
Keeping WordPress Secure: Patch and Upgrade

September 9, 2009, filed under WordPress
Posted September 5, 2009 by Matt.
 

A stitch in time saves nine. Past negligence cannot be undone, but what is genuinely good advice for a blog? Doing a little upgrading and patching now will save a great deal of work later.

Right now there is a worm attacking old (not regularly patched) versions of WordPress. This particular worm is clever: it first registers an account, then exploits a security flaw (a fix was released early this year) so that evaluated code can be executed directly through the permalink structure, makes itself an administrator, then uses JavaScript to hide itself when you view the users page, cleans up the traces of its misdeeds, and quietly disappears; unless you look carefully you will not notice the spam and malware it has inserted into your old posts.

The tactics are new, but the strategy is old. The worm gives itself away in the "clean-up" phase: it cannot hide itself completely, so the blogger notices that his links are broken, looks further, and discovers the rest of the damage. Older worms might do childish things like defacing your site; the new ones are quiet, and you only notice them when they slip up, or when Google warns that your site contains viruses or malware.

I am not saying this to scare you, but to stress that this has happened before and will very likely happen again.

A stitch in time saves nine. Upgrading is not troublesome, and the WordPress community has already made one-click upgrades possible. Repairing a hacked site, by contrast, is very painful. Upgrading is taking your vitamins; fixing a hacked site is open-heart surgery. (This is true of the cost, too.)

The current version of WordPress, 2.8.4, is immune to this worm. (So was the release before it.) If you have been thinking about upgrading but have not got around to it, now is the time. If you have already upgraded to the latest version, check your friends' blogs, or the blogs you read, to see whether they need your help. A stitch in time saves nine.

Whenever a worm spreads, everyone becomes a security expert and peddles one of three kinds of advice: snake oil, Club solutions, and real solutions. You may pick the snake oil straight away because it is the easiest. This kind of advice always says: hide your WordPress version information and all will be well. Ha, the worm's authors thought of that too. Version 1.0 of the worm might have checked the version number; 2.0 simply tests capabilities, version number be damned. The version-number approach is nonsense.

The second kind of advice is the Club solution. To illustrate, I will quote Mark Pilgrim's essay on comment spam from 7 years ago, before WordPress existed:

The really interesting thing about these approaches, from a game-theory perspective, is that they are all Club solutions, not LoJack solutions (LoJack is a well-known car anti-theft system). There are two basic approaches to protecting a car from theft: the Club (a shield, a car alarm, or something similar) and LoJack. The Club does not protect against a thief determined to steal your car (drilling the lock or removing the steering wheel is easy enough). But it does protect against a thief who wants to steal a car (not necessarily yours), because a thief in a hurry always goes for the weakest target, the lowest-hanging fruit. The Club works as long as not everyone has one; if everyone had one, thieves would find every car equally hard to steal, would decide based on other factors, and your car would be as likely to be stolen as anyone else's. The Club does not deter theft; it only deflects it.
Club blog-security solutions can be simple (such as adding an .htaccess file) or extremely complex (such as two-factor authentication), and they do work, especially against disclosed vulnerabilities. Club solutions can be effective, for instance a strong or sufficiently complex login password; nobody would argue against that. (Another Club solution is switching to less-used software, on the strength of the software's claim to be more perfect and secure. This is why BeOS is more secure than Linux, ahem.)
 

In the car world, if someone could steal a dealership's entire stock of cars at once, the Club would be meaningless. Fortunately for the makers of the Club, this has never happened. Online and in the software industry, however, it happens every day. There is only one thing that truly helps: the real solution. The only way we can promise to keep your blog secure, now and in the future, is to keep upgrading.

Hundreds of people in the WordPress community read the core code every day, audit it, update it, and care about your blog's security, so we release updates every few weeks to keep your blog away from the bad guys, even though it may make our software look imperfect. I am not clairvoyant and cannot predict what spammers, hackers, crackers and tricksters will visit your blog in the future, but we will do everything in our power to make WordPress safe. We have already made upgrading the core and the one-click upgrade plugin possible. If we find something broken, we will release a fix. Please upgrade; it is the only way we can help each other.

Original text:

How to Keep WordPress Secure

Posted September 5, 2009 by Matt. Filed under Development, Security.

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
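The two post-infection symptoms described above (hidden spam inserted into old posts, and an extra administrator that the users page hides) can both be checked from the database side rather than the browser. The following is an added example, not code from Matt's post or from WordPress: it scans exported post HTML for links, iframes and scripts nested inside CSS-hidden containers or 1x1 iframes (a heuristic chosen here, not a WordPress rule), and lists administrator accounts absent from an owner-supplied allowlist. The sample post and user records are constructed.

```python
"""Offline checks for hidden spam injections and unexpected admins in a WordPress export."""
import re
from html.parser import HTMLParser

# Tags that never get a closing tag; they must not push onto the element stack.
VOID = {"br", "img", "hr", "input", "meta", "link"}
# Inline-CSS tricks commonly used to keep injected content out of sight (heuristic).
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)


class HiddenLinkFinder(HTMLParser):
    """Record links, iframes and scripts that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []     # one bool per open element: True if that element is hidden
        self.findings = []  # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_CSS.search(a.get("style") or ""))
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            hidden = True  # 0x0 / 1x1 iframes are a classic silent loader
        if (hidden or any(self.stack)) and tag in ("a", "iframe", "script"):
            self.findings.append((tag, a.get("href") or a.get("src") or ""))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()


def find_hidden_injections(post_html):
    """Return (tag, url) for every link/iframe/script hidden from readers."""
    parser = HiddenLinkFinder()
    parser.feed(post_html)
    parser.close()
    return parser.findings


def unexpected_admins(users, expected_admins):
    """Administrator logins the site owner did not create (users: dicts with login/role)."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and u["login"] not in expected_admins)


# Constructed sample data standing in for a wp_posts / wp_users export.
SAMPLE_POST = ('<p>An old post.</p><div style="display:none"><a href="http://spam.example/x">buy</a>'
               '</div><iframe src="http://evil.example/l" width="1" height="1"></iframe>')
SAMPLE_USERS = [{"login": "matt", "role": "administrator"},
                {"login": "reader", "role": "subscriber"},
                {"login": "x9q2", "role": "administrator"}]  # constructed rogue account
```

Running `find_hidden_injections` over every post of a real export and `unexpected_admins` against the owner's known logins gives a quick indicator of compromise; a clean result on an unpatched install is not proof of safety, and the upgrade remains the fix.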

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.

The second type of advice is Club solutions; to illustrate, I’ll quote from Mark Pilgrim’s excellent essay on spam 7 years ago, before WordPress even existed:

The really interesting thing about these approaches, from a game theory perspective, is that they are all Club solutions, not Lojack solutions. There are two basic approaches to protecting your car from theft: The Club (or The Shield, or a car alarm, or something similar), and Lojack. The Club isn’t much protection against a thief who is determined to steal your car (it’s easy enough to drill the lock, or just cut the steering wheel and slide The Club off). But it is effective protection against a thief who wants to steal a car (not necessarily your car), because thieves are generally in a hurry and will go for the easiest target, the low-hanging fruit. The Club works as long as not everyone has it, since if everyone had it, thieves would have an equally difficult time stealing any car, their choice will be based on other factors, and your car is back to being as vulnerable as anyone else’s. The Club doesn’t deter theft, it only deflects it.

Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially for known exploits. Club solutions can be useful, like using a strong or complex password for your login — no one would recommend against that. (Another club solution is switching to less-used software on the assumption or more like the software’s claim that it’s perfect and more secure. This is why BeOS is more secure than Linux, ahem.)

In the car world, if someone figured out how to teleport entire cars to chop shops, The Club wouldn’t be so useful anymore. Luckily for manufacturers of The Club, this hasn’t happened. Online and in the software world, though, the equivalent happens almost daily. There is only one real solution. The only thing that I can promise will keep your blog secure today and in the future is upgrading.

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.


Copyright © 浩然东方. All rights reserved.
