{"id":2935,"date":"2026-05-28T20:27:02","date_gmt":"2026-05-28T20:27:02","guid":{"rendered":"https:\/\/www.areaweb.sk\/?p=2935"},"modified":"2026-05-29T19:19:10","modified_gmt":"2026-05-29T19:19:10","slug":"wordpress-bezpecnost-12-chyb-majitelu-webu","status":"publish","type":"post","link":"https:\/\/www.areaweb.sk\/cs\/wordpress-bezpecnost-12-chyb-ktore-robia-majitelia-webov\/","title":{"rendered":"WordPress bezpe\u010dnost: 12 chyb, kter\u00e9 d\u011blaj\u00ed majitel\u00e9 web\u016f"},"content":{"rendered":"

WordPress poh\u00e1\u0148a viac ako tretinu webov na internete \u2013 a pr\u00e1ve preto je \u010dast\u00fdm cie\u013eom hackerov. \u00datoky neprich\u00e1dzaj\u00fa len na ve\u013ek\u00e9 firmy; automatizovan\u00e9 boty skenuj\u00fa tis\u00edce str\u00e1nok denne a h\u013eadaj\u00fa zn\u00e1me diery v pluginoch, slab\u00e9 hesl\u00e1 a zastaran\u00e9 jadro. Tento \u010dl\u00e1nok zhrnie 12 naj\u010dastej\u0161\u00edch ch\u00fdb<\/strong>, ktor\u00e9 robia majitelia webov, a ako sa im vyhn\u00fa\u0165.<\/p>\n\n\n\n

Bezpe\u010dnos\u0165 nie je jednorazov\u00e9 nastavenie. Je to n\u00e1vyk: aktualiz\u00e1cie, monitoring, z\u00e1lohy a obmedzenie pr\u00edstupov. Ak e\u0161te nem\u00e1\u0161 z\u00e1lohy, za\u010dni \u010dl\u00e1nkom Automatick\u00e1 z\u00e1loha WordPress<\/a>.<\/p>\n\n\n\n

12 nej\u010dast\u011bj\u0161\u00edch bezpe\u010dnostn\u00edch chyb<\/h2>\n\n\n\n

1. Slab\u00e9 nebo opakovan\u00e9 hesla<\/h3>\n\n\n\n

Heslo \u201eadmin123\u201c alebo rovnak\u00e9 heslo pre FTP, datab\u00e1zu a WordPress je najr\u00fdchlej\u0161ia cesta k napadnutiu. Pou\u017e\u00edvaj spr\u00e1vcu hesiel, minim\u00e1lne 16 znakov a dvojfaktorov\u00e9 overenie (2FA)<\/strong> pre v\u0161etk\u00fdch editorov.<\/p>\n\n\n\n

2. Neaktualizovan\u00e9 jadro, t\u00e9my a pluginy<\/h3>\n\n\n\n

Ka\u017ed\u00e1 neaktualizovan\u00e1 verzia je potenci\u00e1lna diera. Zapni automatick\u00e9 minor updaty jadra, raz t\u00fd\u017edenne skontroluj pluginy a pred v\u00e4\u010d\u0161ou aktualiz\u00e1ciou urob z\u00e1lohu. Na produkcii najprv testuj na staging \u2013 viac v WordPress staging<\/a>.<\/p>\n\n\n\n

3. Predvolen\u00fd pou\u017e\u00edvate\u013e \u201eadmin\u201c<\/h3>\n\n\n\n

Boti sk\u00fa\u0161aj\u00fa prihl\u00e1senie ako u\u017e\u00edvate\u013e admin<\/code>. Vytvor nov\u00e9ho administr\u00e1tora s in\u00fdm loginom a \u00fa\u010det admin zma\u017e alebo zme\u0148 rolu.<\/p>\n\n\n\n

4. XML-RPC a REST API bez obmedzenia<\/h3>\n\n\n\n

XML-RPC sa zneu\u017e\u00edva na brute-force \u00fatoky. Ak nepou\u017e\u00edva\u0161 vzdialen\u00fa aplik\u00e1ciu na publikovanie, vypni ho (plugin Disable XML-RPC nebo firewall). Obmedz aj po\u010det pokusov o prihl\u00e1senie.<\/p>\n\n\n\n

5. \u017diadne z\u00e1lohy nebo z\u00e1lohy len na hostingu<\/h3>\n\n\n\n

Hosting m\u00f4\u017ee zlyha\u0165, \u00fato\u010dn\u00edk m\u00f4\u017ee zmaza\u0165 s\u00fabory aj datab\u00e1zu. Automatick\u00e9 z\u00e1lohy na extern\u00fd disk (Google Drive, Dropbox) s\u00fa must-have. Over obnovu aspo\u0148 raz ro\u010dne \u2013 z\u00e1loha, ktor\u00fa nevie\u0161 obnovi\u0165, neexistuje.<\/p>\n\n\n\n

6. Pr\u00edli\u0161 ve\u013ea plugin\u016f od nezn\u00e1mych autorov<\/h3>\n\n\n\n

S\u0165ahuj len z ofici\u00e1lneho repozit\u00e1ra nebo overen\u00fdch zdrojov. P\u0159ed in\u0161tal\u00e1ciou zkontroluj d\u00e1tum poslednej aktualiz\u00e1cie, po\u010det in\u0161tal\u00e1ci\u00ed a recenzie. Nepou\u017e\u00edvan\u00e9 pluginy vyma\u017e, nevyp\u00ednaj ich roky.<\/p>\n\n\n\n

7. Ch\u00fdbaj\u00faci SSL a vyn\u00faten\u00e9 HTTPS<\/h3>\n\n\n\n

Bez HTTPS s\u00fa prihlasovacie \u00fadaje a cookies odosielan\u00e9 otvorene. Nastav Let’s Encrypt<\/strong> certifik\u00e1t a v WordPress prepni URL na https \u2013 n\u00e1vod v SSL na WordPress<\/a>.<\/p>\n\n\n\n

8. S\u00fabor wp-config.php a .htaccess s chybn\u00fdmi pr\u00e1vami<\/h3>\n\n\n\n

Pr\u00e1va 644 pro s\u00fabory a 755 pro prie\u010dinky s\u00fa \u0161tandard. Nikdy ned\u00e1vaj 777. Skry\u0165 wp-config mimo public_html, ak to hosting umo\u017e\u0148uje.<\/p>\n\n\n\n

9. \u017diadna ochrana formul\u00e1rov a koment\u00e1rov<\/h3>\n\n\n\n

Spam a boti za\u0165a\u017euj\u00fa server. Pou\u017eij reCAPTCHA, hCaptcha, Turnstile alebo Antispam Bee \u2013 porovnanie v Google reCAPTCHA vs Akismet<\/a>.<\/p>\n\n\n\n

10. Zdie\u013ean\u00e9 FTP a admin pr\u00edstupy<\/h3>\n\n\n\n

Ka\u017ed\u00fd, kto mal kedyko\u013evek FTP heslo, je riziko. Men hesl\u00e1 po odchode spolupracovn\u00edka. Pre administr\u00e1ciu pou\u017e\u00edvaj samostatn\u00fd \u00fa\u010det, nie zdie\u013ean\u00fd \u201einfo@\u201c. Obmedzenie pr\u00edstupu pod\u013ea IP popisujeme v povolenie pr\u00edstupu pod\u013ea IP<\/a>.<\/p>\n\n\n\n

11. \u017diadny firewall ani skenovanie<\/h3>\n\n\n\n

Pluginy Wordfence, Solid Security nebo firewall na \u00farovni hostingu blokuj\u00fa podozriv\u00e9 po\u017eiadavky. Zapni aspo\u0148 z\u00e1kladn\u00e9 pravidl\u00e1 a e-mailov\u00e9 upozornenia na zmeny v jadre.<\/p>\n\n\n\n

12. Ignorovanie logov a upozornen\u00ed<\/h3>\n\n\n\n

Ak hosting po\u0161le e-mail o podozrivom traffici, nereaguj \u201enesk\u00f4r\u201c. Zkontroluj pr\u00edstupov\u00e9 logy, nezn\u00e1me admin \u00fa\u010dty a s\u00fabory v uploads (PHP by tam nemalo by\u0165).<\/p>\n\n\n\n

Bezpe\u010dnostn\u00ed checklist na t\u00fdden<\/h2>\n\n\n\n