终极WordPress安全指南-分步指南（2020）

WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

WordPress安全是每个网站所有者极为重要的主题。 Google每天将大约10,000多个网站列入黑名单，每周将大约50,000进行网络钓鱼。

If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

如果您认真对待自己的网站，则需要注意WordPress安全最佳实践。在本指南中，我们将分享所有最重要的WordPress安全提示，以帮助您保护网站免受黑客和恶意软件的侵害。

While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.

尽管WordPress核心软件非常安全，并且经过数百名开发人员的定期审核，但可以做很多事情来确保您的网站安全。

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

在WPBeginner，我们相信安全不仅在于消除风险。这也与降低风险有关。作为网站所有者，您可以做很多事情来提高WordPress的安全性(即使您不懂技术)。

We have a number of actionable steps that you can take to protect your website against security vulnerabilities.

您可以采取许多可行的步骤来保护您的网站免受安全漏洞的侵害。

To make it easy, we have created a table of content to help you easily navigate through our ultimate WordPress security guide.

为简单起见，我们创建了一个目录，可帮助您轻松浏览最终的WordPress安全指南。

目录 (Table of Contents)

Basics of WordPress Security

WordPress安全基础

Why WordPress Security is Important?为什么WordPress安全很重要？
Keeping WordPress Updated保持WordPress更新
Passwords and User Permissions密码和用户权限
The Role of Web Hosting虚拟主机的作用

WordPress Security in Easy Steps (No Coding)

轻松完成WordPress安全性(无需编码)

Install a WordPress Backup Solution安装WordPress备份解决方案
Best WordPress Security Plugin最好的WordPress安全插件
Enable Web Application Firewall (WAF)启用Web应用程序防火墙(WAF)
Move WordPress Site to SSL/HTTPS将WordPress网站移至SSL / HTTPS

WordPress Security for DIY Users

DIY用户的WordPress安全

Change the Default “admin” username更改默认的“管理员”用户名
Disable File Editing禁用文件编辑
Disable PHP File Execution禁用PHP文件执行
Limit Login Attempts限制登录尝试
Add Two Factor Authentication添加两因素身份验证
Change WordPress Database Prefix更改WordPress数据库前缀
Password Protect WP-Admin and Login密码保护WP-Admin和登录
Disable Directory Indexing and Browsing禁用目录索引和浏览
Disable XML-RPC in WordPress在WordPress中禁用XML-RPC
Automatically log out Idle Users自动注销空闲用户
Add Security Questions to WordPress Login向WordPress登录添加安全问题
Scanning WordPress for Malware and Vulnerabilies扫描WordPress中的恶意软件和漏洞
Fixing a Hacked WordPress Site修复被黑的WordPress网站

Ready? Let’s get started.

准备？让我们开始吧。

为什么网站安全很重要？ (Why Website Security is Important?)

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.

遭到入侵的WordPress网站可能会严重损害您的业务收入和声誉。黑客可以窃取用户信息，密码，安装恶意软件，甚至可以将恶意软件分发给您的用户。

Worst, you may find yourself paying ransomware to hackers just to regain access to your website.

最糟糕的是，您可能会发现自己向黑客支付了勒索软件，只是为了重新获得对您网站的访问权限。

In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.

2016年3月，谷歌报道称，已经有超过5000万网站用户被警告其访问的网站可能包含恶意软件或窃取信息。

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

此外，Google每周将大约20,000个网站列入恶意软件黑名单，并将大约50,000个网站列入网络钓鱼名单。

If your website is a business, then you need to pay extra attention to your WordPress security.

如果您的网站是一家公司，那么您需要特别注意WordPress的安全性。

Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

与保护所有者的实体店建筑是企业所有者的责任类似，作为在线企业所有者，保护您的企业网站也是您的责任。

[Back to Top ↑]

[ 返回页首↑ ]

保持WordPress更新 (Keeping WordPress Updated)

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress是一个定期维护和更新的开源软件。默认情况下，WordPress自动安装次要更新。对于主要版本，您需要手动启动更新。

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.

WordPress还带有成千上万的插件和主题，您可以在网站上安装它们。这些插件和主题由第三方开发人员维护，它们也定期发布更新。

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.

这些WordPress更新对于WordPress网站的安全性和稳定性至关重要。您需要确保WordPress核心，插件和主题是最新的。

[Back to Top ↑]

[ 返回页首↑ ]

强大的密码和用户权限 (Strong Passwords and User Permissions)

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.

最常见的WordPress黑客尝试使用被盗密码。您可以通过使用网站独有的更强密码来解决这一难题。不仅适用于WordPress管理区域，还适用于FTP帐户，数据库， WordPress托管帐户以及使用您站点域名的自定义电子邮件地址。

Many beginners don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.

许多初学者不喜欢使用强密码，因为它们很难记住。好消息是您不再需要记住密码。您可以使用密码管理器。请参阅有关如何管理WordPress密码的指南。

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.

降低风险的另一种方法是，除非绝对必要，否则不授予任何人访问WordPress管理员帐户的权限。如果您有庞大的团队或来宾作者，那么在将新的用户帐户和作者添加到WordPress网站之前，请确保您了解WordPress中的用户角色和功能。

[Back to Top ↑]

[ 返回页首↑ ]

WordPress托管的作用 (The Role of WordPress Hosting)

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Bluehost or Siteground take the extra measures to protect their servers against common threats.

您的WordPress托管服务在WordPress网站的安全中起着最重要的作用。诸如Bluehost或Siteground之类的优质共享托管服务提供商会采取额外措施来保护其服务器免受常见威胁的侵害。

Here is how a good web hosting company works in the background to protect your websites and data.

这是一家优秀的网络托管公司在后台如何保护您的网站和数据的方式。

They continuously monitor their network for suspicious activity.他们不断监视网络中的可疑活动。
All good hosting companies have tools in place to prevent large scale DDOS attacks所有优秀的托管公司都提供适当的工具来防止大规模DDOS攻击
They keep their server software and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.他们使服务器软件和硬件保持最新状态，以防止黑客利用旧版本中的已知安全漏洞。
They have ready to deploy disaster recovery and accidents plans which allows them to protect your data in case of major accident.他们已经准备好部署灾难恢复和事故计划，以便在发生重大事故时可以保护您的数据。

On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

在共享主机计划中，您与许多其他客户共享服务器资源。这带来了跨站点污染的风险，黑客可以在该站点中使用邻近站点来攻击您的网站。

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website

使用托管的WordPress托管服务可为您的网站提供更安全的平台。托管WordPress托管公司提供自动备份，自动WordPress更新以及更高级的安全配置，以保护您的网站

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

我们建议WPEngine作为我们首选的托管WordPress托管提供商。它们也是业内最受欢迎的产品。 (请参阅我们的WPEngine特殊优惠券 )。

[Back to Top ↑]

[ 返回页首↑ ]

轻松完成WordPress安全性(无需编码) (WordPress Security in Easy Steps (No Coding))

We know that improving WordPress security can be a terrifying thought for beginners. Especially if you’re not techy. Guess what – you’re not alone.

我们知道，提高WordPress安全性对于初学者而言可能是一个恐怖的想法。尤其是当您不熟练时。猜猜是什么-您并不孤单。

We have helped thousands of WordPress users in hardening their WordPress security.

我们已经帮助成千上万的WordPress用户强化了WordPress安全性。

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

我们将向您展示如何通过单击几下即可提高WordPress安全性(无需编码)。

If you can point-and-click, you can do this!

如果您可以点击鼠标，就可以这样做！

安装WordPress备份解决方案 (Install a WordPress Backup Solution)

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

备份是抵御任何WordPress攻击的第一道防线。请记住，没有什么是100％安全的。如果政府网站可以被黑客入侵，那么您的网站也可以被黑客入侵。

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

备份可让您快速恢复WordPress网站，以防万一。

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

您可以使用许多免费和付费的WordPress备份插件。关于备份，您需要知道的最重要的事情是，您必须定期将全站点备份保存到远程位置(而不是托管帐户)。

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

我们建议将其存储在Amazon，Dropbox等云服务或Stash等私有云中。

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

根据您更新网站的频率，理想的设置可能是每天一次或实时备份。

Thankfully this can be easily done by using plugins like VaultPress or UpdraftPlus. They are both reliable and most importantly easy to use (no coding needed).

幸运的是，可以使用VaultPress或UpdraftPlus这样的插件轻松完成此操作。它们既可靠，又最重要的是易于使用(无需编码)。

[Back to Top ↑]

[ 返回页首↑ ]

最好的WordPress安全插件 (Best WordPress Security Plugin)

After backups, the next thing we need to do is setup an auditing and monitoring system that keeps track of everything that happens on your website.

备份后，我们需要做的下一步是建立一个审核和监视系统，该系统可以跟踪您网站上发生的一切。

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

这包括文件完整性监视，失败的登录尝试，恶意软件扫描等。

Thankfully, this can be all taken care by the best free WordPress security plugin, Sucuri Scanner.

幸运的是，最好的免费WordPress安全插件Sucuri Scanner可以解决所有这些问题。

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

您需要安装并激活免费的Sucuri Security插件。有关更多详细信息，请参阅有关如何安装WordPress插件的分步指南。

Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

激活后，您需要转到WordPress管理员中的Sucuri菜单。您将被要求做的第一件事是生成一个免费的API密钥。这样可以启用审核日志记录，完整性检查，电子邮件警报和其他重要功能。

The next thing, you need to do is click on the ‘Hardening’ tab from the settings menu. Go through every option and click on the “Apply Hardening” button.

接下来，您需要做的是从设置菜单中单击“强化”标签。遍历所有选项，然后单击“应用强化”按钮。

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.

这些选项可帮助您锁定黑客经常在攻击中使用的关键区域。付费升级的唯一加固选项是Web应用程序防火墙，我们将在下一步中对其进行说明，因此暂时跳过。

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.

在本文稍后的部分中，我们也为那些不使用插件或不需要其他步骤(例如“数据库前缀更改”或“更改管理员用户名”)的用户提供了许多“强化”选项。

After the hardening part, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is ‘Email Alerts’.

强化部分之后，默认插件设置足以满足大多数网站的需要，不需要任何更改。我们建议自定义的唯一一件事是“电子邮件警报”。

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

默认警报设置可能会使您的收件箱中的电子邮件杂乱无章。我们建议接收有关关键操作(例如插件更改，新用户注册等)的警报。您可以通过转到Sucuri设置»警报来配置警报。

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.

这个WordPress安全性插件功能非常强大，因此请浏览所有选项卡和设置以查看其所做的所有工作，例如恶意软件扫描，审核日志，失败的登录尝试跟踪等。

启用Web应用程序防火墙(WAF) (Enable Web Application Firewall (WAF))

The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).

保护您的网站并对WordPress安全充满信心的最简单方法是使用Web应用程序防火墙(WAF)。

A website firewall blocks all malicious traffic before it even reaches your website.

网站防火墙会在所有恶意流量甚至未到达您的网站之前对其进行阻止。

DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.

DNS级网站防火墙 –这些防火墙通过其云代理服务器路由您的网站流量。这使他们只能将真正的流量发送到您的Web服务器。

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.

应用程序级防火墙 –这些防火墙插件会在流量到达您的服务器后但在加载大多数WordPress脚本之前检查流量。在减少服务器负载方面，此方法不如DNS级别防火墙有效。

To learn more, see our list of the best WordPress firewall plugins.

要了解更多信息，请参阅我们的最佳WordPress防火墙插件列表。

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

我们使用并推荐 Sucuri作为WordPress的最佳Web应用程序防火墙。您可以阅读有关Sucuri如何帮助我们在一个月内阻止450,000 WordPress攻击的信息。

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

关于Sucuri防火墙的最好之处在于，它还带有恶意软件清除功能和黑名单清除保证。基本上，如果您要在他们的监视下被黑，他们保证(无论您有多少页)他们都会修复您的网站。

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.

这是非常强大的保修，因为修复被黑客入侵的网站非常昂贵。安全专家通常每小时收取250美元。而您可以以每年199美元的价格获得整个Sucuri安全堆栈。

Improve your WordPress Security with the Sucuri Firewall »

使用Sucuri防火墙提高WordPress安全性»

Sucuri is not the only DNS level firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

Sucuri不是唯一的DNS级别防火墙提供商。另一个受欢迎的竞争对手是Cloudflare。请参阅我们对Sucuri与Cloudflare的比较(优点和缺点) 。

[Back to Top ↑]

[ 返回页首↑ ]

将您的WordPress网站移至SSL / HTTPS (Move Your WordPress Site to SSL/HTTPS)

SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.

SSL(安全套接字层)是对您的网站和用户浏览器之间的数据传输进行加密的协议。这种加密使某人很难嗅探和窃取信息。

Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.

启用SSL后，您的网站将使用HTTPS而不是HTTP，并且在浏览器中您的网站地址旁边还会看到一个挂锁标志。

SSL certificates were typically issued by certificate authorities, and their prices start from $80 to hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.

SSL证书通常是由证书颁发机构颁发的，其价格每年从80美元到数百美元不等。由于增加了成本，大多数网站所有者选择继续使用不安全的协议。

To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.

为了解决这个问题，一个名为Let's Encrypt的非营利组织决定为网站所有者提供免费的SSL证书。他们的项目得到了Google Chrome，Facebook，Mozilla和许多其他公司的支持。

Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.

现在，对您所有的WordPress网站开始使用SSL比以往更加容易。许多托管公司现在为您的WordPress网站提供免费的SSL证书。

If your hosting company does not offer one, then you can purchase one from Domain.com. They have the best and most reliable SSL deal in the market. It comes with a $10,000 security warranty and a TrustLogo security seal.

如果您的托管公司不提供服务，那么您可以从Domain.com购买一个。他们拥有市场上最好，最可靠的SSL协议。它带有10,000美元的安全保证和TrustLogo安全印章。

DIY用户的WordPress安全 (WordPress Security for DIY Users)

If you do everything that we have mentioned thus far, then you’re in a pretty good shape.

如果您到目前为止已经做了我们提到的所有事情，那么您的状态就很好。

But as always, there’s more that you can do to harden your WordPress security.

但是，与往常一样，您可以采取更多措施来加强WordPress的安全性。

Some of these steps may require coding knowledge.

其中一些步骤可能需要编码知识。

更改默认的“管理员”用户名 (Change the Default “admin” username)

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.

过去，默认的WordPress管理员用户名是“ admin”。由于用户名占登录凭据的一半，因此使黑客更容易进行暴力攻击。

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

幸运的是，WordPress自此改变了这一点，现在要求您在安装WordPress时选择一个自定义用户名。

However, some 1-click WordPress installers, still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

但是，某些一键式WordPress安装程序仍将默认管理员用户名设置为“ admin”。如果您注意到这种情况，那么切换虚拟主机可能是一个好主意。

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

由于WordPress默认情况下不允许您更改用户名，因此可以使用三种方法来更改用户名。

Create a new admin username and delete the old one.创建一个新的管理员用户名并删除旧的。
Use the Username Changer plugin使用用户名更改插件
Update username from phpMyAdmin从phpMyAdmin更新用户名

We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).

我们已在有关如何正确更改WordPress用户名(逐步)的详细指南中介绍了所有这三个方面。

Note: We’re talking about the username called “admin”, not the administrator role.

注意：我们所说的用户名是“ admin”，而不是管理员角色。

[Back to Top ↑]

[ 返回页首↑ ]

禁用文件编辑 (Disable File Editing)

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

WordPress带有内置的代码编辑器，可让您直接从WordPress管理区域编辑主题和插件文件。如果使用不当，此功能可能会带来安全风险，因此建议您将其关闭。

You can easily do this by adding the following code in your wp-config.php file.

您可以通过在wp-config.php文件中添加以下代码来轻松实现此目的。


// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

另外，您也可以使用上面提到的免费Sucuri插件中的强化功能，通过单击一下来完成此操作。

[Back to Top ↑]

[ 返回页首↑ ]

在某些WordPress目录中禁用PHP文件执行 (Disable PHP File Execution in Certain WordPress Directories)

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

加强WordPress安全性的另一种方法是通过在不需要的目录(例如/ wp-content / uploads /)中禁用PHP文件执行。

You can do this by opening a text editor like Notepad and paste this code:

您可以通过打开文本编辑器(如记事本)并粘贴以下代码来做到这一点：


<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.

接下来，您需要将此文件另存为.htaccess并使用FTP客户端将其上传到网站上的/ wp-content / uploads /文件夹中。

For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories

有关更多详细说明，请参阅我们的指南，了解如何在某些WordPress目录中禁用PHP执行

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

另外，您也可以使用上面提到的免费Sucuri插件中的强化功能，通过单击一下来完成此操作。

[Back to Top ↑]

[ 返回页首↑ ]

限制登录尝试 (Limit Login Attempts)

By default, WordPress allows users to try to login as many time as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to login with different combinations.

默认情况下，WordPress允许用户尝试根据需要多次登录。这使您的WordPress网站容易受到暴力攻击。黑客尝试通过尝试使用不同的组合登录来破解密码。

This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

通过限制用户可以进行的失败登录尝试，可以轻松解决此问题。如果您使用的是前面提到的Web应用程序防火墙，则会自动进行处理。

However, if you don’t have the firewall setup, then proceed with the steps below.

但是，如果没有防火墙设置，请继续以下步骤。

First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

首先，您需要安装并激活Login LockDown插件。有关更多详细信息，请参阅有关如何安装WordPress插件的分步指南。

Upon activation, visit Settings » Login LockDown page to setup the plugin.

激活后，访问设置»登录锁定页面以设置插件。

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.

有关详细说明，请查看我们的指南，以了解如何以及为何应限制WordPress中的登录尝试。

[Back to Top ↑]

[ 返回页首↑ ]

添加两因素身份验证 (Add Two Factor Authentication)

Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

两因素身份验证技术要求用户使用两步身份验证方法登录。第一个是用户名和密码，第二个步骤要求您使用单独的设备或应用进行身份验证。

Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

大多数顶级在线网站，例如Google，Facebook，Twitter，都可以为您的帐户启用它。您也可以向WordPress网站添加相同的功能。

First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.

首先，您需要安装并激活“ 双重身份验证”插件。激活后，您需要单击WordPress管理员侧栏中的“两因素验证”链接。

Next, you need to install and open an authenticator app on your phone. There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.

接下来，您需要在手机上安装并打开身份验证器应用程序。其中有几种可用的功能，例如Google Authenticator，Authy和LastPass Authenticator。

We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.

我们建议使用LastPass Authenticator或Authy，因为它们都允许您将帐户备份到云中。如果手机丢失，重设或购买新手机，这非常有用。您所有的帐户登录信息都可以轻松恢复。

We will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.

我们将在本教程中使用LastPass Authenticator。但是，所有身份验证应用程序的说明均相似。打开您的身份验证器应用程序，然后单击“添加”按钮。

You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera on the QRcode shown on the plugin’s settings page.

系统将询问您是否要手动扫描站点或扫描条形码。选择扫描条形码选项，然后将手机的相机对准插件的设置页面上显示的QRcode。

That’s all, your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.

就是这样，您的身份验证应用程序现在将保存它。下次登录您的网站时，输入密码后，系统会要求您输入两因素验证码。

Simply open the authenticator app on your phone and enter the code you see on it.

只需打开手机上的身份验证器应用，然后输入在其上看到的验证码即可。

[Back to Top ↑]

[ 返回页首↑ ]

更改WordPress数据库前缀 (Change WordPress Database Prefix)

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

默认情况下，WordPress使用wp_作为WordPress数据库中所有表的前缀。如果您的WordPress站点使用默认的数据库前缀，那么它使黑客更容易猜测表名是什么。这就是为什么我们建议更改它的原因。

You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.

您可以按照我们有关如何更改WordPress数据库前缀以提高安全性的分步教程来更改数据库前缀。

Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.

注意：如果操作不正确，可能会破坏您的网站。只有对编码技巧感到满意的情况下，才继续操作。

[Back to Top ↑]

[ 返回页首↑ ]

密码保护WordPress管理员和登录页面 (Password Protect WordPress Admin and Login Page)

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.

通常，黑客可以无限制地请求您的wp-admin文件夹和登录页面。这使他们可以尝试其黑客技巧或运行DDoS攻击。

You can add additional password protection on a server-side level, which will effectively block those requests.

您可以在服务器端级别上添加其他密码保护，这将有效地阻止这些请求。

Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.

请按照我们的分步说明进行操作，以了解如何密码保护WordPress admin(wp-admin)目录。

[Back to Top ↑]

[ 返回页首↑ ]

禁用目录索引和浏览 (Disable Directory Indexing and Browsing)

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

黑客可以使用目录浏览来发现您是否存在任何已知漏洞的文件，因此他们可以利用这些文件获得访问权限。

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

其他人还可以使用目录浏览来查看您的文件，复制图像，查找目录结构以及其他信息。这就是为什么强烈建议您关闭目录索引和浏览的原因。

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.

您需要使用FTP或cPanel的文件管理器连接到您的网站。接下来，在您网站的根目录中找到.htaccess文件。如果您在此处看不到它，请参考我们的指南，了解为什么在WordPress中看不到.htaccess文件。

After that, you need to add the following line at the end of the .htaccess file:

之后，您需要在.htaccess文件的末尾添加以下行：

Options -Indexes

Don’t forget to save and upload .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.

不要忘记将.htaccess文件保存并上传回您的站点。有关此主题的更多信息，请参阅有关如何在WordPress中禁用目录浏览的文章。

[Back to Top ↑]

[ 返回页首↑ ]

在WordPress中禁用XML-RPC (Disable XML-RPC in WordPress)

XML-RPC was enabled by default in WordPress 3.5 because it helps connecting your WordPress site with web and mobile apps.

WordPress 3.5默认情况下启用XML-RPC，因为它有助于将WordPress网站与Web和移动应用程序连接。

Because of its powerful nature, XML-RPC can significantly amplify the brute-force attacks.

由于其强大的特性，XML-RPC可以大大增强暴力攻击。

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.

例如，传统上，如果黑客想在您的网站上尝试使用500个不同的密码，则他们将不得不进行500次单独的登录尝试，而这些登录尝试将被登录锁定插件捕获和阻止。

But with XML-RPC, a hacker can use the system.multicall function to try thousands of password with say 20 or 50 requests.

但是使用XML-RPC，黑客可以使用system.multicall函数尝试说20个或50个请求的数千个密码。

This is why if you’re not using XML-RPC, then we recommend that you disable it.

这就是为什么如果您不使用XML-RPC，那么我们建议您禁用它。

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.

有3种在WordPress中禁用XML-RPC的方法，并且在有关如何在WordPress中禁用XML-RPC的分步教程中已经介绍了所有这些方法。

Tip: The .htaccess method is the best one because it’s the least resource intensive.

提示：.htaccess方法是最好的方法，因为它占用最少的资源。

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.

如果您使用的是前面提到的Web应用程序防火墙，则可以通过防火墙来解决。

[Back to Top ↑]

[ 返回页首↑ ]

自动注销WordPress中的空闲用户 (Automatically log out Idle Users in WordPress)

Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

登录的用户有时可能会偏离屏幕，这带来了安全风险。有人可以劫持他们的会话，更改密码或更改其帐户。

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

这就是为什么许多银行和金融站点都会自动注销非活动用户的原因。您也可以在WordPress网站上实现类似的功能。

You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.

您将需要安装并激活非活动注销插件。激活后，访问设置»非活动注销页面以配置插件设置。

Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.

只需设置持续时间并添加注销信息即可。不要忘记单击“保存更改”按钮来存储您的设置。

[Back to Top ↑]

[ 返回页首↑ ]

将安全性问题添加到WordPress登录屏幕 (Add Security Questions to WordPress Login Screen)

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

在您的WordPress登录屏幕上添加安全问题，使他人更难获得未经授权的访问。

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

您可以通过安装WP安全问题插件来添加安全问题。激活后，您需要访问设置»安全问题页面来配置插件设置。

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.

有关更多详细说明，请参阅有关如何向WordPress登录屏幕添加安全性问题的教程。

[Back to Top ↑]

[ 返回页首↑ ]

扫描WordPress中的恶意软件和漏洞 (Scanning WordPress for Malware and Vulnerabilies)

If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.

如果您安装了WordPress安全插件，则这些插件将定期检查恶意软件和安全漏洞迹象。

However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan. You can use your WordPress security plugin, or use one of these malware and security scanners.

但是，如果您看到网站访问量或搜索排名突然下降，则可能需要手动运行扫描。您可以使用WordPress安全插件，也可以使用以下恶意软件和安全扫描器之一。

Running these online scans is quite straight forward, you just enter your website URLs and their crawlers go through your website to look for known malware and malicious code.

运行这些在线扫描非常简单，只需输入您的网站URL，其爬网程序就会通过您的网站来查找已知的恶意软件和恶意代码。

Now keep in mind that most WordPress security scanners can just scan your website. They cannot remove the malware or clean a hacked WordPress site.

现在请记住，大多数WordPress安全扫描程序只能扫描您的网站。他们无法删除恶意软件或清理被黑客入侵的WordPress网站。

This brings us to the next section, cleaning up malware and hacked WordPress sites.

这使我们进入下一部分，清理恶意软件和被黑的WordPress网站。

[Back to Top ↑]

[ 返回页首↑ ]

修复被黑的WordPress网站 (Fixing a Hacked WordPress Site)

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

许多WordPress用户直到他们的网站遭到黑客入侵后才意识到备份和网站安全的重要性。

Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

清理WordPress网站可能非常困难且耗时。我们的第一个建议是让专业人士来照顾它。

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

黑客在受影响的网站上安装了后门程序，如果这些后门程序没有正确修复，则您的网站可能会再次遭到黑客攻击。

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

允许像Sucuri这样的专业安全公司修复您的网站将确保您的网站可以安全再次使用。它还将保护您免受将来的任何攻击。

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.

对于喜欢冒险的用户和DIY用户，我们已编制了逐步指南，以修复遭黑客入侵的WordPress网站。

[Back to Top ↑]

[ 返回页首↑ ]

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

仅此而已，我们希望本文能帮助您学习WordPress最佳安全最佳实践，以及发现适合您网站的最佳WordPress安全插件。

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

如果您喜欢这篇文章，请订阅我们的YouTube频道 WordPress视频教程。您也可以在Twitter和Facebook上找到我们。

翻译自: https://www.wpbeginner.com/wordpress-security/