I have a WordPress site which is acting strange lately. It seems like the database is spontaneously rolling back a few hours from time to time. I have noticed it happen at least four times.
When I updated to WordPress 3.5, after a short time, maybe 30-60 minutes, I noticed the nag to upgrade was back. I ran the upgrade a second time, even though I was certain that I had already upgraded.
I added a new category and changed a widget on one of my sidebars, only to find that my changes were gone the next day and I had to redo them.
I added a post yesterday, linked to it in various places and then returned several hours later to find the post missing. I rewrote the post from memory and put it back on the site.
This morning when I went to the site, the original post was back and the one that I had recreated from memory was gone. The post's id number was the same as the previous day. I think there was also a draft post that disappeared and reappeared as well.
One last clue, which may or may not be related, is that when I go to a page on the blog that should generate a 404 message I get a single piece of text which says: "defaced by t3ll0". I noticed this recently, within the last few weeks. I'm not sure how long it has been like that.
I ran Sucuri Scanner, and it found no evidence of malware. Any suggestions of how to troubleshoot this? Could this be a problem with my database rather than WordPress?
UPDATE: It appears that the primary problem I was noticing was because of two versions of the site being up simultaneously. The DNS settings had not been updated to the new site. I'm still investigating if the site was hacked.
You got hacked. "defaced by t3ll0" is the clue. Someone has control of your site and your hosting account.
Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC for spyware that may have grabbed your login and password.
http://sitecheck.sucuri.net/ is a good resource, but it scans for malware and not accounts that were hacked and are not being used to distribute malware or have spam links.
Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
You have not applied security, maybe in a number of places.
1. File permissions, folder permissions.
2. Upload folder permissions.
3. Execute permissions.
Now, if you are not a developer how would you check for these vulnerabilities?
I suggest you take a backup of your DB (export it). Get rid of the existing WP core and reinstall it fresh.
Delete all plugins and install them all from fresh sources.
If you have used a custom theme, then get the backed-up version of it and delete the current one, as it has been defaced.
And you can check for a lot of vulnerabilities with plugins like this: http://wordpress.org/extend/plugins/better-wp-security/
Rename your administrator account. Harden your password. Remove write permission from .htaccess and wp-config.php file.
Related
I have an issue with my WordPress site.
My website is generating adult pages which are not present on our website/database or server. They are showing in Google search results like this, for example siteurl.com/en/aarp-dating (around 500 pages Google crawled). We have checked all our database and found around 30 new tables were automatically created, and when we delete them, after some time they are restored automatically.
How can I find the malicious code on my server/pages or what kind of problem is this?
Thanks in advance !!
Download the full installation, then compare the files' checksums with a clean backup or a fresh installation of the same WP + Plugins + Theme versions.
Most important: find out how they infected your site and close that hole or you will be back at square one in a short time after you've uploaded a clean backup. Check the Access Logs, filter out known IP addresses of you and your users, and look at the rest, especially POST requests. Also make sure to check the FTP-logs and (if you have ssh access to your host) auth logs to make sure that your/your coworkers' machines/passwords haven't been compromised.
Also make sure you don't miss any extra individual files or plugins that shouldn't be there.
You cannot trust what you see in the backend at this point, so check the database directly for new users you don't know and users with privileges they shouldn't have. Comparing with a recent backup can help.
Since it's not clear how long your site has been infected, I wouldn't trust recent backups (or any, really) either. Set up a fresh install after you found and fixed the entry point, then manually (or with a script, but be careful not to transfer back doors) transfer content to the clean install.
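The checksum comparison suggested in the answer above, as an added Python example that is not part of the original post. The function names and the two small sample trees are constructed for illustration; in practice the two roots would be the downloaded site and a fresh copy of the same WordPress, plugin and theme versions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare_trees(suspect_root, clean_root):
    """Classify files of the downloaded site against the clean reference."""
    suspect, clean = sha256_tree(suspect_root), sha256_tree(clean_root)
    return {
        "modified": sorted(f for f in suspect if f in clean and suspect[f] != clean[f]),
        "extra": sorted(f for f in suspect if f not in clean),
        "missing": sorted(f for f in clean if f not in suspect),
    }

def write_tree(root, files):
    """Write a {relative path: text} mapping to disk (demo helper)."""
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo():
    """Run the comparison on two small constructed trees (not real WP files)."""
    clean = {
        "wp-login.php": "<?php // reference login\n",
        "wp-admin/index.php": "<?php // reference admin\n",
        "wp-includes/version.php": "<?php // reference version\n",
    }
    suspect = dict(clean)
    suspect["wp-login.php"] += "// line that is not in the reference\n"
    suspect["wp-content/uploads/2017/cache.php"] = "<?php // unexpected file\n"
    del suspect["wp-admin/index.php"]
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp) / "suspect", suspect)
        write_tree(Path(tmp) / "clean", clean)
        return compare_trees(Path(tmp) / "suspect", Path(tmp) / "clean")

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real site, wp-config.php and uploaded media will be listed as extra because a fresh download does not contain them, so review that list by hand and pay particular attention to PHP files under the uploads folder.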
Use Wordfence Security Plugin & scan for infected core files of wordpress.
Use Sucuri plugin.
Also, deactivate ALL of your plugins and install a basic WordPress theme before.
I’m using the latest version of Wordpress (4.7.4).
I have something very weird going on in my Dashboard. Not sure when this started.
Can’t say for sure it started with the latest version of Wordpress or not.
My Dashboard became completely useless.
It’s like it’s showing me a flashback of a Dashboard from a few days or hours ago:
Comments I’ve deleted in the Dashboard (hitting “trash”) are suddenly back there, awaiting my moderation.
Plugins I’ve deactivated or even deleted are all back there and according to Dashboard still running (while in my FTP folder they’re certainly gone).
The plugin page cannot be trusted anymore as it shows some plugins are activated that aren’t and vice versa. I have to check on my actual website to confirm which ones are running.
Updates aren’t shown correctly. Once I’ve updated a plugin, a few minutes later it shows me again that there’s a new update.
As you can tell it’s all pretty much the same phenomenon.
It’s as if I’m seeing an older version of my Dashboard.
Not sure what else is broken.
The only other thing I noticed is that even on my actual blog I still see a comment. Blog post says “1 comment”, but the actual comment doesn’t show up.
At first, this all sounds like a “cache problem”.
But I’ve already turned off all caching:
No caching plugin installed
Turned off server caching via htaccess
Disabled leverage browser caching
Emptied my own browser cache
Other things I tested:
Turn off all plugins.
Switch to the standard Wordpress theme “Twenty Twelve”
I tried WP_DEBUG, but nothing related shows up.
I researched the internet, but nobody has described a similar problem, so I suppose this is not a common Wordpress issue.
The issue remains.
Unfortunately I’m not a developer and don’t know too much about the Wordpress codex etc.
But to me it sounds that the mistake is definitely not in the plugin or theme folder.
The problem is that I’ve reached the point where I really cannot turn off plugins via Dashboard properly anymore. It’s so annoying!
My questions are:
Is it safe to assume that this is related to the Wordpress core files?
What files exactly are in “charge of” the Dashboard?
Should I just try to re-download the newest Wordpress version and replace a few files (if so which ones)?
Should I do a clean Wordpress re-install or would that be too drastic?
Any other suggestions?
EDIT:
Additionally I tried now:
I manually downloaded the newest version of Wordpress and did just as described on the Wordpress.org website. I manually replaced wp-admin, wp-include folders and all root files. The issue remains...
The way my Dashboard is right now, I really can’t use it.
Please advise!
I contacted my host service again.
They just gave me the same line to insert into my .htaccess file and I told them I already tried it and it didn't work.
I then showed them my .htaccess file and they deleted the whole part that concerned their server caching.
Now server caching is completely off and everything works again.
Still not sure why this previously never caused issues.
In the end, it had nothing to do with Wordpress.
I hope this answer will help people who run into similar problems.
I’m working on a wordpress site, it’s almost finished.
Left it lying on the server for a few weeks after the launch to gather user feedback, and now ready to make some minute adjustments.
Lo and behold, can’t login.
Going to parentsauxassembleesgenerales.org/wp-admin won’t show me the admin page, but will instead redirect.
Sure enough, I had an automatic update to 3.8.2 on April 9 that seems to coincide with the admin access being gone.
Contrary to most redirect errors for login pages after an automatic update on forums, the exact url it redirects to is not actually a valid url.
You see others reporting the url they are redirected to as being:
http://www.domain.org/wp-login.php/?redirect_to=http%3A%2F%2Fwww.domain.org%2Fwp-admin%2F&reauth=1
But mine displays: http://www.parentsauxassembleesgenerales.org-login.php/?redirect_to=http%3A%2F%2Fwww.parentsauxassembleesgenerales.org%2Fwp-admin%2F&reauth=1
And is therefore missing three characters: “/wp” to be identical to the other bugs I saw reported. Needless to say, I still tried all the fixes recommended elsewhere, namely:
(using FTP, Softaculous, download of WP 3.8.1 and 3.8.2 from wordpress.org, and PHPmyAdmin)
1- deactivating, renaming, removing plugins, theme, both plugins and theme
2- adding lines of code to wp-config
3- looking at the database to make sure the site url and home url were the right ones and the same
4- updating key files like wp-login.php with a fresh version straight out of a vanilla install.
5- moving the content and wp-config to a fresh install (only recreated the problem).
I’m sort of confused at Softaculous (wp install script in cPanel) for asking if you want automatic updates, but still enabling the small automatic updates (3.8.1 to 3.8.2 or 3.8.3) even if you don’t check the box for automatic updates. I don’t, and never will, want automatic updates on my wordpress: too many plugins and themes have a lag to the wordpress core deployment schedule. (I now know I can just add a line to wp-config.php, but the Softaculous interface could be clearer about the automatic update deal).
Am now in contact with the hosting service to look at solutions such as emptying webcache, restoring from their own weekly backups, their own diagnosis of the faulty redirect route, etc.
I’m looking for a solution that will do one of the following:
help me know what causes the redirect error so I can target the problem-solving
help me regain access to wp-admin login and the dashboard
I found the issue.
Despite deactivating the plugins, one of the plugins had caused a problem in the DB which remained even when deactivated, removed or renamed. Had to clean up the relevant redirects in the DB with PhpMyAdmin.
The plugin was Velvet Blues Update URLs, which was recommended for a very small move I was doing (moving the dev version of the site up one folder on the server file system).
I hadn't used this plugin before, but it seemed straightforward enough.
Not.
I usually migrate sites using UpDraftPlus with the pro addon for migration, which works fairly well, but felt longer than it needed to be for a one-folder-up move.
Not.
The search and replace feature on UpDraftPlus that covers both for file/folder locations and for urls is without compare, and even for what it was supposed to do, Velvet Blues Update URLs didn't deliver on its promise.
I have a website (thebyandby.com) that got hacked several weeks ago. The problem is, the description on Google is showing a spam description for viagra and one of the most popular posts (when linked to from Google) goes to a spam website.
The site is a WordPress website so I reinstalled the theme and made sure everything was updated. There are only two plugins installed, Akismet and Google Analytics. I don't think the plugins could be affected but I am not sure. The problem was still there so I checked when Google last indexed my site and it was after I had reinstalled my theme. I checked for malware from Google Webmaster and it said it didn't find any malware. I ran grep -r "viagra" on my entire web directory and nothing was found. I really don't know what else to do. Could this be a database problem?
Yes, it could well be that you have content in the database which is compromised. After all, that's where all the pages and posts are stored. Does your hosting company provide a tool like phpMyAdmin for browsing and editing the database?
But equally, if you have only reinstalled the theme then there are a lot more core WordPress files that could have been compromised by the hacker. Given that you are having problems, it would be well worth doing a complete reinstall of the WordPress files. Just make sure you keep a copy of your wp-config file, as you will need to copy that back. Also make sure you reinstall the same version of WordPress that you currently have.
But you know what: It may save you time in the long-run to just export all your posts and pages from within WordPress and then wipe the hacked site completely and install the whole thing from scratch. You can open the export file in any decent editor and once you've got your head around the XML structure, you can delete any rubbish that the hacker put there. I guess this option depends on how much content you had already put up on the site and how readily you could reconfigure the new site to match the old one.
Of course, if you have a full files and database backup from before the hacker got there, then you have an easy option that avoids all this grief ;-)
My WordPress has been working fine (it is updated), and then this morning I got a warning from Google about visiting my site. When I clicked on the details I got the message below. I went and disabled my comments altogether. Deleted plugins that I think might have caused it. I am unsure what else to do. I need help: what should I do now? Thank you for your time to hear my case!
What happened when Google visited this site?
Of the 7 pages we tested on the site over the past 90 days, 7 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-07, and the last time suspicious content was found on this site was on 2012-03-07.
Malicious software is hosted on 1 domain(s), including happynewyear.osa.pl/.
This site was hosted on 1 network(s) including AS29873 (BIZLAND).
You need to be sure you completely clean your site to fix the hack, i.e. replace all core WP files and folders, check theme files for php code and links, etc. Replacing plugins and disabling comments is not enough.
Use http://sitecheck.sucuri.net/ and see FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host. Change all passwords. Scan your own PC. You may need to consider changing web hosts, too, in order to find a more secure host.
You will find many tips there about Wordpress hack, how to clean it, ...
Many Wordpress Tips After Hack
But you will get many different tips about it ... just try to do your best with this website and using Google is the best way to clean it.
The important thing to remember is that any and every PHP file and all of the stored procedures of the database are now contaminated and need to be deleted. If any passwords were stored in the clear (such as login passwords) you'll need to change them too.
Once you've wiped all of those, you'll need to install a fresh copy of WordPress - and let this be a lesson to you to keep your WordPress up-to-date and not have as few plugins as possible on your site.
// Remove the pingback.ping method from the XML-RPC methods WordPress exposes.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.