How do I secure my WordPress site? [closed]

Question | Votes: 0 | Answers: 1

I have a WordPress site. I noticed that I had simply installed a theme on it, and a day later my admin username and password had been changed. A security plugin I use called "wordfence" notified me of this by email. In its access history it shows attacker information like the following; I also have a strong password, but......

Can anyone analyze this information? How can I protect my WordPress site?

The image is:

wordpress security web-applications password-protection
1 answer

-3 votes

How to secure a WordPress site?

/* Here are 32 security measures for a WordPress site, with solutions */

  1. Check your current admin settings
  2. Content Security Policy
  3. Add security headers
  4. Force redirect to HTTPS
  5. Remove unused plugins that are installed and active
  6. Remove extra installed WordPress themes
  7. Force the use of FTP
  8. Protect the wp-config.php file
  9. Protect wp-admin with SSL
  10. Stop directory browsing
  11. Protect the .htaccess file
  12. Protect license.txt and readme.html
  13. Turn off the server signature on the web server
  14. Turn off all errors, but turn on logging
  15. Change the database table prefix in wp-config.php
  16. Disable PHP execution
  17. Disable meta information: the WP generator tag and style/script versioning
  18. Disable automatic updates of WordPress themes/plugins
  19. Disable editing of theme/plugin files in the admin dashboard
  20. Disable XML-RPC
  21. Limit login attempts, or block user login after x attempts
  22. Delete the default admin user with user ID #1
  23. Change all security keys in the wp-config.php file
  24. Add a plugin to change the admin login URL from /wp-login/ to /custom_login/
  25. Control/restrict image hotlinking
  26. Disable all core updates
  27. Deny access to certain files
  28. Script injection protection
  29. Plugin security audit
  30. Block access to the wp-includes directory
  31. Block access to the wp-content directory
  32. Use a two-factor authentication (2FA) plugin

Check your current admin settings

/* add the condition you need in your plugin/theme file */

if( current_user_can( 'administrator' ) ){} // only if administrator
if( current_user_can( 'editor' ) ){} // only if editor
if( current_user_can( 'author' ) ){} // only if author
if( current_user_can( 'contributor' ) ){} // only if contributor
if( current_user_can( 'subscriber' ) ){} // only if subscriber

Content Security Policy

<!-- Add the code directly to the functions.php file of your active WordPress theme. -->

// Content Security Policy
// Note: default-src 'self' also blocks inline scripts and styles, which WordPress core
// and many themes rely on; test the site after enabling it and extend the policy as needed.
function add_content_security_policy_header() { 
    header("Content-Security-Policy: default-src 'self';"); 
} 
add_action('send_headers', 'add_content_security_policy_header'); 

Add security headers

<!-- Add the code directly to the functions.php file of your active WordPress theme. -->

add_action('send_headers', 'add_security_headers'); 
function add_security_headers() { 
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"); 
    header("X-Content-Type-Options: nosniff"); 
    header("X-Frame-Options: SAMEORIGIN"); 
    header("X-XSS-Protection: 1; mode=block"); // legacy header; current browsers ignore it
    header("Referrer-Policy: no-referrer-when-downgrade"); 
} 

Force redirect to HTTPS

<!-- please add this code at the top of your .htaccess file -->

RewriteEngine On 
RewriteCond %{HTTPS} off 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Remove unused plugins that are installed and active

Remove extra installed WordPress themes

Force the use of FTP

<!-- please add this code to your wp-config.php file -->

define('FTP_SSL', true);      // boolean, not the string 'true'
define('FS_METHOD', 'ssh2');  // requires the PHP ssh2 extension on the server

Protect the wp-config.php file

<!-- please add this code at the top of your .htaccess file -->

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Protect wp-admin with SSL

define('FORCE_SSL_ADMIN', true); // add to wp-config.php

Stop directory browsing

<!-- please add this code at the top of your .htaccess file -->

# Options does not depend on mod_rewrite or mod_negotiation; wrapping it in
# <IfModule> blocks would silently skip it when those modules are absent
Options -Indexes

Protect the .htaccess file

<!-- please add this code at the top of your .htaccess file -->

# Matches .htaccess and .htpasswd (the pattern must be ".hta", not ".htta")
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

# Only for wp-content/uploads/.htaccess (see "Disable PHP execution" below);
# in the site root this would block WordPress itself
<Files *.php> 
Deny from all 
</Files> 

Protect license.txt and readme.html

<!-- please add this code to your .htaccess file -->

# Answer 404 for readme/license files (Redirect needs a path; RedirectMatch takes the regex)
RedirectMatch 404 (?i)(readme|license)\.(txt|html?)$

Turn off the server signature on the web server

<!-- please add this code to your .htaccess file -->

ServerSignature Off

Turn off all errors, but turn on logging

<!-- please add this code to your wp-config.php file -->

// Enable debug logging to the /wp-content/debug.log file
// (WP_DEBUG must be true, otherwise WP_DEBUG_LOG has no effect;
// debug.log is inside the web root, so block direct access to it as well)
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );

// Disable display of errors and warnings to visitors
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

Change the database table prefix wp_

Disable PHP execution

<!-- please add this code to a .htaccess file in wp-content/uploads -->

# Place this in wp-content/uploads/.htaccess, not the site root,
# so uploaded files can never be executed as PHP
<Files *.php>
Deny from all
</Files>

Disable meta information: the WP generator tag and style/script versioning

<!-- Add the code directly to the functions.php file of your active WordPress theme. -->

add_filter( 'style_loader_src', 'cxc_remove_css_js_version_callback', 9999 );
add_filter( 'script_loader_src', 'cxc_remove_css_js_version_callback', 9999 );

// Remove version from scripts and styles
function cxc_remove_css_js_version_callback( $src ) {
    if( $src && strpos( $src, '?ver=' ) ){
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}

// Remove version from head
remove_action('wp_head', 'wp_generator');

// Remove version from RSS
add_filter( 'the_generator', '__return_null' ); 

Disable automatic updates of WordPress themes/plugins.

<!-- Add the code directly to the functions.php file of your active WordPress theme. -->

// disable automatic updates for WordPress plugins
add_filter( 'plugins_auto_update_enabled', '__return_false' );


// disable automatic updates for WordPress themes
add_filter( 'themes_auto_update_enabled', '__return_false' );

Disable editing of theme/plugin files in the admin dashboard

<!-- please add this code to your wp-config.php file -->

define('DISALLOW_FILE_EDIT', true );

Disable XML-RPC.

// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');

Limit login attempts, or block user login after x attempts

<!-- Add the code directly to the functions.php file of your active WordPress theme. -->

/**
* CLASS LIMIT LOGIN ATTEMPTS
* Prevent mass WordPress login attacks by locking the login when too many attempts fail.
* To be added in functions.php or as an external file.
* Note: the counter lives in a single site-wide transient, so the lockout applies to
* every visitor, not only to the client whose attempts failed.
*/
if ( ! class_exists( 'Limit_Login_Attempts' ) ) {
    class Limit_Login_Attempts {

        public $failed_login_limit = 3;                 // Failed attempts allowed before lockout
        public $lockout_duration   = 1800;              // Lockout length in seconds: 60*30 = 1800
        public $transient_name     = 'attempted_login'; // Transient that stores the counter

        public function __construct() {
            add_filter( 'authenticate', array( $this, 'check_attempted_login' ), 30, 3 );
            add_action( 'wp_login_failed', array( $this, 'login_failed' ), 10, 1 );
        }

        /**
        * Lock login attempts if the failed login limit is reached
        */
        public function check_attempted_login( $user, $username, $password ) {
            if ( get_transient( $this->transient_name ) ) {
                $datas = get_transient( $this->transient_name );

                if ( $datas['tried'] >= $this->failed_login_limit ) {
                    $until = get_option( '_transient_timeout_' . $this->transient_name );
                    $time = $this->when( $until );

                    //Display error message to the user when the limit is reached 
                    return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
                }
            }

            return $user;
        }


        /**
        * Add transient
        */
        public function login_failed( $username ) {
            if ( get_transient( $this->transient_name ) ) {
                $datas = get_transient( $this->transient_name );
                $datas['tried']++;

                if ( $datas['tried'] <= $this->failed_login_limit )
                    set_transient( $this->transient_name, $datas , $this->lockout_duration );
            } else {
                $datas = array(
                    'tried'     => 1
                );
                set_transient( $this->transient_name, $datas , $this->lockout_duration );
            }
        }


        /**
        * Return a human-readable difference between now and the given time
        * @param  int    $time  Date as Unix timestamp
        * @return string
        */
        private function when( $time ) {
            if ( ! $time )
                return;
            $right_now = time();
            $diff = abs( $right_now - $time );
            $second = 1;
            $minute = $second * 60;
            $hour = $minute * 60;
            $day = $hour * 24;

            if ( $diff < $minute )
                return floor( $diff / $second ) . ' seconds';

            if ( $diff < $minute * 2 )
                return 'about 1 minute';

            if ( $diff < $hour )
                return floor( $diff / $minute ) . ' minutes';

            if ( $diff < $hour * 2 )
                return 'about 1 hour';
            return floor( $diff / $hour ) . ' hours';
        }
    }
}
//Enable it:
new Limit_Login_Attempts();

Delete the default admin user with user ID #1

Method 1. Create a new user from the backend with the [administrator] role, then log in as that user, go to the user list in the WordPress backend and delete the admin user.
Method 2. Run against the database (table prefix assumed to be wp_; change 1000 to any unused ID):
        UPDATE wp_users SET ID = 1000 WHERE ID = 1;
        UPDATE wp_usermeta SET user_id = 1000 WHERE user_id = 1;
        UPDATE wp_posts SET post_author = 1000 WHERE post_author = 1;  -- keep the user's posts attached

Change all security keys in the wp-config.php file

Open the link below to get a fresh set of security keys, then update them in the wp-config.php file:

https://api.wordpress.org/secret-key/1.1/salt/

Add a plugin to change the admin login URL

Example: https://example.com/wp-login -> https://example.com/customtext-login

I used this plugin to change the custom login URL 

https://wordpress.org/plugins/wps-hide-login/

Control/restrict image hotlinking

<!-- please add this code at the top of your .htaccess file -->
# Replace yourdomain.com with your own domain
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Disable all core updates:

<!-- please add this code to your wp-config.php file -->

define( 'WP_AUTO_UPDATE_CORE', false );
define( 'AUTOMATIC_UPDATER_DISABLED', true );

Deny access to certain files

<!-- please add this code to your .htaccess file -->

<Files your-file-name.txt>
Order Allow,Deny
Deny from all
</Files>

Script injection protection

<!-- please add this code to your .htaccess file -->

RewriteEngine On
# The "[" in the patterns must be escaped, or it opens a character class
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]

Plugin security audit

All-in-One Security plugin installation is free.

Block access to the wp-includes directory

<!-- please add this code to your .htaccess file -->

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Block access to the wp-content directory

<!-- please add this code to your .htaccess file -->

# check-auth.php is a handler you write yourself that verifies the visitor is
# logged in before serving the requested upload
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*)$ check-auth.php?file=$1 [QSA,L]
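The answer lists the headers and file blocks to apply but not how to confirm they actually took effect. The following Python script is an added example (not part of the original answer, and not a WordPress or Wordfence tool) that audits a site from the outside: it checks the response headers the answer's snippets set and the status codes of a few sensitive paths. `REQUIRED_HEADERS`, `SENSITIVE_PATHS` and the sample responses are constructed here; a live run only needs the standard library. One caveat it encodes: `ServerSignature Off` only removes the footer on server-generated pages; hiding the version in the `Server` header needs `ServerTokens Prod`, which cannot be set from `.htaccess`.

```python
"""Audit a WordPress site's security headers and exposed files.

Added example, not from the original answer. Checks from the outside
whether the header and file-blocking measures in the answer are in effect.
"""
import urllib.error
import urllib.request

# Headers the answer's add_security_headers() / CSP snippets should emit.
# Value: substring the header must contain, or None if any value counts.
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "referrer-policy": None,
}

# Paths the answer blocks via .htaccess; a 200 here means the measure is
# not in effect (wp-config.php returns an empty 200 when it is reachable,
# directories return 200 listings unless Options -Indexes is active).
SENSITIVE_PATHS = [
    "/readme.html",
    "/license.txt",
    "/wp-config.php",
    "/wp-includes/",
    "/wp-content/uploads/",
]


def audit_headers(headers):
    """Return findings for missing or weak headers; `headers` is name -> value."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, must_contain in REQUIRED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif must_contain and must_contain not in value.lower():
            findings.append(f"weak header: {name}={value!r}")
    # A digit in the Server header means the version is still disclosed;
    # ServerSignature Off does not change this, ServerTokens Prod does.
    if "server" in lowered and any(ch.isdigit() for ch in lowered["server"]):
        findings.append(f"server version disclosed: {lowered['server']!r}")
    return findings


def audit_paths(status_by_path):
    """Return findings for sensitive paths that still answer 200."""
    return [
        f"exposed: {path} returned 200"
        for path in SENSITIVE_PATHS
        if status_by_path.get(path) == 200
    ]


def fetch_status_and_headers(base_url, path):
    """Network helper: fetch one path and return (status, headers dict)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def audit_site(base_url):
    """Run both audits against a live site you administer."""
    _status, headers = fetch_status_and_headers(base_url, "/")
    statuses = {p: fetch_status_and_headers(base_url, p)[0] for p in SENSITIVE_PATHS}
    return audit_headers(headers) + audit_paths(statuses)


# Constructed sample: a site that applied only part of the answer.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_STATUSES = {
    "/readme.html": 404,
    "/license.txt": 200,
    "/wp-config.php": 403,
    "/wp-includes/": 403,
    "/wp-content/uploads/": 403,
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) + audit_paths(SAMPLE_STATUSES):
        print(finding)
```

Run it against the sample and it reports the missing CSP and Referrer-Policy headers, the disclosed Apache version and the still-readable license.txt; swap `SAMPLE_*` for `audit_site("https://your-site.example")` to check a real deployment you own.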