WordPress - How to block Access to specific files or directories for users that are not logged in?

On my WordPress web site hundreds of login attempts by bots are observed.
They try to log in with user names that do exist in the system.

I want to stop this!

I found out that these bots get the information about existing users from the URL mydomain.de/wp-json/wp/v2/users/

So I tried to block access to these files with the following code I found in other articles:

    add_filter( 'rest_authentication_errors', function( $result ) {
        // If a previous authentication check was applied,
        // pass that result along without modification.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }

        // No authentication has been performed yet.
        // Return an error if user is not logged in.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }
     
        // Our custom authentication check should have no effect
        // on logged-in requests
        return $result;
    });

With this, all those login attacks stopped.

But unfortunately this also stopped my addon CONTACT FORM 7 from working! I use this as a contact form for users that are not logged in. The addon tries to access /wp-json/contact-form-7/v1/contact-forms/9589/feedback and this is blocked by the code.

How can I avoid this? Users that are not logged in should be able to use the web site. They should only be blocked from getting this "internal information" from /wp-json/wp/v2/users/ and alike.

Thanks in advance.

Solved with the addon WP Cerber Security, which is able to block all REST API calls except for certain namespaces like contact-form-7.
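Added example, not part of the original question or answer and not WP Cerber's code: the namespace-allowlist idea from the answer, written as a `rest_pre_dispatch` filter, which (unlike `rest_authentication_errors`) receives the request and therefore its route. The `mysite_` names and the allowlist contents are assumptions for illustration.

```php
<?php
/**
 * Added example: anonymous REST requests are rejected unless the route
 * lies under an allowlisted namespace. Logged-in requests are untouched.
 */

// Assumption: namespaces anonymous visitors need on this site.
const MYSITE_PUBLIC_REST_NAMESPACES = array( 'contact-form-7/v1' );

/**
 * Hypothetical helper: true if $route is inside one of the namespaces.
 */
function mysite_rest_route_is_public( $route, array $namespaces ) {
    // WordPress matches routes case-insensitively, so compare in lower case.
    $route = '/' . ltrim( strtolower( (string) $route ), '/' );
    foreach ( $namespaces as $ns ) {
        $prefix = '/' . trim( strtolower( $ns ), '/' );
        // Match the namespace itself or a path below it, so that
        // "/contact-form-7/v1x" does not pass as "/contact-form-7/v1".
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

// get_route() is the same for /wp-json/... and ?rest_route=... requests,
// so both ways of reaching /wp/v2/users are covered.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Respect a response or error already set by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    if ( mysite_rest_route_is_public( $request->get_route(), MYSITE_PUBLIC_REST_NAMESPACES ) ) {
        return $result;
    }
    // Same error the snippet in the question returns.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Anything else anonymous visitors legitimately call over REST (other form or embed plugins, for example) has to be added to the allowlist, otherwise it receives the same 401 that Contact Form 7 did.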
