How can I sign in a Wordpress (mu) user from outside of Wordpress? - wordpress

I'm working for a company that is using Wordpress MU to supplement other functions on a member site. We have a user signup process that creates the appropriate Wordpress MU users and blogs on signup, but I'm having real trouble figuring out how to log someone in to a WP blog from outside of Wordpress itself. The documentation for these methods seems to be non-existent or just too obtuse for me.
In the abstract I know how to do it: Take user info, set the same cookie that Wordpress would set itself. Done. It is, however, not this simple.
Has anyone done this successfully before?

I've been able to log people into Wordpress, however I was running inside Wordpress. (I was inside a theme.)
Basically, the tough part is getting all the hashes correct, because Wordpress uses a set of defined security hashes in the config file to create the cookie. Ideally you should be able to copy and paste the functions that Wordpress uses.
Yes, Wordpress documentation for security sucks, but that is what you get in an Open Source application, not stellar documentation.
What you are looking for is the wp_set_auth_cookie function in the /wp-includes/pluggable.php file. You should look into what the do_action()s actually do, but you should be able to simply replace all the constants with the correct values, and you'll have a function that can port anywhere on the domain.

Hey, it's not such a tough task, once you are using the correct instruments ;)
Try XML-RPC

Related

Google Analytics code in wordpress

I need to edit the existing GA code on our WordPress website with a different code and I intend to do the same by using an add header/footer script plugin, but I don't know if that will replace the present code. I tried to find the same on the server to change via FTP (as with our Magento site) but was unsuccessful. Can anybody update me on the same please?
You should be able to edit this via the admin itself. If you use a plugin like this https://wordpress.org/plugins/google-analytics-for-wordpress/
Otherwise, editing GA is not done in the files themselves, but within the admin. I would look within your admin; there are a lot of resources out there on wordpress integrations. You should almost never need to look in the code to find this (that's the purpose of wordpress). I couldn't exactly say where yours is, but take a look at all your wordpress plugins/integrations and configurations.

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything - a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you buy the license of Bulletproof, or use the free version + one of the others. And be careful for the equal settings.
The most common attacks are SQL Injection, XSS, plugin exploits and of course brute-forcing the admin pass. You should upgrade every plugin and Wordpress every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the url, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
It is also important to use a different admin username from admin or Admin. And use strong passwords. It's a good practice, when you make a new Wordpress installation, to make two more users. The first will be an Author and will post everything on the site; the second you should make with the Administrator role. After that delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access again. So in this case your admin will be with id:3, and again don't use a username like admin etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
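As an added example (not from the linked article or from any answer above), the two checks just described can be run against a clean copy of the same WordPress release rather than by eye: it reports changed core files, `require`/`include` lines that the release file does not contain, and files in the web root or wp-admin that the release does not ship. The `LOCAL_OK` allowlist and the sample trees built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

LOCAL_OK = {"wp-config.php", ".htaccess"}  # assumed site-specific files a release does not ship
INCLUDE_RE = re.compile(r"^\s*@?(require|include)(_once)?\b")

def digest(p):
    return hashlib.sha256(p.read_bytes()).hexdigest()

def audit(site, clean):
    """Compare a live WordPress tree with a clean copy of the same release."""
    site, clean = Path(site), Path(clean)
    report = {"modified": [], "added_includes": [], "unexpected": []}
    for ref in sorted(clean.rglob("*")):
        live = site / ref.relative_to(clean)
        if ref.is_file() and live.is_file() and digest(ref) != digest(live):
            rel = ref.relative_to(clean).as_posix()
            report["modified"].append(rel)
            # require/include lines present in the live file but not in the release file
            known = set(ref.read_text(errors="replace").splitlines())
            for line in live.read_text(errors="replace").splitlines():
                if INCLUDE_RE.match(line) and line not in known:
                    report["added_includes"].append((rel, line.strip()))
    # files sitting directly in the web root or wp-admin that the release does not ship
    for sub in ("", "wp-admin"):
        if not (site / sub).is_dir():
            continue
        for live in sorted((site / sub).iterdir()):
            shipped = (clean / sub / live.name).exists()
            if live.is_file() and not shipped and live.name not in LOCAL_OK:
                report["unexpected"].append((Path(sub) / live.name).as_posix())
    return report

def demo():
    """Build a constructed clean tree and a tampered copy of it, then audit the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-admin").mkdir(parents=True)
            (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-admin" / "admin.php").write_text("<?php // constructed stand-in\n")
        (site / "wp-config.php").write_text("<?php // constructed\n")
        (site / "index.php").write_text(
            "<?php\n@include 'db_.php';\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (site / "db_.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-admin" / "dm.php").write_text("<?php // constructed placeholder\n")
        return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

Comparing against the release rather than matching file names matters because a name such as admin.php is a legitimate core file inside wp-admin but unexpected in the web root.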

Access wordpress admin area without login

Currently I am developing a site in Opencart. For the blog, I am using Wordpress but my client does not want two different login sections for opencart and wordpress. Is it possible to redirect a user from the admin of wordpress to OpenCart and vice versa using a link without them having to enter a password each time?
Please advise. Your valuable suggestion will help me to sort out this problem.
This is possible by adding a simple plugin, which defines the needed (pluggable) login functions.
http://codex.wordpress.org/Pluggable_Functions
Basically, rather than logging into WP directly, you'd write the pluggable functions that authenticate the user using OpenCart's details. (Note that hooks allow you to make the login form redirect straight to the latter, too.)
Look for an existing plugin or module that does this. It would be surprising if none exist already.

wordpress and the $_GET method

I have recently updated a plain html website for a music festival into wordpress. All is fine and beautifulllllll(!), except for one thing. People who apply for the courses are supposed to pay for a deposit, and when they do so they should receive a confirmation email that includes a URL for the future payment of the rest of the course fee.
With the old site, we used to have something like:
http://www.mysite.com/coursefee.php?amount=10&refno=1234&name=John
The coursefee.php file used the $_GET method to create a form that would lead to the payment service (with the right amount to be paid, the correct reference number, ASO). The problem is that if I use the same configuration in wordpress.... well, things don't work. Wordpress uses url parameters as query parameters and I really don't know how to go around this issue.
Any ideas?
Thanks!!!!!
Did you check that the path to your coursefee.php file is in the wordpress root directory?
This php file is not part of Wordpress core, so if you have the standard .htaccess file, you should access it directly without initializing WordPress.

Wordpress XMLRPC advice needed

I have been tasked with creating an API for retrieving and adding content to Wordpress from a flash application and legacy CMS (non-PHP). My plan is to utilise the existing default xmlrpc endpoint and add any additional functionality by creating a plugin which hooks into xmlrpc_methods.
A previous attempt had been made by another developer based on the following code:
http://blog.5ubliminal.com/posts/remote-control-wordpress-blog-xmlrpc-api/
This code looks unwieldy and poorly documented to me and my preference would be to use this approach:
http://kovshenin.com/archives/custom-xml-rpc-methods-in-wordpress/
I would be grateful if anyone with experience in this area could confirm that:
I will be able to distinguish between separate blogs in an MU installation when both retrieving and posting data via XMLRPC
I will be able to retrieve and post to custom fields
writing a plugin is the way to go.
We do not have the option of using Wordpress 3 as it is still in Beta and we are under time pressure.
I would greatly appreciate any input / advice.
Many thanks,
I've worked with WordPress' XMLRPC system before (using a WP-Hive installation with multiple separate blogs similar to a WPMU set-up). The new approach you're using is definitely simpler and easier to implement (I tried the 5ubliminal one as well the first time).
Whether or not you can distinguish between separate blogs in a MU installation depends entirely on how you build your handler function. You can build it to distinguish the separate blogs, to only function on specific blogs, or to treat the entire system as a single WordPress site. It's all up to you.
By "handler function" I mean a custom function you define to handle XMLRPC requests that call a specific, custom method (not necessarily the default WordPress methods). For example, I use XMLRPC in all my plug-ins to report back installation progress and errors - each plug-in makes an XMLRPC call to a custom handler (method) on my server.
Yes, you can retrieve and post to custom fields.
Absolutely writing a plug-in is the way to go. The only other options are to change core files (BAD idea) or to build it into your theme, in which case it could ONLY be used on MU sites using that theme. Build it as a site-wide MU plug-in that can be controlled on a site-by-site basis by the global admin.
Wordpress XMLRPC offers various functionalities which can be harvested easily. I have used IXR_Library to parse the XML requests/responses. Currently, with a very small piece of code, I can easily post, fetch, edit and delete posts in Wordpress-based blogs, either self-hosted or on wordpress.com sites.
http://www.hurricanesoftwares.com/wordpress-xmlrpc-posting-content-from-outside-wordpress-admin-panel/ (reference)
When you have multiple blogs hosted via MU you will need site ID of all those blogs which will become the first parameter for $params (in our case 0 should be replaced with site_id).
In the reference I gave above you will see the option to fetch and post to all created custom fields (unfortunately, you can't create custom fields on the fly from my script).
You are welcome to write a WP plugin to do all of this, be my guest and let me know if you need my help. I have used the same technique to post to blogger, tumblr, Wordpress and Posterous using their API's. I hope this helps.
