WordPress:Hardening WordPress

From 站长百科 (Zhanzhang Baike)
Revision by Fludlen (talk | contribs), 23 June 2008 (Mon) 16:03

Security is an interesting topic, with a lot of shades of grey. WordPress developers take security very seriously, but as with any other system, potential security issues may arise, and there is always a tradeoff between security and convenience. This guide goes through some common things you can do to keep your WordPress installation secure.

What is security? Fundamentally, security is not about perfectly uncrackable systems, which may well be impossible to build or maintain. Security has more to do with trust and responsiveness. For example, a trusted host runs a stable, patched branch of its web server (Apache, IIS, or whatever). It tells you so, tests its configuration itself, and lets you verify this for yourself. An untrusted host does not apply patches when they are released and does not tell you what server versions it is running.

Several themes run through this guide:

  1. Limiting access: making smart choices that reduce the entry points available to a malicious person.
  2. Containment: if a malicious person finds a weak point in your installation, your system should be configured to minimize the damage that can be done once they are inside.
  3. Knowledge: keeping backups, knowing the state of your WordPress installation at regular intervals, and documenting your modifications all help you understand your WordPress installation, and notice when something in it has changed.

Vulnerabilities on your computer

Make sure the computers you use to post to WordPress are free of spyware, malware, adware and virus infections, and are running secure, stable versions of your applications. None of the advice below makes the slightest difference if there is a keylogger on your PC.

Vulnerabilities in the WordPress package itself

WordPress itself could have vulnerabilities, a result of how the program is written, that let an attacker pass crafted HTTP arguments, malformed URI strings, form input and so on that cause Bad Things to happen.

There are two ways to deal with this problem:

  1. Keep up to date with the latest WordPress version: the WordPress developers do not maintain security patches for older WordPress versions. Once a new version has been released, or a vulnerability has been fixed, the information required to exploit that vulnerability is almost certainly public, which leaves old versions open to attack by any script kiddie.
  2. Report bugs: if you find what you think is a bug, report it (see WordPress:Submitting_Bugs). You might have uncovered a vulnerability, or a bug that could lead to one. If you think you have found a serious security flaw, email security@wordpress.org with the details first, rather than filing a public bug report.

Server vulnerabilities

The web server running WordPress, the database holding the WordPress data, PHP, and any other scripting or programming language used by plugins or helper applications could all have vulnerabilities. Make sure you are running secure, stable versions of your web server, database and scripting interpreter, or use a trusted host that takes care of these things for you.

If you are on a shared server (one that hosts other people besides yourself) and someone else on it is compromised, it is very likely you can be compromised too, even if you follow everything in this guide. Ask your web host what security precautions they take, and in particular how they isolate customers from one another.

Network vulnerabilities

The network on both ends, the WordPress server side and the client side, should be trusted. That means keeping the firewall rules on your home router up to date and being careful about which networks you work from. A busy Internet cafe where you send passwords in cleartext over an unencrypted wireless connection is not a trusted network. (The article describing how to secure your email when using a wireless connection in a public place can be extended to accessing your blog securely over an SSH tunnel.) Your host should make sure that their network is not poisoned by hackers, and you should do the same on yours. Network vulnerabilities allow passwords to be intercepted by sniffers and enable other sorts of havoc, such as man-in-the-middle attacks.

Passwords

Some vulnerabilities can be avoided by good security habits. An important element of this is passwords: do not use your own name, do not use a dictionary word (from any language), and do not use a 4-character string of digits. Your goal is to make the search space as large as possible, so mixing in digits and varying capitalization make it statistically harder to brute-force a password, and every extra character of length multiplies the search space again. This is particularly important if you do not rename the administrator account: in that case half the puzzle is already solved for malicious users, because they know which username carries the privileges to edit files and databases. The Automatic Password Generator can help generate reasonably complex passwords.

File permissions

Some of WordPress' cool features come from allowing the web server to write to some files. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment: a compromised web process can then modify the code it runs.

From a security perspective it is best to lock down your file permissions as much as possible, loosen those restrictions only on the occasions when you need to allow write access, or create special folders with more relaxed permissions for specific purposes such as uploading images.

Here is one possible permission scheme.

All files should be owned by your user account and be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.

  • / (the root WordPress directory): all files should be writable only by your user account,
    • EXCEPT .htaccess if you want WordPress to generate rewrite rules for you automatically.
  • /wp-admin/ (the WordPress administration area): all files should be writable only by your user account.
  • /wp-includes/ (the bulk of WordPress application logic): all files should be writable only by your user account.
  • /wp-images/ (image files used by WordPress): all files should be writable only by your user account.
  • /wp-content/ (variable user-supplied content): intended by the developers to be completely writable by all (owner/user, group, and public). Where you can, confine this to the directories that actually receive uploads rather than the whole tree.
    • /wp-content/themes/ (theme files): if you want to use the built-in theme editor, all files need to be group-writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
    • /wp-content/plugins/ (plugin files): all files should be writable only by your user account.
    • Other directories under /wp-content/ should be documented by whatever plugin or theme requires them. Permissions may vary.
  • If you have shell access to your server, you can change file permissions recursively with the following commands:

For directories:
find [your path here] -type d -exec chmod 755 {} \;
For files:
find [your path here] -type f -exec chmod 644 {} \;

Do not run these commands on /wp-includes/.
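The scheme above, applied and then audited from a shell account on the server, as an added example that is not part of the original page. It assumes a WordPress install directory and the group the web server runs as (for example www-data); both are arguments. It goes beyond the page's scheme in one place: wp-config.php is made readable only by you and the web server's group, because it holds the database password.

```shell
#!/bin/sh
# Added example (not from the original page). Applies the permission scheme above from
# a shell account on the server and then audits the result.
# Assumptions: $1 is the WordPress install directory, $2 is the group the web server
# runs as (e.g. www-data); the 640 on wp-config.php is this example's addition.

# Baseline from the page: directories 755, files 644 (owner writes, everyone reads).
harden_wp_perms() {
  wp_root=$1
  web_group=$2
  writable_htaccess=${3:-no}   # "yes" only if WordPress must rewrite .htaccess for you

  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +

  # Beyond the page: wp-config.php holds the database password, so hide it from other
  # users on a shared host; the web server still reads it through its group.
  if [ -f "$wp_root/wp-config.php" ]; then
    chgrp "$web_group" "$wp_root/wp-config.php"
    chmod 640 "$wp_root/wp-config.php"
  fi

  # The one place the web server must write (uploaded images): group-writable for
  # the web server's group, never world-writable.
  if [ -d "$wp_root/wp-content/uploads" ]; then
    chgrp -R "$web_group" "$wp_root/wp-content/uploads"
    find "$wp_root/wp-content/uploads" -type d -exec chmod 775 {} +
    find "$wp_root/wp-content/uploads" -type f -exec chmod 664 {} +
  fi

  # .htaccess: group-writable only when WordPress should generate rewrite rules.
  if [ "$writable_htaccess" = yes ] && [ -f "$wp_root/.htaccess" ]; then
    chgrp "$web_group" "$wp_root/.htaccess"
    chmod 664 "$wp_root/.htaccess"
  fi
}

# Audit: prints every world-writable path under the install. Expect no output;
# anything listed can be modified by every account on the host.
audit_world_writable() {
  find "$1" ! -type l -perm -o+w
}
```

Run it as the account that owns the files, then run the audit; if a plugin later asks for a writable directory, loosen that directory alone and re-run the audit rather than relaxing the whole tree.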

Database security

If you run multiple blogs on the same server, consider keeping them in separate databases, each managed by a different database user with privileges on its own database only. This is easiest to arrange during the initial WordPress installation. It is a containment strategy: if an intruder successfully cracks one WordPress installation, the database credentials they obtain do not reach your other blogs.

If you administer MySQL yourself, make sure you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a good introduction.

Securing wp-admin

You can greatly enhance the security of your blog by adding additional access control to your /wp-admin/ folder using the AskApache Password Protection plugin. This plugin also secures your /wp-login.php file and all files in your /wp-includes/ and /wp-content/ folders.

Adding server-side password protection to /wp-admin/ adds a second layer of protection around your blog's admin area, login and files. An attacker or bot has to get through this second layer before it can touch your actual admin files. Most WordPress attacks are carried out autonomously by malicious software bots.

The most common attacks against a WordPress blog fall into two categories:

  1. Sending specially crafted HTTP requests to your server with exploit payloads for specific vulnerabilities, typically in old or outdated plugins and software.
  2. Attempting to gain access to your blog by brute-force password guessing.

By adding a second layer of protection around these important files you force attackers to break through it before they can even attempt to attack /wp-admin/ itself. This protection uses HTTP Basic Authentication: the password is passed over the network base64-encoded, which is plain text to anyone sniffing the connection, not encrypted. The main benefit is in denying access to your server's files and alerting you to an attack (failed Basic Authentication attempts show up as 401 responses in the server's access log) before it reaches your /wp-admin/ doorstep.

The full implementation of this second-layer password protection is to require an HTTPS (SSL) encrypted connection for your /wp-admin/ directory, so that all communications and sensitive data are encrypted.
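The second layer described above, written out as Apache configuration by a small shell function. This is an added example, not the AskApache plugin's code; it assumes Apache 2.2 with mod_auth_basic and mod_ssl, an AllowOverride setting that permits these directives in .htaccess, and a credentials file created separately with htpasswd (for example htpasswd -c /etc/apache2/wp-admin.htpasswd yourname) and kept outside the web root.

```shell
#!/bin/sh
# Added example (not the AskApache plugin's code). Writes the Apache 2.2 configuration
# for the "2nd layer": HTTP Basic authentication over /wp-admin/ and wp-login.php.
# Assumptions: mod_auth_basic and mod_ssl loaded, AllowOverride permits AuthConfig and
# Limit, and the htpasswd file already exists at the path given as $2.

write_wpadmin_basic_auth() {
  wp_root=$1          # WordPress install directory
  htpasswd_file=$2    # absolute path, outside the web root
  require_ssl=${3:-yes}

  # Basic auth sends the password base64-encoded, not encrypted, so insist on HTTPS
  # for the protected area unless told otherwise.
  ssl_line=""
  if [ "$require_ssl" = yes ]; then
    ssl_line="SSLRequireSSL"
  fi

  # Layer around the admin area itself.
  cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user
$ssl_line

# admin-ajax.php is requested by anonymous visitors for some plugins; exempting it
# keeps those features working while everything else stays behind the second layer.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF

  # wp-login.php lives in the site root, not in /wp-admin/, so it needs its own guard.
  # Appended outside WordPress's "# BEGIN/END WordPress" markers, which it leaves alone.
  cat >> "$wp_root/.htaccess" <<EOF

<Files wp-login.php>
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user
$ssl_line
</Files>
EOF
}

# Self-check: both guards present and the credentials file not under the web root
# (a credentials file inside the web root could be downloaded by anyone).
check_wpadmin_basic_auth() {
  wp_root=$1
  htpasswd_file=$2
  grep -q 'Require valid-user' "$wp_root/wp-admin/.htaccess" || return 1
  grep -q 'wp-login.php' "$wp_root/.htaccess" || return 1
  case "$htpasswd_file" in
    "$wp_root"/*) return 1 ;;
  esac
  return 0
}
```

The Basic authentication credentials should not be the same as your WordPress password: the point of the second layer is that an attacker has to defeat two independent secrets, and with SSLRequireSSL in place neither of them crosses the network in the clear.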

SSL Encryption Security

You can secure and encrypt all of your communication and the important WordPress cookies using the Admin-SSL plugin. It works with both private and shared SSL.

Plugins

Security Plugins

The WP Security Scan plugin can be downloaded at WP Security Scan. While it helps a great deal in protecting your WordPress installation, you still need to maintain good passwords, check plugins and themes before installing them, and keep good backups of your files and database in case you do get hacked.

Plugins that need write access

If a plugin wants write access to your WordPress files and directories, read the code to make sure it is legitimate, or check with someone you trust. Possible places to check are the Support Forums and the IRC channel.

Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins that allow arbitrary PHP or other code to execute from entries in the database magnify the possible damage in the event of a successful attack: anyone who can write a post, or insert one through a flaw in the database layer, can then run code on your server.

A way to avoid using such a plugin is to use custom page templates that call the function you need. Part of the security this affords is only realized when you also disallow file editing within WordPress (the built-in theme and plugin editors); otherwise an attacker who gains an administrator session can simply edit the template itself.

Security through obscurity

Security through obscurity is generally considered an unsound primary strategy. However, there are areas in WordPress where obscuring a bit can help with security:

  1. Do not advertise the WordPress version you are running: if you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Even if you update packages as quickly as you can, there is a lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack, so why not hide the WordPress version entirely? Editing out all the places where WordPress advertises its version string in your theme can be a pain; the Replace WP-Version plugin is an easier way to do it. Hiding the version is no substitute for running the latest WordPress version.
  2. Rename the administrative account: you can do this in the MySQL command-line client with a command like update tableprefix_users set user_login='newuser' where user_login='admin';, or by using a MySQL frontend like WordPress:phpMyAdmin. Note that this changes only the login name; the display name and user_nicename (which appears in author archive URLs) still reveal the old name unless you change them as well.

Data backups

Back up your data regularly, including your MySQL databases (see Backing Up Your Database). Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of a hash for each backup file, and/or placing backups on read-only media (such as CD-R) increase your confidence that your data has not been tampered with. Prefer a hash such as SHA-256 over MD5 for that record: MD5 still catches accidental corruption, but collisions for it are practical, so it cannot be relied on against deliberate tampering. The record of hashes must also be stored somewhere an intruder on the web server cannot reach, or it proves nothing.

A sound backup strategy could include keeping a set of regularly timed snapshots of your entire WordPress installation (including the WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. If the site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that help in rebuilding the site, and possibly post-compromise backups that help determine how the site was compromised.
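A snapshot-and-verify routine for the strategy above, as an added example that is not part of the original page. It assumes a database dump has already been produced (for example with mysqldump --single-transaction -u USER -p DBNAME > wp.sql) and that sha256sum or shasum is installed; the archive directory and the manifest directory are arguments, and the manifest directory is meant to be somewhere the web server cannot write.

```shell
#!/bin/sh
# Added example (not from the original page). Archives the WordPress files plus a
# database dump and records their checksums in a separate manifest, so that a later
# check tells you whether the archives have been altered. Assumptions: the dump file
# in $2 was made beforehand; sha256sum or shasum is available; paths are absolute.

# Pick a checksum tool; both accept "-c --status" to check a manifest silently.
if command -v sha256sum >/dev/null 2>&1; then
  SUM="sha256sum"
else
  SUM="shasum -a 256"
fi

# snapshot_wp WP_ROOT DUMP_FILE ARCHIVE_DIR MANIFEST_DIR [LABEL]
# Writes LABEL-files.tar.gz and LABEL-db.sql.gz into ARCHIVE_DIR and LABEL.sha256
# into MANIFEST_DIR (the page's "independent record"), and prints the manifest path.
snapshot_wp() {
  wp_root=$1; dump=$2; archive_dir=$3; manifest_dir=$4
  label=${5:-$(date -u +%Y%m%dT%H%M%SZ)}
  mkdir -p "$archive_dir" "$manifest_dir"

  # Core files, themes, plugins and uploads in one archive; the dump compressed beside it.
  tar -czf "$archive_dir/$label-files.tar.gz" \
      -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
  gzip -c "$dump" > "$archive_dir/$label-db.sql.gz"

  # Relative names in the manifest so it can be checked from any mount point.
  ( cd "$archive_dir" && $SUM "$label-files.tar.gz" "$label-db.sql.gz" ) \
      > "$manifest_dir/$label.sha256"
  echo "$manifest_dir/$label.sha256"
}

# verify_snapshot ARCHIVE_DIR MANIFEST_FILE -> exit 0 if every archive matches, 1 otherwise
verify_snapshot() {
  archive_dir=$1
  manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
  ( cd "$archive_dir" && $SUM -c --status "$manifest" )
}
```

Run snapshot_wp from cron, copy the archives off the host, and keep the manifests on a machine the web server has no account on; a verify_snapshot failure on a pre-compromise archive means that archive can no longer be trusted for a rebuild.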

Logging

It is possible to log all $_POST variables sent to WordPress (for example with a few lines of PHP in wp-config.php, which runs on every request, writing to a file outside the web root); treat such a log as sensitive, since it will contain passwords. Standard Apache access logs record only the request line, status and client address, not the request body, so on their own they do not offer much help with security forensics, although they still reveal patterns such as repeated POSTs to wp-login.php from a single address.
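What the standard access log can still tell you, as an added example that is not part of the original page: two awk filters over Apache "combined" format lines that pick out the two attack classes named under Securing wp-admin, password guessing (many POSTs to wp-login.php from one client) and exploit probing (404s for script paths a normal visitor never requests). The log format is assumed to be Apache's default combined format; the sample lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Reads Apache "combined" format log lines
# on stdin. Field layout assumed: $1 client, $6 "METHOD, $7 path, $9 status.

# login_bruteforce THRESHOLD < access.log
# Prints "<ip> <count>" for every client that POSTed to wp-login.php more than
# THRESHOLD times; a legitimate user mistypes a password once or twice, not dozens.
login_bruteforce() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }
  '
}

# exploit_probes < access.log
# Prints "<ip> <path>" for requests that got a 404 for a script path (.php/.cgi/.pl),
# a first pass at spotting scanners trying known plugin vulnerabilities you do not have.
exploit_probes() {
  awk '$9 == 404 && $7 ~ /\.(php|cgi|pl)(\?|$)/ { print $1, $7 }'
}
```

Feed the filters a day's log (login_bruteforce 20 < /var/log/apache2/access.log) and act on what they print: the first is the address to block or rate-limit, the second tells you which plugin or path an attacker believes is vulnerable, which is worth checking against what you actually have installed.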