
[resolved] [Plugin: WP Security Scan] "Welcome to WP, please install your blog" (21 posts)

  1. Roy
    Member
    Posted 6 years ago #

    Just fooling around with this plugin in my test site. I installed the latest version, activated the plugin, ran the check, all worked fine. Then my eye fell on the suggestion to change the wp_ suffix for tables, so I gave it a go and changed them to tst_. The report said that all changes were successful except two wpau_ plugin tables which I had to change manually. So when I decided to see if the site was still up, I got the screen that I had to install WP and then I got a password. Very funny! So now the site is a completely fresh and new WP installation without theme, posts or anything.

    That wouldn't have been funny if it was a live site!

    http://wordpress.org/extend/plugins/wp-security-scan/

  2. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    That happened because you didn't read the instructions.

    Before running this script:

    * wp-config must be set to writable before running this script.
    * the database user you're using with WordPress must have ALTER rights

    This is printed directly above the "Start Renaming" button. You didn't ensure that wp-config.php is writable. Therefore, WordPress had no way of knowing that the prefix had changed. If you don't want to/can't make it writable, you can change the file manually like when you initially install WordPress.

  3. Roy
    Member
    Posted 6 years ago #

    1) I thought it had, but I can't access my control panel from work to check;
    2) My user has too many rights was a remark that came from the initial check.

    But just for my understanding, did the installation break over the two plugin tables that couldn't be renamed? I didn't get more errors than that. Should I have edited them manually before continuing to work in the WP admin?

  4. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    Nothing happened from the two plugin tables that couldn't be automatically renamed other than obviously that plugin wouldn't work.
    Had you ensured the wp-config was writable, or changed it by hand, WordPress would have worked fine. This can still be done. Even installing the fresh copy of WordPress won't overwrite your old tables. All you would need to do is change it in wp-config and you'll see your old WordPress.

  5. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    As for your database user having too many rights, that's a security precaution. Ideally, the database user WordPress runs as would have only just enough rights, in the event that it's compromised. For instance, you wouldn't want that user to be able to create new databases or delete databases.
    This isn't always something that you can change, depending on your hosting provider.

  6. Roy
    Member
    Posted 6 years ago #

    You said as much, but I only realised during my stroll downtown during lunch break, but the only thing that happened is that my wp-config points to a no-longer-existing database. Editing that by hand will probably suffice. I can only try that when back home.

    Even installing the fresh copy of WordPress won't overwrite your old tables.

    Just one more question (for me and people as stupid as myself). WP immediately prompted to install, so I did. Undoubtedly new wp_ tables were created. That doesn't change anything to the wp-config story, right? Change it and let hackers make their injections in not-used wp_ tables (or just delete them again).

    And this is why I have a test site. I only learn by trial and ERROR :-)

  7. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    Your database is not "no longer existing" unless you removed it.
    Neither WordPress nor my plugin can remove a database.
    I'm not sure what you mean by wp-config story, or about the not used wp-tables.

    When you used the auto table name changing functionality of the plugin, but failed to read the line telling you to ensure your wp-config.php is writable, the plugin was unable to change the wp-config.php along with your table names. When you browse to your website, one of the first things that happens is that WordPress checks wp-config.php to see what the table name prefix is, then it checks to see if any tables by that prefix are in the database. This is how it knows whether or not WordPress has been installed. Since your prefix in wp-config.php didn't match the ones in the database, WordPress had no way of knowing they existed. When you went through the installation, it created new tables in the database. However, it would not have overwritten your original tables. They should still be there. If you change wp_ to tst_ or whatever you changed the table names to, then your website should show up.
    Just a comment... for your benefit and for anyone else reading this... if you change the wp-config.php permissions to writable, please make sure you don't forget to change it back, just like with any other file that you temporarily make writable.
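
The mismatch described in post 7, as an added example that is not part of the thread and is not WordPress's or WP Security Scan's own code: a Python pre-flight check that compares `$table_prefix` in wp-config.php with the tables actually present. The function names, the three-table subset of core tables, and the sample config and table lists (including `wpau_example`) are constructed for illustration.

```python
import re

# Assumption: these three core tables are enough to recognise an install.
CORE_SUFFIXES = ("options", "posts", "users")
# Matches an active `$table_prefix = '...';` line; commented-out lines do not match.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])([A-Za-z0-9_]*)\1\s*;""", re.M)

def read_table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None."""
    m = PREFIX_RE.search(config_text)
    return m.group(2) if m else None

def installed_prefixes(tables):
    """Prefixes for which every core suffix has a table in the database."""
    names = set(tables)
    candidates = {t[:-len("options")] for t in names if t.endswith("options")}
    return sorted(p for p in candidates if all(p + s in names for s in CORE_SUFFIXES))

def diagnose(config_text, tables):
    """Return (status, other_prefixes) for a config/database pair."""
    prefix = read_table_prefix(config_text)
    found = installed_prefixes(tables)
    if prefix is None:
        return ("no_prefix_in_config", found)
    if prefix not in found:
        # The state in the thread: the site shows the installer although data exists.
        return ("config_points_at_missing_tables", found)
    others = [p for p in found if p != prefix]
    return ("ok_with_leftover_tables" if others else "ok", others)

# Constructed sample input.
CONFIG_WP = "<?php\n// $table_prefix = 'old_';\n$table_prefix  = 'wp_';\n"
CONFIG_TST = CONFIG_WP.replace("'wp_';", "'tst_';")
RENAMED = ["tst_options", "tst_posts", "tst_users", "wpau_example"]
REINSTALLED = RENAMED + ["wp_options", "wp_posts", "wp_users"]

if __name__ == "__main__":
    print(diagnose(CONFIG_WP, RENAMED))       # tables renamed, config not updated
    print(diagnose(CONFIG_WP, REINSTALLED))   # after running the installer again
    print(diagnose(CONFIG_TST, REINSTALLED))  # after editing wp-config.php by hand
```

In practice the table list would come from `SHOW TABLES` against the WordPress database.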

  8. Roy
    Member
    Posted 6 years ago #

    That was exactly what I tried to say :-)

    And I suppose that when I check my database now, I'll notice that I have both wp_ and the same tables with tst_ prefix (since I reinstalled WP).

    And don't answer this question if I take too much of your time, but how is changing the prefix safer? Of course, in all WP installations the tables have the same name, but the databases don't, so it is (relatively) easy for a hacker to access the database directly other than by exploiting WP?

  9. Roy
    Member
    Posted 6 years ago #

    Michael, one more question about your plugin.

    When I click on "scanner" I get a red line for my themes folder. It is Chmodded 555 and you recommend 755. Is it just red because my chmod is not the same? 555 Is 'better' than 755, right? If nobody can put anything in the folder, not even myself. Or...?

  10. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    You're correct. It's in red because it isn't exactly the recommended setting. A later release will show green if it <= the recommended setting.

  11. Roy
    Member
    Posted 6 years ago #

    Perhaps three colours:
    1 red: unsafe
    2 green: recommended
    3 yellow: even better

    Something like that. I'll stick to my Chmods for now.

    Thank you again for your quick answer.

  12. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    Well the problem with that is that while the recommended settings are ideal for 99% of people, different people have different needs, as well as different server setups.
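
The permission rating discussed in posts 9 to 12, as an added example that is not part of the thread and is not the plugin's code: a three-colour check that treats "no more permissive than recommended" as a bit-subset test, since a plain numeric comparison would rate 666 below 755 although it adds group and other write. The function names and scan rows are constructed; the recommended 644 for wp-config.php is an assumption.

```python
import os
import stat

BIT_NAMES = [
    (stat.S_IRUSR, "owner-read"), (stat.S_IWUSR, "owner-write"), (stat.S_IXUSR, "owner-exec"),
    (stat.S_IRGRP, "group-read"), (stat.S_IWGRP, "group-write"), (stat.S_IXGRP, "group-exec"),
    (stat.S_IROTH, "other-read"), (stat.S_IWOTH, "other-write"), (stat.S_IXOTH, "other-exec"),
]

def parse_mode(text):
    """Parse an octal mode string such as '0644' or '755'."""
    return int(str(text), 8) & 0o777

def extra_bits(actual, recommended):
    """Names of permission bits granted beyond the recommendation."""
    extra = actual & ~recommended & 0o777
    return [name for bit, name in BIT_NAMES if extra & bit]

def classify(actual, recommended):
    """green = exactly as recommended, yellow = stricter, red = grants extra bits."""
    if actual == recommended:
        return "green"
    return "red" if extra_bits(actual, recommended) else "yellow"

def mode_of(path):
    """Permission bits of a real file or directory on disk."""
    return stat.S_IMODE(os.stat(path).st_mode)

# Constructed scan rows: (name, actual mode, recommended mode).
# The wp-config.php recommendation of 644 is an assumption for this example.
ROWS = [
    ("themes/", "555", "755"),
    (".htaccess", "0644", "755"),
    ("wp-config.php", "666", "644"),
]

def report(rows):
    """Rate each row and list the bits that exceed the recommendation."""
    out = []
    for name, actual, recommended in rows:
        a, r = parse_mode(actual), parse_mode(recommended)
        out.append((name, classify(a, r), extra_bits(a, r)))
    return out

if __name__ == "__main__":
    for row in report(ROWS):
        print(row)
```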

  13. Roy
    Member
    Posted 6 years ago #

    Naturally.

    Say, but since you're online anyway, I'm struggling with this:
    .htaccess ../.htaccess 0644 755.
    A little more of the path would be nice. I have several htaccess' but I can't find the 644 one!

    [edit] I found the one, somehow it wasn't on top of the files, but somewhere around the bottom.

  14. Roy
    Member
    Posted 6 years ago #

    Michael, I know I'm nagging again, but I do have another question.
    I change the file permissions of the wp_config, change the database prefix and wp_config and without doing anything, the chmod is back to what it was. Is this a feature of your plugin, or some weird thing of my host? (The latter would explain some things.)

  15. Roy
    Member
    Posted 6 years ago #

    Pfff, I'm done. If you follow instructions, this plugin works like a charm. I also used the occasion to change usernames and passwords of the database users (not using the plugin of course) which wasn't very funny since my host has some strange demands for passwords so I messed up a couple of times. But all came out just fine in the end.

  16. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    The path starts at the same root for each file/directory. Remember, .htaccess files are hidden from many file explorers, including ls at the command line. Only your hosting company can tell you how to see it from your control panel; from the command line just type ls -a.

    I'm not sure what you mean by back to what it was, but I assume as is well.

    If you change your database user and/or database password, just make sure you change it in wp-config.php also. I'm assuming that since you aren't having a problem that you've done that (the site would have a hard time coming up otherwise).

    I'm glad I was able to help you. You asked good questions. Feel free to mark this thread as resolved :)

  17. Roy
    Member
    Posted 6 years ago #

    I can see the htaccess in my control panel's "file manager". Files are listed alphabetically most of the time, but the htaccess just was somewhere at the bottom for no particular reason. But since there are htaccess's in several folders, it would be nice if your plugin would give a little more of the path than just ../../.htaccess (something like ../wp-admin/.htaccess or wherever it is).

    Regarding the wp-config, this is a funny thing. My control panel doesn't use the numbers so I hope I give them correctly here, but all my config files were at 644 (yesterday I worked on five installations), I changed them to 666 to use your plugin (double checked after the initial mess of course) and when I use your plugin to change the prefixes, the chmod mysteriously went back to 644. This is of course a nice security feature and I wondered if your plugin does that or that my host has something of standard chmods for certain files (or whatever way of doing this).

    And well, the fuss with the database users and passwords was mostly that after an hour I found out that my passwords had to start with a letter and nothing else and I used your password creator to make them, so most of them simply weren't accepted (and I didn't get a message of that).

    Trial and error :-)

  18. Michael Torbert
    WordPress Virtuoso
    Posted 6 years ago #

    It's listed at the bottom because it's .htaccess, as opposed to htaccess.extension or filename.htaccess.

    The path origin for all of the files is the same, from the root of WordPress. That goes for .htaccess as well. Having said that, you should chmod them all to the appropriate permissions.

    It's impossible for WP Security Scan to chmod your files or directories. A current version will have functionality to do it for you, but the current version does not.

    MySQL is finicky about choosing your password. Some people find that out the hard way:) Now that you bring that up, I should probably include a notice in the plugin not to use the password generator for MySQL passwords. It's great for Unix (FTP) passwords, WordPress passwords, or most anything else though.

  19. wireless
    Member
    Posted 6 years ago #

    @ Gangleri

    I changed them to 666 to use your plugin (double checked after the initial mess of course) and when I use your plugin to change the prefixes, the chmod mysteriously went back to 644.

    I've had this problem before for another reason and found if the perms returned back to what they were when you think you've changed them - then it could be the Group / owner of the file/folder not being assigned to the correct setting. The only way to check is by using something like FileZilla and to correct it depends on your access to the files. Like me if you've got root access you can change them using something like WinSCP or simply ask the techies at your hosting company to correct them.

    Hope that helped
    Graham

  20. cruth
    Member
    Posted 6 years ago #

    Sometimes I get nutty reading "techy stuff" as some (but not all) people seem to get so arcane. Sorry, just frustrated. You find a problem, so how do you fix it? Does anyone know how to solve these two issues?

    "Before running this script:

    (1) * wp-config must be set to writable before running this script.
    (seems easy enough, but the next one is unclear)

    (2) * the database user you're using with WordPress must have ALTER rights" (HOW does one change ALTER right?)

    Thanks a mill.

  21. bryanxcole
    Member
    Posted 5 years ago #

    I attempted to change my wp_ as well, and now the whole thing is down. I made all the changes and followed all the steps correctly and now my blog reads:

    Fatal error: Call to undefined function wp() in /home/content/b/r/y/bryanxcole/html/wp-blog-header.php on line 14

    I don't understand what happened.

This topic has been closed to new replies.