WordPress vulnerabilities: how do I secure my WordPress blog?
WordPress, being one of the most popular blogging platforms in use, powers 60 million websites worldwide. So quite naturally, it is a prime target for criminals looking for exploits, because there are millions of important websites which use it. This article will explain some of the steps you can take to make sure your WordPress blog, and website, are safe and secure.
Make sure your WordPress blog is always up to date.
It is critically important to make sure your WordPress blog is kept up to date at all times. If an update becomes available, it likely includes security and other bug fixes. You must always have the latest WordPress version: some updates fix severe security vulnerabilities, so always update to the latest version of WordPress as soon as possible.
As a web hosting provider, time and again we notice that the principal cause of site hacks is security vulnerabilities found in WordPress. Criminals tend to inject code into every PHP file they can get their hands on before moving on to the next website to infect. Also bear in mind that you can be held responsible under data protection law if criminals get access to the e-mail addresses of anyone who may have registered on your blog; e-mail addresses constitute personal information by law.
So, first and foremost, keep your blog updated.
Host your blog on a separate hosting account from your website.
If you have reseller hosting, host your blog on a separate sub-domain. Why? Well, in case something does go terribly wrong and some code is injected into your blog's files, your website will be safe. If a hacker is able to inject some PHP code into WordPress files, he could simply traverse up the directory tree and inject any PHP file, including any file on your website, if your blog is hosted merely in a separate directory under the same account as your website.
If you only have shared hosting, consider purchasing a reseller hosting plan so you can separate your blog from your website in case anything goes wrong.
Make regular backups of your blog and database.
While we take regular backups for our own internal disaster recovery procedures, and we will restore one of these backups if absolutely necessary when a customer requests us to do so, we strongly advise every customer to take regular backups. If a malicious user injected code into your WordPress files, restoring from a backup is far easier than manually removing the code from each file that may have been infected.
More importantly, if your database is compromised, this is a much more serious concern. You can restore WordPress files without losing any blog posts, because the posts are stored in a MySQL database, but what if your blog's database is compromised? A criminal could destroy every blog post you've ever created, and without backups you have no chance of getting them back.
So quite simply, regularly back up your files and databases. You'll need to remember to do this regularly. If you don't want to do this yourself, we offer cloud backup solutions which automate this process and store your backups securely in our cloud environment.
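The file-plus-database backup described above, as an added example script that is not part of the original article or of eukhost's own tooling. It reads the database credentials from wp-config.php rather than hard-coding them, and assumes mysqldump, tar and sha256sum are installed and that the hosting account can reach the database host named in wp-config.php.

```shell
#!/bin/sh
# Added example: back up a WordPress install's files and its MySQL database.
# Assumes mysqldump, tar and sha256sum are available on the hosting account.
set -eu

# Extract the value of define('KEY', 'value') from wp-config.php.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the files into $2, timestamped so old backups are kept.
# Usage: backup_wordpress /path/to/wordpress /path/to/backups
backup_wordpress() {
    wp_root=$1
    dest=$2
    cfg="$wp_root/wp-config.php"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)

    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)

    mkdir -p "$dest"
    # Hand the password over via MYSQL_PWD so it does not appear in the process list.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction \
        -h "$db_host" -u "$db_user" "$db_name" | gzip > "$dest/db-$stamp.sql.gz"
    # wp-config.php is included, so keep the backup directory outside the web root.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$wp_root" .
    # Checksums let you notice a tampered backup before you restore it.
    (cd "$dest" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tar.gz" > "checksums-$stamp.sha256")
}
```

Run it from cron (for example nightly) and copy the backup directory off the hosting account, otherwise an attacker who controls the account can delete the backups along with the site.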
Only install trusted plugins that have good user reviews.
Plugins with security vulnerabilities pose the same sort of risk as a security vulnerability in WordPress itself. Only install plugins you find via the official WordPress plugins repository that look trustworthy and have good user reviews. Always make sure every plugin you have installed is kept up to date.
If you no longer use a particular WordPress plugin, always uninstall it. It is best never to keep plugins installed which you no longer use.
Making sure your blog is secure in general.
Some factors which no software can prevent are user error and clumsiness.
- Always make sure your passwords are secure: Too many people have the habit of using the same password across multiple websites and of choosing passwords that don't take much effort to crack. If you want a password that is secure but still memorable, why not use one where each character corresponds to something you can easily remember? For example: [email protected]$p065 (I Must Have A Secure Password 065). You are simply using alternative characters which look similar to the first letter of each word you can remember. Alternatively (and something we'd recommend you consider instead) is using KeePass. KeePass allows you to create and store very secure passwords in what is essentially an encrypted database. This means you do not need to remember any password you create using KeePass: you simply copy the password from KeePass, paste it, and KeePass automatically clears your clipboard after 30 seconds. It is also free and open source, so a win all round.
- Keep tabs on who has author, editorial and administrative privileges: Do others contribute articles to your blog? Only give them the privileges that are necessary for what they do. If there are any users on your blog who previously contributed but still have editorial or administrative privileges, it is best to change their account status back to 'Subscriber', so you always know who has access and don't get any nasty surprises later on. It is better to be safe than sorry.
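The privilege review above can be turned into a repeatable check. This is an added example, not part of the original article: it compares every account holding a role above Subscriber against an explicit allow-list of people who should still have elevated access, and optionally demotes the rest. It assumes WP-CLI is installed, that the user list was exported with `wp user list --format=csv --fields=ID,user_login,roles`, and that each user holds a single role.

```shell
#!/bin/sh
# Added example: audit WordPress accounts whose role is above Subscriber.
# Input CSV (constructed with WP-CLI) has a header row: ID,user_login,roles
#   wp user list --format=csv --fields=ID,user_login,roles > users.csv
set -eu

# Print "ID login role" for every user who is not a subscriber and whose
# login is not in the space-separated allow-list given as $2.
# Usage: elevated_users_not_allowed users.csv "alice bob"
elevated_users_not_allowed() {
    awk -F, -v allow=" $2 " '
        NR == 1 { next }                                    # skip the header row
        $3 != "subscriber" && index(allow, " " $2 " ") == 0 { print $1, $2, $3 }
    ' "$1"
}

# Demote every account reported above to Subscriber.
# Dry run unless the third argument is "apply"; each demotion is logged.
# Usage: demote_stale_accounts users.csv "alice bob" apply
demote_stale_accounts() {
    mode=${3:-dry-run}
    elevated_users_not_allowed "$1" "$2" | while read -r id login role; do
        if [ "$mode" = "apply" ]; then
            echo "demoting $login (id $id, was $role)"
            wp user set-role "$id" subscriber
        else
            echo "would demote $login (id $id, role $role)"
        fi
    done
}
```

Run the dry run first and keep the allow-list in version control, so a later diff shows exactly when and why someone was granted elevated access.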
Translated from: https://www.eukhost.com/blog/webhosting/wordpress-vulnerabilities-how-do-i-secure-my-wordpress-blog/