当前位置:   article > 正文


sucuri security 使用教程

WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

WordPress安全是每个网站所有者极为重要的主题。 Google每天将大约10,000多个网站列入黑名单,每周将大约50,000进行网络钓鱼。

If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

如果您认真对待自己的网站,则需要注意WordPress安全最佳实践。 在本指南中,我们将分享所有最重要的WordPress安全提示,以帮助您保护网站免受黑客和恶意软件的侵害。

Complete WordPress security guide

While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.


At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

在WPBeginner,我们相信安全不仅在于消除风险。 这也与降低风险有关。 作为网站所有者,您可以做很多事情来提高WordPress的安全性(即使您不懂技术)。

We have a number of actionable steps that you can take to protect your website against security vulnerabilities.


To make it easy, we have created a table of content to help you easily navigate through our ultimate WordPress security guide.


目录 (Table of Contents)

Basics of WordPress Security


WordPress Security in Easy Steps (No Coding)


WordPress Security for DIY Users


Ready? Let’s get started.

准备? 让我们开始吧。

为什么网站安全很重要? (Why Website Security is Important?)

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.

遭到入侵的WordPress网站可能会严重损害您的业务收入和声誉。 黑客可以窃取用户信息,密码,安装恶意软件,甚至可以将恶意软件分发给您的用户。

Worst, you may find yourself paying ransomware to hackers just to regain access to your website.


Why WordPress security is important

In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.


Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.


If your website is a business, then you need to pay extra attention to your WordPress security.


Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.


[Back to Top ↑]

[ 返回页首↑ ]

保持WordPress更新 (Keeping WordPress Updated)

Keeping WordPress updated

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress是一个定期维护和更新的开源软件。 默认情况下,WordPress自动安装次要更新。 对于主要版本,您需要手动启动更新。

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.

WordPress还带有成千上万的插件和主题,您可以在网站上安装它们。 这些插件和主题由第三方开发人员维护,它们也定期发布更新。

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.

这些WordPress更新对于WordPress网站的安全性和稳定性至关重要。 您需要确保WordPress核心,插件和主题是最新的。

[Back to Top ↑]

[ 返回页首↑ ]

强大的密码和用户权限 (Strong Passwords and User Permissions)

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.

最常见的WordPress黑客尝试使用被盗密码。 您可以通过使用网站独有的更强密码来解决这一难题。 不仅适用于WordPress管理区域,还适用于FTP帐户,数据库, WordPress托管帐户以及使用您站点域名的自定义电子邮件地址

Many beginners don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.

许多初学者不喜欢使用强密码,因为它们很难记住。 好消息是您不再需要记住密码。 您可以使用密码管理器。 请参阅有关如何管理WordPress密码的指南。

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.

降低风险的另一种方法是,除非绝对必要,否则不授予任何人访问WordPress管理员帐户的权限。 如果您有庞大的团队或来宾作者,那么在将新的用户帐户和作者添加到WordPress网站之前,请确保您了解WordPress中的用户角色和功能

[Back to Top ↑]

[ 返回页首↑ ]

WordPress托管的作用 (The Role of WordPress Hosting)

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Bluehost or Siteground take the extra measures to protect their servers against common threats.

您的WordPress托管服务在WordPress网站的安全中起着最重要的作用。 诸如BluehostSiteground之类的优质共享托管服务提供商会采取额外措施来保护其服务器免受常见威胁的侵害。

Here is how a good web hosting company works in the background to protect your websites and data.


  • They continuously monitor their network for suspicious activity.

  • All good hosting companies have tools in place to prevent large scale DDOS attacks

  • They keep their server software and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.

  • They have ready to deploy disaster recovery and accidents plans which allows them to protect your data in case of major accident.


On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

在共享主机计划中,您与许多其他客户共享服务器资源。 这带来了跨站点污染的风险,黑客可以在该站点中使用邻近站点来攻击您的网站。

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website

使用托管的WordPress托管服务可为您的网站提供更安全的平台。 托管WordPress托管公司提供自动备份,自动WordPress更新以及更高级的安全配置,以保护您的网站

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

我们建议WPEngine作为我们首选的托管WordPress托管提供商。 它们也是业内最受欢迎的产品。 (请参阅我们的WPEngine特殊优惠券 )。

[Back to Top ↑]

[ 返回页首↑ ]

轻松完成WordPress安全性(无需编码) (WordPress Security in Easy Steps (No Coding))

We know that improving WordPress security can be a terrifying thought for beginners. Especially if you’re not techy. Guess what – you’re not alone.

我们知道,提高WordPress安全性对于初学者而言可能是一个恐怖的想法。 尤其是当您不熟练时。 猜猜是什么-您并不孤单。

We have helped thousands of WordPress users in hardening their WordPress security.


We will show you how you can improve your WordPress security with just a few clicks (no coding required).


If you can point-and-click, you can do this!


安装WordPress备份解决方案 (Install a WordPress Backup Solution)

Install a WordPress backup solution

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

备份是抵御任何WordPress攻击的第一道防线。 请记住,没有什么是100%安全的。 如果政府网站可以被黑客入侵,那么您的网站也可以被黑客入侵。

Backups allow you to quickly restore your WordPress site in case something bad was to happen.


There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

您可以使用许多免费和付费的WordPress备份插件 。 关于备份,您需要知道的最重要的事情是,您必须定期将全站点备份保存到远程位置(而不是托管帐户)。

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.


Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.


Thankfully this can be easily done by using plugins like VaultPress or UpdraftPlus. They are both reliable and most importantly easy to use (no coding needed).

幸运的是,可以使用VaultPressUpdraftPlus这样的插件轻松完成此操作。 它们既可靠,又最重要的是易于使用(无需编码)。

[Back to Top ↑]

[ 返回页首↑ ]

最好的WordPress安全插件 (Best WordPress Security Plugin)

After backups, the next thing we need to do is setup an auditing and monitoring system that keeps track of everything that happens on your website.


This includes file integrity monitoring, failed login attempts, malware scanning, etc.


Thankfully, this can be all taken care by the best free WordPress security plugin, Sucuri Scanner.

幸运的是,最好的免费WordPress安全插件Sucuri Scanner可以解决所有这些问题。

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

您需要安装并激活免费的Sucuri Security插件 。 有关更多详细信息,请参阅有关如何安装WordPress插件的分步指南。

Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

激活后,您需要转到WordPress管理员中的Sucuri菜单。 您将被要求做的第一件事是生成一个免费的API密钥。 这样可以启用审核日志记录,完整性检查,电子邮件警报和其他重要功能。

Generate Sucuri API Key

The next thing, you need to do is click on the ‘Hardening’ tab from the settings menu. Go through every option and click on the “Apply Hardening” button.

接下来,您需要做的是从设置菜单中单击“强化”标签。 遍历所有选项,然后单击“应用强化”按钮。

Sucuri security hardening

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.

这些选项可帮助您锁定黑客经常在攻击中使用的关键区域。 付费升级的唯一加固选项是Web应用程序防火墙,我们将在下一步中对其进行说明,因此暂时跳过。

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.


After the hardening part, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is ‘Email Alerts’.

强化部分之后,默认插件设置足以满足大多数网站的需要,不需要任何更改。 我们建议自定义的唯一一件事是“电子邮件警报”。

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

默认警报设置可能会使您的收件箱中的电子邮件杂乱无章。 我们建议接收有关关键操作(例如插件更改,新用户注册等)的警报。您可以通过转到Sucuri设置»警报来配置警报。

Set up security email alerts

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.


启用Web应用程序防火墙(WAF) (Enable Web Application Firewall (WAF))

The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).


A website firewall blocks all malicious traffic before it even reaches your website.


DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.

DNS级网站防火墙 –这些防火墙通过其云代理服务器路由您的网站流量。 这使他们只能将真正的流量发送到您的Web服务器。

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.

应用程序级防火墙 –这些防火墙插件会在流量到达您的服务器后但在加载大多数WordPress脚本之前检查流量。 在减少服务器负载方面,此方法不如DNS级别防火墙有效。

To learn more, see our list of the best WordPress firewall plugins.


Sucuri WAF

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

我们使用并推荐 Sucuri作为WordPress的最佳Web应用程序防火墙。 您可以阅读有关Sucuri如何帮助我们在一个月内阻止450,000 WordPress攻击的信息

Attacks blocked by Sucuri

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

关于Sucuri防火墙的最好之处在于,它还带有恶意软件清除功能和黑名单清除保证。 基本上,如果您要在他们的监视下被黑,他们保证(无论您有多少页)他们都会修复您的网站。

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.

这是非常强大的保修,因为修复被黑客入侵的网站非常昂贵。 安全专家通常每小时收取250美元。 而您可以以每年199美元的价格获得整个Sucuri安全堆栈。

Improve your WordPress Security with the Sucuri Firewall »


Sucuri is not the only DNS level firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

Sucuri不是唯一的DNS级别防火墙提供商。 另一个受欢迎的竞争对手是Cloudflare。 请参阅我们对Sucuri与Cloudflare的比较(优点和缺点)

[Back to Top ↑]

[ 返回页首↑ ]

将您的WordPress网站移至SSL / HTTPS (Move Your WordPress Site to SSL/HTTPS)

SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.

SSL(安全套接字层)是对您的网站和用户浏览器之间的数据传输进行加密的协议。 这种加密使某人很难嗅探和窃取信息。

How SSL works

Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.


SSL certificates were typically issued by certificate authorities, and their prices start from $80 to hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.

SSL证书通常是由证书颁发机构颁发的,其价格每年从80美元到数百美元不等。 由于增加了成本,大多数网站所有者选择继续使用不安全的协议。

To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.

为了解决这个问题,一个名为Let's Encrypt的非营利组织决定为网站所有者提供免费的SSL证书。 他们的项目得到了Google Chrome,Facebook,Mozilla和许多其他公司的支持。

Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.

现在,对您所有的WordPress网站开始使用SSL比以往更加容易。 许多托管公司现在为您的WordPress网站提供免费的SSL证书

If your hosting company does not offer one, then you can purchase one from Domain.com. They have the best and most reliable SSL deal in the market. It comes with a $10,000 security warranty and a TrustLogo security seal.

如果您的托管公司不提供服务,那么您可以从Domain.com购买一个。 他们拥有市场上最好,最可靠的SSL协议。 它带有10,000美元的安全保证和TrustLogo安全印章。

DIY用户的WordPress安全 (WordPress Security for DIY Users)

If you do everything that we have mentioned thus far, then you’re in a pretty good shape.


But as always, there’s more that you can do to harden your WordPress security.


Some of these steps may require coding knowledge.


更改默认的“管理员”用户名 (Change the Default “admin” username)

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.

过去,默认的WordPress管理员用户名是“ admin”。 由于用户名占登录凭据的一半,因此使黑客更容易进行暴力攻击。

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.


However, some 1-click WordPress installers, still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

但是,某些一键式WordPress安装程序仍将默认管理员用户名设置为“ admin”。 如果您注意到这种情况,那么切换虚拟主机可能是一个好主意。

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.


  1. Create a new admin username and delete the old one.

  2. Use the Username Changer plugin

  3. Update username from phpMyAdmin


We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).


Note: We’re talking about the username called “admin”, not the administrator role.

注意:我们所说的用户名是“ admin”,而不是管理员角色。

[Back to Top ↑]

[ 返回页首↑ ]

禁用文件编辑 (Disable File Editing)

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

WordPress带有内置的代码编辑器,可让您直接从WordPress管理区域编辑主题和插件文件。 如果使用不当,此功能可能会带来安全风险,因此建议您将其关闭。

Disable file editing in WordPress

You can easily do this by adding the following code in your wp-config.php file.


  1. // Disallow file edit
  2. define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.


[Back to Top ↑]

[ 返回页首↑ ]

在某些WordPress目录中禁用PHP文件执行 (Disable PHP File Execution in Certain WordPress Directories)

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

加强WordPress安全性的另一种方法是通过在不需要的目录(例如/ wp-content / uploads /)中禁用PHP文件执行。

You can do this by opening a text editor like Notepad and paste this code:


  1. <Files *.php>
  2. deny from all
  3. </Files>

Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.

接下来,您需要将此文件另存为.htaccess并使用FTP客户端将其上传到网站上的/ wp-content / uploads /文件夹中。

For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories

有关更多详细说明,请参阅我们的指南, 了解如何在某些WordPress目录中禁用PHP执行

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.


[Back to Top ↑]

[ 返回页首↑ ]

限制登录尝试 (Limit Login Attempts)

By default, WordPress allows users to try to login as many time as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to login with different combinations.

默认情况下,WordPress允许用户尝试根据需要多次登录。 这使您的WordPress网站容易受到暴力攻击。 黑客尝试通过尝试使用不同的组合登录来破解密码。

This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

通过限制用户可以进行的失败登录尝试,可以轻松解决此问题。 如果您使用的是前面提到的Web应用程序防火墙,则会自动进行处理。

However, if you don’t have the firewall setup, then proceed with the steps below.


First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

首先,您需要安装并激活Login LockDown插件。 有关更多详细信息,请参阅有关如何安装WordPress插件的分步指南。

Upon activation, visit Settings » Login LockDown page to setup the plugin.


Login Lockdown options

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.


[Back to Top ↑]

[ 返回页首↑ ]

添加两因素身份验证 (Add Two Factor Authentication)

Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

两因素身份验证技术要求用户使用两步身份验证方法登录。 第一个是用户名和密码,第二个步骤要求您使用单独的设备或应用进行身份验证。

Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

大多数顶级在线网站,例如Google,Facebook,Twitter,都可以为您的帐户启用它。 您也可以向WordPress网站添加相同的功能。

First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.

首先,您需要安装并激活“ 双重身份验证”插件。 激活后,您需要单击WordPress管理员侧栏中的“两因素验证”链接。

Two Factor Authenticator settings

Next, you need to install and open an authenticator app on your phone. There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.

接下来,您需要在手机上安装并打开身份验证器应用程序。 其中有几种可用的功能,例如Google Authenticator,Authy和LastPass Authenticator。

We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.

我们建议使用LastPass AuthenticatorAuthy,因为它们都允许您将帐户备份到云中。 如果手机丢失,重设或购买新手机,这非常有用。 您所有的帐户登录信息都可以轻松恢复。

We will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.

我们将在本教程中使用LastPass Authenticator。 但是,所有身份验证应用程序的说明均相似。 打开您的身份验证器应用程序,然后单击“添加”按钮。

Add website

You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera on the QRcode shown on the plugin’s settings page.

系统将询问您是否要手动扫描站点或扫描条形码。 选择扫描条形码选项,然后将手机的相机对准插件的设置页面上显示的QRcode。

That’s all, your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.

就是这样,您的身份验证应用程序现在将保存它。 下次登录您的网站时,输入密码后,系统会要求您输入两因素验证码。

Enter your two-factor auth code

Simply open the authenticator app on your phone and enter the code you see on it.


[Back to Top ↑]

[ 返回页首↑ ]

更改WordPress数据库前缀 (Change WordPress Database Prefix)

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

默认情况下,WordPress使用wp_作为WordPress数据库中所有表的前缀。 如果您的WordPress站点使用默认的数据库前缀,那么它使黑客更容易猜测表名是什么。 这就是为什么我们建议更改它的原因。

You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.


Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.

注意:如果操作不正确,可能会破坏您的网站。 只有对编码技巧感到满意的情况下,才继续操作。

[Back to Top ↑]

[ 返回页首↑ ]

密码保护WordPress管理员和登录页面 (Password Protect WordPress Admin and Login Page)

Password protect WordPress admin area

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.

通常,黑客可以无限制地请求您的wp-admin文件夹和登录页面。 这使他们可以尝试其黑客技巧或运行DDoS攻击。

You can add additional password protection on a server-side level, which will effectively block those requests.


Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.

请按照我们的分步说明进行操作,以了解如何密码保护WordPress admin(wp-admin)目录

[Back to Top ↑]

[ 返回页首↑ ]

禁用目录索引和浏览 (Disable Directory Indexing and Browsing)

Disable directory browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.


Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

其他人还可以使用目录浏览来查看您的文件,复制图像,查找目录结构以及其他信息。 这就是为什么强烈建议您关闭目录索引和浏览的原因。

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.

您需要使用FTP或cPanel的文件管理器连接到您的网站。 接下来,在您网站的根目录中找到.htaccess文件。 如果您在此处看不到它,请参考我们的指南, 了解为什么在WordPress中看不到.htaccess文件

After that, you need to add the following line at the end of the .htaccess file:


Options -Indexes

Options -Indexes

Don’t forget to save and upload .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.

不要忘记将.htaccess文件保存并上传回您的站点。 有关此主题的更多信息,请参阅有关如何在WordPress中禁用目录浏览的文章。

[Back to Top ↑]

[ 返回页首↑ ]

在WordPress中禁用XML-RPC (Disable XML-RPC in WordPress)

XML-RPC was enabled by default in WordPress 3.5 because it helps connecting your WordPress site with web and mobile apps.

WordPress 3.5默认情况下启用XML-RPC,因为它有助于将WordPress网站与Web和移动应用程序连接。

Because of its powerful nature, XML-RPC can significantly amplify the brute-force attacks.


For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.


But with XML-RPC, a hacker can use the system.multicall function to try thousands of password with say 20 or 50 requests.


This is why if you’re not using XML-RPC, then we recommend that you disable it.


There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.


Tip: The .htaccess method is the best one because it’s the least resource intensive.


If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.


[Back to Top ↑]

[ 返回页首↑ ]

自动注销WordPress中的空闲用户 (Automatically log out Idle Users in WordPress)

Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

登录的用户有时可能会偏离屏幕,这带来了安全风险。 有人可以劫持他们的会话,更改密码或更改其帐户。

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

这就是为什么许多银行和金融站点都会自动注销非活动用户的原因。 您也可以在WordPress网站上实现类似的功能。

You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.

您将需要安装并激活非活动注销插件。 激活后,访问设置»非活动注销页面以配置插件设置。

Logout idle users

Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.

只需设置持续时间并添加注销信息即可。 不要忘记单击“保存更改”按钮来存储您的设置。

[Back to Top ↑]

[ 返回页首↑ ]

将安全性问题添加到WordPress登录屏幕 (Add Security Questions to WordPress Login Screen)

Add security question on login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.


You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

您可以通过安装WP安全问题插件来添加安全问题。 激活后,您需要访问设置»安全问题页面来配置插件设置。

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.


[Back to Top ↑]

[ 返回页首↑ ]

扫描WordPress中的恶意软件和漏洞 (Scanning WordPress for Malware and Vulnerabilies)

Malware scanning

If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.


However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan. You can use your WordPress security plugin, or use one of these malware and security scanners.

但是,如果您看到网站访问量或搜索排名突然下降,则可能需要手动运行扫描。 您可以使用WordPress安全插件,也可以使用以下恶意软件和安全扫描器之一

Running these online scans is quite straight forward, you just enter your website URLs and their crawlers go through your website to look for known malware and malicious code.


Now keep in mind that most WordPress security scanners can just scan your website. They cannot remove the malware or clean a hacked WordPress site.

现在请记住,大多数WordPress安全扫描程序只能扫描您的网站。 他们无法删除恶意软件或清理被黑客入侵的WordPress网站。

This brings us to the next section, cleaning up malware and hacked WordPress sites.


[Back to Top ↑]

[ 返回页首↑ ]

修复被黑的WordPress网站 (Fixing a Hacked WordPress Site)

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.


Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

清理WordPress网站可能非常困难且耗时。 我们的第一个建议是让专业人士来照顾它。

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

黑客在受影响的网站上安装了后门程序 ,如果这些后门程序没有正确修复,则您的网站可能会再次遭到黑客攻击。

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

允许像Sucuri这样的专业安全公司修复您的网站将确保您的网站可以安全再次使用。 它还将保护您免受将来的任何攻击。

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.


[Back to Top ↑]

[ 返回页首↑ ]

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.


If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

如果您喜欢这篇文章,请订阅我们的YouTube频道 WordPress视频教程。 您也可以在TwitterFacebook上找到我们。

翻译自: https://www.wpbeginner.com/wordpress-security/

