WordPress:Htaccess for subdirectories
The Problem
On computer filesystems, files and directories carry a set of permissions that specify who may read, write or execute each file. This permissions system is one of the basic mechanisms that keep a web site secure. A default WordPress installation ships with file and directory (folder) permissions that can be regarded as reasonably secure. There is, however, a trade-off between security and functionality: some WordPress plugins require more lenient permissions on the directories they read from or write to in order to work at all.
An Example
The ImageManager plugin provides a sophisticated interface for uploading, editing and managing image files in WordPress. It reads from and writes to a base image directory that is set in the plugin's options panel. Because the plugin writes as the web server's user, which is usually not the owner of the files, this directory typically has to be made world-writeable (chmod 777) for the plugin to work. Any directory whose permissions are set to 777 presents a real security hole: a malicious visitor who finds a way to upload a file there can drop a script (for example a PHP file) into it, request it over HTTP, and have the web server execute it.
The Question
How can you secure your WordPress installation while still enjoying the extended functionality that WordPress plugins provide?
Securing individual directories with .htaccess
One possible solution to this problem is .htaccess. You can add a .htaccess file to any directory that needs lenient permissions (such as 760, 766, 775 or 777) to stop Apache from executing scripts in that directory and all its sub-directories, and to make it refuse to serve any files other than those of a certain type. Be clear about what .htaccess can and cannot do: it governs how Apache serves files over HTTP, so it cannot stop a file from being written into the directory; what it can do is make sure that an uploaded script is never executed or returned to a browser.
The following snippet refuses HTTP access to every file in the directory except .jpeg, .jpg, .png and .gif images (it does not, and cannot, stop such files from being uploaded). The original Codex snippet used <Files ^(*.jpeg|*.jpg|*.png|*.gif)>, which is neither a valid wildcard nor a valid regular expression and matches nothing; the corrected form denies everything first and then re-allows image files with <FilesMatch>:
Order deny,allow
Deny from all
<FilesMatch "\.(?i:jpe?g|png|gif)$">
    Allow from all
</FilesMatch>
On Apache 2.4 and later the equivalent is Require all denied at the top and Require all granted inside the <FilesMatch> block.
The following code stops Apache from treating .pl, .cgi and .php files as scripts; instead of being executed they are sent to the browser as plain text. Be aware that this discloses the script's source code to anyone who requests it, and that it only works where scripts are dispatched by MIME type (mod_php configured with an AddType mapping); when PHP is run through php-fpm via a SetHandler directive, AddType has no effect. Denying access to these files outright, as in the snippet above, is the safer choice:
AddType text/plain .pl
AddType text/plain .cgi
AddType text/plain .php
Here is another way to stop CGI scripts from being executed. RemoveHandler takes a list of extensions, not a handler name (the cgi-script argument in the original snippet was a mistake: Apache reads it as the extension ".cgi-script"), and detaches those extensions from the cgi-script handler so that the files are served as static content. It does not affect PHP files, which are dispatched through a different handler or type:
RemoveHandler .pl .py .cgi
The following code attaches all files ending in the listed extensions to the cgi-script handler and then switches ExecCGI off for the directory. Apache refuses to serve any such file, answering with a 403 error, rather than executing it. Contrary to what the original text said, -ExecCGI does not imply -FollowSymLinks; if you also want to stop symlinks from being followed, add -FollowSymLinks explicitly. Because .htm and .shtml are in the list, plain HTML pages in the directory are blocked as well, which is usually what you want for an upload directory. Note that the Options directive is only honoured in .htaccess when the server's AllowOverride setting includes Options; otherwise every request to the directory fails with a 500 error.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Please note: from a security standpoint, even a small amount of protection is better than leaving a world-writeable directory unprotected. Try less permissive settings first, for example 766, then 775, and only use 777 if nothing else works; where you control the server, making the web server's user the owner of the directory and keeping it at 755 avoids the need for 777 altogether. Make sure that the .htaccess file itself has a chmod of 644. Two caveats apply. First, .htaccess files are only read by Apache, and only when AllowOverride permits the directives you use (FileInfo for AddType, AddHandler and RemoveHandler; Limit or AuthConfig for the access-control directives; Options for Options), so after deploying the file verify that a request for a test file such as test.php in the directory really is refused. Second, anyone who can write to a 777 directory can also delete or replace its .htaccess, so these rules defend against the upload-then-request attack described above, not against an attacker who already runs code on the server.
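The pieces above combined into one script, as an added example that is not part of the Codex page or of the ImageManager plugin: harden_upload_dir writes a single .htaccess that denies everything except image files (in both the Apache 2.2 Order/Deny syntax and the 2.4 Require syntax, selected with IfModule), turns the PHP engine off where mod_php is loaded, detaches script extensions from their handlers and types, switches ExecCGI off, and sets the file to mode 0644; audit_upload_dir lists files already present in the directory that are not plain images, including double-extension names such as shell.php.jpg, which pass an extension allow-list and which AddHandler-based PHP setups may still execute. The directory path, the assumption that AllowOverride permits these directives, and the mod_php module names tested with IfModule are assumptions of the example, not statements from the page.

```shell
#!/bin/sh
# Added example, not from the Codex page or the ImageManager plugin.
# Assumptions: the directory is served by Apache, AllowOverride permits
# FileInfo, Limit/AuthConfig and Options here, and in-process PHP is mod_php
# (module name mod_php7.c or mod_php.c) so that php_flag is honoured; the
# IfModule guards keep the file from breaking the directory when a module
# is absent.
set -eu

# Write a hardened .htaccess into the directory $1 and make it mode 0644.
harden_upload_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Deny HTTP access to everything in this tree, then re-allow image files only.
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "\.(?i:jpe?g|png|gif)$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "\.(?i:jpe?g|png|gif)$">
        Allow from all
    </FilesMatch>
</IfModule>
# Even if a script slips past the allow-list (e.g. shell.php.jpg), never run it.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .pl .py .cgi .sh
RemoveType .php .phtml .pl .py .cgi .sh
Options -ExecCGI
EOF
    chmod 0644 "$dir/.htaccess"
}

# Print the octal permission bits of $1 (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report files under $1 that are not plain image files: anything carrying a
# script extension anywhere in its name (shell.php.jpg), or anything whose
# name does not end in an allowed image extension. The .htaccess is skipped.
audit_upload_dir() {
    dir=$1
    find "$dir" -type f ! -name '.htaccess' | while IFS= read -r f; do
        name=${f##*/}
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.php.*|*.phtml.*|*.pl.*|*.py.*|*.cgi.*|*.sh.*)
                printf 'SUSPICIOUS (double extension): %s\n' "$f" ;;
            *.jpg|*.jpeg|*.png|*.gif)
                : ;;  # allowed image file, nothing to report
            *)
                printf 'SUSPICIOUS (not an image): %s\n' "$f" ;;
        esac
    done
}

# Usage: sh harden-uploads.sh /var/www/html/wp-content/uploads/imagemanager
# (the path is a placeholder; use the directory configured in the plugin)
if [ "$#" -gt 0 ]; then
    harden_upload_dir "$1"
    audit_upload_dir "$1"
fi
```

Run the audit before trusting the directory: files it flags were written before the rules existed and should be inspected and removed by hand, since the .htaccess only controls what Apache serves from now on. After deploying, confirm the server honours the file by requesting a harmless test.php placed in the directory and checking that Apache answers 403 rather than executing or returning it.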
Further Reading
WordPress:Changing File Permissions (WordPress Codex)
chmod and file permissions (WordPress Codex)
chmod tutorial
Blocking traffic to your web site (Tips & Scripts.com)
Apache Tutorial: htaccess files (Apache Server Documentation)
Authentication, Authorization and Access Control (Apache Server Documentation)
The allow, deny and order directives (Apache Server Documentation)
Hardening htaccess Robert Hansen, SecurityFocus
The ultimate htaccess Guide (askapache.com)
Relevant Forum Threads
Securing 777 directories (WordPress forum)
Using .htaccess to secure 777 directories (WordPress forum)
Preventing hot-linking with .htaccess (WordPress forum)
Using htaccess to secure image directory (ImageManager forum)