It's a terrible nightmare: one day you open your website and find out that you have been hacked. If you're running a simple personal blog, this might just be an annoying incident. If you host your clients' websites, your day can become difficult and stressful. If you're running a high-volume e-commerce site, it can be a source of panic. No matter the situation, you don't share news using happy emojis. Therefore, you need a strategy to prevent attacks from happening.

You have come to the right place. In this two-part mini-series, I’ll show you how to make your WordPress project as secure as possible.

Introduction to WordPress Security

Do you think WordPress is safe? It’s okay if you don’t, as many people think WordPress is an insecure content management system, but nothing could be further from the truth… at least today.

What do Microsoft Windows, Android, Google Chrome and WordPress have in common? They are both very popular software and people find security holes in them all the time. Although they are all regularly patched for bugs and security flaws, does the presence of security holes make them unsafe?

I'm sorry if you thought differently, but that's not the case. Frequent patches don't necessarily mean a piece of software is poorly coded against security threats. The cat-and-mouse game between developers and hackers will always continue, and hackers will always find ways to crack software. If the software is scalable like WordPress, the chances of hacking also increase.

What’s important here is responsiveness and pre-emptiveness, and that’s what WordPress excels at. You'll have to wait a few days for Google Chrome to plug the security hole, and even a few weeks for Microsoft to release a security fix, but the large WordPress developer community will be able to patch zero-day security holes before the end of 2019. first day. Plus, there's an entire team dedicated to protecting WordPress core, so we have a pretty good handle on that as well. When it comes to themes and plugins, it may be a little easier to find bugs and flaws, and it may take more time to fix them, but the community has the support of the developers.

However, nothing is 100% safe. We live in an age where scientists are on the verge of cracking the code on our brains! Nothing is incomprehensible including our brains obviously, and WordPress is no exception. But just because 100% security is impossible, doesn’t mean we shouldn’t strive for 99.999% security.

Improving WordPress Security

Based on personal experience and further research, I've put together some safety measures you should take if you haven't already. Without further ado, let’s get to know them now!

Protect .htaccess File

Let’s start simple.

If your WordPress site is hosted on a web server powered by Apache and you enable "Pretty Permalinks" in Settings , WordPress will generate a file called .htaccess file to store basic information about WordPress permalink instructions. If you don't enable pretty permalinks, core won't generate the .htaccess file, but the tips I'm about to show still apply - you just have to create the file yourself.

Nano-tip: If you want to create a .htaccess file yourself but have trouble creating one without any name but with a .htaccess extension, just upload one Use an empty file with any name (eg Untitled.txt) and change the name and extension in the FTP client.

My first thought was to protect the htaccess file. This is the easiest thing to do out of the tips and tricks I'm going to show you. All you have to do is add the following lines to the file:

# protect .htaccess
<Files .htaccess>
   order allow,deny
   deny from all
</Files>

This is a harmless trick that will protect the htaccess file from anyone who wants to access it (or any).

Next, let’s disable showing the contents of the folder:

# disable directory browsing
Options All -Indexes

This will prevent strangers from seeing the contents of your folder if they want to access, for example, myblog.com/wp-content/uploads/. Normally, they would be able to view uploaded files or browse subfolders in the /uploads/ directory, but with this little trick, they will see a 403 Forbidden response from the server.

Finally, I’d like to refer to a great “blacklist” provided by Perishable Press: The 5G Blacklist. This blacklist protects your site from a wide range of malicious activity, from harmful query strings to bad user agents.

This is the htaccess trick. Now, let’s move on to the wp-config.php tips.

wp-config.php 文件及其內(nèi)容的安全技巧

就安全性而言，wp-config.php 文件可能是整個(gè) WordPress 安裝中最重要的文件。您可以用它做很多事情來(lái)強(qiáng)化您的網(wǎng)站。

讓我們從一個(gè)有趣的技巧開始：您是否知道可以將 wp-config.php 文件放在 WordPress 根目錄中的上一級(jí)？如果它不會(huì)讓您感到困惑，請(qǐng)立即執(zhí)行。大多數(shù)時(shí)候，我將 WordPress 安裝在 public_html 目錄中，并且喜歡將 wp-config.php 文件放在用戶根目錄中。不確定這是否是萬(wàn)金油配方，但至少它感覺(jué)更安全。 Stack Exchange 的一些人就這個(gè)話題進(jìn)行了很好的辯論。

順便說(shuō)一下，讓我們回到根 .htacccess 文件并添加以下行以拒絕訪問(wèn) wp-config.php 文件：

# protect wpconfig.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>

這是一個(gè)有趣的想法：刪除編輯主題和插件文件的權(quán)限怎么樣？所需要做的就是將以下行添加到 wp-config.php 文件中：

define( 'DISALLOW_FILE_EDIT', true );

感覺(jué)更加偏執(zhí)？將以下行粘貼到上面一行下方以完全禁用主題和插件安裝和刪除：

define( 'DISALLOW_FILE_MODS', true );

關(guān)于強(qiáng)化 WordPress 的另外兩個(gè)技巧：更改數(shù)據(jù)庫(kù)前綴，并在 wp-config.php 文件中添加安全密鑰（或 salt 密鑰）。

第一個(gè)很簡(jiǎn)單：通過(guò)查找以下行來(lái)檢查是否將數(shù)據(jù)庫(kù)前綴設(shè)置為默認(rèn)值：

$table_prefix  = 'wp_';

如果它設(shè)置為 wp_，您應(yīng)該將其更改為除此默認(rèn)值之外的其他值。您無(wú)需記住它，因此可以輸入任何內(nèi)容。我喜歡使用 wp_fd884vg_ 這樣的組合來(lái)保證它的安全性和可讀性。

更改安全密鑰也非常容易。通過(guò)找到以下行來(lái)查看鍵是否為空：

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

如果他們都說(shuō)'把你獨(dú)特的短語(yǔ)放在這里'，這意味著他們還沒(méi)有設(shè)置。在這種情況下，只需轉(zhuǎn)到此 URL（也在代碼注釋中引用）并使用上面的行更改該頁(yè)面中生成的行。

Nano-tip：如果您想知道這些“鹽密鑰”是什么，WPBeginner 有一篇很棒的文章介紹了這種安全措施的好處。

wp-config.php 技巧就到此為止！今天就到此為止吧。

今天總結(jié)

我希望您今天喜歡這些 .htaccess 和 wp-config.php 技巧。在這個(gè)迷你系列的下一部分中，我們將介紹一些安全插件和其他有關(guān)強(qiáng)化 WordPress 的重要技巧。如果您有任何問(wèn)題或意見，請(qǐng)隨時(shí)在下面的評(píng)論部分中提出。

下一部分見！