
Description
RONIN47 helps secure a WordPress website that uses Google AMP technology.
Among other things, RONIN47 checks, outside the admin area, whether a request is trying to reach an author name through the "?author" query parameter and, if so, redirects it to another page.
Attackers can discover your WordPress username by appending the query /?author=1 (as in example.com/?author=1): WordPress's canonical redirect immediately sends them to the author archive, for example example.com/author/catherine, whose slug is the account's nicename and, by default, is derived from the login name.
An attacker who cannot find a valid username has a much harder time brute-forcing the login page, which also means less wasted load on your server. Note that the redirect is only one leak: author archive links printed by the theme expose the same slug, so this reduces exposure rather than removing it.
RONIN47 also blocks the WordPress REST API users endpoints. By default, visiting example.com/wp-json/wp/v2/users/1 shows the username in plain sight, because WordPress exposes certain REST routes without authentication and so lets anyone enumerate users as JSON.
After activating the plugin, the same URL returns the standard 404 response for an unknown route: {"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}
Whenever a login attempt fails, you will not see the usual errors that indicate whether the username or the password was wrong. Instead, every failure shows the same message: "Something is wrong! Are you a legit user?"
RONIN47 hides core update notices from all users except administrators and removes the WordPress.org logo and links from the top-left corner of the admin dashboard.
For security purposes, RONIN47 can show each account's numeric user ID in an extra column on the Users screen (users.php), so administrators can see exactly which IDs exist.
RONIN47 mitigates many XSS injections with a light-touch approach and also opts your website out of FLoC tracking for visitors browsing with Google Chrome.
FLoC (Federated Learning of Cohorts) was Chrome's trial of interest-based ad targeting, in which the browser grouped the sites you visited into a cohort and exposed that cohort to the sites you visit. A site opts out by sending the Permissions-Policy: interest-cohort=() response header. Google ended the FLoC trial in 2022 and replaced it with the Topics API, so the header is harmless but now mostly inert.
RONIN47 greatly reduces comment spam by rejecting comment submissions that carry no Referer header. Because the check runs in PHP rather than in .htaccess, it works behind both Nginx and Apache. Bear in mind that a bot can set a Referer header trivially and that visitors whose browser or privacy extension strips the header will also be rejected, so treat it as a cheap filter for the laziest spammers rather than a complete defence.
Support
Please use the WordPress.org forums for community support at https://wordpress.org/support/plugin/ronin47. If you spot a bug or have a suggestion to improve the code, contact us by e-mail at [email protected].
Original plugin description
RONIN47 helps secure a WordPress website that uses Google AMP technology.
Among other things, RONIN47 checks, outside the admin area, whether a request is trying to reach an author name through the "?author" query parameter and, if so, redirects it to another page.
Attackers can discover your WordPress username by appending the query /?author=1 (as in example.com/?author=1): WordPress's canonical redirect immediately sends them to the author archive, for example example.com/author/catherine, whose slug is the account's nicename and, by default, is derived from the login name.
An attacker who cannot find a valid username has a much harder time brute-forcing the login page, which also means less wasted load on your server. Note that the redirect is only one leak: author archive links printed by the theme expose the same slug, so this reduces exposure rather than removing it.
RONIN47 also blocks the WordPress REST API users endpoints. By default, visiting example.com/wp-json/wp/v2/users/1 shows the username in plain sight, because WordPress exposes certain REST routes without authentication and so lets anyone enumerate users as JSON.
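The two enumeration paths described above (the ?author=N redirect and the public /wp/v2/users routes) can be closed with two WordPress hooks. The following is an added example written for this page, not RONIN47's own code; it assumes a WordPress 5.x or later install, default REST settings, and that the file is dropped into wp-content/mu-plugins/ so it loads before any theme or plugin.

```php
<?php
/**
 * Added example (not RONIN47's code): close the two username-enumeration
 * paths described above. Assumes WordPress 5.x+ with default REST settings;
 * place in wp-content/mu-plugins/ so it loads early.
 */

// 1. Front-end ?author=N requests. Without this, WordPress's canonical
//    redirect turns example.com/?author=1 into example.com/author/<nicename>/
//    and hands the attacker the slug. The request goes to the home page
//    instead; the admin area is left alone so the Users screens keep working.
add_action( 'init', function () {
	if ( is_admin() || ! isset( $_GET['author'] ) ) {
		return;
	}
	wp_safe_redirect( home_url( '/' ), 302 );
	exit;
} );

// 2. REST users routes. Anonymous callers lose /wp/v2/users,
//    /wp/v2/users/<id> and /wp/v2/users/me; logged-in users keep them
//    because the block editor relies on them. A removed route yields the
//    rest_no_route 404 shown above, for /wp-json/... and for the
//    ?rest_route=... fallback alike, since both resolve through this table.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
} );
```

To verify from outside: `curl -si 'https://example.com/?author=1'` should now answer 302 with a Location of the home page rather than the author archive, and both `curl -s 'https://example.com/wp-json/wp/v2/users/1'` and `curl -s 'https://example.com/?rest_route=/wp/v2/users/1'` should return the rest_no_route body. Cookie authentication is resolved before the `rest_endpoints` filter runs, so `is_user_logged_in()` is reliable at that point.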
After activating the plugin, the same URL returns the standard 404 response for an unknown route: {"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}
Whenever a login attempt fails, you will not see the usual errors that indicate whether the username or the password was wrong. Instead, every failure shows the same message: "Something is wrong! Are you a legit user?"
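The generic login message is a one-line filter in WordPress, but hiding the reason from the attacker is only useful if you still record it yourself. The block below is an added example, not RONIN47's code: it replaces the wp-login.php error text and logs each failure with its WP_Error code and source address. The message string matches the one quoted above; the log format is an assumption of this example.

```php
<?php
/**
 * Added example (not RONIN47's code): one generic login error for users,
 * with the real reason written to the PHP error log for the operator.
 */

// Shown on wp-login.php for every failed attempt, whatever the cause
// (unknown user, wrong password, empty fields), so the page no longer
// distinguishes a valid username from an invalid one.
add_filter( 'login_errors', function ( $message ) {
	return esc_html( 'Something is wrong! Are you a legit user?' );
} );

// Keep what the screen no longer shows. Since WordPress 5.4 the action
// also receives the WP_Error, whose code (invalid_username,
// incorrect_password, ...) says why the attempt failed.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
	$reason = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';
	// Behind a reverse proxy REMOTE_ADDR is the proxy; take the client IP
	// from your proxy's trusted header instead if that applies to you.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	// Never log the submitted password; the username is enough to spot
	// password sprays and ID-based guessing.
	error_log( sprintf(
		'wp-login failed: user=%s reason=%s ip=%s',
		sanitize_user( $username, true ),
		$reason,
		$ip
	) );
}, 10, 2 );
```

Two caveats a practitioner should keep in mind: the lost-password form has its own error text and is not covered by `login_errors`, and WordPress only runs the password hash check when the username exists, so a careful attacker can still tell valid from invalid accounts by response time even when the message is identical.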
RONIN47 hides core update notices from all users except administrators and removes the WordPress.org logo and links from the top-left corner of the admin dashboard.
For security purposes, RONIN47 can show each account's numeric user ID in an extra column on the Users screen (users.php), so administrators can see exactly which IDs exist.
RONIN47 mitigates many XSS injections with a light-touch approach and also opts your website out of FLoC tracking for visitors browsing with Google Chrome.
FLoC (Federated Learning of Cohorts) was Chrome's trial of interest-based ad targeting, in which the browser grouped the sites you visited into a cohort and exposed that cohort to the sites you visit. A site opts out by sending the Permissions-Policy: interest-cohort=() response header. Google ended the FLoC trial in 2022 and replaced it with the Topics API, so the header is harmless but now mostly inert.
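The FLoC opt-out has to be an HTTP response header; a meta tag is not honoured for Permissions-Policy. As an added example (not RONIN47's code), the following hooks WordPress's own header list for front-end responses and extends, rather than overwrites, any Permissions-Policy a theme or other plugin already queued:

```php
<?php
/**
 * Added example (not RONIN47's code): send Permissions-Policy:
 * interest-cohort=() on front-end responses without clobbering an
 * existing Permissions-Policy value.
 */
add_filter( 'wp_headers', function ( array $headers ) {
	$optout = 'interest-cohort=()';
	$current = isset( $headers['Permissions-Policy'] ) ? $headers['Permissions-Policy'] : '';

	if ( '' === $current ) {
		// Nothing queued yet: send the opt-out on its own.
		$headers['Permissions-Policy'] = $optout;
	} elseif ( false === stripos( $current, 'interest-cohort' ) ) {
		// Someone already set other directives; directives are comma-separated,
		// so append ours instead of replacing theirs.
		$headers['Permissions-Policy'] = $current . ', ' . $optout;
	}
	// If interest-cohort is already present, leave the existing policy alone.
	return $headers;
} );
```

Check it with `curl -sI https://example.com/ | grep -i permissions-policy`. Note that `wp_headers` runs only for requests served through WordPress's front-end dispatcher; static files and pages served straight from a CDN cache need the header added at the web server or CDN instead.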
RONIN47 greatly reduces comment spam by rejecting comment submissions that carry no Referer header. Because the check runs in PHP rather than in .htaccess, it works behind both Nginx and Apache. Bear in mind that a bot can set a Referer header trivially and that visitors whose browser or privacy extension strips the header will also be rejected, so treat it as a cheap filter for the laziest spammers rather than a complete defence.
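Here is how such a referrer check looks when done in PHP at the comment-submission hook rather than in .htaccess. This is an added example, not RONIN47's code; the same-host rule in the second half goes one step beyond the description above and is this example's own addition.

```php
<?php
/**
 * Added example (not RONIN47's code): reject comment POSTs that arrive with
 * no Referer, and optionally any whose Referer is not this site. Runs on
 * pre_comment_on_post, i.e. for wp-comments-post.php before WordPress
 * validates or stores the comment, so it is web-server independent.
 */
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
	$referer = isset( $_SERVER['HTTP_REFERER'] ) ? trim( (string) $_SERVER['HTTP_REFERER'] ) : '';

	// Bulk spammers often POST straight to wp-comments-post.php without ever
	// loading the post, so no Referer is sent. A browser submitting the real
	// form sends at least the origin under the default referrer policy.
	if ( '' === $referer ) {
		wp_die( 'Comment rejected: request has no referrer.', 'Forbidden', array( 'response' => 403 ) );
	}

	// Stricter, optional: the referring host must be this site. Catches bots
	// that copy a fixed Referer from some other domain.
	$expected = wp_parse_url( home_url(), PHP_URL_HOST );
	$actual   = wp_parse_url( $referer, PHP_URL_HOST );
	if ( ! $actual || 0 !== strcasecmp( $actual, $expected ) ) {
		wp_die( 'Comment rejected: cross-site referrer.', 'Forbidden', array( 'response' => 403 ) );
	}
} );
```

Test it with `curl -s -o /dev/null -w '%{http_code}\n' -X POST -d 'comment_post_ID=1&comment=hi&author=a&email=a@example.com' https://example.com/wp-comments-post.php` (expect 403) and again with `-H 'Referer: https://example.com/hello-world/'` (expect WordPress's normal handling). The hook only covers the classic form endpoint; anonymous comment creation through the REST API is disabled by default unless a plugin enables it via `rest_allow_anonymous_comments`.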
Support
Please use the WordPress.org forums for community support at https://wordpress.org/support/plugin/ronin47. If you spot a bug or have a suggestion to improve the code, contact us at [email protected].
