Cannot see changes in Wordpress in FTP client and vice versa - wordpress

I am having some problems with Wordpress 3.7. I think they may be related and have something to do with a file ownership/rights issue but I am completely stuck.
I am using the default theme and I have uploaded a new header image several times through the WP admin interface. Now that I am happy with the image, I want to delete the old images. Firebug tells me they are in [my wp root]/wp-content/uploads/2014/01. However, in my FTP client, this directory is not visible. I only see [my wp root]/wp-content/uploads/2013.
When I log into the Wordpress admin interface, it tells me I should upgrade to 3.8. When I tell it to go ahead and give it my FTP credentials, it begins but gets stuck at "Verifying the unpacked files…". I get no error messages and when I give up and leave the page, there are no reports about a failed update. It just keeps showing me the "please update" message.
I am using the default theme and want to change style.css. I cannot do this in the theme editor, it tells me I have to make the file writable first, even after I give all the theme files 777 access in my FTP client (which probably is not a good idea). If I edit the file offline instead and then upload it via FTP, this doesn't have any effect. I can even delete the entire file and still nothing changes at the frontend.
I have tried to create a child theme through the FTP client but it does not show up in the WP backend.
The site is on a shared hosting platform. I can't find the details at the moment but it's a fairly regular setup (Linux, Apache, MySQL). I am testing in Firefox and caching is turned off. If I log out, and log back in again: same problems.
It is almost as if I am FTP-ing the wrong computer but I am really not. What am I missing?

Problem solved. I finally asked my hosting provider and as it turns out they had adjusted a few settings, making them too restrictive.

Related

WP site keeps getting hacked for a cryptojacker - How to find the leak?

I've got a site that has been hacked for the fourth time now this month. With scripts hosted on autofaucet.org. (sloppy code even, found their names. Some Russian dudes. But that's off topic) I've taken some measurements to prevent a new hack, but alas...
I've installed a clean WP installation on the server, with clean files and a clean DB.
reinstalled the plugins clean
I have All In One WP Security & Firewall plugin for file scanning, firewall, hide inlog page, etc.
Changed all the wordpress passwords.
I've noticed the encoded code is being placed in files called assets.php.
I'm curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I've asked them before and they just say it's my fault, update the wp installation and move on. What should they check if the code is injected from their side?
Your log files (of the web server) e.g. /var/log/nginx/access.log with the nginx web server will tell you who it was. Look for the change date/time of the assets.php file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually Wordpress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it's a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
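The log correlation described in this answer, as an added example that is not part of the original post: it takes the change time of the planted file, finds every client IP with a request inside a short window around it, and returns each such IP's full request history so the first access is visible. The log lines, IP addresses, plugin path and two-minute window are constructed for illustration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, hypothetical plugin path).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2019:09:58:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [12/Mar/2019:10:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "curl/7.58"',
    '203.0.113.50 - - [12/Mar/2019:11:41:33 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 17 "-" "curl/7.58"',
    '198.51.100.7 - - [12/Mar/2019:13:00:00 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

def change_time(path):
    """Inode change time (ctime) in UTC; unlike mtime it cannot be reset with touch on Linux."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def parse(lines):
    """Yield (time, ip, request, status) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ts, m["ip"], m["req"], int(m["status"])

def correlate(lines, changed_at, window=timedelta(minutes=2)):
    """Return {ip: [(time, request, status), ...] oldest first} for IPs active near changed_at."""
    by_ip = defaultdict(list)
    for ts, ip, req, status in parse(lines):
        by_ip[ip].append((ts, req, status))
    suspects = {ip for ip, hits in by_ip.items()
                if any(abs(ts - changed_at) <= window for ts, _, _ in hits)}
    return {ip: sorted(by_ip[ip]) for ip in suspects}

if __name__ == "__main__":
    # Constructed change time; on a real host use change_time("/path/to/assets.php").
    changed = datetime(2019, 3, 12, 11, 41, 34, tzinfo=timezone.utc)
    for ip, hits in correlate(SAMPLE_LOG, changed).items():
        print(ip, "first seen:", hits[0][0].isoformat(), hits[0][1])
```

On a busy site the window will also catch ordinary visitors, so read the returned history for each IP rather than treating the set as a verdict, and include rotated log files so the first access is not cut off.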
I had same issue before. It might be the wordpress core files.
Delete all files except wp-content, then download and replace it with the new wordpress files.
Search for 'autofaucet.org' inside wp-content, and remove if necessary.
Open wp-contents/themes/ then check functions.php - check if any additional code is there on top. Check the last updated files and time inside the theme and plugins.
Export database files and search for 'autofaucet.org' and remove if any item found.

WordPress site impacted with redirect injection

I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly this time, it's trickier than your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link, however, upon investigating the loaded code on inspect it's not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.
The site is still impacted with this so you can easily load the link ~ I do use Malwarebytes to keep myself protected, in case you are opening this directly.
Can anyone help?
The redirection code is implanted to /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
watch the cookies when clicking internal page, a new cookie is being set for tracking first clicks, named ht_rr
save complete webpage locally and try to load it, and check in Chrome dev tools, you'll see that in Console tab it complains about this Javascript file attempting to set the aforementioned cookie
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the Javascript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
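Since the redirect here lived in a modified core file (wp-emoji-release.min.js), one way to find such changes without guessing at strings to grep for is to hash the live tree against a clean copy of the same WordPress version. This is an added example, not part of the original answer; it assumes a pristine copy of the matching release has been unpacked locally, and the function names are hypothetical.

```python
import hashlib
import os
import sys

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_against_clean(live_root, clean_root, skip=("wp-content", "wp-config.php")):
    """Return (modified, unexpected) core paths in live_root compared with clean_root.

    wp-content and wp-config.php are site-specific, so they are skipped here;
    themes and plugins need the same comparison against their own clean packages.
    """
    live, clean = file_hashes(live_root), file_hashes(clean_root)

    def skipped(rel):
        return rel.split(os.sep)[0] in skip

    modified = sorted(p for p in live
                      if p in clean and live[p] != clean[p] and not skipped(p))
    unexpected = sorted(p for p in live if p not in clean and not skipped(p))
    return modified, unexpected

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python compare.py /path/to/live/site /path/to/clean/wordpress
    changed, extra = diff_against_clean(sys.argv[1], sys.argv[2])
    for path in changed:
        print("MODIFIED  ", path)
    for path in extra:
        print("UNEXPECTED", path)
```

Run it from a copy of the site or a read-only mount, so that the comparison does not depend on tooling installed on the compromised host.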
Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.

How do I set MAMP PRO permissions for localhost?

I am using MAMP PRO for local development on WordPress and have to constantly change permissions, depending on whether I'm working the files, or from the WordPress dashboard. Surely there must be a catch-all permissions setting that will allow access for both?
If I set the Owner to me 'Storm', I can freely edit the files in sublime, without getting prompted to allow access when I save, but then some things in the WP dashboard don't work (such as updating plugins, where I get prompted to enter FTP details)
If I set the Owner to _www, I can update plugins freely, but then I get prompted to allow access when I save files.
This is really frustrating. What is the correct way to set permissions so I never get prompted locally? I have tried the suggestion on a similar question but when I try to make all files writable, it doesn't change the boxes (see the message in the image, which says that you can't change boxes with dashes in them)
You might want to run the webserver as Storm instead of www[1], ie. the same user as the one you're editing files with (due to the way WordPress checks permissions).
[1] See General in the main window of MAMP.

Mirroring a Wordpress *configuration* between local and remote

Ok, so I'm familiar with creating local Wordpress builds, and have been chugging along happily with the technique outlined in Smashing's MAMP-based article. My question goes a step beyond this.
The article is great for developing generic themes, but when developing sites (not necessarily blogs) based in Wordpress, for me at least, it's a little painful come launch day.
I have to go back in and reconfigure the server's Wordpress to match what I've already done locally. Settings have to be entered again, plugins need be installed again, menus recreated, and css will have to be altered to reference the unique classes/id's Wordpress generates for posts/pages/custom taxonomies…sometimes things are missed in the process. What I want to know is this:
Is there an easy way to automate cloning or mirroring the build on my local machine to the remote server?
Even if you have to just LMGTFY me, that would help. I don't exactly know what I should be searching for. Searches dealing with 'mirroring wordpress configuration' and 'cloning wordpress configuration' returns tutorials on moving content, which I know how to do.
If it helps, I'm running OSX 10.6.8 with xcode dev tools, git, ruby, node, and homebrew. All of my live servers have ssh access as well as ftp, and I build with the most current versions of Wordpress.
Here are some easy steps to follow:
Download and install the WP Migrate DB plugin.
Go to Tools > WP Migrate DB and fill-in the blank fields(New address (URL), New file path and optionally check/uncheck the other options). Click on Export Database and save the export file to your computer.
Make a .zip archive with ALL of your files(the /wp-admin, /wp-content, /wp-includes directories and all files in the root directory).
Upload that file to your production server, where you want your WordPress site to reside.
Go to your cPanel(or use the unzip command through SSH) File Manager(or any other alternative that you might have) and unzip the file that you just uploaded.
If you don't already have a Database set-up on your production server - create one through the hosting control panel(for cPanel, it would be Creating a mySQL database in cPanel, for plesk it would be Plesk 7 Tutorial: Creating a database, for anything else, just google it up, or try your hosting's FAQ). Remember/write-down your Database Name, Database User and Password.
Edit the wp-config.php file and change the values for the DB_NAME, DB_USER, DB_PASSWORD and optionally DB_HOST - but this is usually localhost - if that doesn't work try asking your web host, or if you have phpMyAdmin, log-in to it and look at the very top of the page - in this case the DB_HOST would be localhost.
After you've done all of that, log-in to your DB administration tool(most of the time this would be phpMyAdmin, but it could be something else as well) and upload the database export file that you save to your computer in step 2. Note: If your hosting hasn't provided you with a DB administration tool, I would suggest that you upload the phpMiniAdmin(click on the "Download latest version" link and save the file to your computer) script to your production server. Then go to that script(if your website is located at http://example.com/, go to http://example.com/phpminiadmin.php) and enter your DB details. On top of that page, you will see an import link. Click on it and upload your DB export file. Note 2: phpMiniAdmin doesn't support gzip-compressed files, so if you did check the Compress file with gzip option in step 2, you will have to re-do that step with this option unchecked.
Log-in to your site and go to Settings > Permalinks in order to update your permalink structure.
Check the permissions of the /wp-content/uploads and /wp-content/plugins directories - make sure that you will be able to upload images and plugins without any problems.
That's pretty much it. It might seem like a lot, but I follow this process for almost every site that I upload to production servers and it can take me as less as a bit under 10 minutes to do all of that(considering that I usually use custom MySQL commands, instead of the WP Migrate DB plugin - I should probably start using it :) ). Once you get used to the process and you don't encounter any low-quality web hostings, you should be perfectly fine with these steps.
Note: Since you used ssh as one of your tags, I assume that you usually have ssh access to the production server. If you don't I'm still assuming that you have a cPanel access(if that's not true and you can't unzip files on the server, then upload all files manually via FTP client, instead of doing steps 3 and 4).
I guess the only way is to copy the database or part of it.
What I do is to copy the relevant tables and modify manually the site URLs in table options. There are only 2. There is also a nice plugin velvet-blues-update-urls to modify all links, after the site URLs are set manually to be able to access the backend, in case posts are also copied.
Next, copy all theme directory files to the same directory in the site, assuming you are using the same theme.
Both processes can be automated with a PHP script.
I am not sure this is what you want, but hope this helps.
Not sure that this is exactly what you need, but to move a site you can use the built in Wordpress "export" and "import" options. As far as I remember there was an option when importing to change URL's and the import would change a few things for you.
Even if this does not answer your exact question, hope it helps.

WordPress - Theme changes overwritten by GoDaddy

Greetings and thanks in advance for your feedback. Now I realize that this isn't GoDaddy tech support but I'm asking the question here before I step into those murky, black waters.
Scenario: I edit the CSS and various templates for the default template via Appearance > Editor. All looks and performs great. I hand off to my client. She reports back that after adding a new post the customizations are overwritten and the default theme files are restored! She claims that GoDaddy told her that its "on my end."
Nonsense, right? There is no relation between adding a post and updating theme files, right?
This is the second time this has occurred - the first time we assumed GoDaddy had backups of the customized files (not). At least with the second occurrence, I had a local backup.
Any ideas or suggestions?
Either that or the WordPress install has been upgraded. If your theme folder is still using the default, then it will be overwritten by WordPress on upgrade.
If so, change your default theme folder to something else...
then edit the CSS file and give it a new name...
Use FTP and a text editor to edit the theme files directly and check their permissions. I think the changes are not taking effect because you've got file permission problems, and as soon as the client forces a reload of the site, she sees the unchanged files again.
And if you're using a Windows server, consider changing to Linux. GoDaddy has lots of problems with Wordpress on Windows, from permission problems to permalinks. You can change to a Linux server in a few hours: Switching Your Hosting Account Operating System - GoDaddy Help Center
