Title: Filesystem Unlocker Author: duke_justice Published: 2016 年 3 月 9 日 Last modified: 2016 年 3 月 9 日 --- 搜尋外掛 這個外掛**並未在最新的 3 個 WordPress 主要版本上進行測試**。開發者可能不再對這個 外掛進行維護或提供技術支援,並可能會與更新版本的 WordPress 產生使用上的相容性問題。 ![](https://s.w.org/plugins/geopattern-icon/filesystem-unlocker.svg) # Filesystem Unlocker 由 [duke_justice](https://profiles.wordpress.org/duke_justice/) 開發 [下載](https://downloads.wordpress.org/plugin/filesystem-unlocker.zip) * [詳細資料](https://tw.wordpress.org/plugins/filesystem-unlocker/#description) * [使用者評論](https://tw.wordpress.org/plugins/filesystem-unlocker/#reviews) * [安裝方式](https://tw.wordpress.org/plugins/filesystem-unlocker/#installation) * [開發資訊](https://tw.wordpress.org/plugins/filesystem-unlocker/#developers) [技術支援](https://wordpress.org/support/plugin/filesystem-unlocker/) ## 外掛說明 I created this plugin because I am tired of having my WordPress sites being hacked. It is used to completely lock the filesystem with the help of a bash script. The said script is external from the website and ran via cron so you need cron access to make this work. Otherwise, this plugin is useless to you. This plugin has a known bug. See FAQs. ## 安裝方式 1. Upload the plugin files to the `/wp-content/plugins/filesystem-unlocker` directory, or install the plugin through the WordPress plugins screen directly. 2. Activate the plugin through the ‘Plugins’ screen in WordPress 3. Use the left menu Filesystem Unlocker to configure the plugin (this has to be done before configuring and cron’ing scripts) 4. You need to put the folowing script somewhere on your filesystem, elsewhere then in the webserver’s directory. It needs to be run with the webserver’s privileges or a higher privilege that can chmod files in the webserver’s directory. 5. Edit the script to match your users, passwords, database prefixes, paths and the like. 6. Minimaly, cron a job that runs this script every minute of everyday 7. Ideally, cron this job to run only when you are EFFECTIVELY playing in your ftp. You are sleeping from 10pm to 6am ? Then don’t run the script. It won’t unlock your filesystem if it’s not ran. But then, you need an additionnal script to be ran the minute after you go to sleep to ensure the ftp is locked in the scenario where there was “time left in the parking meter” when your cron stop to execute. The script in step 4 goes as follows: ``` #!/bin/bash #################################################################################################### # You NEED to edit the folowing strings # #################################################################################################### # # # -uuser : -uYourMySQLUser... ex.: -umarc # # -ppassword : -pYourUserSPassword... ex.: -pabracadabra # # MySQLDatabaseName : Your MySQL database name... ex.: datab1f32 # # wpTablePrefix__ : Your wordpress installation table prefixes... ex.: wp_prefix123__ # # /path/to/public_html : the path to your webserver's root document... ex.: /home/user/public_html # # # #################################################################################################### #################################################################################################### # Note on the choice of the path to be locked... # #################################################################################################### # # # The above mention of /path/to/public_html may or may not be accurate in the case your WordPress # # installation is not at the root of your webserver's tree. But take into account I suggest you # # lock your WHOLE filesystem because if you choose to lock only your WordPress's files, any hacker # # being "ethical" as they are, will write outside of your "locked zone" and exploit your webserver.# # Thus, I STRONGLY suggest you lock your WHOLE filesystem. # # # # Should you choose otherwise, you could adapt the above # # /path/to/public_html # # with # # /path/to/public_html/wordpress/install/path # # # #################################################################################################### timetolock=$(mysql -uuser -ppassword -se "select option_value from MySQLDatabaseName.wpTablePrefix__options where option_name='filesystem_unlocker_plugin_options'"); isitlockedalready=$(mysql -uuser -ppassword -se "select option_value from MySQLDatabaseName.wpTablePrefix__options where option_name='filesystem_unlocker_plugin_lock_state'"); if [ $timetolock -gt 0 ] && [ $isitlockedalready -eq 1 ] then find /path/to/public_html -type d -exec chmod 755 {} \; && find /path/to/public_html -type f -exec chmod 644 {} \; mysql -uuser -ppassword -se "update MySQLDatabaseName.wpTablePrefix__options set option_value = 0 where option_name='filesystem_unlocker_plugin_lock_state'"; fi if [ $timetolock -eq 0 ] && [ $isitlockedalready -eq 0 ] then find /path/to/public_html -type d -exec chmod 555 {} \; && find /path/to/public_html -type f -exec chmod 444 {} \; mysql -uuser -ppassword -se "update MySQLDatabaseName.wpTablePrefix__options set option_value = 1 where option_name='filesystem_unlocker_plugin_lock_state'"; fi if [ $timetolock -gt 0 ] && [ $isitlockedalready -eq 0 ] then mysql -uuser -ppassword -se "update MySQLDatabaseName.wpTablePrefix__options set option_value = option_value-1 where option_name='filesystem_unlocker_plugin_options'"; fi ``` The optional script in step 7 goes as follows: ``` #!/bin/bash #################################################################################################### # You NEED to edit the folowing strings # #################################################################################################### # # # -uuser : -uYourMySQLUser... ex.: -umarc # # -ppassword : -pYourUserSPassword... ex.: -pabracadabra # # MySQLDatabaseName : Your MySQL database name... ex.: datab1f32 # # wpTablePrefix__ : Your wordpress installation table prefixes... ex.: wp_prefix123__ # # /path/to/public_html : the path to your webserver's root document... ex.: /home/user/public_html # # # #################################################################################################### #################################################################################################### # Note on the choice of the path to be locked... # #################################################################################################### # # # The above mention of /path/to/public_html may or may not be accurate in the case your WordPress # # installation is not at the root of your webserver's tree. But take into account I suggest you # # lock your WHOLE filesystem because if you choose to lock only your WordPress's files, any hacker # # being "ethical" as they are, will write outside of your "locked zone" and exploit your webserver.# # Thus, I STRONGLY suggest you lock your WHOLE filesystem. # # # # Should you choose otherwise, you could adapt the above # # /path/to/public_html # # with # # /path/to/public_html/wordpress/install/path # # # #################################################################################################### find /path/to/public_html -type d -exec chmod 555 {} \; && find /path/to/public_html -type f -exec chmod 444 {} \; mysql -uuser -ppassword -se "update MySQLDatabaseName.wpTablePrefix__options set option_value = 1 where option_name='filesystem_unlocker_plugin_lock_state'"; ``` ## 常見問題集 I use a captcha, database backup or “the like” plugin that needs to write to the filesystem. Will it be locked as well ? Yes it will. And these plugins will “break”. Such scripts are rarely made for writing elsewhere then the webserver’s directories. As such, you could midofy the lock script to get it to unlock a specific directory after having locked them all. But what would be the point? A hacker could then use this to hack your site anyways. Can I still use my “the like” plugins with this locking script ? Yes you could. Either you get them to write elsewhere (then the webserver’s directories) and make sure that they won’t update with their respective author’s updates or you do this another way since you have cron (thus shell) access. My advice : don’t open a door. Hackers like opened doors. Change the way you do things and you’ll get results you never had…. Security and protection. Who can unlock the filesystem ? By default, only people with edit_posts permissions and up can do this. This being because if you can edit a post, well, you could need to upload a picture to put into your post. Are there any known bugs ? No known bugs exist at this time. Please notify any and all bugs to the support forums on the plugin’s page. ## 使用者評論 這個外掛目前沒有任何使用者評論。 ## 參與者及開發者 以下人員參與了開源軟體〈Filesystem Unlocker〉的開發相關工作。 參與者 * [ duke_justice ](https://profiles.wordpress.org/duke_justice/) [將〈Filesystem Unlocker〉外掛本地化為台灣繁體中文版](https://translate.wordpress.org/projects/wp-plugins/filesystem-unlocker) ### 對開發相關資訊感興趣? 任何人均可[瀏覽程式碼](https://plugins.trac.wordpress.org/browser/filesystem-unlocker/)、 查看 [SVN 存放庫](https://plugins.svn.wordpress.org/filesystem-unlocker/),或透過 [RSS](https://plugins.trac.wordpress.org/log/filesystem-unlocker/?limit=100&mode=stop_on_copy&format=rss) 訂閱[開發記錄](https://plugins.trac.wordpress.org/log/filesystem-unlocker/)。 ## 變更記錄 #### 1.1 * Transformed all admin pages request into admin_url( $path, $scheme ) instead of hardcoding paths. #### 1.0 * Initial release ## 中繼資料 * 版本 **1.0** * 最後更新 **10 年前** * 啟用安裝數 **10+** * WordPress 版本需求 ** 4.0.0 或更新版本 ** * 已測試相容的 WordPress 版本 **4.4.34** * 語言 * [English (US)](https://wordpress.org/plugins/filesystem-unlocker/) * 標籤: * [filesystem](https://tw.wordpress.org/plugins/tags/filesystem/)[ftp](https://tw.wordpress.org/plugins/tags/ftp/) [lock](https://tw.wordpress.org/plugins/tags/lock/)[security](https://tw.wordpress.org/plugins/tags/security/) * [進階檢視](https://tw.wordpress.org/plugins/filesystem-unlocker/advanced/) ## 評分 這個項目尚無任何評論記錄。 [Your review](https://wordpress.org/support/plugin/filesystem-unlocker/reviews/#new-post) [查看全部使用者評論](https://wordpress.org/support/plugin/filesystem-unlocker/reviews/) ## 參與者 * [ duke_justice ](https://profiles.wordpress.org/duke_justice/) ## 技術支援 使用者可在技術支援論壇提出意見反應或使用問題。 [檢視技術支援論壇](https://wordpress.org/support/plugin/filesystem-unlocker/)