update information for non-admins</li>     <li>Removes plugin-update information for non-admins</li>     <li>Removes theme-update information for non-admins (only WP 2.8 and higher)</li>     <li>Hides wp-version in backend-dashboard for non-admins</li>     <li>Removes version on URLs from scripts and stylesheets only on frontend</li>     <li>Blocks any bad queries that could be harmful to your WordPress website</li>    </ul>    <p>You can download this plugin from <a href="/misc/goto?guid=4958188578088784441" target="_blank">here.</a></p>    <h2>4. Move your <em>wp-config.php</em> file(修改<em>wp-config.php</em>文件的位置)</h2>    <p>In your <em>wp-config.php</em> file there is database connection info as well as other data that should be kept from anybody to access. From WordPress 2.6 you can easily move this file from root folder location.</p>    <p>To do this simply move your <em>wp-config.php</em> file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.</p>    <p>This way, nobody except a user with FTP or SSH access to your server will not be able to read this file.</p>    <h2>5. Change database table prefixes(改一下数据库的前缀)</h2>    <p>By default, WordPress table prefix is wp_. As WordPress is Open Source, if you leave your table prefixes intact, everybody know the exact names of the database tables. </p>    <p>You can change your table prefix during installation by entering new prefix in your <em>wp-config.php</em> file. For changing the prefix after install, use <a href="/misc/goto?guid=4958188578824020425" target="_blank">WP Secure Scan plugin.</a></p>    <h2>6. Change default secret keys(修改默认的安全密钥)</h2>    <p>When you open your <em>wp-config.php</em> file, you will see 4 secret keys:</p>    <div id="highlighter_338353" class="syntaxhighlighter ">     <div class="lines">      <div class="line alt2">       <table class="ke-zeroborder">        <tbody>         <tr>          <td class="number"><br /> </td>          <td class="content"><code class="plain"><pre class="brush:php; toolbar: true; auto-links: false;">define('AUTH_KEY', '');  define('SECURE_AUTH_KEY', '');  define('LOGGED_IN_KEY', '');  define('NONCE_KEY', '');</pre></code><br /> </td>         </tr>        </tbody>       </table>      </div>     </div>    </div>    <p>I am amazed how many people, even experienced ones, do not change this keys. A secret key is a hashing salt that is used against your password to make it even stronger.</p>    <p>Simply visit <a href="/misc/goto?guid=4958188579572327489" target="_blank">https://api.wordpress.org/secret-key/1.1</a> and copy the 4 generated keys into your <em>wp-config.php</em> file. It’s that simple.</p>    <h2>7. Update(更新)</h2>    <p>Always update to the latest version of the WordPress, as it is the most secure one. Don’t forget to update your plugins and themes.</p>    <p>Updating your WordPress installation, plugins and Themes is really easy to do from your admin, so do it as soon as possible. WordPress is terrific piece of software and y updating you will rarely or never brake some site functionality.</p>    <h2>8. Protect your <em>wp-admin</em></h2>    <p><a href="/misc/goto?guid=4958188580309694850" target="_blank">AskApache Password Protect Plugin</a> adds some serious password protection to your WordPress Blog. Not only does it protect your <em>wp-admin</em> directory, but also your <em>wp-includes, wp-content, plugins</em>, etc. as well. </p>    <h2>9. Use strong password(使用复杂的密码)</h2>    <p>This is the most trivial task to do to protect your WordPress installation. But, many people use weak passwords which are easy to break to modern brute force attack programs used.</p>    <p>There are many tips how to make a strong password, I personally like this <a href="/misc/goto?guid=4958188581048437256" target="_blank">Strong Password Generator.</a> Read some tips over there to help you understand what a strong password is.</p>    <h2>10. Backup your data regularly()</h2>    <p>This is not a security tip, but is related. If someone hacks your site and you don’t have a backup, it will be very difficult to return the site back to its previous state.</p>    <p>Regular backup is a must. There is a great list of WordPress Backup Plugins available <a href="/misc/goto?guid=4958188581788123439" target="_blank">here.</a></p>    <p>A few more general tips for securing WordPress installation:</p>    <ul>     <li>Remove unused users from WordPress.</li>     <li>Remove unused WordPress themes.</li>     <li>Remove all unused WordPress plugins.</li>    </ul>    <p>If you don’t have time to follow all of the above tips, please follow at least two of them. It will help you to enjoy the effort you invested in your WordPress site.</p>