WordPress:Htaccess for subdirectories
The Problem
On computer filesystems, files and directories have a set of permissions assigned to them that specify who can read, edit or execute each file. This permissions system is one of the basic concepts that provide security for your web site. A default WordPress installation comes with permission settings for its files and folders (i.e. directories) that can be regarded as very secure. However, there is a trade-off between security and functionality: some WordPress plugins require more lenient permissions on the directories they read from or write to in order to work properly.
An Example
The ImageManager plugin provides a sophisticated interface for uploading, editing and managing image files for WordPress. It writes to and reads from a base image directory which can be set in the plugin's options panel. This directory needs to be world-writable (chmod 777) in order for the plugin to work properly. However, any directory whose permissions have been set to 777 presents a (real) security hole: a malicious visitor could upload a script to that directory and hack your site.
The Question
How can you secure your WordPress installation while still enjoying the extended functionality that WordPress plugins provide?
Securing individual directories with .htaccess
One possible solution to this problem is provided by .htaccess. You can add a .htaccess file to any directory that requires lenient permission settings (such as 760, 766, 775 or 777). With it you can prevent the execution of scripts inside that directory and all of its sub-directories, and you can also prevent any files other than those of a certain type from being written to it.
The following snippet prevents any files other than .jpeg, .jpg, .png or .gif from being uploaded to the directory:
# Deny every file in this directory, then re-allow only the image types.
# (The original `<Files ^(*.jpeg|...)>` form is not a valid Apache pattern:
# <Files> takes a literal name unless written as <Files ~ "regex">, and
# "^(*.jpeg" is not a well-formed regular expression.)
Order Deny,Allow
Deny from all
<FilesMatch "\.(jpe?g|png|gif)$">
    Allow from all
</FilesMatch>
The following code will prevent .pl, .cgi or .php scripts from being executed; instead, they will display as plain text inside the browser window:
AddType text/plain .pl
AddType text/plain .cgi
AddType text/plain .php
Here's another way to display scripts as plain text instead of executing them:
RemoveHandler cgi-script .pl .py .cgi
The following code assigns the cgi-script handler to every file ending in one of the listed extensions, so that all of them fall under Options -ExecCGI (which removes the ability to execute scripts); the same Options line is also where -FollowSymLinks goes.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
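Putting the pieces above together, here is a complete .htaccess for a world-writable image upload directory. This is an added example, not the Codex's own snippet: it combines the deny-all-then-allow-images rule with the handler and Options changes described above, and adds -Indexes (not mentioned on this page) so the directory cannot be listed. The directory name in the comment is assumed.

```apache
# Hypothetical hardened .htaccess for wp-content/uploads/images
# (added example; the directory path is an assumption of this example).

# 1. Serve only image files. Anything else that gets written here
#    answers 403 instead of being delivered or executed.
#    Apache 2.2 syntax; on 2.4 this needs mod_access_compat, or rewrite
#    "Deny from all" as "Require all denied" and "Allow from all" as
#    "Require all granted".
Order Deny,Allow
Deny from all
<FilesMatch "\.(jpe?g|png|gif)$">
    Allow from all
</FilesMatch>

# 2. Belt and braces: even if a script were reachable, do not run it.
#    Strip the CGI handler and serve common script extensions as text.
RemoveHandler cgi-script .pl .py .cgi
AddType text/plain .pl .py .cgi .php .phtml .sh

# 3. No script execution and no symlink following in this subtree;
#    -Indexes (an addition beyond the page) also hides the file listing.
Options -ExecCGI -FollowSymLinks -Indexes
```

Two checks before relying on this: Options in .htaccess only takes effect when the server's AllowOverride for that path includes Options, otherwise Apache answers 500 and logs "Options not allowed here", so request an image after deploying. And where PHP is wired through a SetHandler block (PHP-FPM setups, for example), AddType text/plain .php does not override that handler by itself; it is the Deny from all rule in step 1 that actually keeps a planted .php file from being reached.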
Please note: from a security standpoint, even a small amount of protection is preferable to an unprotected world-writable directory. Try less permissive settings such as 766, then 775, and only use 777 if necessary. Make sure that the .htaccess file itself is chmod 644.
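A check a site owner can run after applying the above, added here as an example and not taken from the Codex: it walks a WordPress tree, finds every world-writable directory, and reports those whose .htaccess is missing, contains none of the script-disabling directives from this page, or is not mode 644. The root path, the output format and the pass criteria are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Codex page): audit a WordPress tree for
# world-writable directories that lack the .htaccess protections above.

# Print one line per world-writable directory that is not protected.
# "Protected" here means (assumption of this example): a .htaccess exists,
# it contains -ExecCGI, "RemoveHandler cgi-script" or "AddType text/plain",
# and the file itself is mode 644.
# Usage: audit_world_writable /path/to/wordpress
audit_world_writable() {
    root=$1
    # -perm -002: the "other" write bit is set (directory is world-writable)
    find "$root" -type d -perm -002 | while read -r dir; do
        ht="$dir/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "UNPROTECTED $dir (no .htaccess)"
            continue
        fi
        # Look for at least one of the script-disabling directives from the page.
        if ! grep -Eq -- '-ExecCGI|RemoveHandler[[:space:]]+cgi-script|AddType[[:space:]]+text/plain' "$ht"; then
            echo "UNPROTECTED $dir (.htaccess has no script-blocking directive)"
            continue
        fi
        # GNU stat first, BSD stat as fallback, to read the octal mode.
        mode=$(stat -c %a "$ht" 2>/dev/null || stat -f %Lp "$ht")
        if [ "$mode" != "644" ]; then
            echo "WEAK $dir (.htaccess mode $mode, expected 644)"
        fi
    done
}

# Run directly: sh audit.sh /var/www/wordpress
if [ $# -eq 1 ]; then
    audit_world_writable "$1"
fi
```

Run it from cron or after each plugin install; an empty result means every 777/775/766 directory under the tree carries at least one of the protections from this page.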
Further Reading
WordPress:Changing File Permissions (WordPress Codex)
chmod and file permissions (WordPress Codex)
chmod tutorial
Blocking traffic to your web site (Tips & Scripts.com)
Apache Tutorial: htaccess files (Apache Server Documentation)
Authentication, Authorization and Access Control (Apache Server Documentation)
The allow, deny and order directives (Apache Server Documentation)
Hardening htaccess (Robert Hansen, SecurityFocus)
The ultimate htaccess Guide (askapache.com)
Relevant Forum Threads
Securing 777 directories (WordPress forum)
Using .htaccess to secure 777 directories (WordPress forum)
Preventing hot-linking with .htaccess (WordPress forum)
Using htaccess to secure image directory (ImageManager forum)