How to find exposed backup and unreferenced files on a WordPress site

Keeping WordPress secure is a continuous process of testing, hardening, monitoring and improvement. There is a lot a WordPress administrator can do to protect a site, from enforcing password requirements to hardening PHP, and together these measures go a long way towards running a tight ship. One area that is easy to overlook is exposed backup and unreferenced files. These files can pose a real security risk, yet with a few best practices they are easy to manage.
WordPress organises its files in a directory structure; every page, plugin, theme and media upload lives somewhere in it. In a typical installation that structure looks something like /var/www/html/wordpress/wp-content. Web servers, including those hosting WordPress sites, are usually configured to serve clients any file under a given directory (the document root). There are exceptions, such as PHP files, which are executed rather than served as source, but for everything else the web server will hand the file over on request unless an administrator has explicitly blocked access. Normally this is desirable: it is how visitors receive CSS, JavaScript and image files. It also means, however, that files you never intended the public to see, such as backups and unreferenced files, can be served without anyone noticing.
What are backup and unreferenced files? As the name suggests, backup files are usually either copies of individual files made before editing them (a configuration file, for example) or full backups of the whole site. Understanding what these files are and how they come to exist is the first step towards solving the problem. There are many reasons you might need to edit WordPress files, but editing a file on a live site without backing it up first is asking for trouble: a single missing semicolon can take the whole website down.
Because mistakes like this happen so easily, editing files directly on the production web server is not recommended. Best practice is to make changes first on a test or staging server and move them to the live (production) server only after thorough and successful testing. In real life, though, best practice is not always followed, especially for small changes: the cycle of downloading, changing, uploading and testing a file takes far longer than editing it in place on the server. We have all been there.
Editing on the live server is very convenient. If you are comfortable with an SSH client and vi (or its improved version, vim), you can get a lot done quickly: connect to the server, change into the directory, first back up the file (to something like wp-config.php.bak), then edit the live file and, if everything works, move on. The backup file left behind in the folder "just in case", however, can cause a great deal of pain later. Anyone who requests it can download it, and because a file such as wp-config.php.bak is not treated as PHP it is served as plain text, exposing the whole configuration, database credentials included. In addition, many WordPress administrators may not realise that an editor such as vim automatically generates backup, swap (recovery) and lock files while a file is being edited. Vim creates these so that work can be recovered if it crashes or is terminated unexpectedly. That is undoubtedly a valuable feature, but it also means stray backup files can end up scattered around the website, waiting for someone to find them.
Backups of entire directories kept in public folders can be exposed in the same way. Backing up a WordPress website is important, but it must be done safely, without creating new security risks; this is discussed in more detail in the second half of this article. Typical examples of backup files include copies of configuration files, PHP files or other source code made before editing, and automatic or manual backups in the form of compressed archives such as .zip, .gz or .tar.gz files. An unreferenced file, by contrast, is a file that sits in a location where it does not belong, usually as the result of a configuration or design decision, and that nothing on the site links to.
What are the risks? Backup and unreferenced files that can be accessed over the web may reveal sensitive information. Depending on the file, that may be configuration parameters or source code that help an attacker understand how the website works and make it easier to attack. In some cases, for example when a configuration backup leaks database credentials or passwords, an attacker can take control of the entire WordPress installation. There are several ways for outsiders to find files left on a web server; some require technical expertise, but others are as simple as a Google search, so the risk of exposure is high. If you are not sure whether there are any such files on your server, read on to learn how to find them before someone else does.
There are several ways to find backup and unreferenced files on a WordPress website. As the server owner you have an advantage: you can inspect the file system directly instead of guessing from the outside. This section starts with the tools you can use to find and remove these files, and then looks at how a curious outsider would go about discovering them. When looking for leftover backup files on a web server you have at least three options. The easiest is to install a plugin that monitors file changes. Alternatively, you can use a command-line tool such as find to search the file system for leftover backup files, or you can use a technique called fuzzing, which requests likely file names over HTTP and watches for hits.
A file integrity monitoring plugin for WordPress makes it easy to monitor file changes on the web server and raises an alert whenever files are added, deleted or modified. You can do this with a website file changes monitor plugin. Such a plugin takes a fingerprint (a checksum) of every file in the WordPress directories and compares it against later fingerprints, so any change is detected reliably. File integrity monitoring is particularly useful if you are not familiar with all the directories WordPress uses. Another important advantage is that the monitoring is automated: there is no need to remember to check the files, because the plugin runs on its own.
Now let's look at how to use the find command to find backup files. The following command searches /var/www for regular files whose names end in extensions commonly used for backup files: editor backups such as .bak and names ending in ~, vim swap files, and compressed archives (.zip and .gz, the latter also matching .tar.gz):

find /var/www -type f \( -name '*.bak' -o -name '*~' -o -name '.*.swp' -o -name '*.zip' -o -name '*.gz' \)
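As an added example (not code from the original article), the following script wraps the same find command in a reusable function, adds a counter that a cron job can alert on, and builds a constructed sample web root so the scan can be tried offline. The sample file names, the theme name mytheme and the extra .old, .orig and .sql patterns are assumptions; extend the pattern list for your own site.

```shell
#!/bin/sh
# Added example, not from the original article: a small scanner for leftover
# backup, editor swap and archive files under a web root. The name patterns
# are the ones discussed above (editor backups such as .bak and files ending
# in ~, vim swap files, compressed archives) plus a few common neighbours
# (.old, .orig, .sql), which are assumptions; extend the list for your site.

# Print every regular file under the directory given as $1 whose name
# matches a backup pattern, one path per line, sorted. Defaults to /var/www.
scan_backup_files() {
    root="${1:-/var/www}"
    find "$root" -type f \( \
        -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name '*~' -o -name '.*.swp' -o -name '.*.swo' \
        -o -name '*.zip' -o -name '*.gz' -o -name '*.tar' -o -name '*.sql' \
    \) | sort
}

# Number of matches, so a cron job can alert whenever the result is not 0.
count_backup_files() {
    scan_backup_files "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (a fake web root, not a real site) so the
# scanner can be exercised offline. Prints the directory it created.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/mytheme" "$dir/wp-content/uploads"
    : > "$dir/index.php"
    : > "$dir/wp-config.php"
    : > "$dir/wp-config.php.bak"                          # manual copy made before editing
    : > "$dir/.wp-config.php.swp"                         # vim swap file from a crashed session
    : > "$dir/wp-content/themes/mytheme/functions.php~"   # vim/editor backup file
    : > "$dir/wp-content/uploads/site-backup.tar.gz"      # full-site archive left in uploads
    : > "$dir/wp-content/uploads/photo.jpg"               # legitimate file, must not match
    echo "$dir"
}

# Usage on a real host:  scan_backup_files /var/www/html
# Demo on the constructed tree:
#   root=$(make_sample_webroot); scan_backup_files "$root"; rm -rf "$root"
```

On the constructed tree the scan reports the .bak, .swp, ~ and .tar.gz files and ignores photo.jpg; on a real host, review each hit before deleting it, since a legitimate .zip offered for download will match too.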
A backup that exposes your site is worse than no backup at all. As this article has shown, keeping backup files on the WordPress website itself is dangerous because the web server will serve them to anyone who asks for them. So always use a test or staging environment to make changes before pushing them to the live (production) server. Most managed WordPress hosting accounts come with a staging environment by default, and you can also use software such as Local to run a WordPress instance on your own PC. If you nevertheless choose to keep backup files on the web server, do not keep them in a directory the web server is configured to serve. Also set the file permissions so that the web server user cannot read them: then, even if the web server is misconfigured, it cannot hand the file to a client that requests it. As an additional measure, encrypt all database backups and make sure the web server user cannot access the encryption key.
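The following script is an added example (not code from the original article) of the safe backup procedure described above: it refuses to write into the web root, stores the archive in an owner-only directory outside it, and, when a passphrase file is supplied and openssl is available, encrypts the archive and removes the plaintext. The paths, the site-<timestamp>.tar.gz naming and the use of openssl enc for encryption are assumptions; run it as a user other than the web server user so the 700/600 permissions actually keep that user out.

```shell
#!/bin/sh
# Added example, not from the original article: back up a WordPress web root
# to a directory OUTSIDE the document root, with permissions that keep the
# web server user out, and encrypt it when openssl is available. Paths and
# the archive naming are placeholders; adjust for your host.

# safe_backup WEBROOT DEST [PASSFILE]
# Creates a compressed archive of WEBROOT inside DEST (which must not be
# inside WEBROOT) and prints the path of the resulting file. If PASSFILE is
# given and openssl exists, the archive is encrypted with the passphrase in
# that file and the plaintext archive is deleted.
safe_backup() {
    webroot="$1"
    dest="$2"
    case "$dest" in
        "$webroot"|"$webroot"/*)
            echo "refusing to write a backup inside the web root: $dest" >&2
            return 1 ;;
    esac
    mkdir -p "$dest"
    chmod 700 "$dest"                     # owner only: the web server user cannot list or read it
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/site-$stamp.tar.gz"
    # umask 077 makes the archive owner-only from the moment it is created.
    ( umask 077 && tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")" )
    if [ -n "$3" ] && command -v openssl >/dev/null 2>&1; then
        # The passphrase file itself must also be unreadable by the web server user.
        ( umask 077 && openssl enc -aes-256-cbc -pbkdf2 -salt \
              -in "$archive" -out "$archive.enc" -pass "file:$3" )
        rm -f "$archive"
        archive="$archive.enc"
    fi
    echo "$archive"
}

# Print the permission bits of a path as octal (e.g. 600); GNU stat first,
# BSD/macOS stat as fallback.
perms_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real host, run as a non-web-server user:
#   safe_backup /var/www/html/wordpress /var/backups/wordpress /root/.backup-pass
```

Note that the encryption step is only as strong as the passphrase file's permissions: if the web server user can read the key, the encryption adds nothing.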
