WordPress:Htaccess for subdirectories
The Problem
On computer filesystems, files and directories carry a set of permissions that specify who can read, edit or execute each file. This permissions system is one of the basic mechanisms that provide security for your web site. A default WordPress installation comes with permission settings for its files and folders (i.e. directories) that can be regarded as very secure. However, there is a trade-off between security and functionality: some WordPress plugins require more lenient permissions on the directories they read from or write to in order to work properly.
An Example
The ImageManager plugin provides a sophisticated interface for uploading, editing and managing image files for WordPress. It writes to and reads from a base image directory that can be set in the plugin's options panel. This directory needs to be world-writeable (chmod 777) in order for the plugin to work properly. However, any directory whose permissions have been set to 777 presents a real security hole: a malicious visitor could upload a script to that directory and hack your site.
The Question
How can you secure your WordPress installation while still enjoying the extended functionality that WordPress plugins provide?
Securing individual directories with .htaccess
One possible solution to this problem is provided by .htaccess. You can add a .htaccess file to any directory that requires lenient permission settings (such as 760, 766, 775 or 777). With it you can prevent the execution of scripts inside that directory and all of its sub-directories, and you can also prevent any files other than those of a certain type from being written to it.
The following snippet is intended to allow only .jpeg, .jpg, .png or .gif files in the directory: it denies access to everything else, so even if some other kind of file gets uploaded it can neither be served nor executed (.htaccess governs how Apache serves files, not what a plugin writes to disk). The first block denies every file; the second re-allows only the image extensions (the pattern is case-insensitive, so .JPG is covered too). On Apache 2.4 without mod_access_compat, replace the Order/Deny/Allow lines with Require all denied and Require all granted:
<Files "*">
    Order deny,allow
    Deny from all
</Files>
<FilesMatch "(?i)\.(jpe?g|png|gif)$">
    Order deny,allow
    Allow from all
</FilesMatch>
The following code tells Apache to treat .pl, .cgi and .php files as plain text, so instead of being executed they are displayed as source inside the browser window. This works when the server maps PHP by MIME type; if PHP is bound through a handler, the handler takes precedence over AddType, so combine this with the handler-based directives further down:
AddType text/plain .pl .cgi .php
Here's another way to display scripts as plain text instead of executing them: unmap the CGI handler from the script extensions.
RemoveHandler cgi-script .pl .py .cgi
The following code maps all files ending in the listed extensions to the cgi-script handler and then switches CGI execution off for the directory with Options -ExecCGI (which removes the ability to execute scripts; Apache answers requests for such files with 403 Forbidden instead of running them). This also implies -FollowSymLinks. Note that using Options in a .htaccess file requires AllowOverride Options on the host.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Please note: from a security standpoint, even a small amount of protection is preferable to an unprotected world-writeable directory. Try less permissive settings like 766, then 775, and only use 777 if necessary. Make sure that the .htaccess file itself has a chmod of 644 (readable by everyone, writeable only by its owner).
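To check that the rules above are actually in place, here is an added audit script (not part of the Codex page) that walks a WordPress tree, finds every world-writable directory, and reports any that has no .htaccess, an .htaccess without the script-blocking directives above, or an .htaccess whose mode is not 644. The directory layout it inspects and the set of directives it looks for are assumptions based on this page.

```shell
#!/bin/sh
# Added audit example (not part of the Codex page).
# Walk a WordPress tree, find every directory that is writable by "other"
# (666/766/777 and friends) and report the ones the rules above do not cover.

# Return 0 when the given .htaccess carries at least one of the protections
# described above: a deny-all block (Deny from all / Require all denied),
# AddType text/plain, removal of the cgi-script handler, or Options -ExecCGI.
htaccess_protects() {
    grep -Eiq 'deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied|AddType[[:space:]]+text/plain|RemoveHandler[[:space:]]+cgi-script|Options[[:space:]].*-ExecCGI' "$1"
}

# Print one "WARN <dir>: <reason>" line per finding under the given root.
audit_upload_dirs() {
    # POSIX find: -perm -0002 matches directories with the other-write bit set
    find "$1" -type d -perm -0002 | while IFS= read -r dir; do
        ht="$dir/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "WARN $dir: world-writable and has no .htaccess"
            continue
        fi
        if ! htaccess_protects "$ht"; then
            echo "WARN $dir: .htaccess does not block script execution"
        fi
        # The page asks for exactly 644 on the .htaccess file itself
        if [ -z "$(find "$ht" -perm 644)" ]; then
            echo "WARN $dir: .htaccess is not mode 644"
        fi
    done
}

# Number of findings under the given root (0 when the tree is clean),
# so callers can use the audit in scripted checks.
count_findings() {
    audit_upload_dirs "$1" | grep -c '^WARN' || true
}

# Usage (constructed path): audit_upload_dirs /var/www/html/wp-content
```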
Further Reading
WordPress:Changing File Permissions (WordPress Codex)
chmod and file permissions (WordPress Codex)
chmod tutorial
Blocking traffic to your web site (Tips & Scripts.com)
Apache Tutorial: htaccess files (Apache Server Documentation)
Authentication, Authorization and Access Control (Apache Server Documentation)
The allow, deny and order directives (Apache Server Documentation)
Hardening htaccess (Robert Hansen, SecurityFocus)
The ultimate htaccess Guide (askapache.com)
Relevant Forum Threads
Securing 777 directories (WordPress forum)
Using .htaccess to secure 777 directories (WordPress forum)
Preventing hot-linking with .htaccess (WordPress forum)
Using htaccess to secure image directory (ImageManager forum)