{"id":4542,"date":"2026-02-05T19:45:59","date_gmt":"2026-02-05T16:45:59","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/wordpress-guvenli-giris-mimarisi-2fa-ip-kisitlama-recaptcha-ve-xml-rpc-korumasi\/"},"modified":"2026-02-05T19:45:59","modified_gmt":"2026-02-05T16:45:59","slug":"wordpress-guvenli-giris-mimarisi-2fa-ip-kisitlama-recaptcha-ve-xml-rpc-korumasi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/wordpress-guvenli-giris-mimarisi-2fa-ip-kisitlama-recaptcha-ve-xml-rpc-korumasi\/","title":{"rendered":"WordPress Secure Login Architecture: 2FA, IP Restriction, reCAPTCHA and XML-RPC Protection"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#WordPress_Giris_Ekrani_Neden_En_Kritik_Saldiri_Noktaniz\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Is the WordPress Login Screen Your Most Critical Attack Point?<\/a><\/li><li><a href=\"#Guvenli_Giris_Mimarisi_Nasil_Dusunulmeli\"><span class=\"toc_number toc_depth_1\">2<\/span> How Should a Secure Login Architecture Be Thought Through?<\/a><\/li><li><a href=\"#Iki_Faktorlu_Dogrulama_2FA_Paroladan_Sonraki_Ilk_Gercek_Bariyer\"><span class=\"toc_number toc_depth_1\">3<\/span> Two-Factor Authentication (2FA): The First Real Barrier After the Password<\/a><ul><li><a href=\"#WordPress_Icin_2FA_Turleri\"><span class=\"toc_number toc_depth_2\">3.1<\/span> 2FA Types for WordPress<\/a><\/li><li><a href=\"#2FAyi_Kimler_Icin_Zorunlu_Kilmalisiniz\"><span class=\"toc_number toc_depth_2\">3.2<\/span> For Whom Should You Make 2FA Mandatory?<\/a><\/li><li><a href=\"#2FA_Kurulurken_Sik_Yapilan_Hatalar\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Common Mistakes When Setting Up 2FA<\/a><\/li><\/ul><\/li><li><a href=\"#IP_Kisitlama_Yonetici_Paneline_Kim_Nereden_Ulasabilir\"><span class=\"toc_number toc_depth_1\">4<\/span> IP Restriction: Who Can Reach the Admin Panel, and From Where?<\/a><ul><li><a href=\"#IP_Kisitlama_Senaryolari\"><span class=\"toc_number toc_depth_2\">4.1<\/span> IP Restriction Scenarios<\/a><\/li><li><a href=\"#WordPresste_Basit_IP_Kisitlama_Ornekleri\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Simple IP Restriction Examples in WordPress<\/a><\/li><li><a href=\"#Dinamik_IP_Kullanicilarinda_IP_Kisitlama_Nasil_Yonetilir\"><span class=\"toc_number toc_depth_2\">4.3<\/span> How to Manage IP Restriction for Users with Dynamic IPs<\/a><\/li><\/ul><\/li><li><a href=\"#reCAPTCHA_ve_Bot_Korumasi_Brute-Force_Trafigini_Erken_Elemek\"><span class=\"toc_number toc_depth_1\">5<\/span> reCAPTCHA and Bot Protection: Filtering Out Brute-Force Traffic Early<\/a><ul><li><a href=\"#Hangi_reCAPTCHA_Surumu_Hangi_Senaryoda\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Which reCAPTCHA Version, in Which Scenario?<\/a><\/li><li><a href=\"#Captcha_Ayarlarinda_Dikkat_Edilmesi_Gerekenler\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Things to Watch Out for in Captcha Settings<\/a><\/li><\/ul><\/li><li><a href=\"#XMLRPC_Neden_Bu_Kadar_Saldiri_Aliyor_ve_Ne_Yapmalisiniz\"><span class=\"toc_number toc_depth_1\">6<\/span> Why Does XML-RPC Get Attacked So Much, and What Should You Do?<\/a><ul><li><a href=\"#XMLRPC_Uzerinden_Yapilan_Saldirilar\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Attacks Carried Out via XML-RPC<\/a><\/li><li><a href=\"#XMLRPCyi_Tamamen_Kapatabilir_misiniz\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Can You Turn XML-RPC Off Completely?<\/a><\/li><li><a href=\"#XMLRPC_Icin_Pratik_Koruma_Katmanlari\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Practical Protection Layers for XML-RPC<\/a><\/li><\/ul><\/li><li><a href=\"#Tum_Bilesenleri_Bir_Araya_Getirmek_Ornek_Giris_Mimarileri\"><span class=\"toc_number toc_depth_1\">7<\/span> Bringing All the Components Together: Example Login Architectures<\/a><ul><li><a href=\"#Senaryo_1_Kucuk_Isletme_Sitesi_Paylasimli_Hosting_Uzerinde_WordPress\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Scenario 1: Small Business Site (WordPress on Shared Hosting)<\/a><\/li><li><a href=\"#Senaryo_2_WooCommerce_Magazasi_VPS_Uzerinde_Nginx_PHPFPM\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Scenario 2: WooCommerce Store (Nginx + PHP-FPM on a VPS)<\/a><\/li><li><a href=\"#Senaryo_3_Ajans_veya_Multi-Site_Yapi_Tek_Sunucuda_Onlarca_WordPress\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Scenario 3: Agency or Multi-Site Setup (Dozens of WordPress Sites on One Server)<\/a><\/li><\/ul><\/li><li><a href=\"#Sunucu_ve_Panel_Katmanini_Unutmayin\"><span class=\"toc_number toc_depth_1\">8<\/span> Don't Forget the Server and Panel Layer<\/a><\/li><li><a href=\"#Ozet_ve_Sonraki_Adimlar_Giris_Kapinizi_Gercekten_Kapatmak\"><span class=\"toc_number toc_depth_1\">9<\/span> Summary and Next Steps: Really Closing Your Login Door<\/a><\/li><\/ul><\/div>\n<h2><span id=\"WordPress_Giris_Ekrani_Neden_En_Kritik_Saldiri_Noktaniz\">Why Is the WordPress Login Screen Your Most Critical Attack Point?<\/span><\/h2>\n<p>In the great majority of WordPress sites, attacks start in the same place: the <strong>login screen<\/strong>. wp-login.php, \/wp-admin\/ and the XML-RPC endpoint are like doors that botnets and automated tools probe constantly. 
Password guessing attacks, login attempts with stolen credentials and bulk brute-force requests over XML-RPC are the classic cases seen in almost every site's logs.<\/p>\n<p>While reviewing the logs of hundreds of WordPress sites at DCHost, we keep seeing the same picture: several times the normal visitor traffic in wp-login.php and xmlrpc.php requests. Moreover, a significant share of these requests come not from real users but from bots whose IPs change frequently. No matter how strong your password is, relying on the password alone is not enough today. What we need is a <strong>multi-layered secure login architecture<\/strong>.<\/p>\n<p>In this article we will design a practical but solid login security setup for WordPress. The focus is on four core components: <strong>Two-Factor Authentication (2FA)<\/strong>, <strong>IP restriction<\/strong>, <strong>reCAPTCHA \/ bot protection<\/strong> and <strong>XML-RPC hardening<\/strong>. We will not just explain them one by one; at the end we will bring them all together and walk through architecture examples that apply to everything from small business sites to high-traffic WooCommerce stores.<\/p>\n<h2><span id=\"Guvenli_Giris_Mimarisi_Nasil_Dusunulmeli\">How Should a Secure Login Architecture Be Thought Through?<\/span><\/h2>\n<p>Secure login is not a single setting or plugin; it is, in the full sense of the word, an <strong>architecture<\/strong> question. 
A good architecture should have a few basic properties:<\/p>\n<ul>\n<li>It should be <strong>multi-layered<\/strong> (when one barrier is broken, the system should not fall).<\/li>\n<li>It should not completely destroy the <strong>user experience<\/strong> (a real user who keeps getting blocked comes to hate security).<\/li>\n<li>It should be <strong>manageable<\/strong> (you must be able to update IP lists, 2FA rules and captcha settings).<\/li>\n<li>It should be <strong>compatible with your server infrastructure<\/strong> (on <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, a <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> or a dedicated server you have different options available).<\/li>\n<\/ul>\n<p>The successful WordPress setups we see on DCHost infrastructure share a common approach: login security is not left to WordPress plugins alone but is handled together with the <strong>server layer<\/strong> (web server, WAF, firewall, fail2ban, etc.). 
If you are looking for a broader checklist that expands on this approach, you can also review our <a href=\"https:\/\/www.dchost.com\/blog\/wordpress-guvenlik-sertlestirme-kontrol-listesi-dosya-izinleri-salt-keys-xml-rpc-ufw-fail2ban-nasil-tatli-tatli-kurulur\/\">WordPress security hardening checklist<\/a>.<\/p>\n<h2><span id=\"Iki_Faktorlu_Dogrulama_2FA_Paroladan_Sonraki_Ilk_Gercek_Bariyer\">Two-Factor Authentication (2FA): The First Real Barrier After the Password<\/span><\/h2>\n<p>2FA means asking for two different proofs at login: <em>something you know<\/em> (the password) + <em>something you have<\/em> (a phone app, a hardware key, SMS, etc.). On the WordPress side, this is one of the most important layers: even if an administrator's password is compromised, it makes it much harder for the attacker to actually use the account.<\/p>\n<h3><span id=\"WordPress_Icin_2FA_Turleri\">2FA Types for WordPress<\/span><\/h3>\n<p>In general we see three kinds of 2FA approach in WordPress:<\/p>\n<ul>\n<li><strong>TOTP-based apps<\/strong>: one-time codes that change every 30 seconds, generated by Google Authenticator, Authy, 1Password and the like. One of the most practical and secure methods.<\/li>\n<li><strong>SMS \/ e-mail codes<\/strong>: easy, but because of the security weaknesses of SMS and the possibility of e-mail delays, generally recommended only as a backup channel.<\/li>\n<li><strong>WebAuthn \/ FIDO2 keys<\/strong>: verification with a security key (YubiKey, etc.) or the device's biometric sensors. 
It is a very strong solution in enterprise environments.<\/li>\n<\/ul>\n<h3><span id=\"2FAyi_Kimler_Icin_Zorunlu_Kilmalisiniz\">For Whom Should You Make 2FA Mandatory?<\/span><\/h3>\n<p>In the real world, making 2FA mandatory for every user is sometimes impractical. That is why it makes sense to develop a role-based strategy:<\/p>\n<ul>\n<li><strong>Administrator<\/strong>: 2FA must be mandatory, without exception.<\/li>\n<li><strong>Editor and Shop Manager<\/strong>: 2FA recommended, and mandatory where possible, for everyone with authority over content and orders.<\/li>\n<li><strong>Customer \/ Subscriber<\/strong>: can be left optional, but recommended in areas that require high security (e.g. a B2B portal).<\/li>\n<\/ul>\n<p>Many security plugins and 2FA solutions support role-based 2FA policies. That way you can raise security while keeping the support burden at a reasonable level.<\/p>\n<h3><span id=\"2FA_Kurulurken_Sik_Yapilan_Hatalar\">Common Mistakes When Setting Up 2FA<\/span><\/h3>\n<ul>\n<li><strong>Not generating backup codes<\/strong>: we have seen many administrators locked out of their site when their phone broke or the app was deleted and there were no backup codes. 
During the initial setup, always collect the backup codes and store them somewhere safe.<\/li>\n<li><strong>Using the same device for all admins<\/strong>: verifying all admin accounts with a single phone becomes a serious risk as the team grows.<\/li>\n<li><strong>Overusing the \u201cRemember this device\u201d feature<\/strong>: setting a very long remember period reduces the effectiveness of 2FA.<\/li>\n<\/ul>\n<p>Even on its own, 2FA raises login security dramatically. But once you consider bots, brute-force attempts and network-level risks, remember that this is only the first step.<\/p>\n<h2><span id=\"IP_Kisitlama_Yonetici_Paneline_Kim_Nereden_Ulasabilir\">IP Restriction: Who Can Reach the Admin Panel, and From Where?<\/span><\/h2>\n<p>2FA protects the user account; IP restriction <strong>narrows the login surface<\/strong>. 
Especially when only a few people access the admin panel, IP restriction is an enormously effective method.<\/p>\n<h3><span id=\"IP_Kisitlama_Senaryolari\">IP Restriction Scenarios<\/span><\/h3>\n<ul>\n<li><strong>Office\/home with a static IP<\/strong>: \/wp-admin and wp-login.php are made reachable only from specific IPs.<\/li>\n<li><strong>Access over VPN<\/strong>: employees first connect to the corporate VPN, and the admin panel is reachable only from that VPN network.<\/li>\n<li><strong>Country\/city-based restriction<\/strong>: if your site is entirely Turkey-focused, you can allow access to the login endpoint only from Turkish IPs.<\/li>\n<\/ul>\n<p>If you run your own VPS on DCHost, you can write quite flexible IP restriction rules in the Nginx\/Apache configuration or in the server firewall (ufw, firewalld, iptables\/nftables). 
Our <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-nasil-saglanir-kapiyi-acik-birakmadan-yasamanin-sirri\/\">VPS server security guide<\/a>, which covers this topic from the perspective of overall server access, can also point the way.<\/p>\n<h3><span id=\"WordPresste_Basit_IP_Kisitlama_Ornekleri\">Simple IP Restriction Examples in WordPress<\/span><\/h3>\n<p>On a WordPress site running on Apache, restricting access to wp-login.php via .htaccess is a common method:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Serve the login form only to the listed admin IPs; every other client gets a 403\n# Order, Deny and Allow are Apache 2.2-style directives; on Apache 2.4 they need\n# mod_access_compat (the native 2.4 equivalent is: Require ip 1.2.3.4 5.6.7.8)\n&lt;Files wp-login.php&gt;\n  Order Deny,Allow\n  Deny from all\n  Allow from 1.2.3.4\n  Allow from 5.6.7.8\n&lt;\/Files&gt;\n<\/code><\/pre>\n<p>On the Nginx side, you can define location-based allow\/deny rules with the same logic. In more advanced setups, the combination of <strong>fail2ban + Nginx rate limiting<\/strong> gives you both IP restriction and automatic blocking at the moment of an attack. Be sure to take a look at our <a href=\"https:\/\/www.dchost.com\/blog\/nginx-rate-limiting-ve-fail2ban-ile-wp-login-php-ve-xml-rpc-brute-force-saldirilarini-nasil-saksiya-alirsin\/\">Nginx rate limiting and fail2ban guide<\/a>, where we describe this setup in detail.<\/p>\n<h3><span id=\"Dinamik_IP_Kullanicilarinda_IP_Kisitlama_Nasil_Yonetilir\">How to Manage IP Restriction for Users with Dynamic IPs<\/span><\/h3>\n<p>Many businesses do not use static IPs; team members connect from home or over mobile internet. 
In that case two approaches stand out:<\/p>\n<ul>\n<li><strong>Country-based filter + 2FA instead of a narrow IP whitelist<\/strong>: sensible, especially if you serve a single country.<\/li>\n<li><strong>Setting up a small VPN infrastructure<\/strong>: you allow access to the admin panel only from the IP block assigned to the VPN network.<\/li>\n<\/ul>\n<p>On DCHost, it is entirely feasible to set up a small WireGuard\/OpenVPN installation on your own VPS and route WordPress admin traffic over the VPN. You can then allow only that VPN IP range on the web server and block all other admin requests.<\/p>\n<h2><span id=\"reCAPTCHA_ve_Bot_Korumasi_Brute-Force_Trafigini_Erken_Elemek\">reCAPTCHA and Bot Protection: Filtering Out Brute-Force Traffic Early<\/span><\/h2>\n<p>reCAPTCHA, invisible captcha, hCaptcha and similar solutions are services that try to <strong>tell humans and bots apart<\/strong>. In WordPress, applying them to the following forms in particular is critical:<\/p>\n<ul>\n<li>Login form (wp-login.php)<\/li>\n<li>Registration form (user registration)<\/li>\n<li>Password reset form<\/li>\n<li>Contact and comment forms<\/li>\n<\/ul>\n<p>If 2FA and IP restriction are in place, you can think of the captcha mostly as a <strong>\u201cnoise reducer\u201d<\/strong>. 
The vast majority of bots, when they cannot get past the captcha, immediately move on to another target.<\/p>\n<h3><span id=\"Hangi_reCAPTCHA_Surumu_Hangi_Senaryoda\">Which reCAPTCHA Version, in Which Scenario?<\/span><\/h3>\n<ul>\n<li><strong>reCAPTCHA v2 (the \u201cI'm not a robot\u201d checkbox)<\/strong>: the most common; sometimes shows the user an image challenge.<\/li>\n<li><strong>reCAPTCHA v2 invisible<\/strong>: less conspicuous; shows a challenge only in suspicious cases.<\/li>\n<li><strong>reCAPTCHA v3<\/strong>: scores the user without showing a challenge. You need to set your own score thresholds.<\/li>\n<\/ul>\n<p>At critical points like the login form, it is important to balance user experience against security. Sometimes the invisible reCAPTCHA + 2FA combination offers a good middle ground in terms of both usability and security.<\/p>\n<h3><span id=\"Captcha_Ayarlarinda_Dikkat_Edilmesi_Gerekenler\">Things to Watch Out for in Captcha Settings<\/span><\/h3>\n<ul>\n<li><strong>You do not have to put it on every form<\/strong>: especially if you already use IP restriction and 2FA for administrators, the extra captcha can be enabled only in rare cases.<\/li>\n<li><strong>False positives<\/strong>: some users constantly getting caught by the captcha can cost you conversions; pay particular attention to this in the registration or checkout flow.<\/li>\n<li><strong>Performance and privacy<\/strong>: third-party scripts affect page load time. 
You may also need to update your cookie and tracking policies on the KVKK \/ GDPR side.<\/li>\n<\/ul>\n<p>Captcha is not a miracle cure on its own; but combined with 2FA and IP restriction it raises attackers' costs considerably and deters most of them before they even reach the login door.<\/p>\n<h2><span id=\"XMLRPC_Neden_Bu_Kadar_Saldiri_Aliyor_ve_Ne_Yapmalisiniz\">Why Does XML-RPC Get Attacked So Much, and What Should You Do?<\/span><\/h2>\n<p><strong>xmlrpc.php<\/strong> is an old interface that WordPress uses for remote management, pingbacks, some mobile apps and integrations. As the REST API has become widespread, the real need for XML-RPC has declined, but unfortunately its importance as an attack surface has grown.<\/p>\n<h3><span id=\"XMLRPC_Uzerinden_Yapilan_Saldirilar\">Attacks Carried Out via XML-RPC<\/span><\/h3>\n<ul>\n<li><strong>Brute-force multi-call attacks<\/strong>: dozens of username\/password combinations can be tried within a single request, which makes this more efficient than classic wp-login.php brute force.<\/li>\n<li><strong>DDoS amplification<\/strong>: the pingback feature can be used to attack other sites.<\/li>\n<li><strong>Information disclosure<\/strong>: in some misconfigurations it can lead to extra information about the system being exposed.<\/li>\n<\/ul>\n<h3><span id=\"XMLRPCyi_Tamamen_Kapatabilir_misiniz\">Can You Turn XML-RPC Off Completely?<\/span><\/h3>\n<p>If you do not use any of the following, turning XML-RPC off 100% is usually 
safe and sensible:<\/p>\n<ul>\n<li>Old WordPress mobile apps<\/li>\n<li>Some remote publishing tools<\/li>\n<li>Custom integrations that depend on XML-RPC<\/li>\n<\/ul>\n<p>On most modern sites these features are not in use, so blocking xmlrpc.php does not cause serious side effects. If you are not sure, first review the logs and analyse the source and purpose of the requests reaching xmlrpc.php. You will see that the great majority of requests to this file are attack traffic anyway.<\/p>\n<h3><span id=\"XMLRPC_Icin_Pratik_Koruma_Katmanlari\">Practical Protection Layers for XML-RPC<\/span><\/h3>\n<ul>\n<li><strong>Server-level blocking<\/strong>: closing access to xmlrpc.php completely in the Nginx\/Apache configuration, or allowing only specific IPs\/countries.<\/li>\n<li><strong>WAF \/ ModSecurity rules<\/strong>: blocking suspicious requests arriving over XML-RPC on a signature basis.<\/li>\n<li><strong>fail2ban integration<\/strong>: automatically banning IPs that repeatedly fail logins over XML-RPC.<\/li>\n<\/ul>\n<p>XML-RPC is a topic that deserves its own heading in WordPress security hardening. 
We also covered managing this file in detail in our <a href=\"https:\/\/www.dchost.com\/blog\/wordpress-guvenlik-sertlestirme-kontrol-listesi-dosya-izinleri-salt-keys-xml-rpc-ufw-fail2ban-nasil-tatli-tatli-kurulur\/\">security hardening checklist<\/a>; when you apply the recommendations there together with your server-side firewall and WAF settings, you will see XML-RPC-related noise drop considerably.<\/p>\n<h2><span id=\"Tum_Bilesenleri_Bir_Araya_Getirmek_Ornek_Giris_Mimarileri\">Bringing All the Components Together: Example Login Architectures<\/span><\/h2>\n<p>To turn theory into practice, let's go through a few realistic scenarios. The examples here are based on the WordPress usage patterns we frequently see on DCHost.<\/p>\n<h3><span id=\"Senaryo_1_Kucuk_Isletme_Sitesi_Paylasimli_Hosting_Uzerinde_WordPress\">Scenario 1: Small Business Site (WordPress on Shared Hosting)<\/span><\/h3>\n<p>Situation: a small business has a corporate site and a simple blog. 
There are 1 to 2 administrators, no static IP, and the site is on shared hosting.<\/p>\n<p>Recommended login architecture:<\/p>\n<ul>\n<li><strong>2FA<\/strong>: TOTP-based 2FA mandatory for all administrator accounts.<\/li>\n<li><strong>IP restriction<\/strong>: since there is no static IP, country-based restriction + the brute-force protection in the security plugin is active.<\/li>\n<li><strong>reCAPTCHA<\/strong>: invisible reCAPTCHA added to the login form and the password reset form.<\/li>\n<li><strong>XML-RPC<\/strong>: completely closed, since it is not used.<\/li>\n<\/ul>\n<p>In this scenario, even if you cannot write very advanced firewall rules at the server layer, you can still make login security quite strong with plugins inside WordPress alone. You should nevertheless take logging, backups and panel access seriously. Reading <a href=\"https:\/\/www.dchost.com\/blog\/paylasimli-hostingde-wordpress-guvenligi-eklentiler-waf-2fa-ve-yedekler\/\">this guide<\/a>, where we cover WordPress security on shared hosting more generally, will make your job easier.<\/p>\n<h3><span id=\"Senaryo_2_WooCommerce_Magazasi_VPS_Uzerinde_Nginx_PHPFPM\">Scenario 2: WooCommerce Store (Nginx + PHP-FPM on a VPS)<\/span><\/h3>\n<p>Situation: a high-traffic WooCommerce store sees intense login attempts and bot traffic during campaign periods. 
The site runs on a VPS on DCHost, either managed or administered by you.<\/p>\n<p>Recommended login architecture:<\/p>\n<ul>\n<li><strong>2FA<\/strong>: mandatory on all administrator and shop manager accounts; optional for customers.<\/li>\n<li><strong>IP restriction<\/strong>: \/wp-admin and wp-login.php reachable only from specific admin IP blocks; a 403 is returned for all other IPs.<\/li>\n<li><strong>reCAPTCHA<\/strong>: invisible reCAPTCHA on the login and registration forms; on the checkout page the flow is kept as simple as possible, with a challenge only in suspicious cases if needed.<\/li>\n<li><strong>XML-RPC<\/strong>: closed at the server level; opened to specific IPs only if required.<\/li>\n<li><strong>Rate limiting + fail2ban<\/strong>: the request rate for wp-login.php and XML-RPC is limited; IPs that send many requests in a short time are banned automatically.<\/li>\n<\/ul>\n<p>In this scenario you can now place rules not only inside WordPress but directly <strong>on the web server and the firewall<\/strong>. That lets you stop attacks <em>before they even reach the application layer<\/em>. 
We also recommend considering our <a href=\"https:\/\/www.dchost.com\/blog\/wordpress-icin-sunucu-tarafi-optimizasyon-php-fpm-opcache-redis-ve-mysql-ile-neyi-ne-zaman-nasil-ayarlamalisin\/\">server-side optimisation guide<\/a>, which covers the whole stack from PHP-FPM settings to MySQL optimisation for high-traffic WordPress \/ WooCommerce sites, together with this architecture.<\/p>\n<h3><span id=\"Senaryo_3_Ajans_veya_Multi-Site_Yapi_Tek_Sunucuda_Onlarca_WordPress\">Scenario 3: Agency or Multi-Site Setup (Dozens of WordPress Sites on One Server)<\/span><\/h3>\n<p>Situation: an agency or a large business hosts dozens of WordPress sites on a single VPS or <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated server<\/a>. Each site has several administrators.<\/p>\n<p>Recommended login architecture:<\/p>\n<ul>\n<li><strong>Central policy<\/strong>: mandatory 2FA on all sites, minimum password standards and a security plugin policy are defined.<\/li>\n<li><strong>Server-level protection<\/strong>: global wp-login.php and xmlrpc.php protection rules in Nginx\/Apache + fail2ban filters are defined.<\/li>\n<li><strong>IP restriction<\/strong>: panel access is more flexible for the agency's internal IP blocks and stricter for external IPs.<\/li>\n<li><strong>reCAPTCHA<\/strong>: mandatory especially on sites with a spam threat (blogs, portals); on plain corporate sites, only as much as needed.<\/li>\n<\/ul>\n<p>For such setups, <strong>backups and disaster scenarios<\/strong> are as critical as login security. You have to not only block the attack but also recover quickly in the event of a breach. 
At this point, be sure to plan your login security architecture together with our <a href=\"https:\/\/www.dchost.com\/blog\/wordpress-yedekleme-stratejileri-paylasimli-hosting-ve-vpste-otomatik-yedek-ve-geri-yukleme\/\">WordPress backup strategies guide<\/a>.<\/p>\n<h2><span id=\"Sunucu_ve_Panel_Katmanini_Unutmayin\">Don't Forget the Server and Panel Layer<\/span><\/h2>\n<p>No matter how good your WordPress login security is, if the <strong>hosting panel account and the server<\/strong> it lives on are weak, an attacker can get in through a different door. If you do not use password + 2FA on your cPanel \/ DirectAdmin account, an attacker who has taken over FTP or panel access can bypass all of your WordPress security layers.<\/p>\n<p>Therefore:<\/p>\n<ul>\n<li>Always use <strong>2FA and IP restriction<\/strong> on your hosting panel.<\/li>\n<li>On VPSes with SSH access, log in with an <strong>SSH key<\/strong>, not a password.<\/li>\n<li>Keep your server firewall (ufw\/firewalld\/nftables) active and tight.<\/li>\n<\/ul>\n<p>We particularly recommend reading this together with our <a href=\"https:\/\/www.dchost.com\/blog\/cpanel-hesap-guvenligi-sertlestirme-rehberi-2fa-ip-kisitlama-ve-yetki-yonetimi\/\">cPanel account security hardening guide<\/a> and our <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/\">VPS server security article<\/a>, where we handle the topic from a general account security perspective, independent of the application (WordPress) layer.<\/p>\n<h2><span id=\"Ozet_ve_Sonraki_Adimlar_Giris_Kapinizi_Gercekten_Kapatmak\">Summary and Next Steps: Really Closing Your Login Door<\/span><\/h2>\n<p>Building a secure login architecture in WordPress is not a one-off setting; it is <strong>a discipline that needs to be embedded in your company's security policy<\/strong>. In this article we covered four cornerstones:<\/p>\n<ul>\n<li>Protecting user accounts with a strong second barrier via <strong>2FA<\/strong>,<\/li>\n<li>Narrowing the people and networks that can reach the admin door via <strong>IP restriction<\/strong>,<\/li>\n<li>Filtering out noisy bot traffic at an early stage via <strong>reCAPTCHA \/ bot protection<\/strong>,<\/li>\n<li>Bringing a frequently used attack surface under control via <strong>XML-RPC hardening<\/strong>.<\/li>\n<\/ul>\n<p>The practical steps you can take could look like this:<\/p>\n<ol>\n<li>Within the first day: make 2FA mandatory on all admin accounts, review the requests reaching xmlrpc.php in the logs and close it if needed.<\/li>\n<li>Within the first week: settle on your IP restriction scenario (static IP, VPN or country-based filter) and enable reCAPTCHA at least on the login + password reset forms.<\/li>\n<li>Within the first month: complete your login architecture with the server firewall, fail2ban, WAF rules and a backup strategy.<\/li>\n<\/ol>\n<p>At DCHost, we keep producing both the infrastructure and architecture guides like this one so that WordPress sites run not just fast but also <strong>securely<\/strong>. 
If you want to review your existing site's login security, move from shared hosting to a more isolated VPS or dedicated architecture, or plan a multi-site setup for your agency, we would be glad to analyse your current situation together with you and design a WordPress secure login architecture that suits you.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Why Is the WordPress Login Screen Your Most Critical Attack Point?2 How Should a Secure Login Architecture Be Thought Through?3 Two-Factor Authentication (2FA): The First Real Barrier After the Password3.1 2FA Types for WordPress3.2 For Whom Should You Make 2FA Mandatory?3.3 Common Mistakes When Setting Up 2FA4 IP Restriction: Who Can Reach the Admin Panel, and From Where?4.1 IP Restriction Scenarios4.2 Simple IP Restriction Examples in WordPress4.3 How to Manage IP Restriction for Users with Dynamic 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4543,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-4542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=4542"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4542\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/4543"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=4542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=4542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=4542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}