So I've been trying to make several changes to a custom WordPress theme which introduces an entire overhaul of the Dashboard. I keep finding little issues with the original theme that I need to fix (not properly checking for duplicate posts when you import new ones, post metadata not getting stored correctly, posts not getting sorted into their proper categories, etc.)
As I've been working with this I've needed to look at and modify the database countless times to either see what the theme is doing to the database or fix things it screwed up. Unfortunately I was unable to install phpMyAdmin so I've been making changes by directly typing SQL and inserting it into the theme in appropriate places, then having the script die() so I can see the output of my SQL.
Suddenly it hit me that I could find a plugin which integrates phpMyAdmin functionality into WordPress. So I installed wp-phpMyAdmin.
Everything seems to be going well until I try to actually DO anything. I can view the tables, view the rows, and look at everything. But when I try to edit a row or delete a row I get redirected to a 404 error, saying that whichever part of phpMyAdmin I happened to be accessing (for example, tbl_row_action.php) doesn't exist. If I go directly to these pages without submitting the form to edit or delete a row then they work just fine and I receive an error message that my SQL query was blank.
Has anyone else experienced this? I really can't figure out exactly why or where it's sending a 404. It's absolutely ridiculous.
EDIT - A little further information:
I've learned that I only get a 404 error when phpMyAdmin calls sql.php with the sql_query parameter set
EDIT (again) - One further update:
I only get the 404 error when sql_query contains a valid query. Looking through sql.php (I haven't spent TOO much time looking, mind you) I do notice that it seems to parse the query and determine if you're SELECTing, DROPing, DELETEing, etc. so they can check your user permissions. It may be related to this parsing code.
The following queries did not give me a 404:
test
SELECT test
SELECT test FROM test
SELECT test FROM post_meta
DELETE
DROP
DROP test
The following gave me a 404:
SELECT * FROM test
SELECT * FROM post_meta
DELETE FROM
DELETE FROM test
DELETE FROM post_meta
DROP TABLE
DROP TABLE test
MORE EDITS -
So at the very top of sql.php I placed this line of code:
die("Test");
It doesn't die when I make the bad queries listed above. It goes straight to the 404 message. Clearly this is something to do with WordPress's redirect script and not with phpMyAdmin
FINAL EDITS -
I've done a lot more research and been grep'ing the heck out of WordPress.
I highly suspect that I am having this issue as the result of some new WordPress security feature. Older versions of WordPress apparently used to allow SQL to be input into URL's, which posed a HUGE security risk. As a result it's understandable that they wouldn't allow SQL to be passed through URL's now. Just before the template the value of is_404() is being set to true. It's being set within WP::parse_request() (which is called by WP::main() which is called by wp() which is called within wp-blog-header.php)
Any time there is a suspected SQL query ANYWHERE in the requested URI, I get kicked to a 404 page. I would like to change this behavior while making as few modifications to WordPress core as possible. I need someone who is really good with WordPress to help me here. I presume an answer exists involving the $wp_rewrite variable, which contains a multitude of URL rewrite rules.
PROBLEM FINALLY DISCOVERED -
For anyone interested who finds this post or was following it or simply had similar issues, I finally located the source of the 404 errors. It didn't lie with WordPress at all. The problem fell to mod_security, an Apache module which prevents any requests that look suspicious (including those with SQL in the request URI)
Always remember to set your mod_security settings properly.
WordPress shouldn't be interfering with phpMyAdmin, since the plugin loads it in a isolated iframe.
As one of his specifications for the project he wants ONLY WordPress installed on his server...
The plugin is, nonetheless, still phpMyAdmin (albeit 'wrapped' in the WordPress UI). In other words, you've already installed it ;)
...to avoid the hassle of updating and maintaining other software...
'Software' can be a dangerous term when talking web-apps - that's not to say don't use it at all, but for some it can conjure up thoughts of blue screens and runtime errors ;)
In other words, just stress that PMA is simply a collection of files on the server - it has no database of it's own, it's effectively stateless, and removal is as simple as RMD /phpmyadmin.
...he wants to be able to make all necessary administrative changes from the WordPress Dashboard
Despite the points I've already made, if it is absolutely essential that there is database management access within the dashboard, I'm about to write a quick alternative that uses phpMiniAdmin instead (that's how I stumbled on this question oddly!), and I'd be happy to share it for you to try out.
As #molnarm pointed out in the comments, why not just removed phpMyAdmin and connect to MySQL over SSH, using something like MySQL Workbench or Sequel Pro.
You would have a much easier and faster way to interact with MySQL and could delete the nightmare that is phpMyAdmin.
Related
I've transferred my wordpress website from a shared hosting to a linux VPS.
Everything is working fine instead of one thing. I'm getting realy weird pages for editing posts/pages.
I'm not sure how to name it and can't find anything on google about it, so I hope someone here can send me in the right direction.
Screenshot
At a quick glance, looks like a browser caching issue. Try the following:
Clear browser cache/cookies etc. and restart the browser/PC
Check with a different browser
Depending on how you migrated (transferred) the site, it is possible that all files did not get transferred fully and/or the database did not get imported fully. If 1. and 2. above fail, delete everything from the VPS and try again.
I'm sure when you check the network tab or console in inspect element on chrome, you will receive a lot of 404 errors because it is not able to load the required files for some reason.
What you can try is to add define('CONCATENATE_SCRIPTS', false) into your wp-config.php file. What this does is load all the javascript files individually, instead of one concatenated file.
Question: Are you using the same domain on your VPS? Or are you accessing the site on your VPS through a different domain? If so, you might want to update your database to correspond with the domain you're testing with now. Because this can cause strange behavior as well.
I want to dispaly post of non ssl wordpress site to my ssl site but while displaying images it gives mix content warning in console.
How to solve it pls help.
Solution 1 :
This is the simplest fix. If an asset (image, script, etc.) is hard-coded into a plugin or theme, change it from http://example.com/assets/logo.png to https://example.com/assets/logo.png.
Typically, this is most useful when including assets from other servers, like Google scripts, API scripts, or iframes.
Before doing this, however, you need to make sure the HTTPS version is available. If loading an asset from a site that doesn't have HTTPS enabled, it's probably best to remove the reference entirely (i.e. comment out or delete) or to save the asset to your own server and change the source to load via your site instead.
Solution 2:
References to your images are stored in your database, both in the wp_posts and wp_postmeta tables (in a standard install. You might have given your tables a prefix, but locating them should in any case be doable).
Since you mentioned using phpMyAdmin I guessed you are able editing the contents of your database with this tool.
Via phpMyAdmin you could manually locate and change the urls pointing to your images (removing the 'wp' part). But as this might be quite a few database entries, replacing all in one go is a more convenient decision.
I myself have had satisfactory results by
exporting the complete database as a .sql file through the phpMyAdmin export option.
editing this file with a text editor (converting the incorrect urls to the correct ones, make a backup copy first in case anything goes wrong, never forget the backup!)
deleting all database tables (for the wp install you're trying to correct)
importing the edited .sql file
wordprees print_thumbnail function is working correctly on testing server but it's not working on online server and giving wrong image path such as */var/www/vhosts/vinehospitality.co.za/httpdocs//wp-content/uploads/2011/12/slide-10-108048_56x56.jpg*.
So kindly help me to get proper url.
Link of website: http://vinehospitality.co.za.plesk15.wadns.net
Same problem is found in hosted on this server.
Regards
Neeraj
Not only did it work, it was SO MUCH easier for me.
Simply, delete whatever custom link you have in Media Settings. If you don't have one just put anything there..
Then save, again, put back the original path you have before, save.
Worked!
Somehow it seems wordpress reads the wrong values when you move servers and you don't resave media settings.
POSSIBLE FIX 2
Look, I've seen this problem on other threads and on other websites and no one gave information that helped most of the people with this issue, so since I somehow got my broken site to work, perhaps it will help the others who did not get their problem solved.
Here's a little background... I needed to move a wordpress site located on a dev server to the live server. They were different domain names of course. First of all, I should have followed Moving Wordpress instructions and updated the site url before I exported the database, but... I didn't because I'm obviously too cool for instructions.
In order to transfer the site, I zipped up the files and transferred them to the new server and unzipped them. Then I edited wp-config and pointed it to the new database.
I used phpmyadmin to export the old database and I imported it to the new database.
Then I ran a query on the wp_posts table to do a string replace on the guid field and replace all instances of the old domain name with the new domain name.
Then I checked in wp_options and changed 2 records to replace the old domain name with the new one. I think they were something like siteurl and home.
Everything seemed to be working fine except the theme was mangling the img urls, prefixing them with the absolute filepath.
I figured I must have missed some records in the database that give the print_thumbnail function whatever information it needs to output the right url for the img's src attribute.
I thought if I could change a setting somewhere and change it back, maybe wordpress would automatically fix the issue for me, and I was lucky.
I played around with several settings and what finally worked was:
I went to Media Settings and I unchecked Organize my uploads into month- and year-based folders -- I don't know if this had much to do with the fix.
I also changed the Store uploads in this folder to something like wp-content/uploads2. I never created that folder, but I just wanted to get it to overwrite whatever was controlling that value.
I checked the site again and there was a change to the html source... now, it didn't even give the img tags a src value... it was just like <img src title="blah blah" />, so I figured I was on the right track.
So then I went back and changed Store uploads in this folder setting and left it blank as it was originally.
After I did that, the img src values were correct.
Hope this saves someone some time.
Also, I should note, I played around with altering the file permissions for the wp-content directory. I wish I hadn't. I get the gist of file permissions, but I tend to try not to fool with them if I don't have to. Using Filezilla is a pain to change the file permissions because it takes forever. Unfortunately, as most clients, this one had a prior affiliation with their web host and refused to take my advice and host their site on a VPS that would be cheaper and allow me to use SSH and get work done much easier. I wonder if there's a fast way to chmod multiple files without ssh, I should look into that.
Cheers,
Will
Will's approach fixed the error for me, and was in fact the only answer that worked. This question is posted hundreds of times, so I figured I'd summarize the answer in short. I'll post the answer first and the research details after.
Login to WordPress
Goto Settings > Media
In "Uploading Files", modify the "Store uploads in this folder" to "http://www.yourdomain.com/wp-content/uploads2"
Notice the "2" added to the folder-name
Delete any entries in "Full URL path to files"
Save changes
Now your site should already show some images again
Do all this again but now change it back to "http://www.yourdomain.com/wp-content/uploads"
Save changes
This finally worked for me.
Gathering from other sources, this occurs mostly after moving a website from one location to another. Other fixes I did prior to this:
Within MySQL, replace the old URL in the GUID values in "wp_posts" to the new URL
Change "chmod" settings (it you never had any prior issues, don't)
Many other answers to this issue included changing chmod to give access to the files, which didn't do anything but crash the website. Other solutions would've been to change the code entirely to use a different function. I figured it's not broken, just missing a setting. Turns out that was the fact.
It worked for the domain http://www.in1week.nl, which runs on a modded DeepFocus template by ElegantThemes.com. The theme uses "timthumb" in the function "print_thumbnail()", which may have caused the issue. This reset the value needed to use the function.
I faced the same problem and had to look around a lot in search of an answer. After my host moved servers, thumbnails weren't appearing on the home page and category pages. Looking up the source showed me that the path generated for the thumbnails was incorrect. Instead of http://.. in the image paths, I was seeing absolute file paths in the server, such as /home/..
Couple of solutions that seemed to have worked for others did not work for me.
What did not work:
Changing permissions of wp-content/uploads and all the directories under it.
Changing media settings and again reverting back to original settings.
Using 'the_post_thumbnail' instead of 'print_thumbnail' function helped the thumbnails come back, but I am no programmer and could not figure out how to make the_post_thumbnail function work exactly as it was working with print_thumbnail
What worked:
In my many searches, I read someone saying that the problem was fixed by correcting the path for 'et_images_temp_folder' in the database. I ignored this for a while since I did not understand what it meant. Later, I searched wp_options table and found that it had the following entry.
option_name: et_images_temp_folder
option_value: /home/painteds/public_html/darter/wp-content/uploads/et_temp
When the servers were moved my home dir was changed from /home to /home3 Perhaps print_thumbnail was searching for /home folder, and was malfunctioning when it could not find it. Updating the database with the new value fixed the problem for me.
I got a problem that's driving me up the wall: I made a Wordpress Blog, using the Gantry framework for layout en several different widgets and plugins. Everything works fine in FF, Safari, and Chrome, but trying to open the site with IE 8 the browser crashes or in the best cases I get a message that the tab has been closed and reopened due to an error; after which the site is loaded fine. I try finding out what happens during the opening of the page, but the debug panel of IE doesn't point out any error!
Does anybody have clue on what the problem might be?
The website is: http://www.danielevecchiotti.it/
I suffered from the same attack today, so I investigated a bit:
That injection is done through the hole in one of the plugins, most likely through the outdated contact-form-7 plugin. Check if you have this folder in your wp-content/plugins directory - even if it is not activated in Wordpress, the very presence of it there is a potential security threat as the attacker can use the direct URL of the plugin faulty file to access it.
(source: http://wewatchyourwebsite.com/wordpress/2011/11/wordpress-websites-infected-through-outdated-contact-form-7-plugin)
Patching the hole: if you use this plugin, update it to the latest version which is not vulnerable. If you don't use it and just keep it deactivated (like I did), you can remove it at all.
It is also a good idea to prevent people from accessing your plugins directly. You can create a wp-content/plugins/.htaccess with the following content:
<Files *.php>
deny from all
</Files>
This might not work with every configuration, but usually plugins are only accessed in the code, not with HTTP calls so that shouldn't do harm to visitors' experience.
Restoring your site: If you don't have backup of your *.php files to restore them all from by overwriting your current ones, you need to search for every file containing the string specific to the malicious code, e.g. "eva1fYlbakBcVSir". Then you need to edit all those files - for every file, remove a long line from it's end.
Or if you're proficient with command line and, say, perl, you can build a regular expression to do the work for you.
What was the purpose of the attack? Obviously there were links to some Java plugin added to your site's pages by those code snippets. The plugin added is believed to be the following: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278
However, I didn't manage yet to decipher the injected code fully - it's very well messed up and the reverse engineering is hard. So I can't tell for sure that apart from showing that Java plugin to visitors the exploit was doing nothing like reading users' passwords or removing some files (unlikely, but possible).
I can't find any information about that as well, looks like nobody traced the consequences fully yet.
Please share if you know more.
I finally found the problem: the site has been HACKED!
I noticed the index.php and wp-blog-header.php files modified on a strange date and time. Downloading the two files I found they had been compromised: a whole section of unreadable code had been added. Uploading the original PHP files the above problem was solved.
It seems that using the define('RELOCATE') command is a convenient tool to perform site development using a local database and webserver, then to upload into production. Otherwise, its necessary to perform SQL REPLACE commands to update all the URLs in the posts, media and other content.
The Wordpress codex specifically states that it must be removed, but occasionally after removing, the links revert back to the dev server. Is there a reason for removal? it doesn't seem that security should be the issue, perhaps performance?
Thanks,
Jonathan
The reason you remove it is because define('RELOCATE',true); will point every visitor of your site to the admin login.
If you are still getting re-directed to the dev server then you need to re-configure your database.