document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-02-28 01:01:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25369 from hwlife/20200426-6-tips-for-securing-your-WordPress-website.md

Browse Source 
Translated
This commit is contained in:
Xingyu.Wang 2022-04-28 07:15:33 +08:00 committed by GitHub
commit 03a7850c60
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 179 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

175
sources/tech/20200426 6 tips for securing your WordPress website.md
View File

@ -1,175 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (hwlife)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (6 tips for securing your WordPress website)
[#]: via: (https://opensource.com/article/20/4/wordpress-security)
[#]: author: (Lucy Carney https://opensource.com/users/lucy-carney)
6 tips for securing your WordPress website
======
Even beginners can—and should—take these steps to protect their
WordPress sites against cyberattacks.
![A lock on the side of a building][1]
Already powering over 30% of the internet, WordPress is the fastest-growing content management system (CMS) in the world—and it's not hard to see why. With tons of customization available through coding and plugins, top-notch SEO, and a supreme reputation for blogging, WordPress has certainly earned its popularity.
However, with popularity comes other, less appealing attention. WordPress is a common target for intruders, malware, and cyberattacks—in fact, WordPress accounted for around [90% of hacked CMS platforms][2] in 2019.
Whether you're a first-time WordPress user or an experienced developer, there are important steps you can take to protect your WordPress website. The following six key tips will get you started.
### 1\. Choose reliable hosting
Hosting is the unseen foundation of all websites—without it, you can't publish your site online. But hosting does much more than simply host your site. It's also responsible for site speed, performance, and security.
The first thing to do is to check if a host includes SSL security in its plans.
SSL is an essential security feature for all websites, whether you're running a small blog or a large online store. You'll need a more [advanced SSL certificate][3] if you're accepting payments, but for most sites, the basic free SSL should be fine.
Other security features to look out for include:
* Frequent, automatic offsite backups
* Malware and antivirus scanning and removal
* Distributed denial of service (DDoS) protection
* Real-time network monitoring
* Advanced firewall protection
In addition to these digital security features, it's worth thinking about your hosting provider's _physical_ security measures as well. These include limiting access to data centers with security guards, CCTV, and two-factor or biometric authentication.
### 2\. Use security plugins
One of the best—and easiest—ways of protecting your website's security is to install a security plugin, such as [Sucuri][4], which is an open source, GPLv2 licensed project. Security plugins are vitally important because they automate security, which means you can focus on running your site rather than committing all your time to fighting off online threats.
These plugins detect and block malicious attacks and alert you about any issues that require your attention. In short, they constantly work in the background to protect your site, meaning you don't have to stay awake 24/7 to fight off hackers, bugs, and other digital nasties.
A good security plugin will provide all the essential security features you need for free, but some advanced features require a paid subscription. For example, you'll need to pay if you want to unlock [Sucuri's website firewall][5]. Enabling a web application firewall (WAF) blocks common threats and adds an extra layer of security to your site, so it's a good idea to look for this feature when choosing a security plugin.
### 3\. Choose trustworthy plugins and themes
The joy of WordPress is that it is open source, so anyone and everyone can pitch in with themes and plugins that they've developed. This can also pose problems when it comes to picking a high-quality theme or plugin.
It serves to be cautious when picking a free theme or plugin, as some are poorly designed—or worse, may hide malicious code.
To avoid this, always source free themes and plugins from reputable sources, such as the WordPress library. Always read reviews and research the developer to see if they've built any other programs.
Outdated or poorly designed themes and plugins can leave "backdoors" open for attackers or bugs to get into your site, which is why it pays to be careful in your choices. However, you should also be wary of nulled or cracked themes. These are premium themes that have been compromised by hackers and are for sale illegally. You might buy a nulled theme believing that it's all above-board—only to have your site damaged by hidden malicious code.
To avoid nulled themes, don't get drawn in by discounted prices, and always stick to reputable stores, such as the official [WordPress directory][6]. If you're looking elsewhere, stick to large and trusted stores, such as [Themify][7], a theme and plugin store that has been running since 2010. Themify ensures all its WordPress themes pass the [Google Mobile-Friendly][8] test and are open source under the [GNU General Public License][9].
### 4\. Run regular updates
It's a fundamental WordPress rule: _always keep your site up to date._ However, it's a rule not everyone sticks to—in fact, only [43% of WordPress sites][10] are running the latest version.
The problem is that when your site becomes outdated, it becomes susceptible to glitches, bugs, intrusions, and crashes because it falls behind on security and performance fixes. Outdated sites can't fix bugs the same way as updated sites can, and attackers can tell which sites are outdated. This means they can search for the most vulnerable sites and attack accordingly.
This is why you should always run your site on the latest version of WordPress. And in order to keep your security at its strongest, you must update your plugins and themes as well as your core WordPress software.
If you choose a managed WordPress hosting plan, you might find that your provider will check and run updates for you—be clear whether your host offers software _and_ plugin updates. If not, you can install an open source plugin manager, such as the GPLv2-licensed [Easy Updates Manager plugin][11], as an alternative.
### 5\. Strengthen your logins
Aside from creating a secure WordPress website through carefully choosing your theme and installing security plugins, you also need to safeguard against unauthorized access through logins.
#### Password protection
The first and simplest way to strengthen your login security is to change your password—especially if you're using an [easily guessed phrase][12] such as "123456" or "qwerty."
Instead, try to use a long passphrase rather than a password, as they are harder to crack. The best way is to use a series of unrelated words strung together that you find easy to remember.
Here are some other tips:
* Never reuse passwords
* Don't include obvious words such as family members' names or your favorite football team
* Never share your login details with anyone
* Include capitals and numbers to add complexity to your passphrase
* Don't write down or store your login details anywhere
* Use a [password manager][13]
#### Change your login URL
It's a good idea to change your default login web address from the standard format: yourdomain.com/wp-admin. This is because hackers know this is the default URL, so you risk brute-force attacks by not changing it.
To avoid this, change the URL to something different. Use an open source plugin such as the GPLv2-licensed [WPS Hide Login][14] for safe, quick, and easy customization.
#### Apply two-factor authentication
For extra protection against unauthorized logins and brute-force attacks, you should add two-factor authentication. This means that even if someone _does_ get access to your login details, they'll need a code that's sent directly to your phone to gain access to your WordPress site's admin.
Adding two-factor authentication is pretty easy. Simply install yet another plugin—this time, search the WordPress Plugin Directory for "two-factor authentication," and select the plugin you want. One option is [Two Factor][15], a popular GPLv2 licensed project that has over 10,000 active installations.
#### Limit login attempts
WordPress tries to be helpful by letting you guess your login details as many times as you like. However, this is also helpful to hackers trying to gain unauthorized access to your WordPress site to release malicious code.
To combat brute-force attacks, install a plugin that limits login attempts and set how many guesses you want to allow.
### 6\. Disable file editing
This isn't such a beginner-friendly step, so don't attempt it unless you're a confident coder—and always back up your site first!
That said, disabling file editing _is_ an important measure if you're really serious about protecting your WordPress website. If you don't hide your files, it means anyone can edit your theme and plugin code straight from the admin area—which is dangerous if an intruder gets in.
To deny unauthorized access, go to your **wp-config.php** file and enter:
```
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```
Or, to remove the theme and plugin editing options from your WordPress admin area completely, edit your **wp-config.php** file by adding:
```
`define( 'DISALLOW_FILE_EDIT', true );`
```
Once you've saved and reloaded the file, the plugin and theme editors will disappear from your menus within the WordPress admin area, stopping anyone from editing your theme or plugin code—including you**.** Should you need to restore access to your theme and plugin code, just delete the code you added to your **wp-config.php** file when you disabled editing.
Whether you block unauthorized access or totally disable file editing, it's important to take action to protect your site's code. Otherwise, it's easy for unwelcome visitors to edit your files and add new code. This means an attacker could use the editor to gather data from your WordPress site or even use your site to launch attacks on others.
For an easier way of hiding your files, you can use a security plugin that will do it for you, such as Sucuri.
### WordPress security recap
WordPress is an excellent open source platform that should be enjoyed by beginners and developers alike without the fear of becoming a victim of an attack. Sadly, these threats aren't going anywhere anytime soon, so it's vital to stay on top of your site's security.
Using the measures outlined above, you can create a stronger, more secure level of protection for your WordPress site and ensure a much more enjoyable experience for yourself.
Staying secure is an ongoing commitment rather than a one-time checklist, so be sure to revisit these steps regularly and stay alert when building and using your CMS.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/4/wordpress-security
作者:[Lucy Carney][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/lucy-carney
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_3reasons.png?itok=k6F3-BqA (A lock on the side of a building)
[2]: https://cyberforces.com/en/wordpress-most-hacked-cms
[3]: https://opensource.com/article/19/11/internet-security-tls-ssl-certificate-authority
[4]: https://wordpress.org/plugins/sucuri-scanner/
[5]: https://sucuri.net/website-firewall/
[6]: https://wordpress.org/themes/
[7]: https://themify.me/
[8]: https://developers.google.com/search/mobile-sites/
[9]: http://www.gnu.org/licenses/gpl.html
[10]: https://wordpress.org/about/stats/
[11]: https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/
[12]: https://www.forbes.com/sites/kateoflahertyuk/2019/04/21/these-are-the-worlds-most-hacked-passwords-is-yours-on-the-list/#4f157c2f289c
[13]: https://opensource.com/article/16/12/password-managers
[14]: https://wordpress.org/plugins/wps-hide-login/
[15]: https://en-gb.wordpress.org/plugins/two-factor/

179
translated/tech/20200426 6 tips for securing your WordPress website.md Normal file
View File

@ -0,0 +1,179 @@
[#]: collector: (lujun9972)
[#]: translator: (hwlife)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (6 tips for securing your WordPress website)
[#]: via: (https://opensource.com/article/20/4/wordpress-security)
[#]: author: (Lucy Carney https://opensource.com/users/lucy-carney)
保护 WordPress 网站的 6 个提示
======
即使初学者也可以并且应该采取这些步骤来保护他们的 WordPress 网站免受网络攻击。
![A lock on the side of a building][1]
已经驱动了互联网 30% 的网站,不难看出, WordPress 是世界上增长最快的 <ruby>CMS<rt>内容管理系统</rt></ruby>。通过大量可用的定制化代码和插件,顶级的 <ruby>SEO<rt>搜索引擎优化</rt></ruby> 和一个在博客界超高的美誉度WordPress 确实赢得了它的流行度。
然而随着流行度而来的还有些不太吸引人的注意。WordPress 是入侵者恶意软件和网络攻击的常规目标事实上在2019年WordPress 遭受了大约 [<ruby>CMS<rt>内容管理系统</rt></ruby> 平台 90% 的黑客攻击][2].
无论你是 WordPress 新用户或者有经验的开发者,这里有一些你可以采取的重要步骤来保护你的 WordPress 网站。以下 6 个关键提示将帮助你开始。
### 1\. 选择可靠的托管主机
主机是所有网站无形的基础,没有它,你不能在线发布你的网站。但是主机比起简单的托管你的网站还能做的更多。它也要对你的网站速度,性能和安全负责。
第一件要做的事情就是检查主机在它的套餐中是否包含 SSL 安全协议。
无论你是运行一个小博客或是一个大的在线商店SSL 协议都是所有网站必需的安全功能。如果你正在进行线上交易,你还需要 [高级 SSL 数字证书][3] ,但是对大多数网站来说,基本免费的 SSL 协议就很好了。
其他的安全功能包括以下几种:
* 日常的自动离线网站备份
* 恶意软件和杀毒软件扫描和删除
* <ruby>DDOS<rt>分布式服务攻击</rt></ruby>保护
* 实时网络检测
* 高级防火墙保护
另外除了这些数字安全功能之外,你的主机供应商的 _物理_ 安全措施也是值得考虑的。这些包括安全警卫,<ruby>CCTV<rt>闭路电视</rt></ruby>和二次验证或生物识别来限制对数据中心的访问。
### 2\. 使用安全插件
保护你的网站安全最有效且容易的方法之一是安装一个安全插件,比如 [Sucuri][4] 这样的具有 GPLv2 许可项目的开源软件,安全插件是非常重要的,因为他们能自动化管理安全,这意味着你能够集中精力运行好你的网站而不是花大量的时间来与在线网站的威胁作斗争。
这些插件探测到并阻止恶意攻击并关于这些问题警告你来获取你的注意。简言之它们持续在后台运行保护你的网站意味着你不必保持7天24小时保持清醒与黑客漏洞和其他数字垃圾斗争。
一个好的安全插件会免费提供给你所有必要的安全功能,但是一些高级功能区要付费订阅。举个例子,如果你想要解锁 [Sucuri 的网站防火墙l][5] ,你需要付费。开启 <ruby>WAF<rt>网络程序防火墙</rt></ruby> 阻挡常规威胁然后给你的网站加入一个额外的安全层,所以当选择安全插件的时候,寻找这个功能是一个好的主意。
### 3\. 选择值得信任的插件和主题
WordPress 的快乐在于它是开源的,所以任何人,每个人都能加入他们开发的主题和插件。当选择高质量的主题和插件时,这也抛出一些问题。
在加入免费主题或插件时,有一些是设计较为差的或者糟糕的,可能会隐藏恶意代码。
为了避免这种情况,始终从可靠的来源来获取免费主题和插件,比如 WordPress 主题库。阅读评论并研究查看开发者是否编译了一些其他的程序。
过期和设计较差的主题和插件可能留有 "后门" 对袭击者开放或者存在进入你网站的漏洞,这就是为什么选择时要谨慎。然而,你也应该提防无效或者被破解的主题。这些高级主题已经被黑客重新编译并非法销售。你可能会相信买一个无效的主题,它看起来没什么问题,但会通过隐藏的恶意代码破坏你的网站。
为了避免无效主题,不要被打折的价格所吸引,始终坚持可靠的主题商店,比如官方的 [WordPress 目录][6]。如果你要找其他的主题,坚持找大的且信任的商店,比如 [Themify][7] ,自从 2010 年这个主题和插件商店就已经在经营了。Themify 确保它的所有 WordPress 主题通过 [<ruby>Google Mobile-Friendly<rt>谷歌友好移动</rt></ruby>][8] 测试和 [<ruby>GNU<rt>通用公共许可证</rt></ruby>][9]。
### 4\. 运行日常更新
这是 WordPress 的基本规则: _始终保持你的网站最新._ 然而,不是所有人都坚持了这个规则,只有 [43% 的 WordPress 网站][10] 是运行的最新版本。
问题是当你的网站过期的时候,由于它在安全和性能修复方面的原因,故障,漏洞,入侵和破坏会变得更加容易出现。过期的网站不能修复漏洞,而更新过的可以,攻击者能够分辨出哪些网站是过期的。这意味着他们能够依此来搜索最易受攻击的网站并袭击它们。
这就是为什么你始终要运行最新的 WordPress 版本的原因。为了保持网站安全是最强的,你必须更新你的插件和主题以及你的核心 WordPress 软件。
如果你选择一个可管理的 WordPress 托管套餐,你可能会发现你的提供商会检查并运行你的主机是否提供的软件 _和_ 插件更新。如果没有,你可以安装一个开源插件管理器。比如 GPLv2 许可的 [Easy Updates Manager plugin][11] 作为替代品。
### 5\. 强化你的登录
除了通过仔细选择主题和安装安全插件来创建一个安全的 WordPress 网站外,你还需要防止未经授权的登录访问。
#### 密码保护
如果你在使用 [容易猜到的短语][12] 比如 "123456" 或 "qwerty" ,第一步要做的增强登录安全最简单的方法是更改你特定的密码。
尝试使用一个长密码段而不是一个单词,这样他们很难破解。最好的方式是用一系列你容易记住且不相关的单词合并加强。
这里有一些其它的提示:
* Never reuse passwords 绝不要重复使用密码
* 密码不要包括像家庭成员的名字或者你喜欢的球队等明显的单词
* 不要和任何人分享你的登录信息
* 你的密码段要包括大小写和数字来增加复杂程度
* 不要在任何地方写下或者存储你的登录信息
* 使用 [密码管理器][13]
#### 变更你的登录地址
将标准格式的默认登录网址变更是一个好的主意yourdomain.com/wp-admin。 这是因为黑客知道这是缺省登录网址,所以不变更会有暴力破解的风险。
为避免这种情况,变更登录网址到和以前有些不同。使用开源插件比如 GPLv2 许可的 [WPS Hide Login][14] 会更加安全,快速和轻松的自定义登录地址。
#### 应用二次验证
对于额外阻止未授权的登录和暴力破解,你应该添加二次验证。这意味着即使有人 _确实_ 访问到你的登录信息,但是他们还需要一个直接发送到你手机的验证码来获得存取 WordPress 网站管理的权限。
添加二次验证是非常容易的,简单的安装另一个插件,在 WordPress 插件目录搜索 "二次验证" ,然后选择你要的插件。一个选择是 [Two Factor][15] ,这是比较火的 GPLv2 许可的插件,已经超过 10000 安装次数。
#### 限制登录尝试
WordPress 通过让你多次猜你的登录信息来尝试帮助你登录。然而,这对黑客尝试获取未授权访问 WordPress网站释放恶意代码也是有帮助的。
为了应对暴力破解,安装插件来限制登录尝试并设置你要允许猜解的次数。
### 6\. 禁用文件编辑功能
这不是对初学者友好的步骤,所以不要尝试除非你是个自信的码农并且一直优先备份你的网站。
那就是说,如果关于保护你的 WordPress 网站是认真的,禁用文件编辑功能 _是_ 一个重要的措施 。如果你不隐藏你的文件,它意味着任何人从管理员区域都可以编辑你的主题和插件代码,如果入侵者进入,那就危险了。
为了拒绝未授权的访问,转到你的 **wp-config.php** 文件并打开:
```
&lt;Files wp-config.php&gt;
order allow,deny
deny from all
&lt;/Files&gt;
```
或者,从你的 WordPress 管理区直接删除主题和插件的编辑选项,通过添加编辑你的 **wp-config.php** 文件:
```
`define( 'DISALLOW_FILE_EDIT', true );`
```
一旦你保存并重新加载这个文件,插件和主题编辑器将会从你的 WordPress 管理区菜单中消失,阻止任何人编辑你的主题或者插件代码,包括你自己 **.** 当你禁用编辑的状态下,需要恢复访问你的主题和插件代码的时候,只需要删除你添加在 **wp-config.php** 文件中的代码即可。
无论你阻止未授权的访问还是总的禁用文件编辑功能,采取保护你网站代码的行动是重要的。否则,不受欢迎的访问者编辑你的文件并添加新代码是很容易的。这意味着袭击者可以使用编辑器从你的 WordPress 站点来获取数据或者甚至利用你的网站对其他站点发起攻击。
隐藏文件更容易的方式是利用安全插件来为你服务,比如 Sucuri 。
### WordPress 安全概要
WordPress是一个优秀的开源平台初学者和开发者都应该享受它而不用担心成为攻击的受害者。遗憾的是这些威胁不会去任何地方保持网站的安全性至关重要。
利用以上措施,你可以创建一个更加强壮,更高安全保护级别的 WordPress 站点并确保给自己带来更好的使用体验。
保持安全是一个持续的任务而不是一次性的检查清单,所以当搭建和使用 <ruby>CMS<rt>内容管理系统</rt></ruby> 时,一定要在日常中回顾这些步骤并保持警惕。
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/4/wordpress-security
作者:[Lucy Carney][a]
选题:[lujun9972][b]
译者:[hwlife](https://github.com/hwlife)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/lucy-carney
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_3reasons.png?itok=k6F3-BqA (A lock on the side of a building)
[2]: https://cyberforces.com/en/wordpress-most-hacked-cms
[3]: https://opensource.com/article/19/11/internet-security-tls-ssl-certificate-authority
[4]: https://wordpress.org/plugins/sucuri-scanner/
[5]: https://sucuri.net/website-firewall/
[6]: https://wordpress.org/themes/
[7]: https://themify.me/
[8]: https://developers.google.com/search/mobile-sites/
[9]: http://www.gnu.org/licenses/gpl.html
[10]: https://wordpress.org/about/stats/
[11]: https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/
[12]: https://www.forbes.com/sites/kateoflahertyuk/2019/04/21/these-are-the-worlds-most-hacked-passwords-is-yours-on-the-list/#4f157c2f289c
[13]: https://opensource.com/article/16/12/password-managers
[14]: https://wordpress.org/plugins/wps-hide-login/
[15]: https://en-gb.wordpress.org/plugins/two-factor/