No longer able to access Wordpress admin panel

I am no longer able to access the admin panel of a Wordpress site. 2 days ago I added a plugin, loaded some new content, and things were working fine. The client loaded some regular blog posts, and today, it no longer works.
First of all, the error itself:
I go to URL: mydomain.com/wp-admin, the browser redirects to: mydomain.com/wp-login.php?redirect_to=http%3A%2F%2Fmydomain.com%2Fwp-admin%2F&reauth=1
The error message says:
Not Found
The requested URL /mother/18/readf.php was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to
use an ErrorDocument to handle the request.
What I know so far:
Nothing in .htaccess redirects to mother/18/readf.php
A search of similar errors gives a lot of results where urls within normal sites seem hijacked to sell antidepressants, viagra, etc. When I say normal sites I mean that there are sites that do logistics,
https://www.google.com.ar/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=mother//readf.php&safe=off&nfpr=1&start=10
Disabling all plugins doesn't help (I renamed the plugins folder and then tried to log into the admin).
Searching the database for readf.php or mother doesn't show anything obvious.
The client claims to only have made changes to content since yesterday, when the site admin was still working. (Yes, claims... they have superadmin access, so this might not be true).
Has anyone come across this issue? Any ideas on what I can look for next?

Sounds like you got hacked. Time to fix it right the first time, or you will get hacked again. You need to replace all core WP files/folders (except wp-config.php and wp-content), but scan the uploads folder and theme for exploit code and modified files or added files, like readf.php. Replace all plugins, too.
Also scan the database for eval code and added administrators. (See "My Site was Hacked" below).
Change all host, FTP and WordPress passwords in the process. Scan your own PC for malware that might have grabbed logins and passwords.
Tell your web host you got hacked; and consider changing to a more secure host.
Carefully follow FAQ - My Site Was Hacked at WordPress.org.
Then take a look at the recommended security measures in Hardening WordPress and Brute Force Attacks at WordPress.org.
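The file scan recommended in the answer above can be sketched as follows. This is an added example, not part of the original answer: it flags PHP files under uploads, files containing eval-of-decoded-string constructs, and PHP files modified after the last known-good day. The directory tree, the pattern list and the two-day cutoff are assumptions constructed for the demonstration.

```python
import os, re, tempfile, time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
# Assumed pattern list: constructs typical of injected loaders, rare in normal theme code.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
    re.I)

def scan(wp_content, since_epoch):
    """Return sorted (relative_path, reasons) for PHP files that need manual review."""
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("uploads/"):          # uploads should hold media, not code
            reasons.append("php-in-uploads")
        if SUSPICIOUS.search(path.read_bytes()):
            reasons.append("obfuscated-eval")
        if path.stat().st_mtime >= since_epoch:  # changed after the last known-good day
            reasons.append("recently-modified")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)

def demo():
    """Scan a constructed wp-content tree (sample data, not from a real site)."""
    now = time.time()
    old = now - 30 * 86400
    files = {
        "themes/mytheme/functions.php": b"<?php add_action('init', 'mytheme_setup');",
        "themes/mytheme/footer.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "uploads/2024/01/readf.php": b"<?php echo 'placeholder';",
        "uploads/2024/01/photo.jpg": b"\xff\xd8\xff",
    }
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp)
        for rel, body in files.items():
            p = wp / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
            stamp = now if rel.endswith("readf.php") else old  # only readf.php is new
            os.utime(p, (stamp, stamp))
        return scan(wp, since_epoch=now - 2 * 86400)

if __name__ == "__main__":
    print(demo())
```

A clean result from a scan like this does not prove the site is clean; it only narrows where to look before core files and plugins are replaced from known-good copies.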

Related

WordPress login page just refreshes after successful login

Background:
I have a WordPress website that lives in a Google Cloud-based load balanced environment, and as I work through getting CI/CD setup I elected to isolate one of the servers so that my team could properly run through isolated testing. Since the website is on a regular domain (www.mybusiness.com), I created a duplicate database from our production DB and pointed the isolated server at this new test database. From there, I updated both the 'siteurl' and 'home' values with the isolated server's IP address in my wp_options table, and from there I can access my isolated WordPress site by simply using the URL. However, this is where things get frustrating: the login page simply refreshes after a successful login attempt, while blatantly incorrect login attempts with invalid credentials properly return user login error messages.
After countless hours searching the Internet, Stack, and elsewhere, I've found that the most common solutions are either:
Clear your browser's cookies / cache.
Try logging in with completely different devices (other cell phones, laptops) to confirm it's not a device or local browser-cache issue.
Deactivate and test each plugin.
Confirm your 'siteurl' and 'home' values are correct.
Test your .htaccess file to confirm that's not the problem.
Clear your user's WordPress 'session_tokens' meta_key value.
Revert back to an older / default WordPress theme to confirm if it's a theme problem
Run WordPress's built-in DB repair tool.
Create new WordPress salts and swap them in inside the wp-config.php file.
Enable the 'WP_DEBUG' constant to see if anything in the error logs pops up.
Test non-HTTPS versions of 'siteurl' and 'home'.
After trying all of the above, nothing seems to work: reverting to an older theme (twentynineteen) still presents the same login page refresh issue, and I've gone through every plugin on the server to see if deactivating one or all of them creates a solution - none seem to be the root cause. Error, mysql, and auth logs are also maddeningly clean.
Interestingly, if I add a trailing slash to my IP address-based 'home' and 'siteurl' value, from 'https://11.11.11.11' to 'https://11.11.11.11/' I do successfully get to the correct internal landing page (https://11.11.11.11/landing-page/) - however it just displays a 404 with the basic white screen.
Current WordPress version: 5.4.7
This leaves me with a few questions:
Is this a file permissions issue somewhere? Are there any key WordPress files in which permissions could create this effect?
Would Apache or anything VPC be in play here? I checked out our Apache .conf files, but those don't seem to be the suspect.
Should we look into a WordPress upgrade knowing we're a bit behind with 5.4.7?
Thank you in advance for the help!

WordPress automatic login but no wp-admin access

I was given a PHP project based on a WordPress site. The thing is, I can't access the wp-admin panel. I saw a lot of questions about that on StackOverflow, but I couldn't find an answer to mine.
Login to WordPress is done through wp-config.php with the MySQL settings (I can see it because when I put wrong credentials I cannot access the project's internal pages).
I was told I can access the wp-admin panel by adding wp-admin to the URL. There is no wp-login.php file as it is an automatic login.
Actually when I put in my URL http://localhost:9999/html/pages/wp-admin (which is the location of my folder wp-admin), I just get the list of subfolders.
I connect well with an administrator account (in the database it is written wp_capabilities | a:1:{s:13:"administrator";b:1;}) however when I test with the current_user_can('administrator') function, I am not considered as admin.
Can you help me by directing me to where to look?
As per my comment to the original question, it could seem that you're missing some core files or functionality in your WordPress application. One way to solve this is to "manually" update your WordPress.
How to manually update WordPress: https://www.wordfence.com/learn/how-to-manually-upgrade-wordpress-themes-and-plugins/
I will also mention that it is generally a bad thing that your website directory is accessible through the browser display. The reason for this is that it will be easy for people with malicious intent to look for security breaches.
One way to prevent this is to edit your .htaccess file to include the following:
Options -Indexes

New to Wordpress and my new web host has it by default so I am stuck

I recently obtained a domain and website through bluehost. They have Wordpress installed and I am unable to figure out how to bypass it so I can code old school. I would really rather learn Wordpress but don't know where to start.
So two questions:
1. What WordPress files are blocking me from the site recognizing the usual Default page's code? (I create test HTML in Default which is bypassed somehow and will only show the WordPress default page in progress; my code is not overwritten, just ignored?)
2. I'd be happy to learn myself, but don't know a good resource. Went to the WordPress site and they have a free webpage I can play with. Should I just get the free one in order to learn what's what... or is that going to be dumbed down and different than having it installed on a web host site?
I am a fairly advanced programmer and feel that I should be able to pick this up rather quickly if I can only get past this first hurdle.
Thank you for any information or suggestions.
What loads by default at a domain (ex: www.yoursite.com) is controlled by the web server which uses a configurable list of filenames like index.html, index.php, Default.aspx etc. You can learn more about how that works here.
Normally, your web host will allow you to have some control over that list, and the precedence one file takes over another when the web server refers to the list. Perhaps you have an administrative interface or dashboard control which allows you to configure this for your site. If not, you'll have to contact support at your web host to have changes made to that list.
1) Nothing is blocking you from seeing a page on your web server at a specific address, only from allowing one page or another to be what loads by default at the root web address, as explained above. If you have FTP access to your website directory, and can upload a file there, you can still browse directly to it, even though the WordPress installation's default page is showing up at your root web address. Just enter the specific file name in your browser, and you will browse to that page, ex: www.mysite.com/somepageicreated.html
2) Learning is always good either way, but you either want to learn to make WordPress sites or you want to learn to make your own websites. I'll assume WordPress for now, since you mentioned a preference for that platform. Just remember though: working with WordPress sites is not making your own website, it is changing a WordPress template to be as close as possible to what you want your website to be. This may or may not suit your requirements.
Playing with a free example from WordPress can be very useful for picking up the basics. Once you've played there for awhile and feel a bit more aware of how things work, take what you've learned and apply it to shaping your own site into what you'd like. Just remember to always create a backup of anything you mess with, so you can always return to an earlier state if you really mess things up good :)
Good luck!

Drupal 7: Localhost/user link defaults to website/user

I am really new to Drupal and playing around with this existing Drupal site.
I did a FTP transfer of all the files to my local computer directory. I currently got it on a Vagrant box and I can access the site via http://192.168.56.101/html.
I can do http://192.168.56.101/html/anything-but-user and it brings me to the proper area on the site. However I can't do localhost/html/user, because it redirects me to the website URL rather than the local URL.
I tried clearing the cache (with Drush). I scanned all files in the system and changed the web url to the local URL [not sure if I need to do any other command], and I can't seem to find anything in the .htaccess files that would lead me to this.
The href="/user I would greatly appreciate any advice or help in figuring out this solution.
--UPDATED
There was a module called "Secure Pages" that was causing the user and registration links to be locked and static to prevent redirects to phishing sites. I had to disable this module using "drush pm-disable securepages" in the terminal.
Some typical items you may want to check:
Check if you get the same problem using another browser. If with another browser it works, then it is pretty sure a cookie problem. To solve that, delete the cookie in the browser where you have the problem.
Make sure "clean urls" is enabled. Refer to "https://drupal.stackexchange.com/questions/165029/clean-url-leads-to-duplicate-url-after-migration-to-another-hosting/165044?s=1%7C3.9647#165044" for more details on that.
Make sure the value of "base_url" is set correctly (in your settings.php).
If module Secure Pages is enabled, then try to (at least temporarily) disable that module to see if it helps.
Apparently, there was a mod called "SecurePages" that was causing the URLs to be static to prevent someone from changing them and redirecting users to a phishing site.

What did I do wrong with my Wordpress or DNS settings? Login loop

We built a website for a client using Wordpress. We used a testing server which always works well. Wordpress was hosted as a subdomain, i.e. http://wordpress.ourcompany.com. I have direct and full access to the server. In the etc/apache2/sites-available directory the file describing the site in question uses the final name http://clientsite.com as ServerName, our temporary subdomain (under which we have been building) is a ServerAlias.
When we were almost ready, we of course asked the client (who already had a website) for their domain login. We changed the DNS like always. It resolved, the site worked well. Although Wordpress kept redirecting (of course) to the subdomain-variant, we could enter the site with the full domain.
Now comes the culprit. I changed the Wordpress settings (siteurl and home) to match the new site. The front-end works brilliantly. However, the back-end is unreachable as long as the settings are in this way. The login page shows up, but just redirects back to itself. If I simply change the Wordpress settings (in the options table) I can log back in, but we want to rid the subdomain necessity (of course).
Things I've already tried (I'm not one to easily ask of your time):
Clear .htaccess
Clear my cache & cookies
Different computer, different browser etc.
Change only the home and not the blogurl value. Sadly, this corrupts some plug-ins
Remove all plugins
Comment some lines as instructed in the wp-login file
Naturally, everything I could find on codex.wordpress
Set the admin cookie path
So, brilliant collective mind that is Stack Overflow, what did I do wrong? DNS? Wordpress settings? Thank you in advance.
You need to go into the settings on the live server and change the URLs to the current site. You'll have to do this by accessing the database directly. It's the wp-options table, and there are 2 entries where the URLs are the value. Update those. That should fix the looping.
I found an answer today: the user in the database didn't have the right permissions. You can look up in the error log if there are lines that indicate this.
I had also tried before: removing all content from htaccess, reinstalling WordPress, etc.
