[{"data":1,"prerenderedAt":78},["ShallowReactive",2],{"navigation":3,"posts-undefined-WordPress-0-999":20},[4,8,12,16],{"title":5,"path":6,"stem":7},"首页","\u002F","00.index",{"title":9,"path":10,"stem":11},"文章","\u002Fposts","01.posts",{"title":13,"path":14,"stem":15},"动态","\u002Fmoments","02.moments",{"title":17,"path":18,"stem":19},"关于","\u002Fabout","09.about",[21],{"id":22,"title":23,"body":24,"class":58,"cover":58,"coverSize":58,"date":59,"description":30,"draft":60,"extension":61,"hideComments":60,"location":58,"meta":62,"navigation":63,"path":64,"readingTime":65,"seo":70,"sitemap":71,"stem":72,"tags":73,"time":58,"weather":58,"__hash__":77},"posts\u002Fposts\u002F2024\u002F20240327.wordpress-hacked.md","记录一次 WordPress 被恶意代码注入的问题",{"type":25,"value":26,"toc":55},"minimark",[27,31,34,42,52],[28,29,30],"p",{},"今天发现之前帮一个客户维护的服务器流量近期一直比较高，是平常的几十倍。看了下请求，都是一些奇奇怪怪的 URL，并且甚至还能返回 200。访问看了下，是一些别的产品的营销页，看了下请求来源，也都是一些营销机器人。",[28,32,33],{},"初步怀疑是客户 WordPress 的管理员密码被撞库了，然后 WordPress 本身又有一些漏洞导致代码文件被改了。上去看了下，发现篡改了很多文件。",[28,35,36,37,41],{},"后续就是将 WordPress 的代码恢复成之前的版本，清理了一些不用的管理员账号，并且把剩下唯一的管理员密码重新修改了。然后在 ",[38,39,40],"code",{},"Apache"," 上把流量较高的一些请求的路由和 UA 做了限制，直接禁止访问降低带宽。",[43,44,49],"pre",{"className":45,"code":47,"language":48},[46],"language-text","RewriteCond %{HTTP_USER_AGENT} (DataForSeoBot|SemrushBot) [NC,OR]\nRewriteCond %{REQUEST_URI} ^\u002Fgodsend\u002F [NC]\nRewriteRule .* - [F]\n","text",[38,50,47],{"__ignoreMap":51},"",[28,53,54],{},"后面流量就恢复正常了。",{"title":51,"searchDepth":56,"depth":56,"links":57},2,[],null,"2024-03-27",false,"md",{},true,"\u002Fposts\u002F2024\u002Fwordpress-hacked",{"text":66,"minutes":67,"time":68,"words":69},"2 min read",1.225,73500,245,{"title":23,"description":30},{"loc":64},"posts\u002F2024\u002F20240327.wordpress-hacked",[74,75,76],"技术","DevOps","WordPress","8M8kF_xksYyDPkt3CFRWkUA01rl8UzgjELJTcjEXnVY",1777580271237]