WordPress的正确.htaccess文件
[英]Proper .htaccess file for WordPress
问题描述
I client of mine just got hacked on his WordPress site. 
我的客户刚在他的WordPress网站上被黑。 No tbeing to familiar with WordPress or the proper usage of WordPress assocaited .htaccess files I have one simple question. 不用熟悉WordPress或WordPress关联的.htaccess文件的正确用法,我有一个简单的问题。
Does this look proper? 这看起来合适吗? For some reason I'm thinking the Rewrite Cond for the wp-content, wp-admin, and wp-include shouldn't be there. 出于某种原因,我认为对于wp-content,wp-admin和wp-include的重写条件不应该存在。 Are these important? 这些重要吗? The site seems to work fine without them I'm just not very sure if they have anything to do with WordPress vulnerabilities. 没有他们,该网站似乎可以正常运行,但我不确定他们是否与WordPress漏洞有关。
Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www.mydomain.com [NC]
RewriteRule ^(.*)$ http://mydomain.com/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} ^wp-content.*
RewriteCond %{REQUEST_FILENAME} ^wp-admin.*
RewriteCond %{REQUEST_FILENAME} ^wp-include.*
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
AddHandler php-legacy .php
And here is the new .htaccess I wrote to replace the one up top 这是我写的新的.htaccess,以取代上面的一个
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<files wp-config.php>
order allow,deny
deny from all
</files>
# directory browsing
Options All -Indexes
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Any tips tricks or suggestions on hardening a wordpress .htaccess would be greatly appreciated. 任何技巧或建议,以加强WordPress的。htaccess的将不胜感激。 Thanks for your time! 谢谢你的时间!
1 个解决方案
解决方案1
0 已采纳 2014-01-03 21:49:52
You can copy the .htaccess to your computer and then delete it from your server after doing this go to settings and then select permalink settings after this select default if it is selected then select another one of the options click save and then after select default and then again save after this go back to what type you had it set to ... From what I have seen and read this creates a new .htaccess file onto the server so you can check this and if all works well then you can keep the new one if you find things go a little wrong then revert back.. 您可以将.htaccess复制到您的计算机,然后在转到设置后将其从服务器中删除,然后在此选择默认值(如果已选择)之后选择永久链接设置,然后选择另一个选项,单击保存,然后在选择默认值和然后再次保存,然后返回到您将其设置为哪种类型...从我所看到和阅读的内容中,这将在服务器上创建一个新的.htaccess文件,因此您可以检查此文件,如果一切正常,则可以保留该文件。新的,如果您发现问题出了点问题,请恢复原状。
First of all I would open the config file and then use this website to create a new salt keys https://api.wordpress.org/secret-key/1.1/salt/ 首先,我将打开配置文件,然后使用此网站创建一个新的盐键https://api.wordpress.org/secret-key/1.1/salt/
This forces any one logged in to be kicked out and re login.. 这将强制任何登录的人被踢出并重新登录。
Also if you think your wordpress site was hacked it would be a good idea to change the database password for your mysql... After doing this change this in the config.php and then you have at least got any logged in user out and changed database passwords ... 另外,如果您认为您的wordpress网站被黑客入侵,则最好更改mysql的数据库密码。在此之后,请在config.php中进行更改,然后至少要有登录用户并进行更改数据库密码...
Hope this helps 希望这可以帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.