保护wp-admin文件夹-用途?重要吗?

时间:2014-09-17 作者:stadisco

我正在努力了解如何保护WordPress网站。我不明白的一个安全任务是。。。How important is it to protect the "wp-admin folder"? 例如,我认为限制登录尝试非常重要。

保护wp admin文件夹的目的是什么?是为了防止黑客进入你的WordPress仪表板吗?But if you protect wp-login.php, how would a hacker even get into the dashboard anyways? 

<Files wp-login.php>
order deny,allow
deny from all
allow from xxx.xxx.x.x
</Files>

If you use "Code A" will you also need to whitelist frontend AJAX functionality, and whitelist install.css ?

“代码A”-限制对wp admin文件夹的访问

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xxx
</LIMIT>


How does "Code A" compare to "Code B"? Would you use one or the other, or both at the same time?

“代码B”-保护wp管理目录

1   # enable basic authentication
2   AuthType Basic
3   # this text is displayed in the login dialog
4   AuthName “Restricted Area”
5   # The absolute path of the Apache htpasswd file. You should edit this
6   AuthUserFile /path/to/.htpasswd
7   # Allows any user in the .htpasswd file to access the directory
8   require valid-user




Allow front end Ajax functionality


Some WordPress plugins use Ajax functionality in WordPress.  
This means that such plugins might need access to the file admin-ajax.php  
To allow anonymous access to such file for the WordPress plugins to function,  
add the below to .htaccess  

1   <Files admin-ajax.php>
2       Order allow,deny
3       Allow from all
4       Satisfy any
5   </Files>



Update: /wp-admin/css/install.css is also sometimes needed on the frontend,  
you should whitelist that as well. Here\'s the necessary configuration 
to whitelist a file in a password protected location in lighttpd:


$HTTP["url"] =~ "^\\/wp-admin\\/.*" {
    $HTTP["url"] !~ "^\\/wp-admin\\/(admin-ajax\\.php|css\\/.*)" {
        auth.require = (
            "" => (
                "method" => "basic",
                "realm" => "Password protected area",
                "require" => "user=theuser",
            ),
        ),
    },
},

1 个回复
最合适的回答,由SO网友:David 整理而成

但如果您保护wp登录。php,黑客怎么会进入仪表板呢?

攻击者可能试图劫持或伪造有效的身份验证cookie。最近,有一个漏洞使得伪造这样的cookie变得“更容易”:CVE-2014-0166版本3.7.3/3.8.3修复了该漏洞

“代码A”与“代码B”相比如何?您会使用其中一个还是另一个,或者同时使用两者?

如果你是白名单wp-admin/admin-ajax.php (如»代码B«)此脚本仍然可以充当攻击者的联系点,以验证其cookie伪造,如果成功,还可以作为入口点来操作每个ajax操作的数据,这些操作不受额外nonce的保护。但即使是这些,理论上也可以猜测。

但是,如果公众不需要AJAX功能,并且可以将所有帐户的所有IP列入白名单,则可以保护wp-admin/ 目录将减少上述可能的攻击向量。

但这些方法无法保护您的站点免受中间人攻击或受感染客户端计算机的攻击,因为这些攻击将通过白名单检查。

最后,让我为您的第一个问题提供一个个人分类:

保护“wp admin文件夹”有多重要?

在我看来,更重要的是使用安全密码(可能是双因素身份验证)、安全密钥(在wp-config.php) 并且,如果可能的话,当您管理WordPress时,从第一个请求开始(请求https://…/wp-login.php). 还要使每个组件保持最新,并从服务器中删除未使用的组件(插件/主题)。之后,您仍然可以考虑保护wp-admin 目录

结束
标签: wp-admin   htaccess   security   小码农  

相关推荐

如何在数据库中插入图片路径以在wp-admin中显示产品图片?

我需要在哪个数据库表和列中插入图像路径,以便在wp admin中显示产品图像(不在前端)?我在WordPress中通过查询插入产品,而不是通过管理员插入产品。$insert = $wpdb->insert( $prefix.\"posts\", array( \"post_title\" => $posTitle, \"post_content\" => $postContent, \"post_status\" => \"pu