十年网站开发经验 + 多家企业客户 + 靠谱的建站团队
量身定制 + 运营维护+专业推广+无忧售后,网站问题一站解决
使用IP屏蔽当然不太好用,所以你可以尝试使用nginx的http_referer方式进行屏蔽,效果会比较好一些。
成都创新互联公司是一家集网站建设,弥勒企业网站建设,弥勒品牌网站建设,网站定制,弥勒网站建设报价,网络营销,网络优化,弥勒网站推广为一体的创新建站企业,帮助传统企业提升企业形象加强企业竞争力。可充分满足这一群体相比中小企业更为丰富、高端、多元的互联网需求。同时我们时刻保持专业、时尚、前沿,时刻以成就客户成长自我,坚持不断学习、思考、沉淀、净化自己,让我们为更多的企业打造出实用型网站。
关于写法,你可以写成如下样式:
if ($http_referer ~* "") { access_log off; return 444; }
将其放在nginx配置文件的location段落下。记得保存配置文件后使用nginx -s reload才能生效!如果需要详细帮助可以看下 网页链接
另外使用wp网站的话建议使用插件HIDE MY WP进行网站重要目录的过滤和隐藏。
1.用 WPScan 测试 WordPress 中易受攻击的插件和主题
WPScan 是一个 WordPress 黑盒安全扫描软件,用 Ruby 写成,它是专门用来寻找已知的 WordPress 的弱点的。它为安全专家和 WordPress 管理员提供了一条评估他们的 WordPress 站点的途径。它的基于开源代码,在 GPLv3 下发行。
2.下载和安装 WPScan
在我们开始安装之前,很重要的一点是要注意 wpscan 不能在 Windows 下工作,所以你需要使用一台 Linux或者 OS X 的机器来完成下面的事情。如果你只有 Windows 的系统,拿你可以下载一个 Virtualbox 然后在虚拟机里面安装任何你喜欢的 Linux 发行版本。
WPScan 的源代码放在 Github 上,所以需要先安装 git(LCTT 译注:其实你也可以直接从 Github 上下载打包的源代码,而不必非得装 git )。
sudo apt-get install git
git 装好了,我们就要安装 wpscan 的依赖包了。
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3
把 wpscan 从 github 上 clone 下来。
git clone
现在我们可以进入这个新建立的 wpscan 目录,通过 bundler 安装必要的 ruby 包。
cd wpscan
sudo gem install bundler bundle install --without test development
现在 wpscan 装好了,我们就可以用它来搜索我们 WordPress 站点潜在的易受攻击的文件。wpcan 最重要的方面是它能列出不仅是插件和主题,也能列出用户和缩略图的功能。WPScan 也可以用来暴力破解 WordPress —— 但这不是本文要讨论的内容。
3.更新 WPScan
ruby wpscan.rb --update
列举插件
要列出所有插件,只需要加上 “--enumerate p” 参数,就像这样:
ruby wpscan.rb --url http(s):// --enumerate p
或者仅仅列出易受攻击的插件:
ruby wpscan.rb --url http(s):// --enumerate vp
下面是一些例子:
| Name: ukiscet
| Location: http://********点抗 /wp-content/plugins/akismet/
| Name: audio-player
| Location: http://********点抗 /wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference:
| * Reference:
| * Reference:
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://********点抗 /wp-content/plugins/bbpress/
| Readme: http://********点抗 /wp-content/plugins/bbpress/readme.txt
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference:
| * Reference:
| * Reference:
| * Reference:
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference:
| * Reference:
| * Reference:
| * Reference:
| Name: contact
| Location: http://********点抗 /wp-content/plugins/contact/
4.列举主题
列举主题和列举插件差不多,只要用"--enumerate t"就可以了。
ruby wpscan.rb --url http(s):// --enumerate t
或者只列出易受攻击的主题:
ruby wpscan.rb --url http(s):// --enumerate vt
例子的输出:
| Name: path
| Location: http://********点抗 /wp-content/themes/path/
| Style URL: http://********点抗 /wp-content/themes/path/style.css
| Description:
| Name: pub
| Location: http://********点抗 /wp-content/themes/pub/
| Style URL: http://********点抗 /wp-content/themes/pub/style.css
| Description:
| Name: rockstar
| Location: http://********点抗 /wp-content/themes/rockstar/
| Style URL: http://********点抗 /wp-content/themes/rockstar/style.css
| Description:
|
| * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
| * Reference:
| Name: twentyten
| Location: http://********点抗 /wp-content/themes/twentyten/
| Style URL: http://********点抗 /wp-content/themes/twentyten/style.css
| Description:
5.列举用户
WPscan 也可以用来列举某个 WordPress 站点的用户和有效的登录记录。攻击者常常这么做——为了获得一个用户清单,好进行暴力破解。
ruby wpscan.rb --url http(s):// --enumerate u
列举 Timthumb 文件
关于 WPscan ,我要说的最后一个功能是列举 timthub (缩略图)相关的文件。近年来,timthumb 已经成为攻击者眼里的一个常见目标,因为无数的漏洞被找出来并发到论坛上、邮件列表等等地方。用下面的命令可以通过 wpscan 找出易受攻击的 timthub 文件:
ruby wpscan.rb --url http(s):// --enumerate tt
可以使用微信支付,
微信支付是腾讯公司的支付业务品牌,
微信支付提供公众号支付、APP支付、扫码支付、刷卡支付等支付方式。
零钱支付是微信支付的一种方式,另外也可以从银行卡支付。
1. SUCURI
SUCURI is one of the most popular free website malware and security scanner. You can do a quick test for malware, blacklisting status, injected SPAM, and defacements.
SUCURI also helps to clean and protect your website from online threats and works on any website platforms, including WordPress, Joomla, Magento, Drupal, phpBB, etc.
2. Qualys
SSL Server Test by Qualys is essential to scan your website for SSL/TLS misconfiguration and vulnerabilities. It provides an in-depth analysis of your https:// URL including expiry day, overall rating, cipher, SSL/TLS version, handshake simulation, protocol details, BEAST, and much more.
As a best practice, you should run the Qualys test after making any SSL/TLS related changes.
3.Quttera
Quttera check website for malware and vulnerabilities exploits.
It scans your website for malicious files, suspicious files, potentially suspicious files, PhishTank, Safe Browsing (Google, Yandex), and Malware domain list.
4.Intruder
Intruder is a powerful cloud-based vulnerability scanner to find weaknesses in the entire web application infrastructure. It is enterprise-ready and offers government bank-level security scanning engine without complexity.
Its robust security checks include identifying:
Missing patches
Misconfigurations
Web application issues such as SQL injection cross-site scripting
CMS issues
Intruder saves you time by prioritizing results based on their context as well as proactively scanning your systems for the latest vulnerabilities. It also integrates with major cloud providers (AWS, GCP, Azure) as well as Slack Jira.
You can give Intruder a try for 30 days for free.
5. UpGuard
UpGuard Web Scan is an external risk assessment tool that uses the publicly available information to grade.
Test results are categorized into the following groups.
Website risks
Email risks
Network security
Phishing and Malware
Brand protection
Good to get a quick security posture of your website.
6.SiteGuarding
SiteGuarding helps you to scan your domain for malware, website blacklisting, injected spam, defacement, and much more. The scanner is compatible with WordPress, Joomla, Drupal, Magento, osCommerce, Bulletin, and another platform.
SiteGuarding also helps you to remove malware from your website, so if you are site is affected by viruses, they will be useful.
7.Observatory
Mozilla recently introduced observatory , which helps a site owner to check various security elements. It validates against OWASP header security, TLS best practices and performs third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload, etc.
8.Web Cookies Scanner
Web Cookies Scanner is a free all-in-one security tool suitable for scanning web applications. It is capable of searching vulnerabilities and privacy issues on HTTP cookies, Flash applets, HTML5 localStorage, and sessionStorage, Supercookies, and Evercookies. The tool also offers a free URL malware scanner and an HTTP, HTML, and SSL/TLS vulnerability scanner.
To use this tool, you just need to enter your site’s full domain name and click on Check! After a while, you’ll get a full vulnerabilities report, showing a detail of all issues found and an overall privacy impact score.
You can use the on-demand service for free with no restrictions, or you can subscribe for a free trial of a fully automated RESTful API with different plans, which offer between 100 and unlimited API scans per month.
9.Detectify
Fully supported by ethical hackers, the Detectify domain and web application security service offers automated security and asset monitoring, being able to detect more than 1500 vulnerabilities.
Its vulnerability scanning capacity includes OWASP Top 10, CORS, Amazon S3 Bucket, and DNS misconfigurations. The Asset Monitoring service continuously monitors subdomains, searching for hostile takeovers and alerting if anomalies are detected.
Detectify offers three pricing plans: Starter, Professional, and Enterprise. All of them start with a 14-day free trial, which you can take without using a credit card.
10.Probely
Probely provides a virtual security specialist that you can add to your development crew, security team, DevOps, or SaaS business. This security specialist will scan your web application and find all of its vulnerabilities. You can think of Probely as a family doctor that gives you periodic diagnostics and tells you what to do to fix any issue.
It is a tool mainly built for developers, letting them be more independent when it comes to security testing. Its API-First development approach assures that any features will be first available on the API version of the service. It has many pricing plans, including a free one with basic scanning capacity.
11.Pentest-Tools
The website vulnerability scanner is one of a comprehensive set of tools offered by Pentest-Tools that comprise a solution for information gathering, web application testing, CMS testing, infrastructure testing, and SSL testing. In particular, the website scanner is designed to discover common web application vulnerabilities and server configuration issues.
The company offers a Light version of the tool, which performs a passive web security scan. It is capable of detecting many vulnerabilities, including insecure cookie settings, insecure HTTP headers, and outdated server software. You can perform up to 2 free, full scans of your website to get a comprehensive assessment. The results will tell you about vulnerabilities such as local file inclusion, SQL injection, OS command injection, XSS, between others.
This document is mainly from the below URL...Just changed a few picture(from my testing).