cPanel - send 404 to a php page? - wordpress

I have an issue in a WordPress site on Hostgator where the htaccess file keeps disappearing. Before you get all, "Check your plugins, dummy" I have the same install of this site running on a completely separate Hostgator account and it's running fine. Furthermore, I have a local instance which, again, is running fine. So if it was a plugin, the issue would be replicated on the other instances, but it's not.
My suspicion is someone who has access to the hosting account is tampering with it. While that sounds paranoid, I can't rule anything out because htaccess files don't just delete themselves.
The bandaid fix has been to just reset permalinks once the site goes down. Annoying, but simple. What might be even neater would be to set my server 404 page to a PHP script that, when accessed, hits an endpoint I set up in WordPress to programmatically flush the rewrite rules, thus restoring the htaccess page, and then the 404 tries to forward them on again. However, the suggestions on how to do this say to put the error page definitions in the htaccess page, which doesn't do me much good if the htaccess page is being deleted.
How stupid is this idea? Please let me know in comments.
I'm open to other solutions, but I'm waiting on my hosting support to figure out how the file is being deleted because I assume others with the account info of tampering.

Related

WordPress site impacted with redirect injection

I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly this time, it's trickier than your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link; however, upon investigating the loaded code on inspect, it's not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.
The site is still impacted with this so you can easily load the link ~ I do use Malwarebytes to keep myself protected, in case you are opening this directly.
Can anyone help?
The redirection code is implanted to /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
watch the cookies when clicking internal page, a new cookie is being set for tracking first clicks, named ht_rr
save complete webpage locally and try to load it, and check in Chrome dev tools, you'll see that in Console tab it complains about this Javascript file attempting to set the aforementioned cookie
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the Javascript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
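The answer above traces the redirect to a modified core script. As an added example (not part of the original answer), the following compares a live WordPress tree against a clean copy of the same release by SHA-256 and reports modified and unexpected files; the sample trees and the file name `cache.bak.php` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_trees(clean: Path, live: Path) -> dict[str, list[str]]:
    """Classify live files against a clean reference copy of the same release."""
    ref, cur = tree_hashes(clean), tree_hashes(live)
    return {
        "modified": sorted(f for f in cur if f in ref and cur[f] != ref[f]),
        "unexpected": sorted(f for f in cur if f not in ref),
        "missing": sorted(f for f in ref if f not in cur),
    }

def build_demo(base: Path) -> tuple[Path, Path]:
    """Constructed sample trees: a clean copy and a tampered live copy."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-includes/js").mkdir(parents=True)
        (root / "wp-includes/js/wp-emoji-release.min.js").write_text("/* emoji */")
        (root / "wp-includes/version.php").write_text("<?php // version")
    # Tampering modelled on the page: extra content appended to the emoji script.
    with (live / "wp-includes/js/wp-emoji-release.min.js").open("a") as fh:
        fh.write("/* constructed marker standing in for the ht_rr injection */")
    # A file that does not exist in the clean release at all.
    (live / "wp-includes/cache.bak.php").write_text("<?php // constructed extra file")
    return clean, live

def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo(Path(tmp))
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

For core files, WP-CLI's `wp core verify-checksums` performs a comparable check against the checksums published for the installed release; themes, plugins and uploads still need a reference copy of their own.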
Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.

My wordpress website site URL is being changed again and again

Someone is changing my WordPress site URL to their ad spam URL. I changed it from phpMyAdmin and it was fixed. The hacker inserted a JavaScript snippet into every WordPress post and page to redirect all posts and pages to their ad page; I deleted all of them. Then I installed the Wordfence security plugin, scanned the entire website, found some malicious code and deleted everything. Then I changed my cPanel and WordPress passwords. I am using my own VPS so I also changed my root password, but still, just after 12-24 hours, I can see that the WordPress site URL has been changed. I fix it and again it gets changed.
I have mentioned what I have done, what else I can do to prevent this? Please any suggestion will be appreciated...
Your website has most probably been exploited, and the exploit is still active, as a backdoor for that hacker.
I would check the access logs for your web requests, and especially POST requests, which might show where the hacker is logging in via: some theme or plugin that was exploited, most probably.
If your web host does daily backups, it might even be worth reverting back to previous days to remove any changes. Remember that if you revert back, any posts/changes from that day onwards will disappear.
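One way to carry out the log review suggested in the answer above, as an added example that is not part of the original answer: it parses Combined Log Format lines and counts successful POSTs to PHP files outside the endpoints that normally receive them. The log lines, paths and the list of expected endpoints are constructed assumptions; adjust the baseline to the site.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints that normally receive POSTs on a WordPress site (assumed baseline).
EXPECTED_POST = re.compile(
    r'^/(wp-login\.php|wp-comments-post\.php|wp-cron\.php|xmlrpc\.php|wp-admin/|wp-json/)'
)

def suspicious_posts(lines):
    """Return [((path, ip), count)] for 2xx POSTs to unexpected .php files."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if EXPECTED_POST.match(path) or not path.endswith(".php"):
            continue
        # A 2xx status means the script exists and handled the request.
        if m["status"].startswith("2"):
            hits[(path, m["ip"])] += 1
    return hits.most_common()

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:02:14:09 +0000] "POST /wp-content/themes/demo/inc/cache.php HTTP/1.1" 200 15 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:09:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:11:30:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:11:31:00 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:14:20:41 +0000] "POST /wp-content/themes/demo/inc/cache.php HTTP/1.1" 200 15 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for (path, ip), count in suspicious_posts(SAMPLE_LOG):
        print(f"{count:3d}  {ip:15s}  {path}")
```

Lining up the timestamps of the flagged requests with the times the site URL changed narrows down which file is acting as the entry point.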

Why is the www version of website not working properly?

I'm facing a problem with the following website: https://www.rhythmandstrums.ie/
When I open the "www" version of it: https://www.rhythmandstrums.ie/ I get a bugged website, failing to open stylesheets and possibly other file sources, whereas if I open the website without the "www", everything works as expected: https://rhythmandstrums.ie/
Some considerations:
This website is hosted in a Wordpress Multisite, so it shares the same configuration files as other websites, none of the other websites have this issue. So I was wondering if this could be a problem with redirection, although, again, none of the other websites have this problem and they share the same config files (including server block settings and such, it is in nginx).
I have checked the DNS values and nameservers and everything looks fine (I took base from all the other websites that were set up in the same way, I can post a screenshot if it might be of help).
This error also seems to happen in the Wordpress backend, with the admin dashboard not being able to load parts of plugins, it seems like it is looking where it doesn't exist.
I have replaced instances of the www version of the url in the database, as I do with other websites as well, but that didn't seem to fix the issue.
I have cleared cache a few times (both in the cache plugin and manually in the nginx server - manually deleting the contents of the cache folder), and since this has been going for a long time, I don't know if this is cache related, but any suggestion is highly appreciated. Again, all the configs, including the cache plugin settings, are the same for all the other websites in the network, none of which are having this issue.
If I inspect the console when I'm accessing both versions of the website, www and non-www it seems like it's trying to pull information from different locations, but I can't figure out why it's doing that.
Guys, I hope this was not confusing, but let me know if you would like to see screenshots or other info that might be relevant. Thanks so much in advance, I really appreciate it.

Broken Wordpress Admin

I have a client who has asked me to start working on their Wordpress site. The admin page is broken and I do not have access to the database yet (I am trying to track down the previous people who worked on it). It is quite messy, I know.
What I am doing now is migrating pieces over to a new WordPress site using Wamp server just to get it functional, but I am wondering if the solution is simpler than that. Ideally, I would just fix the login, but I have minimal WordPress experience and don't know where to start.
Here is the website: http://fundafighter.com
If you go to http://fundafighter.com/wp-admin you'll notice that it is broken. It reroutes to "login-2", which I don't think is normal. So far I haven't found any folder with that title...
I would log into the site via FTP, check the wp-config.php file for any redirects for wp-login.php. Then, check the .htaccess file for the same. Remove any references.
If you get that page working, and you need to reset the password, I would follow this tutorial through phpMyAdmin:
https://codex.wordpress.org/Resetting_Your_Password#Through_phpMyAdmin

403 error in Wordpress 4.0 options.php

I want to disable comments site-wide on a Wordpress site, but I keep getting this one annoying problem.
I've looked around and all of the results are for older versions of Wordpress. I have a fresh install of Wordpress 4.0 onto a namecheap hosting server.
When I try to disable comments in Settings > Discussion by unchecking the box and clicking on the submit button below, I get redirected to a page that says:
You don't have permission to access /wp/wp-admin/options.php on this
server.
Additionally, a 404 Not Found error was encountered while trying to
use an ErrorDocument to handle the request.
One suggestion from a few threads from 5-7 years ago was to modify the .htaccess and permissions. I tried, it still is returning the same error. Those suggestions were for older, less secure versions of Wordpress, so I'm thinking there should be a different workaround for 4.0. I also for some reason don't have SSH access to the server, probably because of some stupid namecheap / cpanel restriction.
I went ahead and contacted namecheap directly and they corrected it quickly - I don't think there's anything you can do. Specifically, they said:
We have whitelisted Mod Security rule which has been triggered. Please try perform necessary actions one more time.
Hope that helps.
Check the privileges of your WordPress database users.
Check also file and folder permissions (folder permission 755 and file permission 644).
