Common Wordpress Issues
Wordpress Permissions
Replace ${WP_ROOT} with the directory where WordPress is installed. If you are already in the WordPress document root, replace it with a dot (.).
find ${WP_ROOT} -exec chown :apache {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;
Changing Site URL
To check the current URL, first select the database with the 'use' command (e.g. use live_database;), then run:
SELECT * FROM wp_options WHERE option_name = 'siteurl' OR option_name = 'home';
Now we can update the URL:
UPDATE wp_options SET option_value = 'http://notes.lukeslinux.co.uk' WHERE option_name = 'siteurl' OR option_name = 'home';
.htaccess rewrite
Used for permalinks
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on [NC]
# mod_rewrite carries the original query string over on its own, so it is not appended to the target here
RewriteRule ^/?(wp-admin/|wp-login\.php) https://mysite.com%{REQUEST_URI} [R=301,QSA,L]
wp-config FTP
define('FS_METHOD', 'direct');
define('FTP_BASE', '/var/www/vhosts/example.com/httpdocs/');
define('FTP_CONTENT_DIR', '/var/www/vhosts/example.com/httpdocs/wp-content/');
define('FTP_PLUGIN_DIR', '/var/www/vhosts/example.com/httpdocs/plugins/');
#define('FTP_PUBKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa.pub');
#define('FTP_PRIKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa');
define('FTP_USER', 'FTPusername');
define('FTP_PASS', 'FTPpassword');
define('FTP_HOST', 'localhost');
define('FTP_SSL', false);
Auto Install Plugins (without FTP/FTPs details)
vim /var/www/vhost/website/wp-config.php
define('FS_METHOD', 'direct');
XMLRPC
To prevent xmlrpc attacks, add the following to a .htaccess file. These are Apache 2.2 access directives; on Apache 2.4 they rely on mod_access_compat.
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
What is an xmlrpc attack?
XML-RPC supports system.multicall, which executes multiple methods inside a single request. This allows applications to pass multiple commands with one HTTP request.
This means that bots and attackers can use the system.multicall method to guess hundreds or thousands of passwords with a single HTTP request.
Attackers can make thousands of password attempts with just 3-4 HTTP requests. These requests bypass security tools designed to block brute-force attempts. Each request produces only one entry in the log file.
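Because the access log shows one line per request, spotting this means looking inside the POST body. The following is an added example, not part of the original page: it counts the sub-calls carried by one xmlrpc.php request body. It assumes the body has already been captured (for example by a WAF or reverse proxy); the threshold, the function names and the placeholder method name example.method are assumptions, and the sample bodies are constructed.

```python
import xmlrpc.client
from collections import Counter

MAX_SUBCALLS = 5  # assumed policy threshold, tune per site


def constructed_body(n: int) -> bytes:
    """Build a constructed system.multicall body with n placeholder sub-calls."""
    calls = [{"methodName": "example.method", "params": [i]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def inspect_xmlrpc_body(body: bytes, max_subcalls: int = MAX_SUBCALLS) -> dict:
    """Classify one POST body sent to xmlrpc.php by how many calls it carries."""
    # XML-RPC needs no DTD; refusing one keeps entity-expansion tricks away from the parser.
    upper = body.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return {"verdict": "reject", "reason": "DTD not allowed", "subcalls": 0}
    try:
        params, method = xmlrpc.client.loads(body)
        if not method:  # a response or fragment, not a methodCall
            raise ValueError("not a methodCall")
    except Exception:
        return {"verdict": "reject", "reason": "malformed XML-RPC", "subcalls": 0}
    if method != "system.multicall":
        return {"verdict": "allow", "reason": "single call", "subcalls": 1}
    # system.multicall takes one parameter: an array of {methodName, params} structs.
    calls = params[0] if params and isinstance(params[0], list) else []
    names = Counter(c.get("methodName") for c in calls if isinstance(c, dict))
    top = names.most_common(1)[0] if names else (None, 0)
    verdict = "block" if len(calls) > max_subcalls else "allow"
    return {"verdict": verdict, "reason": f"{top[1]}x {top[0]}", "subcalls": len(calls)}


if __name__ == "__main__":
    for n in (3, 500):
        print(n, inspect_xmlrpc_body(constructed_body(n)))
```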
—
NOTE: WordPress, Drupal and most content management systems support XML-RPC.
It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages.
JetPack
This WordPress plugin comes with brute-force protection for xmlrpc.php.
Note: This is site specific and will not cover WordPress sites system wide.
If you are a hosting reseller, you will want to add something similar to the code below. It allows the WordPress IP range (the current IP range) and denies potential attacks:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>
Jet pack: https://wordpress.org/plugins/jetpack/