真实的国产乱ⅩXXX66竹夫人,五月香六月婷婷激情综合,亚洲日本VA一区二区三区,亚洲精品一区二区三区麻豆

成都創(chuàng)新互聯(lián)網(wǎng)站制作重慶分公司

WordPress barcode scanner / WPS barcode scanner settings

A WordPress site is being hit by a malicious scanner coming from http://site.ru. How can it be blocked?

Blocking by IP is of course not very practical here, so you can try blocking with nginx's http_referer instead, which works somewhat better.


As for how to write it, you can use the following form:

# the referrer pattern to match goes between the quotes
if ($http_referer ~* "") { access_log off; return 444; }

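Put it inside a location block of the nginx configuration file. Remember that after saving the configuration file you have to run nginx -s reload for it to take effect! If you need more detailed help, see the web link.

In addition, if you run a WP site, it is recommended to use the HIDE MY WP plugin to filter and hide the site's important directories.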
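Before deploying such a rule it helps to confirm from the access log that the unwanted requests really share one Referer while arriving from several addresses. The following is an added example, not part of the original answer: the log lines are constructed, nginx's default "combined" log format is assumed, and the function names are invented for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "http://site.ru/" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "http://site.ru/" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "http://site.ru/page" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 8120 "https://www.example.org/" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:00:09 +0000] "GET /contact/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_host(referer):
    """Lowercase host of a Referer header value; None for "-" or junk."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return None
    return host.lower() if host else None

def summarize(log_text):
    """Map referer host -> {"requests": count, "ips": set of client IPs}."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        host = referer_host(m.group("referer")) if m else None
        if host is None:
            continue  # unparsable line, or no usable Referer
        stats[host]["requests"] += 1
        stats[host]["ips"].add(m.group("ip"))
    return dict(stats)

def block_candidates(stats, min_ips=2):
    """Referer hosts used by several client IPs: one referer rule covers
    them all, where IP blocking needs one entry per address."""
    return sorted(h for h, s in stats.items() if len(s["ips"]) >= min_ips)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for host in block_candidates(stats):
        print(host, stats[host]["requests"], "requests,", len(stats[host]["ips"]), "IPs")
```

Because the rule above sets access_log off for matching requests, this count only works on logs written before the rule is enabled.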

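How to scan and check the security of a WordPress site with wpscan, nmap and nikto

1. Use WPScan to test WordPress for vulnerable plugins and themes

WPScan is a black-box WordPress security scanner written in Ruby, built specifically to look for known WordPress weaknesses. It gives security professionals and WordPress administrators a way to assess their WordPress sites. It is open source and released under GPLv3.

2. Download and install WPScan

Before we start the installation, it is important to note that wpscan does not work on Windows, so you need a Linux or OS X machine for the steps below. If you only have a Windows system, you can download VirtualBox and install any Linux distribution you like in a virtual machine.

The WPScan source code is hosted on GitHub, so git needs to be installed first (LCTT translator's note: you can also download the packaged source code directly from GitHub without having to install git).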

sudo apt-get install git

With git installed, we now need to install wpscan's dependencies.

sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3

Clone wpscan from GitHub.

git clone

Now we can enter the newly created wpscan directory and install the required Ruby gems with bundler.

cd wpscan

sudo gem install bundler && bundle install --without test development

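Now that wpscan is installed, we can use it to search our WordPress site for potentially vulnerable files. The most important aspect of wpscan is that it can enumerate not only plugins and themes but also users and timthumb files. WPScan can also be used to brute-force WordPress, but that is not what this article covers.

3. Update WPScan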

ruby wpscan.rb --update

Enumerate plugins

To list all plugins, just add the "--enumerate p" argument, like this:

ruby wpscan.rb --url http(s):// --enumerate p

Or list only the vulnerable plugins:

ruby wpscan.rb --url http(s):// --enumerate vp

Here are some examples:

| Name: akismet
| Location: http://********.com/wp-content/plugins/akismet/
| Name: audio-player
| Location: http://********.com/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference:
| * Reference:
| * Reference:
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://********.com/wp-content/plugins/bbpress/
| Readme: http://********.com/wp-content/plugins/bbpress/readme.txt
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference:
| * Reference:
| * Reference:
| * Reference:
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference:
| * Reference:
| * Reference:
| * Reference:
| Name: contact
| Location: http://********.com/wp-content/plugins/contact/

4. Enumerate themes

Enumerating themes is much like enumerating plugins; just use "--enumerate t".

ruby wpscan.rb --url http(s):// --enumerate t

Or list only the vulnerable themes:

ruby wpscan.rb --url http(s):// --enumerate vt

Example output:

| Name: path
| Location: http://********.com/wp-content/themes/path/
| Style URL: http://********.com/wp-content/themes/path/style.css
| Description:
| Name: pub
| Location: http://********.com/wp-content/themes/pub/
| Style URL: http://********.com/wp-content/themes/pub/style.css
| Description:
| Name: rockstar
| Location: http://********.com/wp-content/themes/rockstar/
| Style URL: http://********.com/wp-content/themes/rockstar/style.css
| Description:
|
| * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
| * Reference:
| Name: twentyten
| Location: http://********.com/wp-content/themes/twentyten/
| Style URL: http://********.com/wp-content/themes/twentyten/style.css
| Description:
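The plugin and theme listings above share one layout, so a saved report can be turned into a list of items that need updating. This is an added example, not part of the original article or of WPScan: the sample text is constructed in the layout quoted above, the host wp.example is a placeholder, and the function names are invented here.

```python
import re

# Constructed sample in the layout of the output quoted above (placeholder host).
SAMPLE = """\
| Name: akismet
| Location: http://wp.example/wp-content/plugins/akismet/
| Name: audio-player
| Location: http://wp.example/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://wp.example/wp-content/plugins/bbpress/
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
|
| * Title: BBPress - forum.php page Parameter SQL Injection
"""

NAME_RE = re.compile(r"^\|\s*Name:\s*(?P<name>\S+)(?:\s+-\s+v(?P<version>\S+))?\s*$")
FIELD_RE = re.compile(r"^\|\s*(?P<star>\*\s*)?(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

def parse_report(text):
    """Parse '| Name:' blocks into dicts with their findings attached."""
    items = []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            items.append({"name": m["name"], "version": m["version"], "findings": []})
            continue
        m = FIELD_RE.match(line)
        if not m or not items:
            continue  # separator line, or a field before any Name line
        key, value = m["key"].strip(), m["value"].strip()
        if m["star"] and key == "Title":
            items[-1]["findings"].append({"title": value, "fixed_in": None})
        elif m["star"] and key == "Fixed in" and items[-1]["findings"]:
            items[-1]["findings"][-1]["fixed_in"] = value
        elif not m["star"] and key == "Location":
            items[-1]["location"] = value
    return items

def patch_list(items):
    """(name, detected version, fix version or None) for every finding."""
    return [(i["name"], i["version"], f["fixed_in"])
            for i in items for f in i["findings"]]
```

A finding with no "Fixed in" line comes back with None as its fix version, which marks the item for manual review rather than a simple update.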

5. Enumerate users

WPScan can also be used to enumerate the users and valid logins of a WordPress site. Attackers often do this to obtain a list of users for brute-forcing.

ruby wpscan.rb --url http(s):// --enumerate u

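Enumerate Timthumb files

The last WPScan feature I want to mention is enumerating timthumb (thumbnail) files. In recent years timthumb has become a common target for attackers, because countless vulnerabilities have been found and posted to forums, mailing lists and similar places. The following command uses wpscan to find vulnerable timthumb files: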

ruby wpscan.rb --url http(s):// --enumerate tt

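I'm planning to build a shop with WordPress WooCommerce; can I use WeChat Pay?

Yes, you can use WeChat Pay.

WeChat Pay is Tencent's payment service brand.

WeChat Pay offers payment methods such as Official Account payment, in-app payment, QR code payment and card-swipe payment.

Balance payment is one of WeChat Pay's payment methods; you can also pay from a bank card.

11 free online tools for scanning website security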

1. SUCURI

SUCURI is one of the most popular free website malware and security scanners. You can do a quick test for malware, blacklisting status, injected SPAM, and defacements.

SUCURI also helps to clean and protect your website from online threats and works on any website platforms, including WordPress, Joomla, Magento, Drupal, phpBB, etc.

2. Qualys

SSL Server Test by Qualys is essential to scan your website for SSL/TLS misconfiguration and vulnerabilities. It provides an in-depth analysis of your https:// URL including expiry day, overall rating, cipher, SSL/TLS version, handshake simulation, protocol details, BEAST, and much more.

As a best practice, you should run the Qualys test after making any SSL/TLS related changes.

3. Quttera

Quttera checks websites for malware and vulnerability exploits.

It scans your website for malicious files, suspicious files, potentially suspicious files, PhishTank, Safe Browsing (Google, Yandex), and Malware domain list.

4. Intruder

Intruder is a powerful cloud-based vulnerability scanner to find weaknesses in the entire web application infrastructure. It is enterprise-ready and offers a government and bank-level security scanning engine without complexity.

Its robust security checks include identifying:

Missing patches

Misconfigurations

Web application issues such as SQL injection and cross-site scripting

CMS issues

Intruder saves you time by prioritizing results based on their context as well as proactively scanning your systems for the latest vulnerabilities. It also integrates with major cloud providers (AWS, GCP, Azure) as well as Slack and Jira.

You can give Intruder a try for 30 days for free.

5. UpGuard

UpGuard Web Scan is an external risk assessment tool that uses the publicly available information to grade.

Test results are categorized into the following groups.

Website risks

Email risks

Network security

Phishing and Malware

Brand protection

Good to get a quick security posture of your website.

6. SiteGuarding

SiteGuarding helps you to scan your domain for malware, website blacklisting, injected spam, defacement, and much more. The scanner is compatible with WordPress, Joomla, Drupal, Magento, osCommerce, Bulletin, and other platforms.

SiteGuarding also helps you to remove malware from your website, so if your site is affected by viruses, they will be useful.

7. Observatory

Mozilla recently introduced Observatory, which helps a site owner to check various security elements. It validates against OWASP header security, TLS best practices and performs third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload, etc.

8. Web Cookies Scanner

Web Cookies Scanner is a free all-in-one security tool suitable for scanning web applications. It is capable of searching for vulnerabilities and privacy issues on HTTP cookies, Flash applets, HTML5 localStorage and sessionStorage, Supercookies, and Evercookies. The tool also offers a free URL malware scanner and an HTTP, HTML, and SSL/TLS vulnerability scanner.

To use this tool, you just need to enter your site’s full domain name and click on Check! After a while, you’ll get a full vulnerabilities report, showing a detail of all issues found and an overall privacy impact score.

You can use the on-demand service for free with no restrictions, or you can subscribe for a free trial of a fully automated RESTful API with different plans, which offer between 100 and unlimited API scans per month.

9. Detectify

Fully supported by ethical hackers, the Detectify domain and web application security service offers automated security and asset monitoring, being able to detect more than 1500 vulnerabilities.

Its vulnerability scanning capacity includes OWASP Top 10, CORS, Amazon S3 Bucket, and DNS misconfigurations. The Asset Monitoring service continuously monitors subdomains, searching for hostile takeovers and alerting if anomalies are detected.

Detectify offers three pricing plans: Starter, Professional, and Enterprise. All of them start with a 14-day free trial, which you can take without using a credit card.

10. Probely

Probely provides a virtual security specialist that you can add to your development crew, security team, DevOps, or SaaS business. This security specialist will scan your web application and find all of its vulnerabilities. You can think of Probely as a family doctor that gives you periodic diagnostics and tells you what to do to fix any issue.

It is a tool mainly built for developers, letting them be more independent when it comes to security testing. Its API-First development approach assures that any features will be first available on the API version of the service. It has many pricing plans, including a free one with basic scanning capacity.

11. Pentest-Tools

The website vulnerability scanner is one of a comprehensive set of tools offered by Pentest-Tools that comprise a solution for information gathering, web application testing, CMS testing, infrastructure testing, and SSL testing. In particular, the website scanner is designed to discover common web application vulnerabilities and server configuration issues.

The company offers a Light version of the tool, which performs a passive web security scan. It is capable of detecting many vulnerabilities, including insecure cookie settings, insecure HTTP headers, and outdated server software. You can perform up to 2 free, full scans of your website to get a comprehensive assessment. The results will tell you about vulnerabilities such as local file inclusion, SQL injection, OS command injection, and XSS, among others.

This document is mainly from the URL below... Just changed a few pictures (from my testing).


Page URL: http://weahome.cn/article/ddidhdi.html
