[WordPress] Plugin Share: Password Confirm Action

10+ active installations
No rating yet
Last updated 3965 days ago
Support issues resolved
Requires WordPress 4.2.2+ | Version v0.2.0 | Listed: 2015-05-10

Description

Context

Please see Trac Ticket 20140.

Cross-site scripting (XSS) attacks, "lunch time raid" attacks and others can let an attacker "steal" a login session and act as the authenticated user without knowing that user's password.
The attacker may then try to turn that session into permanent access by doing one or more of the following:

Setting the hijacked user's password to one of their choosing
Changing the hijacked user's e-mail address
Creating a new user
Changing the role of their account to escalate privileges

This plugin blocks the attacker from doing any of these by prompting for the user's password.

Caveat

Of course, by default WordPress lets administrators install arbitrary plugins and themes and edit existing plugins/themes through the built-in editors. Those permissions render the above protection ineffective. Password-protecting those features is outside the immediate scope of this plugin, though it may be considered at some later point.
The plugin author recommends adding the following to your site's wp-config.php file:

define( 'DISALLOW_FILE_MODS', true );

For details, see https://codex.wordpress.org/Editing_wp-config.php#Disable_plugin_and_Theme_Update_and_Installation.

If you run into problems with this plugin, or want to suggest new features, please use the GitHub issues.

Can You Help?

Yes! Your help is welcome. You can choose any of the following:

Use the plugin and report any issues.
Find an unassigned issue and start working on it (please submit PRs against the develop branch).

If you have expertise in accessibility, any suggestions or improvements are welcome. If you encounter any accessibility problems while using the plugin, please report them too.

Special Thanks

Special thanks to Human Made, whose Require Password plugin (written by Jenny Wong) served as the inspiration for this plugin.


Download the latest version (v0.2.0) or install via search:

1. Download the ZIP, then in the dashboard go to "Plugins › Add New › Upload Plugin".
2. Search for "Password Confirm Action" in the dashboard and install it directly (recommended).

Original plugin description (English)

Context
Please see Trac Ticket 20140.
XSS attacks and ‘lunch time raid’ attacks, among others, can allow an attacker to ‘steal’ a log-in session, and act as an authenticated user without knowing that user’s password.
The aim of this plugin is to prevent such an attacker from engineering permanent access to the site. They may attempt to do this by doing one or more of the following:

Setting the password of the hijacked user to one of their choosing
Changing the e-mail of the hijacked user
Creating a new user
Changing the role of their account to escalate privileges

The plugin prevents the attacker from doing any of these by prompting them for the user’s password.
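As an added example that is not part of the original readme or the plugin's own code, the following PHP shows one way to implement the re-authentication described above in a WordPress site: the acting user must supply their current password, verified with wp_check_password() against the stored hash, before a profile update that sets a password, changes an e-mail address or role, or before a new user is created. The field name pca_example_current_password and all pca_example_* function names are assumptions made for this illustration; the hooks (show_user_profile, edit_user_profile, user_new_form, user_profile_update_errors) and the WordPress functions called are real.

```php
<?php
// Added example, not the Password Confirm Action plugin's own code.
// Re-authenticate the acting user before a profile update that changes a
// password, e-mail address or role, or before a new user is created.
// PCA_EXAMPLE_FIELD and the pca_example_* names are invented for this
// illustration; the hooks and WordPress functions are real.

define( 'PCA_EXAMPLE_FIELD', 'pca_example_current_password' ); // assumed field name

/**
 * Render a "current password" input on the profile and new-user forms.
 * Hooked to show_user_profile, edit_user_profile and user_new_form.
 */
function pca_example_render_field() {
	?>
	<table class="form-table" role="presentation">
		<tr>
			<th scope="row">
				<label for="<?php echo esc_attr( PCA_EXAMPLE_FIELD ); ?>">Your current password</label>
			</th>
			<td>
				<input type="password" class="regular-text"
				       name="<?php echo esc_attr( PCA_EXAMPLE_FIELD ); ?>"
				       id="<?php echo esc_attr( PCA_EXAMPLE_FIELD ); ?>"
				       autocomplete="current-password" />
				<p class="description">Required to change a password, e-mail address or role, or to add a user.</p>
			</td>
		</tr>
	</table>
	<?php
}
add_action( 'show_user_profile', 'pca_example_render_field' );
add_action( 'edit_user_profile', 'pca_example_render_field' );
add_action( 'user_new_form', 'pca_example_render_field' );

/**
 * Does the submitted form change a field an attacker could use to keep access?
 * Compares the POSTed values against the stored user, using the same field
 * names edit_user() reads (email, pass1, role).
 *
 * @param WP_User $target The user being edited.
 * @param array   $post   The raw POST data.
 * @return bool
 */
function pca_example_is_sensitive_change( WP_User $target, array $post ) {
	$new_email     = isset( $post['email'] ) ? sanitize_email( wp_unslash( $post['email'] ) ) : '';
	$email_changed = ( '' !== $new_email && $new_email !== $target->user_email );
	$password_set  = ! empty( $post['pass1'] );
	$role_changed  = isset( $post['role'] ) && '' !== $post['role']
		&& ! in_array( sanitize_text_field( wp_unslash( $post['role'] ) ), (array) $target->roles, true );
	return $email_changed || $password_set || $role_changed;
}

/**
 * Reject the update unless the acting user's current password verifies.
 * user_profile_update_errors fires inside edit_user() before anything is
 * saved; adding an error aborts the save. $errors is passed by reference.
 *
 * @param WP_Error $errors Collected validation errors.
 * @param bool     $update True when editing an existing user, false when adding one.
 * @param stdClass $user   The pending user data (has ->ID on update).
 */
function pca_example_require_password( $errors, $update, $user ) {
	$actor = wp_get_current_user();
	if ( 0 === $actor->ID ) {
		return; // not logged in; WordPress's own capability checks handle this case
	}
	$sensitive = ! $update; // creating any user always counts as sensitive
	if ( $update && ! empty( $user->ID ) ) {
		$target    = get_userdata( (int) $user->ID );
		$sensitive = $target && pca_example_is_sensitive_change( $target, $_POST );
	}
	if ( ! $sensitive ) {
		return; // e.g. only the display name changed
	}
	$supplied = isset( $_POST[ PCA_EXAMPLE_FIELD ] ) ? (string) wp_unslash( $_POST[ PCA_EXAMPLE_FIELD ] ) : '';
	// A stolen session cookie is not enough: the acting user must prove
	// knowledge of their own password. wp_check_password() verifies the
	// plaintext against the stored hash.
	if ( '' === $supplied || ! wp_check_password( $supplied, $actor->user_pass, $actor->ID ) ) {
		$errors->add(
			'pca_example_password_required',
			'<strong>Error:</strong> Please confirm your current password before changing a password, e-mail address or role, or adding a user.'
		);
	}
}
add_action( 'user_profile_update_errors', 'pca_example_require_password', 10, 3 );
```

Saved as a small mu-plugin, this covers the wp-admin profile and new-user forms only; any other path that writes the same fields would need the same check, and, as the Caveat below notes, a user who can still install or edit plugin files can bypass it entirely.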
Caveat
Of course, by default WordPress allows administrative users the ability to install arbitrary plugins and themes, and edit existing plugins/themes through in-built editors. These freedoms render the above solution impotent. It is outside of the immediate scope of this plugin to password protect those features, though it may be considered at a later date.
It’s the advice of the plugin author that you should disable such features in your site’s wp-config.php by adding:
define( 'DISALLOW_FILE_MODS', true );
as outlined in https://codex.wordpress.org/Editing_wp-config.php#Disable_plugin_and_Theme_Update_and_Installation.
To report bugs or feature requests, please use GitHub issues.
Can I Help?
Yes! Please do! You could do either of the following:

Use the plugin and report any issues.
Find an unassigned issue and start working on it (please make PRs to the develop branch).

If you have an expertise in accessibility I would welcome any suggestions or improvements. Or if you encounter any issues regarding accessibility please do report these.
A special thanks
A special thanks to Human Made whose Require Password plugin (written by Jenny Wong) served as an inspiration for this plugin.
