[WordPress] Plugin share: Passwords Evolved

Active installations: 2,000+
Rating: ★★★★★ 5/5 (2 reviews)
Last updated: 360 days ago
Support issues: resolved
Requires WordPress 5.2+, PHP 5.6+; version v1.4.0; listed on 2018-03-01



Plugin description (original English text)

Important Notice: This plugin is no longer supported on wordpress.org. Please open issues on GitHub.

The goal of this plugin is to shore up WordPress authentication using standard security practice recommendations. At this time, the plugin improves WordPress authentication by doing the following:

Enforcing uncompromised passwords

This plugin prevents someone from using passwords that have appeared in data breaches. Whenever someone logs into a WordPress site, it verifies their password against the Have I been pwned? API. If their password has appeared in a data breach, the plugin prevents them from logging in until they reset their password.

By default, this level of enforcement is only applied to accounts that have the "administrator" role. You can change which roles have their passwords enforced from the settings page. For people whose role has no password enforcement, the plugin shows a warning when they log in with a compromised password.

The enforcement of uncompromised passwords also extends to when someone resets or changes their password. In those situations, using an uncompromised password is mandatory: someone will never be able to reset or change their password to one that has appeared in a security breach (as long as the plugin is able to contact the API).

Using stronger password hashing

The plugin also hashes passwords using either the bcrypt or the Argon2 hashing function. These are the strongest hashing functions available in PHP. Argon2 is available natively starting with PHP 7.2, but the plugin can also hash passwords with it on older PHP versions using the libsodium compatibility layer introduced in WordPress 5.2.

You don't have to do anything to convert your password hash to the stronger standard. The plugin takes care of converting it the next time you log in after installing the plugin. If you decide to remove the plugin, your password will continue working and remain hashed with the stronger algorithm until you reset it.

It's also worth noting that using a stronger hashing function only matters in the event of a data breach. A stronger password hashing function makes recovering the passwords from the breached hashes a lot harder to do. Combined with the enforcement of uncompromised passwords, this helps ensure that those passwords are never recovered (or at least not without significant effort).
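As an added example (not the plugin's own code), here are the two login-time checks the description covers, in plain PHP 7.1+ with no WordPress dependency: the Have I been pwned? range lookup, which sends only the first five hex characters of the password's SHA-1 to the API, and the transparent rehash of a weaker stored hash on the next successful login. The function names `hibp_breach_count` and `verify_and_upgrade`, and the constructed `$fake_range` response, are assumptions; a real deployment fetches `https://api.pwnedpasswords.com/range/{prefix}` over HTTPS and, on PHP builds without Argon2, would use the libsodium layer the page mentions instead of native `password_hash()`.

```php
<?php
// Added example, not the plugin's code: the two login-time checks described
// above in plain PHP 7.1+ with no WordPress dependency (runs from the CLI).

// 1. Have I been pwned? range lookup (k-anonymity): only the first 5 hex
//    characters of the password's SHA-1 leave the server; the API answers with
//    every suffix sharing that prefix plus a breach count ("SUFFIX:COUNT" lines).
function hibp_breach_count(string $password, callable $fetch_range): int {
    $sha1   = strtoupper(sha1($password));
    $prefix = substr($sha1, 0, 5);
    $suffix = substr($sha1, 5);
    // $fetch_range($prefix) stands in for GET https://api.pwnedpasswords.com/range/{prefix}
    foreach (preg_split('/\r?\n/', $fetch_range($prefix)) as $line) {
        if (strpos($line, ':') === false) continue;
        [$hashSuffix, $count] = explode(':', trim($line), 2);
        if (hash_equals($suffix, strtoupper($hashSuffix))) {
            return (int) $count;
        }
    }
    return 0; // suffix absent from the response: not known to be breached
}

// 2. Transparent hash upgrade: verify against whatever hash is stored (bcrypt,
//    Argon2, or any crypt() format password_verify() understands), then rehash
//    with the preferred algorithm when the stored hash is weaker or uses old costs.
function verify_and_upgrade(string $password, string $stored_hash, ?string &$new_hash): bool {
    $new_hash = null;
    if (!password_verify($password, $stored_hash)) return false;
    // Argon2id when this PHP build has it (7.3+), bcrypt otherwise; the plugin
    // falls back to WordPress's libsodium layer instead (not shown here).
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
    if (password_needs_rehash($stored_hash, $algo)) {
        $new_hash = password_hash($password, $algo); // caller persists this as user_pass
    }
    return true;
}

// Constructed stand-in for the API response (counts are made up). SHA-1("password")
// is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 matches below.
$fake_range = function (string $prefix): string {
    return $prefix === '5BAA6'
        ? "0000000000000000000000000000000000A:2\n1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456"
        : '';
};
$old_hash = password_hash('password', PASSWORD_BCRYPT, ['cost' => 4]); // deliberately weak
$new_hash = null;
$ok = verify_and_upgrade('password', $old_hash, $new_hash);
printf("login ok: %s, hash upgraded: %s\n", $ok ? 'yes' : 'no', $new_hash !== null ? 'yes' : 'no');
printf("breach count for 'password': %d\n", hibp_breach_count('password', $fake_range));
```

A breach count above zero is where the plugin would block or warn depending on the user's role; the rehash only happens after `password_verify()` succeeds, so a wrong password never triggers a write.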
