WordPress:Htaccess for subdirectories
== The Problem ==

On computer filesystems, files and directories have a set of permissions assigned to them that specify who can read, edit or execute each file. This permissions system is one of the basic concepts that provide security for your web site. A default WordPress installation comes with permissions settings for its files and folders (i.e. directories) that can be regarded as [[WordPress:Changing File Permissions|very secure]]. However, there is a trade-off between security and functionality: some WordPress plugins require more lenient permissions on the directories they read from or write to in order to work properly.

== An Example ==

The [http://www.soderlind.no/archives/2006/01/03/imagemanager-20/ ImageManager plugin] provides a sophisticated interface for uploading, editing and managing image files for WordPress. It writes to and reads from a base image directory which can be set in the plugin's options panel. This directory needs to be world-writeable (chmod 777) in order for the plugin to work properly. However, any directory whose permissions have been set to 777 presents a real security hole: a malicious visitor could upload a script to that directory and, if the web server executes it, use it to compromise your site.

== The Question ==

How can you secure your WordPress installation while still enjoying the extended functionality that WordPress plugins provide?
== Securing individual directories with .htaccess ==

One possible solution for this problem is provided by .htaccess. You can add a .htaccess file to any directory that requires lenient permissions settings (such as 760, 766, 775 or 777). You can prevent the execution of scripts inside the directory and all its sub-directories, and you can refuse to serve any files other than those of a certain type from it. Note that .htaccess governs how Apache handles requests: it does not stop a file from being written to disk, but it can make an uploaded script harmless by ensuring it is never executed or served.

The following snippet allows web access only to .jpeg, .jpg, .png and .gif files and denies requests for anything else in the directory. Because the rule is a regular expression it must go in a FilesMatch section (a plain Files section matches a literal file name). The Order/Deny/Allow directives are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, otherwise use Require all denied and Require all granted:

<pre>
Order Deny,Allow
Deny from all
<FilesMatch "(?i)\.(jpe?g|png|gif)$">
    Allow from all
</FilesMatch>
</pre>

The following code will prevent .pl, .cgi or .php scripts from being executed; instead, they will display as plain text inside the browser window. This only takes effect where the server maps these extensions through AddType; if PHP is attached with AddHandler or SetHandler, use one of the handler-based snippets below instead:

<pre>
AddType text/plain .pl
AddType text/plain .cgi
AddType text/plain .php
</pre>

Here's another way to display scripts as plain text instead of executing them, by detaching the cgi-script handler from the listed extensions:

<pre>
RemoveHandler cgi-script .pl .py .cgi
</pre>

The following code registers all files that end in the listed extensions as CGI scripts, so that they fall under the jurisdiction of the -ExecCGI option (removes the ability to execute scripts), which also means -FollowSymLinks. Options directives in .htaccess only take effect if the server configuration grants AllowOverride Options for that directory:

<pre>
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
</pre>

''Please note:'' From a security standpoint, even a small amount of protection is preferable to an unprotected world-writeable directory. Try less permissive settings like 766, then 775, and only use 777 if necessary; anyone who can write to a 777 directory can also delete or replace the files inside it, including the .htaccess. Make sure that the .htaccess file itself has a chmod of 644.

== Further Reading ==

* [[WordPress:Changing File Permissions]] (WordPress Codex)
* [[WordPress:UNIX Shell Skills#chmod and file permissions|chmod and file permissions]] (WordPress Codex)
* [ chmod tutorial]
* [http://tips-scripts.com/block_traffic Blocking traffic to your web site] (Tips & Scripts.com)
* [http://httpd.apache.org/docs/1.3/howto/htaccess.html Apache Tutorial: htaccess files] (Apache Server Documentation)
* [http://httpd.apache.org/docs/2.0/howto/auth.html Authentication, Authorization and Access Control] (Apache Server Documentation)
* [http://www.askapache.com/docs/2.0/mod/mod_access.html#allow The allow, deny and order directives] (Apache Server Documentation)
* [http://www.securityfocus.com/infocus/1368 Hardening htaccess] Robert Hansen, SecurityFocus
* [http://www.askapache.com/htaccess/apache-htaccess.html The ultimate htaccess Guide] (askapache.com)

=== Relevant Forum Threads ===

* [http://wordpress.org/support/topic/93343 Securing 777 directories] (WordPress forum)
* [http://wordpress.org/support/topic/95881 Using .htaccess to secure 777 directories] (WordPress forum)
* [http://wordpress.org/support/topic/28085 Preventing hot-linking with .htaccess] (WordPress forum)
* [http://www.soderlind.no/forum/viewtopic.php?id=255 Using htaccess to secure image directory] (ImageManager forum)
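An added audit script, not part of the Codex article, that applies the checks from the "Securing individual directories with .htaccess" section to a WordPress tree: it walks every directory and flags any world-writable one that has no .htaccess, whose .htaccess carries none of the script-disabling directives shown above (Options -ExecCGI, RemoveHandler cgi-script, or AddType text/plain .php), or whose .htaccess is not mode 644. The sample tree it builds in a temporary directory is constructed for the demonstration and stands in for a site's wp-content.

```python
import os, re, stat, tempfile

# Directives from the article that stop scripts in a world-writable directory from running.
HARDENING = [
    re.compile(r"^\s*Options\b.*-ExecCGI", re.I | re.M),
    re.compile(r"^\s*RemoveHandler\s+cgi-script\b", re.I | re.M),
    re.compile(r"^\s*AddType\s+text/plain\s+.*\.php\b", re.I | re.M),
]

def htaccess_hardens(text):
    # True if the .htaccess text carries at least one script-disabling directive.
    return any(p.search(text) for p in HARDENING)

def audit(root):
    """Return (dir relative to root, octal mode, issue) for every unprotected world-writable dir."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if not mode & stat.S_IWOTH:
            continue  # not world-writable: the default permissions are doing their job
        ht = os.path.join(dirpath, ".htaccess")
        if not os.path.isfile(ht):
            findings.append((rel, oct(mode), "world-writable, no .htaccess"))
            continue
        with open(ht, encoding="utf-8", errors="replace") as fh:
            if not htaccess_hardens(fh.read()):
                findings.append((rel, oct(mode), ".htaccess does not disable script execution"))
        ht_mode = stat.S_IMODE(os.stat(ht).st_mode)
        if ht_mode != 0o644:  # the article's required mode for the .htaccess file itself
            findings.append((rel, oct(ht_mode), ".htaccess is not chmod 644"))
    return findings

def build_demo_tree():
    """Constructed sample tree, not a real site: (name, dir mode, .htaccess text or None, .htaccess mode)."""
    root = tempfile.mkdtemp()
    for name, dmode, htaccess, hmode in [
        ("images", 0o777, "AddHandler cgi-script .php .pl .py .cgi\nOptions -ExecCGI\n", 0o644),
        ("uploads", 0o777, None, None),
        ("cache", 0o777, "Options +Indexes\n", 0o666),
        ("themes", 0o755, None, None),
    ]:
        path = os.path.join(root, name)
        os.mkdir(path)
        if htaccess is not None:
            with open(os.path.join(path, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(htaccess)
            os.chmod(os.path.join(path, ".htaccess"), hmode)
        os.chmod(path, dmode)
    return root
```

Calling audit(build_demo_tree()) yields three findings (the bare 777 uploads directory and two for cache, whose .htaccess neither disables scripts nor is 644); point audit() at a site's wp-content path to check real directories.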