spidersilk
Forum Replies Created
Forum: Fixing WordPress
In reply to: Making two directory listings visible
Thanks – that did the trick!
It did need a bit of modification for the fact that this site has two different password-protected directories – in case anyone else is in that situation, the change I made was as follows:
In the part where it says:
# If requested URL-path does not start with "/library/"
RewriteCond %{REQUEST_URI} !^/library/
I changed it to:
RewriteCond %{REQUEST_URI} !^(/1010d_notes|/2050a_notes)
where “1010d_notes” and “2050a_notes” are the names of the two directories. So basically, separate them with | and put brackets around them.
BTW, sorry for the very belated reply – I thought I’d replied quite a while back to say thank you, and only just recently realized that I hadn’t.
Forum: Fixing WordPress
In reply to: Wp .htaccess is hacked for the 2nd time
Thanks – I’ll keep looking.
I have also found out since that whatever script they uploaded has altered or replaced every .htaccess file of every site under that FTP account, not just the one WordPress blog. That includes a Drupal multisite with about 40 domains on it, and probably another 30 sites or so of all different kinds. D-:
Now I don’t even know for certain if it even started with the WordPress blog, or somewhere else. The script could be anywhere…
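An audit for the situation described in this thread, where every .htaccess file under one account was altered, as an added example that is not part of the original posts: it walks the whole account root, hashes each .htaccess file and flags redirect-capable directives that name a host outside an allow-list. The directory names, host names and file contents are constructed samples.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.IGNORECASE)

def audit_htaccess(root, own_hosts):
    """Return one finding per .htaccess file found anywhere under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, "rb") as fh:
            raw = fh.read()
        external = []
        for line in raw.decode("utf-8", "replace").splitlines():
            m = REDIRECT_RE.match(line)
            for url in URL_RE.findall(m.group(2)) if m else []:
                host = (urlparse(url).hostname or "").lower()
                if host not in own_hosts:
                    external.append((host, line.strip()))
        findings.append({
            "path": os.path.relpath(path, root),
            "sha256": hashlib.sha256(raw).hexdigest(),  # compare to a known-good copy
            "mtime": os.path.getmtime(path),  # informational; timestamps can be reset
            "external": external})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Audit a constructed two-site tree (sample data, not from the thread)."""
    samples = {
        "blog": "# BEGIN WordPress\nRewriteRule . /index.php [L]\n# END WordPress\n",
        "shop/uploads": "RewriteEngine On\n"
                        "RewriteRule ^(.*)$ http://redirect.example.invalid/x/ [R=301,L]\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(body)
        return audit_htaccess(root, own_hosts={"blog.example.org"})

if __name__ == "__main__":
    print(demo())
```

Running it again after a cleanup and comparing the hashes shows which files were rewritten in between, independent of their modification dates.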
Forum: Fixing WordPress
In reply to: Wp .htaccess is hacked for the 2nd time
Thanks for your response.
I can restore the database easily, and the plugins, themes, etc., and I’ve already restored the core WP files from a freshly downloaded copy. But I don’t think there is any recent backup of the uploads folder. 🙁
The confusing thing is, there didn’t appear to be any other files in there with recent modification dates, other than the .htaccess file, and a small handful of photos, which I checked out and they were all actual photos from a recent blog post. So I can’t figure out where they could have uploaded any sort of shell script… Is there some way it could not be visible via FTP?
I did find eventually that there were two copies of thumb.php in two themes I wasn’t using – can this exploit work with a non-active theme file? I’m now in the process of deleting every theme other than the two core ones and the one the site actually uses (which does not use any thumbnailer script).
Forum: Fixing WordPress
In reply to: Wp .htaccess is hacked for the 2nd time
OK, I’ve tried a few more times manually replacing my .htaccess file with a new one, and even tried copying out the text shown on the BPS settings page for the secure .htaccess file and pasting it into my .htaccess file manually.
But the same thing happens each time: it works very briefly, so that the first load of any admin page shows up properly (with its CSS styling intact, which is not the case when the link redirection is happening), but then as soon as I click on a link, submit a form or load any other page, even in a separate tab, the link redirection is back.
And then when I go to check the .htaccess page again, it has always been restored to its plain BEGIN WordPress / END WordPress state. Except when I used the secure .htaccess code, and then it still showed the commented lines in that, but had stripped out all the active lines for some reason. So something appears to be stripping out all code from the .htaccess file for some reason.
But the weird thing is, it’s NOT replacing it with the redirect code it originally had – that no longer seems to be present anywhere, but it must be, because the links are still redirecting.
I’m totally confused. And it probably doesn’t help that it’s now 4:30 am and I’ve been working on this for 2.5 hours. I’m going to try and get some sleep and hope maybe someone who knows more about this than I do will have answered by tomorrow…
Forum: Fixing WordPress
In reply to: Wp .htaccess is hacked for the 2nd time
A WP site I maintain has just been hit with the .htaccess hack, and I’m having trouble getting rid of it.
I haven’t been able to find any of those thumbnailer scripts, either in any of my plugins or in my active theme. It might be somewhere in an inactive theme, though, if that could work – still checking through those.
What I have done is replaced the bad .htaccess file with a new vanilla one, checked to make sure there were no other files anywhere on the site with recent dates (there weren’t, except for some photos in the uploads folder, but I checked all of those and they were actual photos that were in a blog post), changed all passwords, re-uploaded all WP core files, and installed Bulletproof Security.
But I’m still having problems. Everything seemed briefly OK when I first replaced the .htaccess file, but then halfway through configuring BPS, suddenly all the links in the admin started redirecting to the attack site again (http://shugarmail.in/inox/).
So I checked the .htaccess file again to see if it had already been replaced again – but it hadn’t been! The .htaccess file looks fine now, but links are still redirecting to the attack site, and I’m not sure how this is happening. The problem seemed to come back when I installed BPS for some reason.
Right now, I can manually get to pages like BPS’s settings if I copy and paste the link into the browser’s address bar instead of clicking on it – if I click on any link, it sends me to the attack site. But I can’t actually save any changes from any page in the admin – that just sends me to the attack site as well.
I can’t figure out how it could still be redirecting links when the .htaccess file is now back to its original state (i.e. nothing in it but the BEGIN WordPress / END WordPress lines), and no other files appear to have been modified. I didn’t spot any other .htaccess files elsewhere in the site when I was going through it… Is there some other way this could be happening?
Forum: Plugins
In reply to: [Just One Category] [Plugin: Just One Category] Stopped working with WP 3.1
Unfortunately that does not seem to work in 3.2.1 – I just tried it, and the subcategory posts are still showing up in the parent categories. Making the change didn’t generate any errors or anything – it just didn’t seem to have any effect.
Forum: Installing WordPress
In reply to: Upgraded to 3.1.1, now no posts showing up
Oh, duh – there are apparently a ton of posts saying that that plugin is broken as of 3.1, never mind 3.1.1! 🙁
The weird thing is, I could have sworn this site was running 3.1 and the plugin still worked then, but possibly I somehow missed an upgrade? Usually I’m pretty prompt about installing them… Strange. Oh well.
Forum: Installing WordPress
In reply to: Upgraded to 3.1.1, now no posts showing up
Aha! Found the problem – I was using the just-one-category plugin to make parent categories show only the posts that were specifically in the parent category, and not those in subcategories (because students looking for announcements that pertain to the whole course don’t need to see the announcements for every separate tutorial within it). And apparently that plugin doesn’t work with 3.1.1 – because I deactivated it as an experiment, and voila, now everything shows up again.
I’ve reported the plugin as broken with 3.1.1, and the system prompted me to make a separate forum post in the plug-ins category – not sure if I can just change the category and tag of this one or not. But if I can’t, I’ll put a link in that post back to this one so I don’t have to duplicate it.
Forum: Installing WordPress
In reply to: Upgraded to 3.1.1, now no posts showing up
Tried that – didn’t help. I also tried editing and resaving categories to see if that did anything, but it didn’t.
Forum: Installing WordPress
In reply to: [Plugin: WP Security Scan] No admin access anymore
Same thing with 2.8.4, but the solution at the beconfused.com site worked – with the one complication that since I didn’t have phpMyAdmin access for this particular blog, I had to write a short PHP script to execute the updates.
Forum: Fixing WordPress
In reply to: comments_template() not working on main page
Well, I poked around a bit further, and I think I found the answer, but it’s not a good answer. 🙁
In wp-includes/comment-template.php it says (on line 619):
* Will not display the comments template if not on single post or page, or if
* the post does not have comments.
And indeed, there is code in there that checks to make sure you are on either single or page before allowing the function to execute. So apparently, the inability to have comments on the index page is hard-coded into WordPress itself and not something that can be changed by anything one can do in a template. I suppose this must be new in recent versions, because I found several references to being able to use comment_template() on the index page when searching. I don’t know why they would change something like that.
So since comments on the main page was a non-negotiable demand on the part of the client I’m doing this site for, I have to either see if there’s a plug-in that will do it, or alternatively edit the comment-template.php file (and remember to re-edit every time I upgrade WP, which sounds like a headache and a half), or switch to something other than WordPress. But since that last would be heresy, I’m hoping one of the other two options works out. :-/
Forum: Plugins
In reply to: [Plugin: is_human()] Can’t seem to get this to work – or do anything at all
I also tried directly e-mailing the developer, but it bounced. I’m thinking this plugin is probably no longer supported, and we should just try something else instead.
Forum: Fixing WordPress
In reply to: comments_template() not working on main page
The comments.php file is the same as it was in the original theme, apart from a couple of minor formatting changes, and works on the single post page – but the index page doesn’t appear to be calling it.
Forum: Plugins
In reply to: [Plugin: ShareThis] Security risks with Share This
Unfortunately, using an older version doesn’t appear to be possible in WP 2.5. All it shows on the plug-in page is a notice saying you have to upgrade – there’s no option to activate the plug-in. 🙁
Forum: Fixing WordPress
In reply to: Restricting users to posting in specific categories
Er… I don’t think that’s going to do what I want. It sounds like it would make all the TAs have access to the same set of categories.
I need them each to be able to only post to their *own* category — i.e. each of them would have one category into which they can post, which no one else can post to except the site admin.
Is that possible?