您或许已经知道,WordPress的很多重要信息都放在/wp-admin/文件夹里面。WordPress允许这个文件夹公开,因此,别人如果掌握这个文件夹里的文件,他或她就可以访问这些文件。
Matt建议在/wp-admin/文件夹里面建立一个.htaccess文件,从而阻止除了您自己以外的所有IP的访问。以下是.htaccess中需要包括的代码:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Example Access Control”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xx(填写您自己的IP——精博注)
allow from xx.xx.xxx.xx(填写您自己的IP——精博注)
</LIMIT>2 隐藏您的插件
许多WordPress插件都存在缺陷和漏洞,这些缺陷和漏洞如果给人利用,就会破坏您的网站,所以,您最不想发生的就是被别人知道您装了什么插件。
如果您访问大多数博客的/wp-content/plugins/文件夹,您将可以看到这些博客使用的所有插件。为了隐藏您的插件,您只需要在/wp-content/plugins/文件夹里建立一个index.html的空白文件。
3 坚持安装补丁和更新
许多博客或许都已经这样做了。保持WordPress的更新就会相安无事。Matt建议我们订阅WordPress开发博客。
最后的附加措施是,去掉网页标头(header)的WordPress版本的元标识(Meta tag)。
您还知道WordPress需要哪些安全措施吗?
更新:冲浪的时候,我发现一个叫做Login LockDown的WordPress插件,这个插件主要的功能是跟踪网站登录次数。如果同一个IP地址在短时间内的登录次数太频繁,这个插件就会禁止那个IP的登录。这对避免密码被强行破解很有用。
原文:3 Must Apply Security Tips for WordPress
关于第一点,Matt是这样写的:
AuthUserFile /dev/null AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27
</LIMIT>-------------------------------------------------------
Today I was reading through my RSS feeds and I came across a very interesting post from Matt Cutts. Basically he was describing 3 (plus a bonus) tips to secure your WordPress install. I was already using two of them, but the first one was new to me, and looks like it is the most effective one as well.
1. Secure the /wp-admin/ directory
You probably know that most of your WordPress sensitive information is stored in the /wp-admin/ folder. Right out of the box, WordPress leaves that folder open, so people can access these files if they know what they are doing.
Matt suggests to place a .htaccess file inside the /wp-admin/ folder to block the access to all IP addresses, except yours. Here is the code you need to put in the .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
</LIMIT>2. Hide your plugins
Many WordPress plugins come with bugs and vulnerabilities that can be exploited to damage your website. The last thing you want, therefore, is other people being able to know what plugins you are using.
If you visit the folder /wp-content/plugins/ on most blogs, however, you will be able to see all the plugins that are being used. In order to hide that list you just need to create an empty index.html file and drop it there.
3. Keep up with patches and updates
Most bloggers probably carry out this tip already. Just keep your WordPress updated and you should be fine. Matt suggests subscribing to the WordPress Development Blog.
The final bonus tip was just to delete the meta tag that reveals your WordPress version on the header of your site.
Do you know any other security tips that WordPress users should apply?
Update: Browsing on the Internet I also came across a WordPress plugin called Login LockDown. Basically it will track down login attempts to your site, and if there are too many of them coming from the same IP address on a short period of time the plugin will disable the login function for that IP range. Useful to avoid people trying to brute force your password.
No comments:
Post a Comment