redis rogue_如何保护自己免受Rogue WordPress插件的侵害

redis rogue

Before installing software on your computer, you would probably do a bit of research on the software before loading it on your system. Since the traditional software world has a handful of established vendors, vetting out bad software is relatively easy.

在将软件安装到计算机上之前,您可能需要对软件进行一些研究。 由于传统软件世界中只有少数几家成熟的供应商,因此审核劣质软件相对容易。

redis rogue_如何保护自己免受Rogue WordPress插件的侵害

WordPress plugins are often a little more difficult to screen because traditional antivirus programs can’t detect web exploits. Instead users are often forced to rely on their gut or sparse comments on the web to figure out if code is safe to use.

WordPress插件通常很难筛选,因为传统的防病毒程序无法检测到Web漏洞。 取而代之的是,用户经常*依靠自己的直觉或网上稀疏的注释来判断代码是否可以安全使用。

The best option to ensure the security of WordPress plugins you use is to audit the code by hand. For most people, this time commitment is a bit excessive. By following a couple of common sense measures, you can protect yourself from many malicious WordPress plugins.

确保您使用的WordPress插件安全的最佳选择是手工审核代码。 对于大多数人来说,这个时间投入有点过分。 通过采取一些常识性措施,您可以保护自己免受许多恶意WordPress插件的侵害。

使用安全扫描仪 (Using Security Scanners)

Although most security threats can’t be controlled with automated tools, using a quality web security scanner is a great way to compliment common sense security measures. SitePoint mentioned a few security plugins in their article on managed WordPress Hosting pros and cons which are worth looking at. In particular Wordfence and Sucuri SiteCheck are both solid tools which can help you spot malware which isn’t visible to the average user.

尽管大多数安全威胁无法使用自动化工具进行控制,但是使用高质量的Web安全扫描程序是补充常识性安全措施的好方法。 SitePoint在他们有关托管WordPress托管利弊的文章中提到了一些安全性插件,值得一看。 特别是WordfenceSucuri SiteCheck都是可靠的工具,可以帮助您发现普通用户看不到的恶意软件。

超越评论 (Going Beyond Reviews)

While the WordPress Plugin Directory and many WordPress Plugin sites offer user reviews, this feature isn’t reliable for a couple of reasons.


The first reason is that reviews on the WordPress Plugin Directory are often sparse and the reviews often only have star ratings rather than actual user comments. Additionally, reviews on company websites aren’t trustworthy because the developer has ample opportunity to manipulate the ratings.

第一个原因是WordPress插件目录上的评论通常很少,并且评论通常只有星级,而不是实际的用户评论。 此外,公司网站上的评论不值得信赖,因为开发人员有足够的机会来操纵评分。

If you are looking for credible reviews, then you should check out independent plugin marketplaces such as Envato Market or BinPress as they are the vendors which stand out. Just make sure you pay attention to user comments which detail why they gave a product the rating they did.

如果您正在寻找可信的评论,则应查看独立的插件市场,例如Envato MarketBinPress,因为它们是与众不同的供应商。 只要确保您注意用户评论,其中详细说明了他们为什么给产品打分。

Aside from relying on reviews, have a look at the plugin website and look at the support forums to get an idea of the attentiveness of the developer and quality of their code. Look to see if they have a professional support ticket system, and also try contacting the developer if you have concerns about their offering.

除了依靠评论之外,还可以查看插件网站和支持论坛,以了解开发人员的专心程度及其代码质量。 请查看他们是否具有专业的支持票证系统,如果对他们的产品有疑问,请尝试与开发人员联系。

You also should try Googling the developer’s information to see if they have a negative reputation across the Internet.


While these steps aren’t foolproof, they are much better than making a blind purchase.


当好的插件变坏时 (When Good Plugins Turn Bad)

Although screening plugins up front is a must for any WordPress user, even great plugins can become neglected overtime. Sometimes you might buy a plugin from reputable developer who charges for a subscription, or you might buy a plugin for a flat rate. Either way, development shops come and go. Even some of the best plugins are discontinued over time.

尽管对于任何WordPress用户而言,预先筛选插件都是必须的,但即使是出色的插件也可能会被忽略。 有时,您可能会从信誉良好的开发商那里购买插件,该开发商会收取订阅费用,或者您可能会以固定价格购买插件。 无论哪种方式,开发商店来来往往。 随着时间的流逝,即使是一些最好的插件也已停产。

If you can find a reliable plugin, the next step is making sure that it’s updated to keep pace with all major WordPress revisions. Whenever a major security update comes out, you should check the plugin changelog. Just because a plugin loads in WordPress doesn’t mean that it’s safe to use.

如果您可以找到可靠的插件,则下一步是确保已对其进行更新以与所有主要的WordPress版本保持同步。 每当出现重大安全更新时,都应检查插件更改日志。 仅仅因为在WordPress中加载了插件并不意味着它可以安全使用。

As the WordPress Handbook states, major releases are shown by a change in the first two numbers. A jump from 3.6 to 3.7 is more significant than a jump from 3.6.1 to 3.6.2. A ‘major’ release means that backwards compatibility can be (and usually is) broken. ‘Minor’ updates (updates with a third number) only address critical bugs and aren’t likely to break your plugins functionality.

WordPress手册所述,主要版本由前两个数字的变化表示。 从3.6跳到3.7比从3.6.1跳到3.6.2更重要。 “主要”版本意味着向后兼容性可能(并且通常)被破坏。 “次要”更新(使用第三个数字进行更新)仅解决了关键错误,并且不太可能破坏您的插件功能。

While a plugin can function for an extended period of time, you should always check the plugin website or WordPress codex every time a major WordPress update is released.


Even if the plugin works by default, the developer might announce technical issues and bugs on their website which can be dangerous to your WordPress install. In most cases the plugin will continue working if it is safe, but it never hurts to exercise caution.

即使该插件在默认情况下正常运行,开发人员也可能会在其网站上宣布技术问题和错误,这可能会对您的WordPress安装造成危险。 在大多数情况下,如果安全的话,该插件将继续工作,但谨慎行事不会有任何伤害。

不要忘记常识的重要性 (Don’t Forget the Importance of Common Sense)

The best way to protect your WordPress install from security threats is to cut down your reliance on plugins all together. Only use plugins when they add tangible value to your install, and avoid them when they do tasks you can do yourself.

保护您的WordPress安装不受安全威胁的最好方法是减少对插件的依赖。 仅当插件为您的安装添加有形价值时才使用插件,而当插件执行您可以自己完成的任务时避免使用它们。

Using a plugin to edit your .htaccess file or relying on a plugin to insert AdSense code into your blog is not the best use of your resources. Plugins which enable complex functionality not included in WordPress, such as paywalls and forums are a good use.

使用插件编辑.htaccess文件或依靠插件将AdSense代码插入博客中并不是最好的资源利用方式。 启用WordPress中未包含的复杂功能的插件(如付费墙和论坛)是很好的用法。

As with your workstation, aimlessly adding software can result in poor performance. Learning how to tweak WordPress yourself allows you to keep your site secure without missing out on useful features.

与工作站一样,漫无目的地添加软件可能会导致性能降低。 学习如何自己调整WordPress,可以使您的网站保持安全,而不会错过有用的功能。


redis rogue