I want to have one Drupal copy to maintain, but a lot of sites running from that copy.
I'm using cPanel to create users and add bandwidth and disk space limits, therefor I need to place uploads within the cPanel user's home dir.
A user's site config should not be viewable by other users, therefor I do believe I need to use some kind of suExec or suPHP.
This is the guide I've tried following: http://drupal.org/node/1274642
Basically I have a frontend where a user enters a subdomain and then via a cPanel API I create a user for that subdomain and add limits for bandwidth and disk space.
Can anyone help creating this setup?
I've been thinking about making a symlink from /home/dp1234/public_html to /path/to/drupal/copy, but then everyone would be able to view the setting files in Drupal's sites folder - I think?
I keep getting weird permission problems. I got it working a couple of times but all of the sudden it didn't work.
Any help would be greatly appreciated! Thanks!
So I finally figured out why it wasn't working.
It was an Apache configuration thing that was checked true: [x] SymLinksIfOwnerMatch
I unchecked that and finally everything started to work!
Related
I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly this time, its trickier then your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link, however, upon investigating the loaded code on inspect its not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.
The site is still impacted with this so you can easily load the link ~ i do use malwarebytes to keep myself protected, incase you are opening this directly.
Can anyone help?
The redirection code is implanted to /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
watch the cookies when clicking internal page, a new cookie is being set for tracking first clicks, named ht_rr
save complete webpage locally and try to load it, and check in Chrome dev tools, you'll see that in Console tab it complains about this Javascript file attempting to set the aforementioned cookie
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the Javascript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.
I have an issue with my WordPress site.
My website is generating adult pages which is not present on our website/database or server. It is showing in google search result like this for example siteurl.com/en/aarp-dating (around 500 pages google crawled) we have checked all our database and found around 30 new tables are automatically created and while we delete it after sometime it restore automatically.
How can I find the malicious code on my server/pages or what kind of problem is this?
Thanks in advance !!
Download the full installation, then compare the files' checksums with a clean backup or a fresh installation of the same WP + Plugins + Theme versions.
Most important: find out how they infected your site and close that hole or you will be back at square one in a short time after you've uploaded a clean backup. Check the Access Logs, filter out known IP addresses of you and your users, and look at the rest, especially POST requests. Also make sure to check the FTP-logs and (if you have ssh access to your host) auth logs to make sure that your/your coworkers' machines/passwords haven't been compromised.
Also make sure you don't miss any extra individual files or plugins that shouldn't be there.
You cannot trust what you see in the backend at this point, so check the database directly for new users you don't know and users with privileges they shouldn't have. Comparing with a recent backup can help.
Since it's not clear how long your site has been infected, I wouldn't trust recent backups (or any, really) either. Set up a fresh install after you found and fixed the entry point, then manually (or with a script, but be careful not to transfer back doors) transfer content to the clean install.
Use Wordfence Security Plugin & scan for infected core files of wordpress.
Use Sucuri plugin.
Also, desactivate ALL of your plugin and install a basic theme of wordpress before.
I have never used wordpress before, My boss has given me access to a site which was created using wordpress. then He asked me how I am going to make sure I don't break the site accidentally, I told him I would create a backup on my local computer so that all my changes can be restored if I mess up.
I have the wordpress dashboard up. How do I back up EVERYTHING, I hear there are two separate things I need to back up? someone please help me.
PS: I don't think he would like me to do this with out the use of additional plugins.
There are two separate things:
Your website database. Simply export all the MySQL tables from the database, which is dedicated to your site.
The site files, everything you've got under WordPress folder, /wp-includes, /wp-content, /wp-admin directories and all files.
This should do it all. You can test on your localhost to make sure it's everything that's necessary.
You can backup your WordPress either from your hosting account (preferable) or from your WP dashboard.
You need to backup two things - all the files (the root of your Wordpress installation) and the database for your WP installation.
Since you only have access to the dashboard, you have to use plugin for this.
Two of my favorite free backup plugins are:
BackupWordpress - https://wordpress.org/plugins/backupwordpress/
BackWPup - https://wordpress.org/plugins/backwpup/
They are intuitive and easy to work with, so you shouldn't have issues.
If you go to the dashboard go to "tools" in the left toolbar. Select "export". On the export page you can report that you want to export "all content". This will get you the items that you need from the server.
Then you need to install wordpress to your machine. You can download that from: https://wordpress.org/download/
Once you have that on your machine you also need a local server to run it and test it. I like WAMP, but it partially depends on your operating system. I suggest the following video to get you up to speed on how to get the localhost set up and running: https://www.youtube.com/watch?v=snFzbPm_RUE
Hope this helps!
I'm in the progress of setting up a development and live development environment for some basic projects I'm working on. Ideally I want git to push changes from the development server to the live site. However I want each version to use the exact same database so the posts and content are identical at all times.
Obviously the Site URL is set to only the live site so the development site's links don't work. If I overrode the site url in the wp-config.php file of each and used .gitignore to ignore both wp-config.php files would this be enough for this to work or is there something else I'm missing?
I'm posting in the hope somebody has tried it before me and that might have any answers to problems I encounter now or in the future.
Thanks in advance, Ollie
Make sure you add the .gitignore entry before changing and committing the wp-config.php.
Once you update wp-config.php, it's going to go through and update URLs in the database. Since WordPress is stateless - to say there is no session management, there is no way of tracking if a database has been swapped.
Lastly, WordPress uses a MySQL database, which wouldn't be versioned unless you went through a lot of work to do so. Aside from wp-config.php, there aren't any other stored references of what the site's URLs should be.
I am currently working on a WordPress project on a remote IIS server. I consider myself well versed in the use of WordPress, however, most of my previous projects have been on Apache servers and I am really running into problems on the IIS server.
I have contacted the host, and made sure that I have the correct file permissions. However, I cannot upload files or edit themes/plugins from the WordPress backend.
For example, when I use the WordPress theme editor panel, I make changes in the text, but when I click save there is no "Your changes have been saved message" and the file is just reverted to what it was before.
When I try to upload an image inside a post, I receive the following message:
The uploaded file could not be moved to C:\xxx\wwwroot\xxx.com\www\dev/wp-content\uploads.
I notice the slash to the right of dev is incorrect, but I cannot figure out how to change this. I have tried defining this in the wp-config file with several different variations with no luck. For example, I have tried adding define('UPLOADS', '\wp-content\uploads') and I have also tried using the absolute path.
Does anyone have any idea how I can fix this? I need to get this squared away as soon as possible, but I am not sure where to go from here. Any advice is appreciated.
Thank you for reading.
.
.
.
Edit
I have tried altering the "upload_path" via wp-admin/options.php with no success, and the following results:
When I try the absolute path, C:\xxx\wwwroot\xxx.com\www\dev\wp-content\uploads, I get the following
The uploaded file could not be moved to C:\xxx\wwwroot\xxx.com\www\dev\wp-content\uploads.
When I try wp-content\uploads in the "upload_path", I get the following
The uploaded file could not be moved to C:\xxx\wwwroot\xxx.com\www\dev/wp-content\uploads.
Chris's Blog » Wordpress upload permissions on IIS 7 Fix or Google for the IIS6 fix:
...You need to give the IUSR account Read/Write/Modify permission on
your wp-content folder.... and you need to give the IIS_IUSRS group
Read permissions on your “C:\Windows\Temp” folder.
See 10 Reasons Why Not to Host Your Wordpress Blog on a Windows/IIS Platform
you need to give php temp dir full permissions (iusr) (network service) c:\winnt\temp is the default upload dir before it moves to the wp site so this has to be set
in php admin (in iis applet) u can change the temp dir if your not liking the fact its in your NOS dir
next issue u will have is max_fileupload size also in php admin
iis works great best if your the admin of the server to quickly make the needed changes