如今,启动您自己的WordPress网站非常容易。不幸的是,黑客很快就会开始瞄准您的网站。
确保WordPress(WordPress)网站安全的最佳方法是了解运行WordPress网站的每个漏洞点。然后安装适当的安全措施以在每个点上阻止黑客。
在本文中,您将学习如何更好地保护您的域、您的WordPress登录以及可用于保护您的(WordPress)WordPress站点的工具和插件。
创建私有域
现在很容易找到一个可用的域(find an available domain)并以非常便宜的价格购买它。大多数人从不为其域购买任何域插件。但是,您应该始终考虑的一个附加组件是隐私保护(Privacy Protection)。
GoDaddy提供三个基本级别的隐私保护,但这些也与大多数域名提供商的产品相匹配。
- 基本:从(Basic)WHOIS目录中隐藏您的姓名和联系信息。这仅在您的政府允许您隐藏域联系信息时可用。
- 完整(Full):将您自己的信息替换为备用电子邮件地址和联系信息,以掩盖您的实际身份。
- Ultimate:阻止恶意域扫描的附加安全性,并包括对您的实际站点的网站安全监控。
通常,将您的域升级到这些安全级别之一只需要从域列表页面上的下拉列表中选择升级。
基本(Basic)的域保护相当便宜(通常每年 9.99 美元左右),而更高级别的安全性也不会贵很多。
这是阻止垃圾邮件发送者从WHOIS数据库中抓取您的联系信息或其他恶意想要访问您的联系信息的人的绝佳方法。
隐藏(Hide)wp-config.php 和 .htaccess 文件
首次安装 WordPress(install WordPress)时,您需要在 wp-config.php 文件中 包含WordPress SQL数据库的管理 ID 和密码。(WordPress SQL)
该数据在安装后会被加密,但您还希望阻止黑客编辑此文件并破坏您的网站。为此,请在站点的根文件夹中找到并编辑 .htaccess 文件,然后在文件底部添加以下代码。
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
要防止更改 .htaccess 本身,请将以下内容添加到文件底部。
# Protect .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
保存文件并退出文件编辑器。
您还可以考虑右键单击每个文件并更改权限以完全删除每个人的写入(Write)权限。
虽然对 wp-config.php 文件执行此操作不会导致任何问题,但对 .htaccess 执行此操作可能会导致问题。特别是如果您正在运行任何可能需要为您编辑 .htaccess 文件的安全WordPress插件。(WordPress)
如果您确实收到来自WordPress的任何错误,您可以随时更新权限以再次允许对 .htaccess 文件进行写入访问。(Write)
更改您的 WordPress 登录 URL
由于每个WordPress站点的默认登录页面是 yourdomain/wp-admin.php,因此黑客将使用此 URL 尝试入侵您的站点。
他们将通过所谓的“蛮力”攻击来做到这一点,他们将发送许多人常用的典型用户名和密码的变体。黑客希望他们能走运并找到正确的组合。
您可以通过将WordPress 登录 URL(WordPress login URL)更改为非标准的内容来完全阻止这些攻击。
有很多WordPress插件可以帮助您做到这一点。最常见的一种是WPS 隐藏登录(WPS Hide Login)。
此插件在 WordPress设置下的(Settings)常规(General)选项卡中添加了一个部分。
在那里,您可以输入任何您想要的登录URL ,然后选择(URL)保存更改(Save Changes)以激活它。下次您想登录您的WordPress网站时,请使用这个新URL。
如果有人试图访问您的旧 wp-admin URL,他们将被重定向到您网站的 404 页面。
注意(Note):如果您使用缓存插件,请确保将您的新登录URL添加到(URL)不(not)缓存的站点列表中。然后确保在再次登录WordPress站点之前清除缓存。
安装 WordPress 安全插件
有很多WordPress 安全插件(WordPress security plugins)可供选择。在所有这些软件中,Wordfence是最常下载的软件,这是有充分理由的。
Wordfence的免费版本包括一个强大的扫描引擎,可以查找后门威胁、插件(malicious code in your plugins)或站点中的恶意代码、MySQL注入威胁等。它还包括一个防火墙来阻止DDOS攻击等主动威胁。
它还可以让您通过限制登录尝试并锁定进行过多错误登录尝试的用户来阻止暴力攻击。
免费版中有很多设置可用。足以保护中小型网站免受大多数攻击。
您还可以查看一个有用的仪表板页面来监控最近被阻止的威胁和攻击。
使用WordPress 密码生成器(WordPress Password Generator)和 2FA
您最不想要的就是让黑客轻松猜出您的密码。不幸的是,太多人使用很容易猜到的非常简单的密码。一些示例包括使用网站名称或用户自己的名称作为密码的一部分,或者不使用任何特殊字符。
如果您已升级到最新版本的WordPress,您可以使用强大的密码安全工具来保护您的WordPress网站。
提高密码安全性的第一步是转到您网站的每个用户,向下滚动到“帐户管理(Account Management)”部分,然后选择“生成密码(Generate Password)”按钮。
这将生成一个包含字母、数字和特殊字符的长且非常安全的密码。将此密码保存在安全的地方,最好保存在外部驱动器上的文档中,您可以在在线时断开与计算机的连接。
选择在其他地方注销(Log Out Everywhere Else)以确保所有活动会话都已关闭。
最后,如果您安装了Wordfence安全插件,您将看到一个激活 2FA(Activate 2FA)按钮。选择此项可为您的用户登录启用双重身份验证。
如果您不使用Wordfence,则需要安装这些流行的 2FA 插件中的任何一个。
其他重要的安全注意事项(Important Security Considerations)
您还可以采取更多措施来完全保护您的WordPress网站。
WordPress 插件(WordPress plugins)和WordPress本身的版本都应该随时更新。黑客经常试图利用您网站上旧版本代码中的漏洞。如果您不更新这两项,您的网站将面临风险。
1. 定期在您的WordPress管理面板中选择插件(Plugins)和已安装的插件。(Installed Plugins)查看(Review)所有插件是否有新版本可用的状态。
当您确实看到一个已过期的内容时,请选择立即更新(update now)。您也可以考虑为您的插件选择启用自动更新。
但是,有些人对此持谨慎态度,因为插件更新有时会破坏您的网站或主题。因此,在您的实时站点上启用它们之前,在本地 WordPress 测试站点上测试插件更新总是一个好主意。(local WordPress test site)
2. 当您登录WordPress仪表板时,如果您运行的是旧版本,您会看到WordPress已过期的通知。(WordPress)
同样,备份站点并将其加载到您自己 PC 上的本地测试站点,以测试WordPress更新不会破坏您的站点,然后再在您的实时网站上更新它。
3. 利用您的虚拟主机的免费安全功能。大多数网络主机为您在其中托管的网站提供各种免费的安全服务。他们这样做是因为它不仅可以保护您的站点,还可以保证整个服务器的安全。当您使用其他客户端在同一服务器上拥有网站的共享主机帐户时,这一点尤其重要。
这些通常包括为您的站点免费安装SSL 安全、(free SSL security)免费备份(free backups)、阻止恶意 IP 地址的能力,甚至是一个免费的站点扫描程序,它会定期扫描您的站点以查找任何恶意代码或漏洞。
运行网站绝不仅仅是安装WordPress并发布内容那么简单。让您的WordPress网站尽可能安全非常重要。以上所有提示都可以帮助您轻松做到这一点。
How to Make a WordPress Site Secure
Launching your own WordPress site these days is pretty easy. Unfortunately, it won’t tаke long fоr hackers to start targeting your sіte.
The best way to make a WordPress site secure is to understand every point of vulnerability that comes from running a WordPress site. Then install the appropriate security to block hackers at each of those points.
In this article you’ll learn how to better secure your domain, your WordPress login, and the tools and plugins available to secure your WordPress site.
Create a Private Domain
It’s all too easy these days to find an available domain and purchase it at a very cheap price. Most people never purchase any domain addons for their domain. However, one add-on you should always consider is Privacy Protection.
There are three basic levels of privacy protection with GoDaddy, but these also match offerings of most domain providers.
- Basic: Hide your name and contact info from the WHOIS directory. This is only available if your government allows you to hide domain contact information.
- Full: Replace your own information with an alternative email address and contact info to cloak your actual identity.
- Ultimate: Additional security that blocks malicious domain scanning, and includes website security monitoring for your actual site.
Usually, upgrading your domain to one of these security levels just requires choosing to upgrade from a dropdown on your domain listing page.
Basic domain protection is fairly cheap (usually around $9.99/yr), and higher levels of security aren’t much more expensive.
This is an excellent way to stop spammers from scraping your contact info off of the WHOIS database, or others with malicious intent who want to get access to your contact information.
Hide wp-config.php and .htaccess Files
When you first install WordPress, you’ll need to include the administrative ID and password for your WordPress SQL database in the wp-config.php file.
That data gets encrypted after installation, but you also want to block hackers from being able to edit this file and break your website. To do this, find and edit the .htaccess file on the root folder of your site and add the following code at the bottom of the file.
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
To prevent changes to .htaccess itself, add the following to the bottom of the file as well.
# Protect .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
Save the file and exit the file editor.
You might also consider right-clicking each file and changing the permissions to remove Write access entirely for everyone.
While doing this on the wp-config.php file shouldn’t cause any issues, doing it on .htaccess could cause issues. Especially if you’re running any security WordPress plugins that may need to edit the .htaccess file for you.
If you do receive any errors from WordPress, you can always update permissions to allow Write access on the .htaccess file again.
Change Your WordPress Login URL
Since the default login page for every WordPress site is yourdomain/wp-admin.php, hackers will use this URL to try and hack into your site.
They will do this through what’s known as “brute force” attacks where they’ll send variations of typical usernames and passwords many people commonly use. Hackers hope that they’ll get lucky and land the right combination.
You can stop these attacks entirely by changing your WordPress login URL to something non-standard.
There are lots of WordPress plugins to help you do this. One of the most common is WPS Hide Login.
This plugin adds a section to the General tab under Settings in WordPress.
There, you can type in any login URL you want and select Save Changes to activate it. Next time you want to log into your WordPress site, use this new URL.
If anyone tries to access your old wp-admin URL, they’ll get redirected to your site’s 404 page.
Note: If you use a cache plugin, make sure to add your new login URL to the list of sites not to cache. Then make sure to purge the cache before you log back into your WordPress site again.
Install a WordPress Security Plugin
There are a lot of WordPress security plugins to choose from. Of all of them, Wordfence is the most commonly downloaded one, for good reason.
The free version of Wordfence includes a powerful scan engine that looks for backdoor threats, malicious code in your plugins or on your site, MySQL injection threats, and more. It also includes a firewall to block active threats like DDOS attacks.
It will also let you stop brute force attacks by limiting login attempts and locking out users who make too many incorrect login attempts.
There are quite a few settings available in the free version. More than enough to protect small to medium websites from most attacks.
There is also a useful dashboard page you can review to monitor recent threats and attacks that have been blocked.
Use the WordPress Password Generator and 2FA
The last thing you want is for hackers to easily guess your password. Unfortunately, too many people use very simple passwords that are easy to guess. Some examples include using the website name or the user’s own name as part of the password, or not using any special characters.
If you’ve upgraded to the latest version of WordPress, you have access to powerful password security tools to secure your WordPress site.
The first step to improve your password security is to go to each user for your site, scroll down to the Account Management section, and select the Generate Password button.
This will generate a long, very secure password that includes letters, numbers, and special characters. Save this password somewhere safe, preferably in a document on an external drive that you can disconnect from your computer while you’re online.
Select Log Out Everywhere Else to make sure all active sessions are closed.
Finally, if you’ve installed the Wordfence security plugin, you’ll see an Activate 2FA button. Select this to enable two-factor authentication for your user logins.
If you aren’t using Wordfence, you’ll need to install any of these popular 2FA plugins.
Other Important Security Considerations
There are a few more things you can do to fully secure your WordPress site.
Both the WordPress plugins and the version of WordPress itself should be updated at all times. Hackers often try to exploit vulnerabilities in older versions of code on your site. If you don’t update both of these, you’re leaving your site at risk.
1. Regularly select Plugins and Installed Plugins in your WordPress admin panel. Review all plugins for a status that says a new version is available.
When you do see one that’s out of date, select update now. You may also consider selecting Enable auto-updates for your plugins.
However, some people are wary of doing this since plugin updates can sometimes break your site or theme. So it’s always a good idea to test plugin updates on a local WordPress test site before enabling them on your live site.
2. When you log into your WordPress dashboard, you’ll see a notification that WordPress is out of date if you’re running an older version.
Again, backup the site and load it to a local test site on your own PC to test that the WordPress update doesn’t break your site before you update it on your live website.
3. Take advantage of your web host’s free security features. Most web hosts offer a variety of free security services for the sites you host there. They do this because it not only protects your site, but it keeps the entire server safe. This is especially important when you’re on a shared hosting account where other clients have websites on the same server.
These often include free SSL security installs for your site, free backups, the ability to block malicious IP addresses, and even a free site scanner that’ll regularly scan your site for any malicious code or vulnerabilities.
Running a website is never just as simple as installing WordPress and just posting content. It’s important to make your WordPress website as secure as possible. All of the above tips can help you do so without too much effort.