WordPress Vulnerabilities: Finding WordPress Vulnerabilities with Ease
As a developer or design professional, one of the biggest benefits of building your sites on WordPress is that in most cases you are building your code on a proven platform which has been fortified over time. Unfortunately, when it comes to security, there's no such thing as a fully hack-proof system. Fortunately, when it comes to securing both your own and your clients' systems, there are a few WordPress vulnerability scanners which can help you spot errors before they get out of hand.
It is important to note that while this guide is primarily intended for users of one of the two offerings, the techniques can still be applied by users of the other. For those unfamiliar with the differences between the two offerings, a guide is available to clarify the differences. Users of the second offering will have less power when using the tools, but the tools technically will still work.
Although trusting generic online scanners is questionable at best, a new breed of Open Source security tools allows developers and other tech savvy professionals to test their code against exploits with ease. While the tools have a bit of a learning curve, learning the basics of penetration testing tools can help keep you ahead of most digital threats.
WordPress Specific Tools
WP Scan
WP Scan is an Open Source tool for Linux and Mac OSX which is a Swiss Army Knife for attacking virtually any WordPress install. Key features include the ability to pull user names from the WordPress database, scan the plugins which are being used by a specified website, and also see which themes are installed on a server. WP Scan also integrates with known vulnerability databases so that the software can filter results to only show code which is susceptible to attack.
Although WP Scan is a powerful tool, the installation process can be difficult if you don't already have Ruby installed on your system. This applies greatly to CentOS systems, the default Linux distro of many hosts, because the operating system does not ship with all the required libraries. Fortunately, by using Ubuntu or MacOSX you can greatly simplify the process. If you are a complete Linux novice, WP Scan comes pre-installed on multiple security centric Linux distributions; a listing can be found on the project website.
Plecost
Plecost is an Open Source WordPress fingerprinting tool which can analyze the plugins installed on a specified WordPress system along with their Common Vulnerabilities and Exposures (CVE) identifiers, where applicable. Since Plecost is a Python script, installing it is as simple as adding the files to your server and then following the instructions on the project website.
Although this tool is limited to showing vulnerabilities only in installed plugins, the CVE integration makes Plecost a notable tool because it provides users with instant feedback as to how outdated software on the server could be exploited.
Since Plecost is a collection of Python scripts, installation is fairly simple, and you can run the utility on Windows, Mac OSX and Linux/Unix systems as long as they have Python installed and configured.
General Vulnerability Tools
While this guide is primarily focused on your WordPress installs, WordPress is only a single component of your server, so knowing how to use general purpose penetration testing tools is also vital to protecting your system from hackers.
Nikto
Nikto is a general purpose vulnerability scanner which scans for outdated software, configuration files, hidden directories and much more. By default, Nikto is intended for testing your own servers, as the tool runs rapidly and would likely trigger red flags with many intrusion detection systems. If needed, an extension is available to make it stealthier; however, for basic tests of your own servers this likely isn't necessary.
Aside from just gathering information, Nikto can also brute force the authentication sections of the targeted website, allowing you to ensure your website users are following security best practices. Since the tool can run on any system which supports Perl, it works on virtually any Linux and Unix system along with MacOSX. Nikto can also be configured to run on Windows; however, those systems need to have ActiveState Perl or Strawberry Perl installed.
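The "red flags" that a rapid Nikto run raises in an intrusion detection system come down to two observations on the web server's own access log: a scanner that announces itself in its User-Agent, and a client that fires a burst of requests for paths that do not exist. The script below is an added example, not code from the article or from any of the tools it covers; it assumes Apache combined-format logs, assumes that the scanners' default User-Agent strings contain their names, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 301 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /old/ HTTP/1.1" 404 512 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET /tmp/ HTTP/1.1" 404 512 "-" "curl/7.88"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Substrings of the default User-Agents of the scanners discussed above (assumed defaults).
SCANNER_UA_MARKERS = ("nikto", "wpscan", "plecost")

def parse(log_text):
    """Group (status, user-agent) pairs by client IP; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["ip"]].append((int(m["status"]), m["ua"]))
    return hits

def flag_scanners(log_text, min_requests=3, not_found_ratio=0.6):
    """Return {ip: [reasons]} for clients that look like a vulnerability scan:
    a known scanner User-Agent, or a burst of requests that mostly hit missing paths."""
    findings = {}
    for ip, reqs in parse(log_text).items():
        reasons = []
        uas = {ua.lower() for _, ua in reqs}
        if any(marker in ua for ua in uas for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        if len(reqs) >= min_requests:
            not_found = sum(1 for status, _ in reqs if status == 404)
            if not_found / len(reqs) >= not_found_ratio:
                reasons.append(f"{not_found}/{len(reqs)} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The 404-ratio rule is the one that still fires when a scanner is configured with a custom User-Agent, so it is worth keeping even though it needs tuning against your site's normal traffic.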
Wikto
Wikto is a tool primarily intended for Windows environments, which stands out from most of the tools on this list because of its ease of use. While the program is for Windows systems, it still includes powerful features such as fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
The killer feature of this tool is centralized Google Hacking integration. While this is technically nothing more than using Google searches to uncover sensitive information, Wikto simplifies the process by allowing you to import databases of known queries into the program. From there you can automatically run queries against sites and view the results with minimal effort on your end.
Staying On Top of Security Best Practices
Although security is a vast and complex field, you can protect your websites from tools such as the vulnerability scanners mentioned in this guide by following trends from the and by following the advice from the .