Protect and secure WordPress website from Hackers
Secure WordPress website
1] Make sure your Windows computer is free of malware. No amount of security in WordPress or on your web server will make any difference if there is an illegal keylogger installed on your computer.
2] Always make sure that you have the latest version of WordPress and your plugins installed. Your web server can have vulnerabilities too. Therefore, make sure that your web host is running the latest, secure, stable versions of server software. Better still, make sure you are using a trusted host that takes care of these things for you.
3] Use a strong username and a strong password. Best to go for mixed, complex passwords using upper- and lower-case letters, numerals and special characters, of a length exceeding 15 characters. Enforce the use of strong passwords for all your Authors too.
4] Change the Administrator username of your WordPress installation from the default admin to something strong and unrelated to your own or your site's name. You can create another administrator account, log in as the new administrator user and delete the old default admin account. Or you could use the Admin username changer or Admin renamer extended plugin, or one of the security plugins mentioned below, to rename the default admin username.
5] Use a Captcha for login purposes.
The Captcha plugin from BWS is a good one you may want to have a look at. It lets you choose the operations and the complexity levels.
6] The Limit Login Attempts plugin will limit the rate of login attempts, by way of cookies, for each IP. It will allow only the configured number of attempts, after which the user will get locked out. You can configure all its settings, like the number of attempts allowed, lockout period, allowed retries and so on. This plugin is useful in preventing brute force attacks.
If a user uses an incorrect username or password, he or she will see this message.
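The lockout behaviour described in item 6, as an added example that is not the plugin's own code: a simplified in-memory per-IP limiter (the real plugin keys on IP and cookies and persists its counters in WordPress options). The `USERS` table, the IP addresses and the thresholds are constructed for the demo; the clock is injectable so the expiry of a lockout can be exercised without waiting.

```python
"""Per-IP failed-login counter with lockout, modelled on the behaviour of
the Limit Login Attempts plugin. Added, simplified example (not the
plugin's code): after `max_attempts` consecutive failures an IP is refused
for `lockout_seconds`, and every refusal returns the same generic message
so the response does not reveal whether the username exists."""
import time
from collections import defaultdict

# Constructed credential store for the demo; a real site stores password hashes.
USERS = {"editor_k7": "correct horse battery staple 2024!"}

LOCKED_MSG = "Too many failed attempts. Try again later."


class LoginLimiter:
    def __init__(self, max_attempts=4, lockout_seconds=1200, now=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.now = now                      # injectable clock (assumption for testing)
        self.failures = defaultdict(int)    # ip -> consecutive failed attempts
        self.locked_until = {}              # ip -> unix time the lockout expires

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout has expired: reset so the client starts with a clean count.
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip, username, password):
        """Process one login attempt; returns (success, message)."""
        if self.is_locked(ip):
            return False, LOCKED_MSG
        # USERS.get() returns None for unknown users, so the comparison fails
        # the same way as a wrong password would.
        if USERS.get(username) == password:
            self.failures[ip] = 0           # success clears the failure count
            return True, "Login OK"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = self.now() + self.lockout_seconds
            return False, LOCKED_MSG
        remaining = self.max_attempts - self.failures[ip]
        return False, f"Invalid username or password. {remaining} attempts remaining."


if __name__ == "__main__":
    # Constructed sequence: three bad guesses from one address, then the
    # correct credentials, which are refused while the lockout is active.
    limiter = LoginLimiter(max_attempts=3, lockout_seconds=600)
    for pw in ("password", "admin123", "letmein"):
        print(limiter.attempt("203.0.113.5", "admin", pw))
    print(limiter.attempt("203.0.113.5", "editor_k7", USERS["editor_k7"]))
```

One caveat when a CDN or proxy such as Cloudflare (item 9 below) sits in front of the site: the server then sees the proxy's address, so a per-IP counter must read the client address from the forwarded header, and only when the request actually arrived from the proxy's published ranges; otherwise every visitor shares one counter and a single attacker can lock everyone out.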
7] Change the WordPress panel login URL from the default /wp-admin/ to something else using the Rename wp-login plugin. This plugin is useful in preventing brute force attacks too.
8] Use a Security Scanner plugin to scan your WordPress installation files periodically. The Sucuri Security – SiteCheck Malware Scanner plugin enables you to scan your WordPress site using Sucuri SiteCheck right in your WordPress dashboard. It checks for malware, spam, blacklisting, .htaccess redirects, hidden eval code, and other security issues.
Furthermore, it verifies whether WordPress and PHP are up to date and, if your site is protected by a web firewall, hides the WordPress version from the public. It also protects your Uploads directory, restricts wp-content and wp-includes access by hardening file permissions, and checks the integrity of your core WordPress files. It monitors a large number of actions, including login attempts, failed logins, file changes, and so on.
Sucuri also checks whether your site has been blacklisted anywhere, such as Google Safe Browsing, Norton Safe Web, Phish Tank, SiteAdvisor, Eset, Yandex, etc., and informs you about it.
Apart from Sucuri, Secure WordPress plugin, Exploit Scanner, WordFence Security, WordPress Sentinel, Quttera, VIP Scanner, iThemes Security (formerly Better WP Security), BulletProof Security and All In One WP Security & Firewall are among the other good scanners and security plugins you may want to have a look at. Most of these plugins, apart from scanning your site for malware, will also help you Harden File Permissions, delete ReadMe files, hide WordPress versions, and more.
Remember to back up your database or full site before making any notable changes to your WordPress installation as some of these 1-click fixes could potentially break some functionality of your site. So please be careful here.
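The three checks item 8 attributes to scanner plugins (core-file integrity, hidden eval code, file permissions) reduced to a small baseline-and-compare scan, as an added example; it is not the code of Sucuri or any other plugin named above. The mini WordPress tree, the tampering it performs on that tree and the `demo()` function are constructed for the illustration; a real deployment would compare against the hashes WordPress publishes for the installed release rather than against a self-recorded baseline.

```python
"""Baseline-and-compare integrity scan of a WordPress directory tree.
Added example of what scanner plugins do, not any plugin's code.
It records SHA-256 hashes of every file as a baseline, reports
added/changed/removed files on a later scan, flags PHP files containing
obfuscated eval() patterns, and flags world-writable files/directories."""
import hashlib, os, re, stat, tempfile

# Patterns typical of injected PHP loaders: eval() over a decoded payload.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def scan(root, baseline):
    """Compare the tree against the baseline and run the content/permission checks."""
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "suspicious": [],
        "world_writable": [],
    }
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.stat(full).st_mode & stat.S_IWOTH:   # "other" write bit set
                report["world_writable"].append(rel)
            if name.endswith(".php"):
                with open(full, "r", errors="replace") as f:
                    if SUSPICIOUS.search(f.read()):
                        report["suspicious"].append(rel)
    return report


def demo():
    """Constructed mini site: baseline it, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed\n",
        "wp-includes/functions.php": "<?php function wp_demo() { return 1; }\n",
        "wp-content/uploads/2024/photo.jpg": "constructed stand-in for an image\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    baseline = build_baseline(root)
    # Tampering, all constructed: an obfuscated loader appended to a core
    # file, a PHP file dropped into uploads, and uploads made world-writable.
    with open(os.path.join(root, "wp-includes/functions.php"), "a") as f:
        f.write("eval(base64_decode('CONSTRUCTED_PLACEHOLDER'));\n")
    with open(os.path.join(root, "wp-content/uploads/2024/injected.php"), "w") as f:
        f.write("<?php // constructed placeholder\n")
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
    return scan(root, baseline)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

A PHP file appearing under wp-content/uploads is worth treating as a finding on its own, whatever its contents, since that directory should only ever receive media; the scan above reports it under `added` because the baseline never contained it.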
9] Use Cloudflare's free content delivery network to filter all your traffic and minimize the risk of your WordPress website becoming a target, as it acts as a proxy between your visitors and the server your website is hosted on. Cloudflare basic is free, but if you pay a nominal amount, you can also avail of its Web Application Firewall service. It stops real-time attacks like SQL injection, cross-site scripting, comment spam and other abuse at the network edge. We use Sucuri Firewall here. Sucuri offers a great firewall, but it is not free. Google Project Shield offers free DDoS protection to select websites.
10] Minimize the number of plugins you use. Deactivate or, even better, delete the ones you don't use.
11] Keep creating backups of your site at regular intervals, and upload them to some cloud service and/or to your desktop. BackWPUp, VaultPress, BackupBuddy, DropBox for WordPress and BackUpWordPress are among the good backup plugins you may want to check out.
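The backup routine of item 11, as an added example that is not the code of any of the plugins listed: archive the site directory, write a SHA-256 sidecar so a copy that was uploaded elsewhere can be checked before it is trusted for a restore, and keep only the most recent archives. The site files, the `db.sql` stand-in for a database dump, the timestamps and the `demo()` function are constructed; in practice the dump would come from the database export step that precedes the archive.

```python
"""Timestamped site archive with SHA-256 sidecar and retention pruning.
Added example (not any backup plugin's code). The database dump is a
constructed placeholder file here; a real job would export it first."""
import hashlib, os, tarfile, tempfile, time


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def make_backup(site_dir, backup_dir, stamp=None):
    """Archive site_dir into backup_dir/site-<stamp>.tar.gz plus a .sha256 sidecar."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())  # UTC, sorts by name
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")   # sha256sum -c format
    return archive, digest


def verify_backup(archive):
    """True if the archive still matches the digest recorded beside it."""
    with open(archive + ".sha256") as f:
        expected = f.read().split()[0]
    return sha256_of(archive) == expected


def prune(backup_dir, keep=7):
    """Delete all but the `keep` newest archives (and their sidecars); returns names removed."""
    archives = sorted(n for n in os.listdir(backup_dir) if n.endswith(".tar.gz"))
    removed = archives[:-keep] if len(archives) > keep else []
    for name in removed:
        os.remove(os.path.join(backup_dir, name))
        os.remove(os.path.join(backup_dir, name + ".sha256"))
    return removed


def demo():
    """Constructed site, three dated backups, prune to two, then verify and corrupt one."""
    base = tempfile.mkdtemp(prefix="wp-backup-demo-")
    site, backups = os.path.join(base, "site"), os.path.join(base, "backups")
    os.makedirs(os.path.join(site, "wp-content"))
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php // constructed\n")
    with open(os.path.join(site, "db.sql"), "w") as f:
        f.write("-- constructed stand-in for a database dump\n")
    for stamp in ("20240101-020000", "20240102-020000", "20240103-020000"):
        make_backup(site, backups, stamp=stamp)
    pruned = prune(backups, keep=2)
    remaining = sorted(n for n in os.listdir(backups) if n.endswith(".tar.gz"))
    verified_before = all(verify_backup(os.path.join(backups, n)) for n in remaining)
    # Simulate a corrupted or tampered copy and confirm the sidecar catches it.
    with open(os.path.join(backups, remaining[0]), "ab") as f:
        f.write(b"\x00")
    tamper_detected = not verify_backup(os.path.join(backups, remaining[0]))
    return {"pruned": pruned, "remaining": remaining,
            "verified_before": verified_before, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The sidecar only proves that the copy you are about to restore is the copy you wrote; if the archive and its sidecar live on the same compromised server, both can be replaced together, which is why the page's advice to push copies to a separate cloud location or your desktop matters.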
While this may be enough for most WordPress sites, if you need to go further, you could read this post on WordPress.org.
Read: Why are websites hacked?
Some of you might want to check out my post on Useful tips for new bloggers.