Strengthening WordPress Security, Part 1
It's a terrible nightmare: one day you open your website and find out that you have been hacked. If you're running a simple personal blog, this might just be an annoying incident. If you host your clients' websites, your day can become difficult and stressful. If you're running a high-volume e-commerce site, it can be a source of panic. No matter the situation, you don't share news using happy emojis. Therefore, you need a strategy to prevent attacks from happening.
You have come to the right place. In this two-part mini-series, I’ll show you how to make your WordPress project as secure as possible.
Do you think WordPress is safe? It’s okay if you don’t, as many people think WordPress is an insecure content management system, but nothing could be further from the truth… at least today.
What do Microsoft Windows, Android, Google Chrome and WordPress have in common? They are all very popular software, and people find security holes in them all the time. They are all regularly patched for bugs and security flaws, but does the presence of security holes make them unsafe?
I'm sorry if you thought differently, but that's not the case. Frequent patches don't necessarily mean a piece of software is poorly coded against security threats. The cat-and-mouse game between developers and hackers will always continue, and hackers will always find ways to crack software. If the software is as widely used as WordPress, the chances of it being attacked also increase.
What's important here is responsiveness and pre-emptiveness, and that's what WordPress excels at. You may have to wait a few days for Google Chrome to plug a security hole, and even a few weeks for Microsoft to release a security fix, but the large WordPress developer community is able to patch a zero-day security hole before the end of the first day. Plus, there's an entire team dedicated to protecting WordPress core, so core is in good hands as well. When it comes to themes and plugins, it may be a little easier to find bugs and flaws, and it may take more time to fix them, but the community has the support of the developers.
However, nothing is 100% safe. We live in an age where scientists are on the verge of cracking the code of our brains! Nothing is unbreakable, including our brains apparently, and WordPress is no exception. But just because 100% security is impossible doesn't mean we shouldn't strive for 99.999% security.
Based on personal experience and further research, I've put together some security measures you should take if you haven't already. Without further ado, let's get to know them now!
Tips for the .htaccess File
Let's start simple.
If your WordPress site is hosted on a web server powered by Apache and you enable "Pretty Permalinks" in Settings, WordPress will generate a file called .htaccess to store the basic rewrite instructions for WordPress permalinks. If you don't enable pretty permalinks, core won't generate the .htaccess file, but the tips I'm about to show still apply - you just have to create the file yourself.
Nano-tip: If you want to create a .htaccess file yourself but have trouble creating a file with no name and only a .htaccess extension, just upload an empty file with any name (e.g. Untitled.txt) and change the name and extension in your FTP client.
My first thought was to protect the .htaccess file itself. This is the easiest thing to do out of all the tips and tricks I'm going to show you. All you have to do is add the following lines to the file:
# protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
This is a harmless trick that will protect the .htaccess file from anyone (or anything) that wants to access it.
Next, let's disable showing the contents of folders:
# disable directory browsing
Options All -Indexes
This will prevent strangers from seeing the contents of your folders if they try to access, for example, myblog.com/wp-content/uploads/. Normally, they would be able to view the uploaded files or browse the subfolders of the /uploads/ directory, but with this little trick, they will see a 403 Forbidden response from the server instead.
Finally, I’d like to refer to a great “blacklist” provided by Perishable Press: The 5G Blacklist. This blacklist protects your site from a wide range of malicious activity, from harmful query strings to bad user agents.
That's it for the .htaccess tricks. Now, let's move on to the wp-config.php tips.
Security Tips for the wp-config.php File and Its Contents
Security-wise, the wp-config.php file may well be the most important file in your entire WordPress installation. There is a lot you can do with it to harden your site.
Let's start with a fun trick: did you know that you can place the wp-config.php file one level above the WordPress root directory? If that doesn't confuse you, do it right away. Most of the time I install WordPress in the public_html directory and like to keep the wp-config.php file in the user's root directory. I'm not sure whether this is a cure-all, but at least it feels safer. Some folks on Stack Exchange had a good debate on this topic.
By the way, let's go back to the root .htaccess file and add the following lines to deny access to the wp-config.php file:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Here's an interesting idea: how about removing the ability to edit theme and plugin files? All you need to do is add the following line to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
Feeling more paranoid? Paste the following line below the one above to completely disable theme and plugin installation and removal as well:
define( 'DISALLOW_FILE_MODS', true );
Two more tips on hardening WordPress: change the database prefix, and add security keys (or salts) to the wp-config.php file.
The first one is simple: check whether the database prefix is set to the default by looking for the following line:
$table_prefix = 'wp_';
If it is set to wp_, you should change it to something other than this default value. You don't need to remember it, so you can type anything. I like to use a combination like wp_fd884vg_ to keep it both secure and readable.
Changing the security keys is also very easy. Find the following lines to see whether the keys are empty:
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
If they all say 'put your unique phrase here', it means they haven't been set. In that case, just go to this URL (also referenced in the code comment) and swap the lines above for the ones generated on that page.
Nano-tip: If you're wondering what these "salt keys" are, WPBeginner has a great article explaining the benefits of this security measure.
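As an added check that is not part of the article, here is a small Python audit script that reads a site's .htaccess and wp-config.php and reports which of the hardening steps above are still missing (the protected-file blocks, directory listing, the two DISALLOW constants, the table prefix, and the salts). The sample file contents are constructed, and the deny-block check also accepts Apache 2.4's Require all denied form alongside the article's order/deny directives.

```python
import re
# Constructed sample files standing in for a real install (not from the article).
HTACCESS = """<Files .htaccess>
order allow,deny
deny from all
</Files>
Options All -Indexes
"""
WP_CONFIG = """define('AUTH_KEY', 'put your unique phrase here');
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
"""
SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
def php_defines(src: str) -> dict:
    """Collect define('NAME', value) pairs; the value is kept as raw PHP text."""
    pat = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.*?)\s*\)\s*;""")
    return {m.group(1): m.group(2) for m in pat.finditer(src)}
def deny_block(src: str, filename: str) -> bool:
    """True if a <Files filename> block denies access (Apache 2.2 or 2.4 syntax)."""
    m = re.search(rf"<files\s+{re.escape(filename)}>(.*?)</files>", src, re.I | re.S)
    return bool(m and re.search(r"deny from all|Require all denied", m.group(1), re.I))

def htaccess_findings(src: str) -> list:
    """Report which of the article's .htaccess rules are missing."""
    findings = []
    if not deny_block(src, ".htaccess"):
        findings.append(".htaccess is not protected from direct access")
    if not deny_block(src, "wp-config.php"):
        findings.append("wp-config.php is not protected from direct access")
    if not re.search(r"^\s*Options\b.*-Indexes", src, re.I | re.M):
        findings.append("directory listing is not disabled (Options -Indexes)")
    return findings

def wp_config_findings(src: str) -> list:
    """Report which of the article's wp-config.php hardening steps are missing."""
    findings, defs = [], php_defines(src)
    for const in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if defs.get(const, "").lower() != "true":
            findings.append(f"{const} is not set to true")
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", src)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    for name in SALT_NAMES:  # 32 is a heuristic floor; wordpress.org salts are 64 chars
        val = defs.get(name, "").strip("'\"")
        if val == PLACEHOLDER or len(val) < 32:
            findings.append(f"{name} is unset, the placeholder, or too short")
    return findings
```

Point htaccess_findings and wp_config_findings at the real files (open().read()) to audit a live install; an empty list means every step from this part of the series is in place.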
That's it for the wp-config.php tips! And that's it for today.
I hope you enjoyed today's .htaccess and wp-config.php tips. In the next part of this mini-series, we'll look at some security plugins and other important tips on hardening WordPress. If you have any questions or comments, feel free to share them in the comments section below.
See you in the next part!
The above is the detailed content of Strengthening WordPress Security, Part 1. For more information, please follow other related articles on the PHP Chinese website!