如何防止对 WordPress wp-login.php 页面的攻击
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4444296/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to prevent attacks on WordPress wp-login.php page
提问by epaps
On my website, the highest GPU usage is actually on the WordPress login page, not the home page. I have basically come to the conclusion that it is being attacked by a brute force attack, or something similar.
在我的网站上,GPU 使用率最高的是 WordPress 登录页面,而不是主页。我基本上得出的结论是,它正在受到蛮力攻击或类似的攻击。
I have installed a plugin that prevents password attacks from bots, but it doesn't prevent the bots from actually visiting the page in the first place.
我已经安装了一个插件来防止来自机器人的密码攻击,但它并不能阻止机器人首先实际访问页面。
I want to change the location of the login page to something like wp-login-here.php, or perhaps there is a better solution. The Stealth Pluginseems like it would do the trick, but it is not compatible with recent versions of WordPress. Any ideas?
我想将登录页面的位置更改为 wp-login-here.php 之类的内容,或者可能有更好的解决方案。该隐形插件好像它会做的伎俩,但它是不是最新版本的WordPress的兼容。有任何想法吗?
EDIT:The real solution to this problem was for me to do a clean install of WordPress, this time in a version that was supported by the Stealth plugin. After installing WP and the Stealth plugin on this earlier version of WP, I used the .htaccess file that the plugin created and copied it over (after making a few modifications) to the production site. The reason I accepted the answer I did was because Bad Behavior ended up being a good plugin, and the other advice was useful.
编辑:这个问题的真正解决方案是让我全新安装 WordPress,这次是在 Stealth 插件支持的版本中。在此早期版本的 WP 上安装 WP 和 Stealth 插件后,我使用了该插件创建的 .htaccess 文件并将其复制(在进行了一些修改后)到生产站点。我接受我所做的答案的原因是因为 Bad Behavior 最终成为一个很好的插件,而其他建议很有用。
采纳答案by pootzko
bad behaviorcan block out some known malicious IP addresses. it works together with ProjectHoneyPotand keeps bad IPs out of your webpage before it's even fully loaded...
also, there is a way to hide your login pageusing .htaccess
lock out everyone attempting to login more than a few times as already pointed out by Jimmy
不良行为可能会阻止一些已知的恶意 IP 地址。它与ProjectHoneyPot一起工作,并在它完全加载之前将坏 IP 排除在你的网页之外......
此外,有一种方法可以使用 .htaccess来隐藏你的登录页面,
锁定每个尝试登录多次的人,正如已经指出的那样吉米
and besides that you should probably enforce the following practises:
除此之外,您可能应该执行以下做法:
- don't use admin account (create another account with admin privileges, but with a different username than admin and then remove the default admin account)
- force using SSL
- use strong passwords
- 不要使用管理员帐户(创建另一个具有管理员权限的帐户,但用户名与管理员不同,然后删除默认管理员帐户)
- 强制使用 SSL
- 使用强密码
回答by TheDeadMedic
How would I go about adding a password to a single file?
我将如何将密码添加到单个文件?
Add this to WP's current .htaccess:
将此添加到 WP 的当前.htaccess:
<FilesMatch "wp-login.php">
AuthName "WordPress Admin"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
</FilesMatch>
回答by FatherStorm
create a .htaccess rule for the wp-admin directory and set it to either a set list of IP's or a user/pass combo. You don't want to start hacking wordpress if you can avoid it as the next upgrade will just undo your changes, and setting it at the Apache .htaccess level will be a lot more effective than trying to patch wordpress.
为 wp-admin 目录创建一个 .htaccess 规则,并将其设置为一组 IP 列表或用户/密码组合。如果可以避免的话,您不想开始破解 wordpress,因为下一次升级只会撤消您的更改,并且将其设置在 Apache .htaccess 级别将比尝试修补 wordpress 更有效。
回答by Jimmy
What's the issue with just limiting the number of login attempts by IP address? http://wordpress.org/extend/plugins/limit-login-attempts/
仅通过 IP 地址限制登录尝试次数有什么问题?http://wordpress.org/extend/plugins/limit-login-attempts/
回答by user1138
To update upon epapsabove EDIT and Answer to the similar question Is there any way to rename or hide wp-login.php?, I too have found the .htaccess rules generated by the (now long abandoned) stealth-login plugin to be the least complex yet most effective means of preventing direct access to wp-login.php / wp-admin and protecting against various attacks (particularly brute-forcing).
更新上面的epaps编辑并回答类似问题有没有办法重命名或隐藏 wp-login.php?,我也发现由(现已长期放弃)隐形登录插件生成的 .htaccess 规则是防止直接访问 wp-login.php / wp-admin 并防止各种攻击的最简单但最有效的方法(特别是蛮力)。
Other "solutions" I have read require php functions, changes to wp-config.php and .htaccess rewrites. Or the installation of yet another (bulky) plugin! Many of these either only block the /wp-admin/ URI (easily subverted by going straight to wp-login.php), or break commenter/customer logins.
我读过的其他“解决方案”需要 php 函数,对 wp-config.php 的更改和 .htaccess 重写。或者安装另一个(庞大的)插件!其中许多要么只阻止 /wp-admin/ URI(通过直接进入 wp-login.php 很容易被破坏),要么破坏评论者/客户登录。
The stealth-login plugin's final version was v1.3 and was compatible with WordPress versions 2.3 to 2.7.1. The last Internet Archive snapshot from Oct 15, 2011 can be found herewhere stealth-login.1.3.zip can be downloaded. A compatible version of WordPress can be downloaded from the Release Archive - https://wordpress.org/download/release-archive/. Do the famous 5 minute install, unzip the stealth-login plugin to /wp-content/plugins and you can now generate a ruleset for your own use.
隐形登录插件的最终版本是 v1.3,兼容 WordPress 2.3 到 2.7.1 版本。2011 年 10 月 15 日的最后一个 Internet Archive 快照可以在这里找到,这里可以下载 Stealth-login.1.3.zip。可以从 Release Archive - https://wordpress.org/download/release-archive/下载兼容版本的 WordPress 。进行著名的 5 分钟安装,将隐形登录插件解压缩到 /wp-content/plugins,您现在可以生成供您自己使用的规则集。
Mine is as per below and is working perfectly on WordPress 4.7.4 with WooCommerce 3.0.5. The only change I made was adding the rewrite condition on line 12. It was necessary to prevent WooCommerce /my-account/customer-logout from breaking (it was 302 redirecting without the /wp-login.php URI - meaning the query string on its own would not execute the logout, thus nothing happened. Note the string has been left open to pickup the wpnonce variable.
我的如下所示,并且在 WordPress 4.7.4 和 WooCommerce 3.0.5 上完美运行。我所做的唯一更改是在第 12 行添加重写条件。有必要防止 WooCommerce /my-account/customer-logout 中断(它是 302 重定向,没有 /wp-login.php URI - 意思是查询字符串在它自己不会执行注销,因此什么也没发生。注意字符串已被打开以获取 wpnonce 变量。
So as noted earlier, this is THE best solution I have found yet - and it can even be made to work with WooCommerce. So simple, yet so effective - thanks epapsfor pointing this out.
所以如前所述,这是我找到的最好的解决方案 - 它甚至可以与 WooCommerce 一起使用。如此简单,但如此有效 - 感谢epaps指出这一点。
RewriteRule ^signout wp-login.php?action=logout&_wpnonce=a3d57642ab&stealth_out_key=ow4hzd5lxudcetbgbfreaox6c1 [L]
RewriteRule ^signin wp-login.php?stealth_in_key=05gvov4wuuruahpuchpohavitl&redirect_to=https://yourwebsite.com/wp-admin/ [R,L]
RewriteRule ^admin wp-admin/?stealth_admin_key=f4ji1q6tpwr55s5a0h65clg0qk [R,L]
RewriteCond %{HTTP_REFERER} !^https://yourwebsite.com/wp-admin
RewriteCond %{HTTP_REFERER} !^https://yourwebsite.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^https://yourwebsite.com/signin
RewriteCond %{HTTP_REFERER} !^https://yourwebsite.com/admin
RewriteCond %{QUERY_STRING} !^stealth_in_key=05gvov4wuuruahpuchpohavitl
RewriteCond %{QUERY_STRING} !^stealth_out_key=ow4hzd5lxudcetbgbfreaox6c1
RewriteCond %{QUERY_STRING} !^stealth_reg_key=rue2bekyask21pwtegavqbbp5n
RewriteCond %{QUERY_STRING} !^stealth_admin_key=f4ji1q6tpwr55s5a0h65clg0qk
RewriteCond %{QUERY_STRING} !^action=logout&redirect_to=https%3A%2F%2Fyourwebsite.com%2Fmy-account%2F&_wpnonce=
RewriteRule ^wp-login\.php https://yourwebsite.com [L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^wp-login\.php https://yourwebsite.com [L]
回答by John Parker
As a suggestion, if you're on a static IP you could use a .htaccess .passwd file to restrict access to the admin directory to a known list of IP addresses. Whilst this won't prevent the access attempts, it will at least lower the resource usage.
作为建议,如果您使用的是静态 IP,您可以使用 .htaccess .passwd 文件将访问 admin 目录的权限限制为已知的 IP 地址列表。虽然这不会阻止访问尝试,但至少会降低资源使用率。
回答by Alvego
As an addition to your security you can try this simple WordPress plugin:
作为安全的补充,您可以尝试这个简单的 WordPress 插件:
http://themext.com/protected-wp-login/
http://themext.com/protected-wp-login/
The website is no longer available but the code is still on GitHub
该网站不再可用,但代码仍在 GitHub 上
It protects against brute force your admin's login page (by using a secure key in the url).
它可以防止对管理员的登录页面进行暴力破解(通过在 url 中使用安全密钥)。
回答by Jesse Petersen
I've created a plugin that allows you to customize the login URL and also prevents remote form $_POST commands by checking the URL of the request.
我创建了一个插件,允许您自定义登录 URL,还可以通过检查请求的 URL 来防止远程表单 $_POST 命令。
It's not perfected with the rest of the WP login URLs that are in the toolbar and lost password link, but it has reduced login attempts to zero for several days during the brute force attacks of 2013 still going on.
它没有完善工具栏中的其余 WP 登录 URL 和丢失的密码链接,但在 2013 年的蛮力攻击仍在继续的几天里,它已将登录尝试减少到零。
回答by Mohan Kumar
Its might me brute force attack
它可能是我的蛮力攻击
Add the following code to bottom of your functions.php in theme folder it will stop the ping back request.
将以下代码添加到主题文件夹中的functions.php 底部,它将停止ping 回请求。
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
}
and change the wplogin page by using the following plugin
并使用以下插件更改 wplogin 页面
回答by Tom Egil D?rum
I seem to have found an answer to this.
我似乎找到了这个问题的答案。
I`ve been struggling with theese login attempts for a long time and decided to do an experiment.
我一直在努力解决这些登录尝试,并决定做一个实验。
First of all i don't use admin as my admin user. Therefore they wont get in since all the attacks are based on the "admin" user name.
首先,我不使用 admin 作为我的管理员用户。因此他们不会进入,因为所有的攻击都是基于“admin”用户名的。
I set up a user account that i named Admin and set the password to "12345". I forwarded this account to a html page that i call "busted". At first i was suprised that the bots still could`nt get in.
我设置了一个名为 Admin 的用户帐户并将密码设置为“12345”。我将此帐户转发到我称为“破坏”的 html 页面。起初我很惊讶机器人仍然无法进入。
A bot finally got in two weeks ago. I haven't had any attacks since. No attacks at all after that.
一个机器人终于在两周前进来了。从那以后我没有受到任何攻击。之后就没有任何攻击了。
It might be luck, but it also might have worked.
这可能是运气,但也可能奏效。
