A fix for attacks on wp-login.php and xmlrpc.php in WordPress 5

Originally published: 2020-02-18 12:07:11

In the same directory as wp-login.php, create a new file control.php with the following content

<?php
// Suffix appended to a file name when that entry point is switched off
$suffix = 'bak';

// Current state: an entry point is "on" when the file exists under its real name
$xmlrpc_checked = file_exists('xmlrpc.php') ? 'checked' : '';
$wplogin_checked = file_exists('wp-login.php') ? 'checked' : '';

/**
 * Emit a JSON response and stop processing
 * @param string    $code status code
 * @param string    $msg  message
 * @param array     $data payload
 * @return void (never returns: calls exit)
 */
function echo_json($code = 0, $msg = '', $data = array())
{
    $arr = [
        'code' => $code,
        'msg' => $msg,
        'data' => $data
    ];
    echo json_encode($arr, JSON_UNESCAPED_SLASHES);
    exit;
}

/** File handling: rename between the live name and the backup name */
function change_file($file_ori, $file_bak, $action)
{
    // $action true = restore the live file, false = move it to the backup name
    $file_start = $action ? $file_bak : $file_ori;
    $file_end = $action ? $file_ori : $file_bak;

    $msg = $action ? '已打开' : '已关闭';
    $msg .= " $file_ori";

    if (!file_exists($file_start)) {
        echo_json(400, '未找到程序文件');
    } else {
        if (rename($file_start, $file_end)) {
            echo_json(200, $msg);
        } else {
            echo_json(400, '文件操作失败');
        }
    }
}

/** Main process */
function main()
{
    if (isset($_GET['obj']) && isset($_GET['action'])) {
        $obj = $_GET['obj'];

        // Only the two known entry points may be toggled. Without this check the
        // caller could rename any .php file on the site (e.g. via "../" in obj).
        if (!in_array($obj, array('wp-login', 'xmlrpc'), true)) {
            echo_json(400, '未找到程序文件');
        }

        // action is a query-string value: '1' switches the file on, anything else off
        $action = $_GET['action'] === '1';

        global $suffix;

        // Live file name
        $file_ori = "$obj.php";
        // Backup file name
        $file_bak = "$file_ori.$suffix";

        // Perform the rename
        change_file($file_ori, $file_bak, $action);
    }
}

/** Start */
main(); // run the main process
?>

<!DOCTYPE html>
<html lang="zh-CN">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>WordPress登录控制</title>
    <link rel="stylesheet" href="//static.class4ever.com/weui/v2.1.3/weui.min.css">
</head>

<body>
    <div class="page">
        <div class="weui-form">
            <div class="weui-form__text-area">
                <h2 class="weui-form__title">WordPress登录控制</h2>
            </div>
            <div class="weui-form__control-area">
                <div class="weui-cells__group weui-cells__group_form">
                    <div class="weui-cells weui-cells_form">
                        <div class="weui-cell weui-cell_switch">
                            <div class="weui-cell__bd">允许 wp-login.php</div>
                            <div class="weui-cell__ft">
                                <input class="weui-switch" type="checkbox" name="wp-login" <?= $wplogin_checked ?>>
                            </div>
                        </div>
                        <div class="weui-cell weui-cell_switch">
                            <div class="weui-cell__bd">允许 xmlrpc.php</div>
                            <div class="weui-cell__ft">
                                <label for="switchCP" class="weui-switch-cp">
                                    <input id="switchCP" class="weui-switch-cp__input" type="checkbox" <?= $xmlrpc_checked ?> name="xmlrpc">
                                    <div class="weui-switch-cp__box"></div>
                                </label>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
</body>
<script src="//static.class4ever.com/jquery/jquery-3.4.1.min.js"></script>
<script>
    $(document).ready(function() {
        const arr = ['wp-login', 'xmlrpc']
        $.each(arr, function(k, v) {
            // Listen for changes on each switch
            $('[name="' + v + '"]').change(function() {
                // Remember the switch that was toggled
                let _self = $(this)
                // Disable the switch to prevent double clicks
                _self.prop('disabled', true)
                // Current state
                let val = _self.prop('checked')
                // 1 = switch on, 0 = switch off
                let action = val ? 1 : 0

                // Ajax request to control.php
                $.get('control.php', {
                    obj: v,
                    action: action
                }, function(res) {
                    res = JSON.parse(res)
                    if (res.code !== 200) { // on failure, revert the switch
                        _self.prop('checked', !val)
                    }

                    // Re-enable the switch
                    _self.prop('disabled', false)
                })
            })
        })
    })
</script>

</html>

The interface shown when this file is run looks like this

When you are not using wp-login.php to log in, you can switch it off; the same goes for xmlrpc.php.
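The script above has two properties a practitioner should weigh before deploying it: anyone who can reach control.php can flip the switches, and the renamed wp-login.php.bak stays inside the web root, where most servers will hand it out as a plain text download. The following is an added example, not the post's control.php, that keeps the same rename-to-disable idea but requires a shared secret (compared in constant time with hash_equals), only ever touches the two known files, and parks the disabled file in a directory outside the web root. CONTROL_SECRET, the X-Control-Token header, the disabled-endpoints directory and the JSON shape are assumptions of this example; it needs PHP 7.1 or later. Run it from the command line to exercise the toggle against a scratch directory before putting it behind a web server.

```php
<?php
// Added example (not the original post's code): hardened rename-to-disable toggle.
// Assumptions: CONTROL_SECRET is replaced with a long random value per site, the
// caller sends it in an X-Control-Token header, and ../disabled-endpoints exists
// outside the web root and is writable by PHP.

const CONTROL_SECRET = 'replace-with-a-long-random-value'; // assumption: set per site
const ENDPOINTS      = ['wp-login', 'xmlrpc'];             // the only files ever touched

/**
 * Enable or disable one WordPress entry point by moving it between the web root
 * and a private store. Returns ['ok' => bool, 'msg' => string].
 */
function toggle_endpoint(string $webRoot, string $store, string $name, bool $enable): array
{
    // Whitelist first: this is what stops "../wp-config" style names.
    if (!in_array($name, ENDPOINTS, true)) {
        return ['ok' => false, 'msg' => 'unknown endpoint'];
    }
    $live   = rtrim($webRoot, '/') . "/$name.php";
    $parked = rtrim($store, '/') . "/$name.php";   // not reachable over HTTP
    [$from, $to] = $enable ? [$parked, $live] : [$live, $parked];

    if (!is_file($from)) {
        return ['ok' => false, 'msg' => "$name.php is already " . ($enable ? 'enabled' : 'disabled')];
    }
    if (!rename($from, $to)) {
        return ['ok' => false, 'msg' => "could not move $name.php"];
    }
    return ['ok' => true, 'msg' => ($enable ? 'enabled ' : 'disabled ') . "$name.php"];
}

function endpoint_enabled(string $webRoot, string $name): bool
{
    return is_file(rtrim($webRoot, '/') . "/$name.php");
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    // Offline self-check: a scratch web root with a placeholder wp-login.php.
    $base = sys_get_temp_dir() . '/wpctl_' . bin2hex(random_bytes(4));
    mkdir("$base/public", 0700, true);
    mkdir("$base/private", 0700, true);
    file_put_contents("$base/public/wp-login.php", "<?php // placeholder\n");

    $r = toggle_endpoint("$base/public", "$base/private", 'wp-login', false);
    check($r['ok'] && !endpoint_enabled("$base/public", 'wp-login'), 'disable moves the file out');
    check(is_file("$base/private/wp-login.php"), 'disabled copy lands in the private store');
    $r = toggle_endpoint("$base/public", "$base/private", 'wp-login', true);
    check($r['ok'] && endpoint_enabled("$base/public", 'wp-login'), 'enable restores the file');
    $r = toggle_endpoint("$base/public", "$base/private", '../wp-config', false);
    check(!$r['ok'], 'names outside the whitelist are refused');
    echo "self-check passed\n";
    exit;
}

// Web entry point: refuse anything without the secret before touching any file.
$token = $_SERVER['HTTP_X_CONTROL_TOKEN'] ?? '';
if (!hash_equals(CONTROL_SECRET, $token)) {
    http_response_code(404);   // indistinguishable from a missing file
    exit;
}
$name   = $_GET['obj'] ?? '';
$enable = ($_GET['action'] ?? '') === '1';
$result = toggle_endpoint(__DIR__, dirname(__DIR__) . '/disabled-endpoints', $name, $enable);
header('Content-Type: application/json');
echo json_encode(['code' => $result['ok'] ? 200 : 400, 'msg' => $result['msg']]);
```

The web branch answers 404 rather than 401 to an unauthenticated caller, so the control endpoint does not announce itself to scanners, and the JSON shape matches what the post's switch page expects, so the same front end can be pointed at it once it is taught to send the token header.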