Sorry, you are not allowed to access this page - wordpress

I realize there are other threads on this topic, but their solutions and problems are different from mine.
I'm able to log in to wp-admin correctly.
All seems normal, but the ability to add a plugin, theme or anything else has been wiped.
You can look at plugins but there is no way to add a new one.
The same goes for widgets and themes.
Also, you can't access things like update core.
You just get a default message:
Sorry, you are not allowed to access this page.
I've checked the MySQL database and all seems fine with the user_meta and users.
I've deleted all plugins.
I've deleted all themes.
There is no issue with WP memory.
It's basically just a default install of WordPress at this point.
I'm not sure what could be causing this.
Any suggestions?

Related

Wordpress site switched to displaying Posts for no apparent reason

I have a site with a static home page which is just one of the pages. I've been working on the site for several weeks. Today, when I went to clear the cache to see if some links were updated, the home page switched to displaying Posts (which is the other setting under Settings->Reading). I went to settings and sure enough, display Posts is checked. No one else that I know of has the password to this site. Does anyone know why this happened or how I can prevent it from happening again?
There are so many variables to consider, but it has to be a direct database manipulation. So:
Someone did in fact change it, but no one knows who
A plugin or theme changed it. Unlikely, but certainly possible. Search your plugins/theme changelog and/or support threads for similar reported issues
One thing you could do is install the plugin Stream. This logs all (well, nearly every) database manipulation and tells you when, where, and who. This way, if it happens again, you can immediately pinpoint it.

Wordpress login with true username & password failed

I am managing a WordPress site. Recently, I have had trouble with the login system. Even though I give the right username and password, it gives me the login page again and again, instead of redirecting me to the dashboard.
The solution that I usually use is dropping all the tables in the database and importing them again. It temporarily fixes the problem. But the problem still has the possibility to exist.
Does anybody know what the problem exactly is?
A WordPress login issue where you have a 100% correct username and password, and it does not give you a username/password incorrect error, but it just takes you back to the login form, is mostly due to some security measure by some plugin or theme. Most probably a plugin; it could be JetPack's security feature, or any other security plugin like Bulletproof Security Plugin & AIO Security (as was the case in OP's situation).
To find out whether it is a plugin, and which plugin, I suggest a quick workaround: FTP/SSH to your server, rename the plugins folder to plugins-old, and create a new blank folder named plugins for now. Then try to log in. If you can log in perfectly this time, then it is some plugin, most probably a security-related plugin. You can then go back to FTP and restore the plugins folder, and you will have to activate/disable the plugins one by one to see which plugin might be the issue.
I have faced this issue many times in the past and above approach has always helped me get it fixed.

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything - a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you buy the license of Bulletproof, or use the free version + one of the others. And be careful for the equal settings.
The most common attacks are SQL injection, XSS, plugin exploits and of course brute-forcing the admin pass. You should upgrade every plugin and WordPress every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the url, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
It is also important to use an admin username different from admin or Admin. And use strong passwords. It's a good practice, when you make a new WordPress installation, to create two more users. The first will be an Author and will post everything on the site; the second you should make with the Administrator role. After that, delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access again. So in this case your admin will be with id:3, and again, don't use a username like admin etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
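The comparison this answer describes can be automated. The following is an added example, not code from the answer or from WordPress: it assumes a pristine copy of the same WordPress version has been extracted next to the site, and the function names (`audit`, `demo`) and the sample trees are constructed for illustration.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

# PHP require/include (optionally _once, optionally @-silenced) at line start.
INCLUDE_RE = re.compile(r"^\s*@?\s*(require|include)(_once)?\b", re.I)

def sha256(p):
    return hashlib.sha256(p.read_bytes()).hexdigest()

def includes(p):
    text = p.read_text(errors="replace")
    return {ln.strip() for ln in text.splitlines() if INCLUDE_RE.match(ln)}

def audit(site, clean, local=("wp-config.php", ".htaccess")):
    """Compare root and wp-admin (top level only) with a pristine core tree.
    `local` lists site-specific root files that no release archive ships."""
    site, clean = Path(site), Path(clean)
    rep = {"unexpected": [], "modified": [], "added_includes": {}}
    for sub in (".", "wp-admin"):
        for f in sorted((site / sub).iterdir()):
            rel = f.relative_to(site).as_posix()
            if not f.is_file() or rel in local:
                continue
            ref = clean / rel
            if not ref.is_file():
                rep["unexpected"].append(rel)       # not part of core
            elif sha256(f) != sha256(ref):
                rep["modified"].append(rel)         # core file was altered
                extra = includes(f) - includes(ref)
                if extra:
                    rep["added_includes"][rel] = sorted(extra)
    return rep

def demo():
    """Constructed sample trees; file contents are placeholders, not malware."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        (clean / "wp-admin").mkdir(parents=True)
        (clean / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (clean / "wp-admin/index.php").write_text("<?php\nrequire_once __DIR__ . '/admin.php';\n")
        (clean / "wp-admin/admin.php").write_text("<?php // core file\n")
        shutil.copytree(clean, site)
        (site / "index.php").write_text("<?php\n@include 'x/placeholder.php';\n"
                                        "require __DIR__ . '/wp-blog-header.php';\n")
        for name in ("admin.php", "dm.php", "wp-admin/buddy.zip", "wp-config.php"):
            (site / name).write_text("placeholder")
        return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

In the sample, `admin.php` in the site root is reported as unexpected while `wp-admin/admin.php` is not, which is why the comparison is done against the core tree rather than by file name alone. Files listed in `local` are skipped by the comparison and still need a manual review.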

Can Wordpress automatic update harm my website?

Recently I got to know that my WordPress site is automatically updating itself when a new version of WordPress is available. I know that this automatic feature has been available in WordPress since some time back. But I have some questions about this:
1) Can this be risky in any case?
2) Doesn't it matter how we have installed WordPress? (e.g. plugins and security settings)
3) Does WordPress have a way to recover our website if anything happens?
4) Don't they keep any backup before doing the update?
Could you please give me your answers to the above?
I'll answer each of your questions to the best of my knowledge:
1) Can this be risky in any case?
The automatic updates are mostly security updates. Though you can never be 100% sure it doesn't break anything, security updates don't deprecate functions or change much on how the CMS works. This means that nearly every plugin and theme can still use the same functions without issue.
2) Doesn't it matter how we have installed WordPress? (e.g. plugins and security settings)
This of course matters, to some extent. But if a site is working in WordPress 3.8.3, it will still work in WordPress 3.8.4. If a site however uses functions that will be deprecated, you might have problems when upgrading from 3.8 to 3.9. However, major updates aren't done automatically, and still need to be done manually, giving you the opportunity to make a backup beforehand.
3) Does WordPress have a way to recover our website if anything happens?
No, it doesn't. You CAN however turn off the automatic updates. But, as stated at question 1, the risks aren't very big with the security updates.
4) Don't they keep any backup before doing the update?
No they don't. It is your own responsibility to keep backups of your website.
I hope this answers your questions. If something is unclear, please let me know in the comments, and I'll look into it for you.
If your themes and plugins use functions from the Codex then I think you are much safer. Make sure the plugins and themes get directories and URIs through functions defined by the Codex. What I mean to say is:
use: get_template_directory_uri();
instead of xyz.com/wp-content/themes or even home_url('/wp-content/themes'); and other things like that.
Yes, sometimes it can create a mess and it won't allow the admin to log in.
The most common questions asked are:
Can't login after automatic update
login failed after wordpress update.
Here is a very quick fix for all of them.
http://onl9class.com/solved-cant-login-after-wordpress-update/
Here are the answers to all of your questions; please check below:
1. Can this be risky in any case?
Automatic updates are good for security purposes, but sometimes they will break functionality on our website because some plugin developers will not update their own code according to WP updates, so it would be good to manually update everything after checking the plugins' compatibility with the new version.
2. Doesn't it matter how we have installed WordPress?
No, it always matters, because sometimes WordPress core developers change functions and they will be deprecated in the new version, so it would be good to always take a backup of the website and do the updates manually.
3. Does WordPress have a way to recover our website if anything happens?
No, but you can install a WP plugin and schedule it to take a backup each week, so you can at least get the latest backup of the website. I always use the backup plugin on my websites.
4. Don't they keep any backup before doing the update?
No, they don't take a backup of the website, but WP always shows a notification when you start an update asking you to take a backup.
Thanks

How to delete all plugin references in database?

How does one completely remove a plugin from WordPress?
I have deleted the plugin via WordPress admin and then reinstalled, problem persists.
I see 8 records in cmsoptions table referencing the offending plugin. Since WP Admin drags to a grinding crawl with the plugin active, and for weeks the plugin was working just fine, I have to conclude that the problem exists due to the plugin references in the DB.
If anyone has the inside word on completely obliterating a plugin from WP, please do share.
The options API (http://codex.wordpress.org/Options_API) is open to the plugin to store whatever data it wishes (under whatever name it wishes). You'd have to search the plugin code to see what it is storing (and how) in order to get rid of the offending data.
The issue isn't with WordPress, it's with the plugin. WordPress is a framework and can't take responsibility for whatever gets built on top of it (ie plugins). It's like blaming a hammer for a poorly built house.
