Patch for Wordpress Remote Admin Reset Password Vulnerability


Problem description


The vulnerability is documented here. The patch is supposedly a 1-line replace, as documented here, in line 190 of branches/2.8/wp-login.php - the new patch should look like this (check line 118) - my question is - is this patch enough? If not, any suggestions?

Recommended answer


As I understand it, the patch closes that particular hole. However, another basic security measure I take on every WP site I administrate is to delete the "admin" user, and ideally never have any users' usernames be the same as their display names. That doubles the security in that bad guys have to guess the usernames, as well as figure out a way to hack the passwords.


There are a lot of additional security measures you can find by doing a search on WordPress + security, but I have stuck with changing usernames, altering the db table names on install, and basic permissions stuff. That's worked well so far, without the ton of additional upkeep necessary during WP upgrades that some of the more intense security measures require.
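A small audit script for the account-naming advice in the answer above (the default "admin" account and usernames that equal display names), added here as an example and not part of the original post or of WordPress. The `$wpdb` globals, `ARRAY_A` and `wp eval-file` are real WordPress/WP-CLI APIs; the function name and the sample rows are ours.

```php
<?php
// Pure check so it can be exercised on a constructed list of rows
// (each row: user_login, display_name as stored in the users table).
function audit_user_naming(array $users): array {
    $findings = [];
    foreach ($users as $u) {
        $login = $u['user_login'];
        // 1. The default "admin" account is the first login name anyone guesses.
        if (strtolower($login) === 'admin') {
            $findings[] = "$login: default 'admin' account still exists; "
                        . "create a new administrator and delete this one";
        }
        // 2. A display name identical to the login leaks the login on every post.
        if (strcasecmp($login, $u['display_name']) === 0) {
            $findings[] = "$login: display name is the login name; change one of them";
        }
    }
    return $findings;
}

// Sample rows, constructed for illustration only.
$sample = [
    ['user_login' => 'admin',   'display_name' => 'Site Admin'],
    ['user_login' => 'jsmith',  'display_name' => 'jsmith'],
    ['user_login' => 'editor1', 'display_name' => 'Jane Editor'],
];
print_r(audit_user_naming($sample));   // flags 'admin' and 'jsmith', not 'editor1'

// Inside WordPress (e.g. `wp eval-file audit.php`) run the same check on live data.
if (isset($wpdb)) {
    $rows = $wpdb->get_results(
        "SELECT user_login, display_name FROM {$wpdb->users}", ARRAY_A
    );
    print_r(audit_user_naming($rows));
    // Matches the answer's "alter the db table names on install" advice.
    if ($wpdb->prefix === 'wp_') {
        echo "Table prefix is the default 'wp_'; change it at install time\n";
    }
}
```

Run it from the site root with WP-CLI so `$wpdb` is loaded; outside WordPress it only checks the constructed sample.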
