My friend asked me to help him with his site on WordPress; he lost the wp-admin panel password.
But he didn't lose the MySQL login information, so first I thought about changing the password right through phpMyAdmin. I got into phpMyAdmin and saw that the password looks a little bit strange, like this: $P$BUKCBYLJ.MmLPqlzZTw4P/rLnR.omZ.
This article helped me create a password that looks the same as the passwords that already existed in the MySQL db, so I put it in my admin's user_pass field.
But I'm still unable to log in.
Actually, when I try to access /wp-admin/, I see no standard WordPress login page.
I see this
And when i fail to log in it gives me 401 and shows this page
Is it ok? What is the difference between the situations when the standard login page shows and when this authentication alert box shows?
Anyway, all I can think of is:
1) The online password hasher gives me the wrong password,
2) You see, this authentication box says "please use your control panel password", so I think the site uses some other passwords, not the passwords that are in its db. Is it possible?
Thanks in advance!
You are seeing a Basic HTTP Authentication prompt, which is not part of WordPress - it is being sent by your webserver (likely Apache or Nginx). This provides an additional layer of security against brute force attacks as you need to "log in" to the web server before you can authenticate against WordPress.
The passwords for Basic Authentication are typically stored in .htpasswd files, and defined either in an .htaccess file or your webserver's configuration. Refer to this guide for some more information on how this is set up.
You will need to reset the Basic Authentication password in the .htpasswd file, or remove it entirely, before you can log into WordPress. Once you access the WordPress login prompt you can use the password that you have set for the user you want to log in as. Options for resetting your WordPress password via SQL, phpMyAdmin, FTP, and the WP CLI can be found in the article Resetting Your Password on the WordPress site.
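The $P$ string the asker saw in user_pass is a phpass "portable" hash, the format WordPress stores for its users. The Python below is an added example written for this page (not WordPress's or phpass's own code; function names are mine) that reproduces that format, so a replacement hash for the wp_users row can be generated and checked locally rather than by handing the new password to an online hasher.

```python
import hashlib
import hmac
import secrets
# phpass "portable" hash, the $P$ format WordPress stores in wp_users.user_pass.
# Added illustration for this page, not WordPress's or phpass's own code.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def _encode64(data: bytes) -> str:
    """phpass's own base-64 variant (not RFC 4648): 16 digest bytes -> 22 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Hash `password` under `setting` (first 12 chars of a stored hash: '$P$',
    one cost char, 8 salt chars). Returns '' if the setting is not a $P$ hash."""
    if len(setting) < 12 or setting[:3] not in ('$P$', '$H$'):
        return ''
    count_log2 = ITOA64.find(setting[3])     # cost char: 'B' -> 13 -> 8192 rounds
    if count_log2 < 7 or count_log2 > 30:
        return ''
    pw = password.encode('utf-8')
    digest = hashlib.md5(setting[4:12].encode('utf-8') + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def new_wp_hash(password: str, count_log2: int = 13) -> str:
    """Fresh hash with a random salt; 13 ('B') is the cost WordPress emits."""
    salt = ''.join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_hash(password, '$P$' + ITOA64[count_log2] + salt)

def check_password(password: str, stored: str) -> bool:
    """Re-derive and compare in constant time, as WordPress does via hash_equals()."""
    candidate = phpass_hash(password, stored[:12])
    return bool(candidate) and hmac.compare_digest(candidate.encode(), stored.encode())
```

A 34-character value from new_wp_hash() can be written straight into user_pass; the stored salt and cost live in its first 12 characters, which is why check_password() only needs the stored string.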
I have lost the administrator password; due to multiple tries the email got blocked. I have added a new Administrator to the Database using SQL Queries and I am able to log in, but I am unable to see the dashboard.
See here
WordPress didn't show the option to visit the dashboard; it shows the username and logout option, nothing else.
You can change the password of your old admin. Go to the wp_user table in the database and change the admin password there.
I have been performing penetration testing on a stock WordPress install. A persistence concern I see is that WP stores cleartext passwords within the browser memory.
To reproduce:
1) Log in to WordPress and then log back out. Close that particular tab, but keep Chrome open.
2) Create a dump file of the browser memory.
3) Open the dump file and search for the password; you will then see it present in clear text.
How can I prevent this from happening?
Regardless of the context of someone actually viewing the password this way, the use of a cleartext password cannot be good practice?
Ref: https://cwe.mitre.org/data/definitions/316.html
"How can I prevent this from happening?"
This is not a WordPress issue, as WordPress doesn't control the client's garbage collection. The password would disappear in a short time, when the JavaScript engine is available for this task.
"the use of a cleartext password cannot be good practice?"
The browser is passing the clear text password to WordPress; this is how username-password authentication (also called basic authentication) works.
I've got a production site with three users, two of which are admins. None are able to log in with their password; they get "Sorry, unrecognized username or password. Have you forgotten your password?" We ARE able to log in by requesting a new password and getting a temporary login key, so I'm able to access the administration pages and look at the unhelpful logs, but of course this is not sustainable.
I've tried:
logging in on various devices
clearing the cache
running update.php
adding a $cookie_domain in settings.php
checking the database to make sure the users exist (they do, with hashed passwords)
My .htaccess file reroutes all traffic to https://www.
Core is Drupal 7.59.
Any thoughts?
I was using the Drupal 7 module "Hide Node Field." When I deactivated that module, user logins began working again. I will file a bug report with the Hide Node Field developers.
I have a live site (example.com). Instead of making changes and finding bugs when the public can view the site, I decided to set up a staging website. I followed the directions for setting it up here.
It appears to have worked; when I go to staging.example.com everything is there. But when I try to log in at staging.example.com/wp-admin.php it keeps giving
ERROR: Invalid username. Lost your password?
I tried my normal password and the password I used to create the new database.
What did I do wrong or what step did I miss? How can I add a new user to the staging account? I checked wp-config.php and believe I have the DB_NAME, DB_USER and DB_PASSWORD correct.
This is browser caching and cookies.
Try to open the page in an anonymous window or another browser, or fully clear your cache and cookies.
staging.example.com/wp-admin.php
This path does not exist; you need to go to
staging.example.com/wp-admin/
When you need to create a new user via the database, you can open the database with phpMyAdmin and create a user in the table wp_users. The password field must be left blank; then go to wp-login.php and recover the password to set up a new one.
Please read the whole question before saying duplicate. There are similar ones but this is different.
I have a website on which users can post ads. It's written using ASP.NET. So:
If a user posts an ad it should go through a review path (involving an admin).
E.g.: a user posts an ad. Then the admin logs in to his admin page, reviews the ad and then gives the approval.
I developed it within the same solution file. Currently I put this page in a folder. To access it the user has to type
www.test.com/admin/review.aspx
manually, because that page is not linked from the main website. And this admin user doesn't have a user account in the user account table. Note that the whole site is secured with SSL.
So the admin has to enter a password to enter this page. This password is hard coded (not taken from the DB).
So am I using the right approach? Can a hacker attack this page?
I don't want search engines to index this page. Also, what about this hard-coded password method? Is it a secure way?
Is it a good way to implement this page in this domain? I have different domains for this website ending with .org and .info etc. Can I use those to access my admin page?
Tell me the best and most secure approach to do this. Thank you very much.
A hardcoded password is never a good idea:
Developers of the website will know the admin password for all deployments of the application.
If the password is discovered by an attacker, it cannot be easily changed.
Pre-production versions of the app will carry the same admin password as live versions.
The security of the admin page should not be based on the fact that the URL is hidden. URLs are hard to keep secret as they're stored in browser and proxy logs, they are emailed, and they are leaked in the referer header if links are followed or resources are used from other domains (e.g. jQuery).
Hiding the page from search engines is a good idea; however, do so via the use of meta tags, not robots.txt, as robots.txt can be viewed by anybody to determine the location of your secret pages.
Use established security methods to make your admin functionality secure:
Implement TLS/SSL so all access is over HTTPS to mitigate Man-In-The-Middle attacks.
Implement account/IP lockout after a number of incorrect password guesses.
Use two factor authentication (e.g. Google Authenticator) to mitigate phishing attacks.
Store passwords in a DB or outsource your authentication to e.g. OpenID.
If storing passwords in your DB, hash and salt them and use a slow algorithm such as bcrypt, scrypt or PBKDF2 with the highest number of iterations you can get away with.
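To make the last three points concrete, here is an added example (mine, in Python rather than the asker's ASP.NET, and not the asker's code) of what replaces a hard-coded admin password: a salted PBKDF2 record kept in the database, constant-time verification, and a lockout keyed on both the username and the source IP after a number of failures. The iteration count, failure limit and lockout duration are assumptions to tune per deployment.

```python
import hashlib
import hmac
import os
import time

# Added illustration of the answer's advice (salted slow KDF + lockout) in place
# of a hard-coded password; not the asker's ASP.NET code. Limits are assumptions.
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 rounds; raise as far as latency allows
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Credential record to keep in the DB instead of a hard-coded string."""
    salt = os.urandom(16)
    return {"salt": salt, "iters": iterations,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)}

class AdminAuth:
    """Verifies against stored records and locks a username or source IP
    after MAX_FAILURES bad guesses."""
    def __init__(self, users: dict):
        self.users = users          # username -> record from make_record()
        self.failures = {}          # ("user", name) / ("ip", addr) -> (count, locked_until)

    def login(self, username: str, password: str, client_ip: str, now=None) -> str:
        now = time.time() if now is None else now
        keys = (("user", username), ("ip", client_ip))
        if any(self.failures.get(k, (0, 0.0))[1] > now for k in keys):
            return "locked"
        rec = self.users.get(username)
        if rec is None:   # run the KDF anyway so timing does not reveal which names exist
            salt, iters, expected = b"\0" * 16, ITERATIONS, b""
        else:
            salt, iters, expected = rec["salt"], rec["iters"], rec["hash"]
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
        if rec is not None and hmac.compare_digest(got, expected):
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            count = self.failures.get(k, (0, 0.0))[0] + 1
            until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self.failures[k] = (count, until)
        return "denied"
```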