by Joel S. Syder

喬爾·賽德(Joel S.Syder)

您需要了解的WordPress漏洞以及如何修復它們 (WordPress vulnerabilities you need to know about — and how to fix them)

WordPress is an incredibly useful and versatile platform for all kinds of blogging. It’s become very popular. Unfortunately, that popularity has brought with it quite a few vulnerabilities that can be exploited by hackers. It’s important that you know about these weaknesses and take measures to prevent their exploitation. Here are six WordPress vulnerabilities you need to know about.

WordPress是適用于各種博客的非常有用且用途廣泛的平臺。它變得非常流行。不幸的是，這種流行帶來了很多可以被黑客利用的漏洞。了解這些弱點并采取措施防止其被利用很重要。這是您需要了解的六個WordPress漏洞。

“The easiest way for someone to access your WordPress is by attacking your login. These kinds of brute force attacks are the most common way of having your WordPress compromised. “This method works by guessing your login and password over and over again by using certain software,” advises Martha Goss, WP programmer at WriteMyX and BritStudent.

“某人訪問您的WordPress的最簡單方法是攻擊您的登錄名。這些暴力攻擊是使WordPress遭到破壞的最常見方法。 “該方法通過使用某些軟件來一遍又一遍地猜測您的登錄名和密碼來起作用，” WriteMyX和BritStudent的 WP程序員Martha Goss建議。

WordPress doesn’t limit the number of login attempts, so brute force attacks can be very effective. Your best defense against this vulnerability is installing a plugin that will limit the number of allowed login attempts, such as iThemes Security Pro. You can also use a password manager to generate random passwords that are much less likely to be guessed. Stay away from passwords that seem obvious — don’t use anything like 123456, password, or anything related to you.

WordPress不會限制登錄嘗試的次數，因此蠻力攻擊可能非常有效。最好的防御方法是安裝一個插件，該插件將限制允許的登錄嘗試次數，例如iThemes Security Pro。您還可以使用密碼管理器來生成隨機密碼，這些密碼很少被猜中。遠離看似顯而易見的密碼-請勿使用123456，密碼或與您相關的任何東西。

For example, no pet names, children names, partner names, street names and so on since all of this can be used against you. If you think that mixing them together may prove to be a better security measure but still fairly easy to remember, think again. Your social media profiles are an easy way into your psychology, and anyone could find these passwords among your posts.

例如，沒有寵物名稱，孩子名稱，伴侶名稱，街道名稱等，因為所有這些都可以對您不利。如果您認為將它們混合在一起可能是一種更好的安全措施，但仍然很容易記住，請再考慮一下。您的社交媒體資料是您進入心理的一種簡便方法，任何人都可以在您的帖子中找到這些密碼。

It’s best to choose something unrelated to you — and make sure that you use a good combination of letters, upper case letters, and numbers as well as symbols. You can never be too careful or underestimate your enemy.

最好選擇與您無關的內容，并確保您使用字母，大寫字母，數字以及符號的良好組合。您永遠不能太小心或低估敵人。

Source: https://www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/

資料來源： https : //www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/

默認管理員用戶帳戶 (Default admin user account)

Hackers can gain access to the back end of your WordPress account by exploiting your default admin user account. Try deleting your admin account and accessing your site from a common account that has admin privileges. People can gain access by injecting SQL commands using a cookie value parameter. To prevent this kind of compromise, try updating your security software to the most current IPS.

黑客可以通過利用默認的管理員用戶帳戶來訪問WordPress帳戶的后端。嘗試刪除您的管理員帳戶，并從具有管理員權限的普通帳戶訪問您的網站。人們可以通過使用cookie值參數注入SQL命令來獲得訪問權限。為避免這種妥協，請嘗試將安全軟件更新為最新的IPS。

Jibu Pro can also be accessed by cross-site scripting because it doesn’t clear out user-supplied input properly. To guard against this vulnerability, strengthen the permissions on your site. You can even go as far as to hide your admin login so well that no one can find it. The best way to do that — and the simplest one by far — is naming it something else. Admin is quite obvious, and hackers will be searching for that. But if you name it something entirely different — Cat, SpaceMonkey or choose from a wide variety of funny and clever possibilities — the hackers will have a hard time finding it. By default, they will have a much harder time injecting an SQL command — they don’t know where to inject it.

也可以通過跨站點腳本訪問Jibu Pro，因為它不能正確清除用戶提供的輸入。為防止此漏洞，請增強您網站上的權限。您甚至可以隱藏自己的管理員登錄信息，以至于沒人能找到。做到這一點的最佳方法(也是迄今為止最簡單的方法)是將其命名。管理員是很明顯的，黑客將在搜索它。但是，如果您將其命名為完全不同的名稱(例如Cat，SpaceMonkey或從各種各樣有趣而機靈的可能性中進行選擇)，則黑客將很難找到它。默認情況下，他們將很難注入SQL命令-他們不知道在哪里注入它。

Source: https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/

資料來源： https : //www.acunetix.com/blog/articles/exploiting-sql-injection-example/

URL黑客 (URL hacking)

“WordPress uses PHP to execute all its server-side scripts, and that, unfortunately, makes it susceptible to URL attacks. It is all too easy for hackers to sneak into WordPress operations and create problems for you,” warns Dorothy Cox, tech writer at 1Day2Write. Because of the nature of its database, there is ample opportunity for hackers to steal your sensitive information. To avoid these breaches, host your WordPress on Apache Web Server, which uses .htaccess files and will protect you from URL hacking.

“ WordPress使用PHP執行所有服務器端腳本，但是不幸的是，這使其容易受到URL攻擊。 1Day2Write的技術作家多蘿西·考克斯(Dorothy Cox)警告說，黑客很容易潛入WordPress操作并為您制造問題。由于其數據庫的性質，黑客有很多機會竊取您的敏感信息。為了避免這些破壞，請將您的WordPress托管在使用.htaccess文件的Apache Web服務器上，并保護您免受URL黑客攻擊。

Make sure you uninstall and delete all of the unnecessary plugins that you have on your website. This limits the access points for the hackers — themes could also be your enemy, especially if you have a ton of them that you aren’t using. PHP is all too easy to exploit, and you should protect your website the best you can. As a bonus, those themes and extra plugins may be slowing your loading time down so you would be improving your SEO while protecting your website.

確保卸載并刪除網站上所有不必要的插件。這限制了黑客的訪問點-主題也可能是您的敵人，特別是如果您有很多不使用的主題。 PHP太容易利用了，您應該盡最大努力保護您的網站。另外，這些主題和額外的插件可能會減慢加載時間，因此您可以在保護網站的同時改善SEO。

Source: https://blog.websecurify.com/2017/02/hacking-wordpress-4-7-0-1.html

來源： https : //blog.websecurify.com/2017/02/hacking-wordpress-4-7-0-1.html

過時的軟件 (Out of date software)

Any time you’re running your WordPress using outdated software, you run an increased risk of being compromised. It’s easy to fall into the trap of thinking that updates just improve minor bugs and annoyances, but they also are important for the security patches they include.

每當您使用過時的軟件運行WordPress時，遭受威脅的風險都會增加。很容易陷入思維陷阱，即更新只會改善較小的錯誤和煩惱，但它們對于所包含的安全補丁程序也很重要。

Keeping your software updated is a very easy thing to do, and it will protect you from many hacking threats. If you’re worried, you will forget to update your software, simply install automatic updates with plugins such as iThemes’ WordPress version management. These kinds of features both save you time and ensure you don’t miss a security patch and have your site compromised.

保持軟件更新是一件非常容易的事，它將保護您免受許多黑客威脅的侵害。如果您擔心，您將忘記更新軟件，只需使用插件即可安裝自動更新，例如iThemes的WordPress版本管理。這類功能既可以節省您的時間，又可以確保您不會錯過安全補丁并危及您的網站。

Hackers will be looking for something that’s easy to crack. By updating, you are probably installing new security patches which can prevent any hacker from entering. Also, make sure that you don’t install anything from sources that are not safe. You could be inviting the hackers right in.

黑客將尋找易于破解的東西。通過更新，您可能正在安裝新的安全補丁程序，可以阻止任何黑客進入。另外，請確保不要從不安全的來源安裝任何東西。您可能會邀請黑客進入。

Source: https://www.kimiweb.com/wordpress-help/updating-wordpress-and-plugins/

來源： https : //www.kimiweb.com/wordpress-help/updating-wordpress-and-plugins/

數據庫表的默認前綴 (Default prefix for database tables)

There are many tables in the WordPress database, and in many installs, they are named with a default prefix beginning with “wp.” That may not sound like a big deal, but it gives hackers a bit of an advantage because it is one less thing for them to decipher.

WordPress數據庫中有很多表，在許多安裝中，它們都以默認前綴“ wp ”命名。這聽起來似乎沒什么大不了的，但是它卻給了黑客一些優勢，因為對他們來說解密是一件輕而易舉的事。

You can make things a lot more difficult for them by simply changing these default prefixes. Will it stop every hacker? No, but it will stop a lot, and it’s just one more useful tool in defending your WordPress account. This is a simple process that you can easily do on your own — hackers are always looking for an easy entry point first, and if you eliminate those, they might give up.

只需更改這些默認前綴，就可以使事情變得更加困難。它會阻止每個黑客嗎？不，但它會停止很多工作，它只是保護您的WordPress帳戶的另一種有用工具。這是一個簡單的過程，您可以輕松地自己完成-黑客總是始終在尋找一個簡單的入口點，如果您消除這些入口，他們可能會放棄。

Source: https://www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

資料來源： https : //www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

PHP漏洞 (PHP vulnerabilities)

Hackers can gain access to your account by exploiting your PHP code, and it’s more common than you would think. Limit your risk by uninstalling and then deleting any plugins you don’t need. Each one is a potential access point for people looking to compromise your information. Try and avoid using plugins that aren’t being updated anymore; if it’s been more than six months since an update, it’s time to consider just deleting it.

黑客可以通過利用您PHP代碼來訪問您的帳戶，這種情況比您想象的要普遍得多。通過卸載然后刪除不需要的插件來降低風險。對于希望破壞您的信息的人們，每個人都是一個潛在的訪問點。嘗試避免使用不再更新的插件；如果距更新已超過六個月，那么該考慮將其刪除了。

Source: https://www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

資料來源： https : //www.cloudways.com/blog/change-wordpress-database-table-prefix-manually/

切換到更好的托管 (Switch to better hosting)

When you are just starting out, the cheapest hosting seems like the best idea. But, cheap hosting also comes with a lack of security features that could be harmful. Make sure that you have the best and the safest hosting in order to protect yourself and your customers.

當您剛開始時，最便宜的托管似乎是最好的主意。但是，廉價主機還缺少一些可能有害的安全功能。確保您擁有最好和最安全的托管服務，以保護自己和客戶。

Source: https://www.webhostingsecretrevealed.net/blog/web-hosting-guides/switching-web-host/

來源： https : //www.webhostingsecretrevealed.net/blog/web-hosting-guides/switching-web-host/

結論 (Conclusion)

Keeping your site secure is one of the most important responsibilities when you’re running a WordPress account. Limit the number of tries for your login. Change the default prefixes for your tables. Download the plugins recommended in this article and see how they work for you. WordPress is a great resource for blogging, but just remember that there are plenty of people looking around the site for accounts vulnerable to hacking. Make sure yours isn’t one of them.

當您運行WordPress帳戶時，確保網站安全是最重要的職責之一。限制嘗試登錄的次數。更改表的默認前綴。下載本文推薦的插件，并查看它們如何為您工作。 WordPress是寫博客的好資源，但請記住，很多人在網站上尋找容易受到黑客攻擊的帳戶。確保您不是其中之一。

Joel Syder is WP coach at Originwritings.com and Australia2write.com. He enjoys helping people to build websites of their dreams as well as creating articles about things that excite him for Academicbrits.com, tutoring service.

Joel Syder是Originwritings.com和Australia2write.com的 WP教練。 他喜歡幫助人們建立自己夢想中的網站，并為Academicbrits.com (補習服務)撰寫有關使他興奮的事情的文章。