I have a security question. I gave WordPress admin access to someone for a series of changes. Could he use the shell or any other way to infiltrate the server and access other hosts on the server?
By default, any user that logs in with administrative permissions can access the WordPress plugin and theme editors, and change any theme or plugin file on your site in real-time.
– From https://wordpress.org/support/article/editing-files/
That, in theory, leaves your server open to arbitrary code execution. You might consider mitigating this default vulnerability by reviewing trellis's approach of locking down the root user, and bedrock's must-use-plugin-autoloader.
(It's very cool, you define your plugins in a composer.json file. Here's the magic sauce of that.)
    "installer-paths": {
      "web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin", "roots/wp-stage-switcher"],
      "web/app/plugins/{$name}/": ["type:wordpress-plugin"],
      "web/app/themes/{$name}/": ["type:wordpress-theme"]
    },
That prevents "writing" new code to the theme/plugin folders outside the context of a theme deploy, and so elides the concern of WP admins writing whatever code they like.
(However, if you're assuming a malicious admin, you might be in need of social as much as technological approaches.)
Short Answer:
No
Long Answer:
This kind of credential can be used only from the WordPress instance.
He can modify some lines of code by using a custom plugin, but he can't go outside the theme folder.
Some plugins can modify wp-config.php, but no more.
Through settings you can disable GUI plugin installation, so only the server administrator can install them via FTP.
In general, these credentials can modify only files of that WordPress installation because they are present in that WordPress DB.
No one can access via FTP/SSH because he needs the user/password and IP of that server.
I am developing a CMS based on the WordPress multi-site approach. So far I have 5 languages and I have created a site for each language.
The idea is that when a user goes to
www.mydomian.com/uk - displays English version.
www.mydomian.com/es - displays Spanish version.
www.mydomian.com/fr - displays French version.
Now I have reached localisation of my theme. As mentioned in the theme developer handbook, I am aware of the theme localisation functions and other options in WordPress. But I am confused about how to inform my theme to load translations based on the site the user has selected. For example, if the user is browsing www.mydomian.com/es, the theme should load all Spanish translations.
Please let us know the best options for this.
Every site you add in WordPress multi-site has its own "Site Language" setting, so you don't need to set the locale from your URL pattern. The correct theme translations will be loaded automatically for each site just based on its settings.
If you didn't set the language when you added each site then go into each site's settings and change the field labelled "WPLANG" to "es_ES" and "fr_FR" respectively.
The site settings are found under My Sites > Network Admin > Sites then click edit under the site you want, and then select the "Settings" tab.
Or jump to: wp-admin/network/site-settings.php?id=<siteId> if you know the site ID number.
The site settings screen for multi-site isn't as user friendly as the standalone settings page. There is no dropdown menu for the available languages, so be sure to enter the locale code correctly.
It doesn't matter what you've chosen as your multi-site subdirectory or subdomain patterns; just note that the codes you're using in your example are not the official WordPress locale codes.
Spanish is es_ES (not es)
French is fr_FR (not fr)
British English is en_GB (not uk)
I'm having a very simple problem. I'm new to WordPress and I'm trying to install a plugin.
Everyone says there's a "plugins" option on the sidebar-menu in the admin panel, but I don't see one! I've looked for it in all the sub-menus too.
Whenever I try to search for this problem, I get results about creating a plugin to show on the admin menu.
Anyway, how can I get the plugins menu to show up?
The issue is almost certainly related to one of two things:
1) You don't have permissions (are you logged in as admin?)
OR
2) The theme (or a plugin) has disabled the plugins menu.
After you've checked to be sure that you are an administrator, then you should attempt to view this page:
http://www.yourdomain.com/wp-admin/plugins.php (replacing www.yourdomain.com with your site's domain name).
If it's accessible, then it's time to start exploring the theme (which theme are you using?) and possibly some of the plugins that might have disabled the menu item.
FYI, the method to remove dashboard menu items is covered here: http://www.wprecipes.com/how-to-remove-menus-in-wordpress-dashboard
If you did double check your file permissions (i.e. 755 for folders and 644 for WordPress files on Linux), please consider editing your wp-config.php file and changing
define('DISALLOW_FILE_MODS',true);
to
define('DISALLOW_FILE_MODS',false);
The Add New option in the Plugins menu will show up; also, if you have an internet connection, possible updates will be shown.
This is what I found looking for the same problem, I guess this is your situation also:
If your site is hosted on WordPress.com:
Plugins: Plugins are tools used to extend the functionality of the WordPress platform. However, they are only applicable to self-hosted blogs and web sites using the WordPress.org software. Plugins are not permitted here at WordPress.com for various security reasons.
On WordPress.com hosted sites, you don't have permission to install plugins. You must have your own WordPress installation to do that.
I found this post searching for help with a similar issue with a self-hosted WordPress installation -- in this case it was a site that a friend had paid someone to make, but then took them off the work and asked me to help out.
There were several regular menu options missing -- it turned out to be down to a plugin called Admin Menu Editor that the previous web guy had installed to limit the options available to my friend, so they wouldn't mess with things.
In this case I could access the options for Admin Menu Editor by going to http://www.example.com/wp-admin/options-general.php?page=menu_editor
In one of my cases it turned out to be strictly a file permission thing, so Apache users could not access the plugins directory.
I have never seen that problem before. However, try either expanding all the current menu items to see if "plugins" is listed there, or try deactivating some/all of your plugins to see if one of the plugins is conflicting somehow and making your plugins menu not display.
I know this is an old question but I hit this problem at work recently with a WordPress site I inherited that had been originally developed by an external company. I tracked it down to the roles assigned to the user account. The "admin" account I had been given was actually assigned a restricted role that didn't have permission to access most of the settings.
Fortunately, I have access to the database so I was able to modify the assigned role directly. The default database prefix in WordPress is wp but you may need to adjust these steps according to your own database.
First, find the user_id in the wp_users table for the account you want to modify and then run the following SQL against your WordPress database.
UPDATE wp_usermeta SET meta_value = 'a:1:{s:13:"administrator";b:1;}' WHERE user_id = {your_user_id} AND meta_key = 'wp_capabilities';
UPDATE wp_usermeta SET meta_value = '10' WHERE user_id = {your_user_id} AND meta_key = 'wp_user_level';
The next time you log in with that user account it should now have administrator privileges.
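Because a single wp_usermeta row decides who is an administrator, the same table is worth auditing from the defender's side. The following is an added example, not part of the original answer: it parses the serialized capabilities format shown in the UPDATE statement, lists the user IDs that hold the administrator role, and flags values PHP would fail to unserialize (for instance a wrong `s:13` length prefix). The function names and the sample rows are constructed for illustration.

```python
import re

ITEM_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def parse_capabilities(meta_value):
    """Parse a value shaped like a:N:{s:L:"role";b:1;...} into {role: bool}.

    Raises ValueError where PHP's unserialize() would reject the string,
    e.g. when a length prefix does not match the role name.
    """
    outer = re.fullmatch(r"a:(\d+):\{(.*)\}", meta_value)
    if not outer:
        raise ValueError("not a serialized PHP array")
    body, caps, pos, items = outer.group(2), {}, 0, 0
    while pos < len(body):
        item = ITEM_RE.match(body, pos)
        if not item:
            raise ValueError("unexpected element at offset %d" % pos)
        length, role, flag = int(item.group(1)), item.group(2), item.group(3)
        if len(role.encode("utf-8")) != length:  # PHP counts bytes, not characters
            raise ValueError("length prefix %d does not match %r" % (length, role))
        caps[role] = flag == "1"
        pos, items = item.end(), items + 1
    if items != int(outer.group(1)):
        raise ValueError("element count does not match a:N")
    return caps


def audit_admins(rows):
    """rows: (user_id, meta_key, meta_value) exported from the usermeta table."""
    admins, broken = [], []
    for user_id, meta_key, meta_value in rows:
        if not meta_key.endswith("capabilities"):  # wp_capabilities, wp_2_capabilities, ...
            continue
        try:
            if parse_capabilities(meta_value).get("administrator"):
                admins.append(user_id)
        except ValueError:
            broken.append(user_id)
    return admins, broken


# Constructed rows; user 1 carries the exact value from the UPDATE statement above.
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:12:"administrator";b:1;}'),  # wrong length prefix
    (4, "wp_user_level", "10"),
    (5, "wp_2_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print(audit_admins(SAMPLE_ROWS))
```

Comparing the returned administrator IDs against the accounts you expect to be administrators is the point of the check; the second list shows rows whose role data WordPress cannot read.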
If you are using the multisite feature of WordPress you will only see the plugins menu if you are super admin.
In the menu go to "My Sites" at the top of the page then click "Network Admin". (If you do not have this option you are not super admin.) Under "Network Admin" click "Dashboard" and then the plugins menu will appear. In your Network settings you can enable plugins for the sites.
The issue I was having was even trickier: No one was super admin. I fixed this by overwriting the "is_super_admin" function (simply returning true always) and then editing the settings as needed, before removing the overwrite again.
If you install a local WordPress, the Plugins sub menu will not appear for any of the sites you work on. Click the My Sites area at the top of the page, then click Network Admin and then click Dashboard. The Plugins sub menu will appear there. Then install new plugins and use them on the sites on which you are working.
Good luck.
For me, changing lines in wp-config.php worked. I changed:
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
to
define('DISALLOW_FILE_EDIT', false);
define('DISALLOW_FILE_MODS', false);
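The two constants that the answers above switch to false are the same settings that take the dashboard code editors and plugin/theme installation away from an administrator login, which is the exposure raised in the first question on this page. The following is an added example, not code from any of the answers: a small static check of a wp-config.php file that reports the effective state of both constants. The function names and sample configs are constructed; it ignores commented-out lines, keeps the first `define()` as PHP does, and treats the quoted string `'false'` as true, as PHP would.

```python
import re

# Both names are real WordPress constants set in wp-config.php (they appear on this page).
CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>.+?)\s*\)\s*;""", re.I)


def strip_comments(src):
    """Drop /* */ blocks and whole-line // or # comments (commented-out defines)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(line for line in src.splitlines()
                     if not line.lstrip().startswith(("//", "#")))


def php_truthy(literal):
    """Evaluate a PHP literal the way `if (CONST)` would; None if not a literal."""
    lit = literal.strip()
    if lit.lower() in ("true", "false", "null"):
        return lit.lower() == "true"
    if re.fullmatch(r"-?\d+(\.\d+)?", lit):
        return float(lit) != 0
    quoted = re.fullmatch(r"""(['"])(.*)\1""", lit)
    if quoted:
        return quoted.group(2) not in ("", "0")  # 'false' is a non-empty string: truthy
    return None


def audit_wp_config(src):
    """Report whether dashboard code editing and plugin/theme installs are locked."""
    seen = {}
    for m in DEFINE_RE.finditer(strip_comments(src)):
        if m["name"] in CONSTANTS and m["name"] not in seen:  # PHP keeps the first define()
            seen[m["name"]] = php_truthy(m["value"])
    edit = seen.get("DISALLOW_FILE_EDIT") is True
    mods = seen.get("DISALLOW_FILE_MODS") is True
    return {"constants": seen,
            "editor_locked": edit or mods,  # DISALLOW_FILE_MODS also disables the editors
            "installs_locked": mods}


# Constructed sample: the values two answers on this page say they switched to.
AS_POSTED = "<?php\ndefine('DISALLOW_FILE_EDIT', false);\ndefine('DISALLOW_FILE_MODS', false);\n"
# Constructed sample: a commented-out define followed by an effective hardening line.
HARDENED = "<?php\n// define('DISALLOW_FILE_MODS', false);\ndefine( 'DISALLOW_FILE_MODS', true );\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, audit_wp_config(cfg))
```

A value that is not a literal (for example one read from the environment) is reported as `None` and counted as not locked, so it gets looked at by hand.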
There might be a couple of reasons for the same. Some of them are:-
Reason 1 - When the website is hosted on wordpress.com
Reason 2 - When the user is logged in with a non-admin account
Reason 3 - When the WordPress website/blog is a part of a multi-site-network and the network admin has disabled the plugin menu
Reason 4 - Plugins Conflict
I am trying to develop a bilingual site based on WordPress (bilingual sites in Quebec are a necessary reality). The problem is I find automated translators (i.e. Google Translate) do not get the context right.
I noticed during a WordPress install (with Fantastico) I can select the folder where WordPress would live. Would it be possible to have a setup like:
public_html
|-index.html
|-english_site
|  |-wordpress install for english
|-french_site
   |-wordpress install for french
Is it feasible to have both WordPress installs hook into the same database and media uploads? Or is there a better way to avoid automated translators?
I'd definitely recommend the WPML plugin for handling multilingual sites.
One admin area, every bit of content can have multiple hand crafted translations. Including pages, posts, menus etc. Plugins also get translated if they contain the relevant translation files.
Also supports sub domains, so you could do french.yourdomain.com or yourdomain.com (english / default).
Just notice that if you install any multilingual plugin, you should NOT have multiple WordPress instances. Multilingual plugins use a single WP install to serve several languages.
The language-directories structure that you see in the URL is a virtual thing. You shouldn't have real directories on the server. WordPress should be installed in the root path, not in a language directory.
If you're looking to serve languages from different domains (or subdomains), have a look at this FAQ for how to set up your DNS and Apache.
I need to set up Drupal 6 as a multilanguage site.
1 installation, several language versions = several domains, i.e.
English at englishsite.com
French at frenchsite.com
German at germansite.com.
I've found a tutorial that suggests that you need access to the server's http.conf - this is quite unlikely on shared hosting.
Is it really necessary?
Maybe you can set it up with .htaccess or any other way.
Namely: what should I do to have such a configuration working?
(after setting Language negotiation to Domain name only on .../admin/settings/language/configure)
According to what I've found this could be resolved in at least 2 ways.
Admin interface
Make the domains point to the Drupal directory in the hosting account admin interface (which is equivalent to the http.conf edit suggestion from the tutorial)
Symbolic links
Replace the domain-specific directories with symbolic links to the Drupal directory (in Unix-based systems), i.e.
ln -s <drupalDirectory> <domainDirectoryName>