👋🏼Welcome to my WP-Host blog where I am excited to share my knowledge and expertise on WordPress hosting and website construction tutorials with you. Let’s connect and learn from each other! You can reach me at info@yrshare.com.
(如果你会中文,可以点击微信图标与我联系。)
注:因个人英文水平有限,所以暂时只能为懂中文的朋友提供wordpress建站服务
微信:18200592859 或 yrwordpress
When you use SiteGround hosting to deploy WordPress with one click, it will also pre-install the SiteGround Security plugin for you. You can use it to protect your website completely, and enhance your website’s vulnerability protection, so that your WordPress site can run safely. If you don’t have this plugin in your SiteGround hosting or you accidentally deleted it, WP-Host strongly recommends installing this plugin, because it is really very useful.
Here’s an introduction to the official SiteGround hosting blog, which you can check out:
Original link:https://world.siteground.com/blog/sg-security-preinstalled/
We have recently launched our own WordPress security plugin — SiteGround Security, which aims to protect WordPress users against the most common vulnerabilities plaguing the sites. It is available for anyone to download and use for free, regardless which hosting platform they use. To make sure that our WordPress sites are well protected on application level, however, we have started preinstalling SiteGround Security on all new installations on our platform with some of the features enabled by default.
Having your site set up with security in mind from the start can easily protect you against some of the most popular vulnerabilities out there. To help you achieve that goal, when we preinstall the SiteGround Security plugin we enable the following settings:
Hackers often crawl websites scooping information about software versions used. That way, when they get to discover a vulnerability in any of those versions, they are able to reach to and quickly hack many sites in bulk using that information. For WordPress application this data is openly available in 2 places – in an HTML tag and in the readme.html file.
By default, our plugin removes the HTML tag with the WordPress version and we strongly recommend that you also remove the readme.html file via the option in the SiteGround Security plugin.
The cross site script vulnerability, known as XSS, allows different apps and plugins to access information in your WordPress that they shouldn’t. Such attacks are often used to gather sensitive user data for example. By default the SiteGround Security plugin enables protection against XSS by adding headers instructing browsers not to accept JS or other code injections.
The XML-RPC is an old protocol used by WordPress to talk to other systems. It is getting less and less used since the appearance of the REST API. However, it is available in the application and many are using it for exploiting vulnerabilities, starting DDOS attacks and other troubles. That is why our SiteGround Security plugin disables this open access line to your WordPress application by default.
Jetpack plugin and mobile apps are valid users of the XML-RPC protocol. If you download Jetpack at some point, we will automatically enable the protocol back. You can also enable it yourself through the plugin interface.
Similar to XML-RPC, feeds are rarely used nowadays, but they are often used by attackers and bad bots to scrape your site content. So the SiteGround Security plugin allows you to disable them easily. Unless you really need them, we recommend to use this option and disable them as soon as possible.
Usually when an exploit happens, attackers try inserting and executing PHP files in public folders to add backdoors and further compromise your account. By design, those publicly accessible WordPress folders are used for uploading media content (images for example). Via the SiteGround Security plugin, we do not forbid the upload of files, but we stop PHP files and malicious scripts from being executed and causing problems for your sites. This feature protects those system folders and prevents potentially malicious scripts from being executed from them.
The default username and one most widely used on all applications by their owners is “Admin.” Hackers know that and when they wish to bruteforce a login form, they will definitely try it. That is why we disable this username by default.
Editing code through the plugins and themes editor poses direct security risks both from potential elevation of privileges attacks and errors made by a regular site administrator. If you want to edit your files, it is strongly recommended that you use the File Manager tool in Site Tools, or your preferred editor through FTP or SSH (ideally on a staging copy of your site). To help you avoid bad practices and attacks, we disable the themes & plugins editor by default.
There are a few settings, which you can control from the SiteGround Security plugin, which we have not enabled by default because they need your permission or they pose a risk on the way you use your app. Yet, we wish to encourage you to enable them consciously as they are quite powerful protection tools as well.
You already know that 2FA protects your login from bruteforce attacks and hijacking of login credentials. You can read more on the topic here and you can enable it easily using the SiteGround Security plugin.
When someone tries to log in several times with wrong credentials, they are most likely trying to guess your logins. That is why it is strongly recommended to block such attempts after the first few – 3 or 5. You can set that in the SiteGround Security plugin interface and after that many times of wrong logins, the user gets blocked for 1hour the first time, then 24hours on the second trial, and finally for 7 days on their third trial. Again, since if you don’t know about this functionality, you may lock yourself out of the WordPress admin area, we are not enabling it by default for you, but you can do it easily in a click!
We’re continuing the development of the plugin and will add a lot of new functionality soon. Monitor the change log for new features added with the upcoming updates. There isn’t a strict roadmap that we can share at this point but some of the features coming next are custom login URLs, Strict Transport Security headers and X Frame options that will prevent page hijacking. As usual, we want to bring what’s usually difficult to implement technologies to everyone and with an interface easily accessible without having to spend hours researching the exact syntax of the necessary headers or other code.
WordPress安全插件 – SiteGround Security,旨在保护WordPress用户免受困扰网站的最常见漏洞的侵害。任何人都可以免费下载和使用,无论他们使用哪个托管平台。但是,为了确保我们的WordPress网站在应用程序级别受到良好的保护,我们已经开始在我们平台上的所有新安装上预安装SiteGround Security,默认情况下启用某些功能。
从一开始就在设置站点时考虑安全性可以轻松保护您免受一些最流行的漏洞的侵害。为了帮助您实现这一目标,当我们预安装SiteGround安全插件时,我们启用以下设置:
黑客经常抓取网站,以获取有关所用软件版本的信息。这样,当他们发现任何这些版本中的漏洞时,他们能够使用该信息访问并快速批量破解许多站点。对于WordPress应用程序,此数据在2个地方公开可用 – 在HTML标签和自述文件.html文件中。
默认情况下,我们的插件会删除带有WordPress版本的HTML标签,我们强烈建议您也通过SiteGround安全插件中的选项删除自述文件.html文件。
跨站点脚本漏洞(称为XSS)允许不同的应用程序和插件访问WordPress中不应该访问的信息。例如,此类攻击通常用于收集敏感的用户数据。默认情况下,SiteGround 安全插件通过添加指示浏览器不接受 JS 或其他代码注入的标头来启用针对 XSS 的保护。
XML-RPC是WordPress用来与其他系统通信的旧协议。自从REST API出现以来,它的使用越来越少。但是,它在应用程序中可用,许多人正在使用它来利用漏洞,启动DDOS攻击和其他麻烦。这就是为什么我们的SiteGround安全插件默认禁用此开放访问线到您的WordPress应用程序的原因。
Jetpack 插件和移动应用程序是 XML-RPC 协议的有效用户。如果您在某个时候下载了 Jetpack,我们将自动重新启用该协议。您也可以通过插件界面自己启用它。
与 XML-RPC 类似,源现在很少使用,但攻击者和恶意机器人经常使用它们来抓取您的网站内容。因此,SiteGround 安全插件允许您轻松禁用它们。除非您确实需要它们,否则我们建议您使用此选项并尽快禁用它们。
通常,当发生漏洞利用时,攻击者会尝试在公共文件夹中插入和执行PHP文件,以添加后门并进一步破坏您的帐户。根据设计,这些可公开访问的WordPress文件夹用于上传媒体内容(例如图像)。通过SiteGround安全插件,我们不禁止上传文件,但我们阻止PHP文件和恶意脚本被执行并给您的网站带来问题。此功能可保护这些系统文件夹,并防止从中执行潜在的恶意脚本。
默认用户名及其所有者在所有应用程序上使用的最广泛的用户名是“管理员”。黑客知道这一点,当他们希望暴力破解登录表单时,他们肯定会尝试。这就是我们默认禁用此用户名的原因。
通过插件和主题编辑器编辑代码会带来直接的安全风险,包括潜在的特权提升攻击和常规站点管理员的错误。如果要编辑文件,强烈建议您使用站点工具中的文件管理器工具,或通过 FTP 或 SSH 使用首选编辑器(最好在站点的暂存副本上)。为了帮助您避免不良做法和攻击,我们默认禁用主题和插件编辑器。
有一些设置,您可以从SiteGround安全插件中控制,我们默认未启用这些设置,因为它们需要您的许可,或者它们会对您使用应用程序的方式构成风险。但是,我们希望鼓励您有意识地启用它们,因为它们也是非常强大的保护工具。
您已经知道 2FA 保护您的登录免受暴力攻击和登录凭据劫持。您可以在此处阅读有关该主题的更多信息,并且可以使用SiteGround安全插件轻松启用它。
当有人尝试使用错误的凭据多次登录时,他们很可能试图猜测您的登录信息。这就是为什么强烈建议在前几次 – 3 或 5 次之后阻止此类尝试的原因。您可以在SiteGround安全插件界面中进行设置,并且在多次错误登录之后,用户第一次被阻止1小时,然后在第二次试用中被阻止24小时,最后在第三次试用中被阻止7天。同样,由于如果您不了解此功能,您可以将自己锁定在 WordPress 管理区域之外,我们默认情况下不会为您启用它,但您只需单击一下即可轻松完成!
我们正在继续开发插件,并将很快添加许多新功能。监视更改日志中是否有随即将推出的更新添加的新功能。目前我们没有可以分享的严格路线图,但接下来的一些功能是自定义登录 URL、严格传输安全标头和 X Frame 选项,可以防止页面劫持。像往常一样,我们希望将通常难以实现的技术带给每个人,并具有易于访问的界面,而无需花费数小时研究必要标头或其他代码的确切语法。
