What are Common Commands to Update WordPress Using WP-CLI?

WP-CLI is a very handy set of commands. You can run anything that you would run in wp-admin on a WordPress site, but from the command line. WP-CLI includes useful commands for keeping WordPress core, plugins, and the default themes that come with WordPress updated.


Troubleshooting: Too Many Redirects

The error “too many redirects” means that the website keeps being redirected between different addresses in a way that will never complete. Often this is the result of competing redirects, one trying to force HTTPS (SSL) and another redirecting back to HTTP (non-SSL), or between www and non-www forms of the URL.


Reset Your WordPress Admin Password

Whether it's a hacked site or a lost password, you may find that you are locked out of your WordPress Admin control panel. If you’ve forgotten your password or don’t have access to the email address that the “Lost your password?” link sends to, you still have one more option to access it. Through the database! WordPress’ database stores all WordPress usernames, encrypted passwords, and users’ email addresses, and thus can be edited through a database client like phpMyAdmin. In this tutorial, we’ll be showing you how to edit the email address and change your user’s password.


How To Change Website Name in WordPress

You may have noticed, when transferring a website, that the URL is still stuck on the old site even though you have changed the virtual host file to reflect the new domain name. Or you may see the URL entirely greyed out in your WordPress portal. This mismatch can happen if you can’t change the URL within WordPress to reflect the new site name. In this tutorial, we will show you how to change the URL through the database.

Step 1: Enter the Database

If you don’t have your database credentials, you can grab them from your wp-config.php file, usually located in /var/www/html. Copy your username and password; you’ll need these to enter phpMyAdmin.

/** MySQL database username */
define('DB_USER', 'yourusername');
/** MySQL database password */
define('DB_PASSWORD', 'userpassword');

If you use Ubuntu 14.XX or higher, you can visit https://yourhostname.com/phpmyadmin and enter the database username and password copied from your wp-config.php. CentOS users can usually go to their WHM panel and type “phpMyAdmin” into the search bar for a shortcut into their database. With specialty platforms like Managed WordPress or Cloud Sites, check with your support team to locate your phpMyAdmin instance.

Step 2: Find the WP_Options Table

Once you’ve entered phpMyAdmin, click on your database name on the left; in this case, ours is named 929368_kittens. In WordPress' database, the wp_options table has the siteurl and home rows needed to change the URL.

Locate wp_options; afterwards you’ll see rows on the right-hand side. The home and siteurl rows are needed, as we will be changing these values to the new website name.

Note:
If these entries are not readily visible, search for home or siteurl in the Filter rows: search box to find them.

Select Edit in the row of siteurl and home to edit the URL, including “http” or “https” (if you already have an SSL on the domain name). Once you’ve changed your URL, select GO to save your changes.


Step 3: Update DNS

Your WordPress instance is now set to your new URL!  If you haven’t done so already, you may need to set your A record to your new IP address or clear your browser’s cache to visit your new URL.

Changing the domain name within WordPress is simple enough but sometimes code within an nginx.conf or .htaccess file can also direct a site back to the old domain name. It should also be noted that sometimes a plugin, theme or database can be referenced or hardcoded to read an old domain name.  For either problem, the Velvet Blue’s plugin or WP-CLI’s search and replace command cater to the issue.  Our Managed WordPress platform performs name changes automatically from our control panel, as well as core updates.  Check out how our Managed WordPress product can streamline your work.

WordPress Exploit – AMP Plugin

AMP for WP - Accelerated Mobile Pages allows your site to be faster for mobile visitors. Along with last week’s report, the AMP plugin has also been added to the list of exploited plugins. The AMP for WP plugin was reported on October 20, 2018, by its developers. Luckily, the newest version of this plugin, 0.9.97.20, has patched the known security flaws. This exploit has the means of putting 100,000+ users at potential risk, so it's best to check if you are utilizing this plugin. In this tutorial, we will be checking if you use this plugin. Along with updating, we will also show you how to check your site for compromises.

In the vein of the WP GDPR plugin exploit, the AMP hack uses a code vulnerability to make site-wide changes. Bots scan for sites using the AMP plugin and use an XSS security bug to create a new user that has admin-like privileges. The code in the vulnerable versions (below 0.9.97.20) didn’t cross-check whether registered users had the permissions to perform some actions. With administrative-like privileges, a hacker can hide their code within your WordPress files and use it to take over your website. Additionally, they can upload files, update plugins, read files, and inject posts.

Identify If You Use AMP for WP

By logging into your WordPress backend you can easily see if you are subject to this exploit.

Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.
Step 2: Login with your WordPress username and password and navigate to Plugins and click on Installed Plugins on the left-hand side of your screen.
Step 3: Scroll down through any installed plugins to see if you have Accelerated Mobile Pages within your list, followed by its version. Any version below 0.9.97.20 is still vulnerable and you’ll have to perform a few actions to protect yourself.

Upgrade AMP – Accelerated Mobile Pages

Note: It’s recommended to backup your website before pushing any updates.

Step 1: Follow the steps above in the section “Identify If You Use AMP for WP” to login and locate your Plugins menu.

Step 2: Locate Accelerated Mobile Pages. If you are running an outdated version you’ll see a message providing you a link to update. Click “update now” to automatically update to the latest version.


Have You Been Hacked?

A site hack is possible even without noticing any visual differences to your site. For a closer inspection below are some of the characteristics of the AMP exploit.

Characteristics of the AMP hack:

  • External Calls to sslapis.com
  • New creation of WordPress admin user “supportuuser”
  • Post injections
  • Registered user can manipulate code
  • Code vulnerability in ajax hooks
    • ampforwp_save_steps_data
    • wp_ajax_ampforwp_get_licence_activate_update
    • wp_ajax_ampforwp_deactivate_license
    • wp_ajax_ampforwp_save_installer
    • wp_ajax_amppb_export_layout_data
    • wp_ajax_amppb_save_layout_data
    • wp_ajax_ampforwp_get_image

If you have identified that your site is compromised from the above characteristics, you’ll want to remedy it immediately since other sites on the same server can potentially be affected.

  • Liquid Web customers can purchase a Malware Clean Up package
  • Manually remove the code from the infected files
  • Restore from a backup dated before October 20, 2018 (keep in mind this will still have the old version and your site will still be in danger).

As time goes by, more plugins will give way to more vulnerabilities but there are some proactive steps to ensure your site’s security. For insight into ways of protecting your WordPress site look into our article on the subject, The Best Ways to Protect Your WordPress Site.

 

WordPress GDPR Plugin Exploit – All You Need To Know

As of November 9, 2018, the WP GDPR Compliance plugin has been exploited by hackers. This plugin aids e-commerce site owners in compliance with European privacy standards. Since the very nature of GDPR is to protect the personal data and privacy of EU citizens, it should be tended to as soon as possible to avoid a costly cleanup. WP GDPR Compliance is also known for working in conjunction with many forms including Contact Form 7, Gravity Forms, and WordPress Comments.

The main characteristic of this hack is the addition of new users with admin privileges. These administrative users have full access to your WordPress site. With admin users, a hacker can alter your site without your knowledge, including making rogue pages or selling your visitors’ information.

This article shows WP GDPR users how to:

 

If you are familiar with how to log in to your WordPress backend you can easily see if you are using this plugin.

Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.

Step 2: Login with your WordPress username and password and navigate to Plugins and click on Installed Plugins on the left-hand side of your screen.

Step 3: Scroll down through any installed plugins to see if WP GDPR Compliance is within your list.  On this screen, you’ll be able to see the version of the plugin to the right of the plugin name. Any version less than 1.4.3 is vulnerable and should be updated.


Note:
Documented evidence shows an inactive GDPR plugin is not vulnerable to the exploit.
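
The version checks in the AMP and WP GDPR identification steps can also be done from the shell. The following is an added example, not part of the original article: it reads the CSV printed by `wp plugin list --fields=name,status,version --format=csv` and flags installs older than the fixed versions named on this page. The plugin slugs, the function names and the sample rows are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: flag plugin versions older than the fixed releases named
# in the article. Slugs are assumed to be the wordpress.org plugin slugs.

# Fixed release for each plugin discussed on this page.
fixed_version() {
    case "$1" in
        accelerated-mobile-pages) echo 0.9.97.20 ;;
        wp-gdpr-compliance)       echo 1.4.3 ;;
        *) return 1 ;;
    esac
}

# True when version $1 is strictly older than $2. sort -V compares each
# dotted component as a number, so 0.9.97.9 sorts before 0.9.97.20
# (a plain string comparison would get this wrong).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name,status,version" CSV rows on stdin and reports outdated plugins.
# An inactive WP GDPR Compliance install is reported separately, following
# the note above that an inactive plugin is not vulnerable.
audit_plugins() {
    while IFS=, read -r name status version; do
        fixed=$(fixed_version "$name") || continue   # skips header and other plugins
        if version_lt "$version" "$fixed"; then
            if [ "$name" = wp-gdpr-compliance ] && [ "$status" != active ]; then
                echo "$name $version OUTDATED-INACTIVE"
            else
                echo "$name $version VULNERABLE"
            fi
        fi
    done
}

# Constructed sample of the CSV output, for a dry run without WP-CLI.
sample_plugin_csv() {
    cat <<'EOF'
name,status,version
accelerated-mobile-pages,active,0.9.97.9
wp-gdpr-compliance,inactive,1.4.2
akismet,active,4.0.8
EOF
}

sample_plugin_csv | audit_plugins
```

On a live site, pipe the real `wp plugin list` output into `audit_plugins` in place of the sample.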

 

Although this is a severe exploit, it is easy to patch and protect yourself by performing a simple update.

Step 1: Follow the steps above in the section “How to Identify if you use the WP GDPR plugin” to login and locate your Plugins menu.

Step 2: Afterwards, find WP GDPR Compliance, if you are running an outdated version you’ll see a message letting you know you can update. Selecting the “update now” link will automatically upgrade to the newest version.


 

There are a couple of routes for identifying this hack, listed below, but you can also use the Wordfence Security Scanner or read our blog article on the subject of exploitation.

Indicators of Compromise include the following characteristics:

  • Creation of new users with Admin privileges
  • Database users in the wp_users table named t2trollherten and t3trollherten
  • URLs inserted into the code have been seen as pornmam.com
  • Installation of the 2MB Autocode plugin, executed by WP-Cron via WooCommerce’s woocommerce_plugin_background_installer
  • The wp_options table within your database has an entry starting with 2mb_autocode, or default_role is set to anything other than “subscriber”
  • Recent edits to the wp-super-cache/wp-cache.php file
  • Creation of a backdoor file, /wp-content/uploads/…/wp-upd.php
  • Incoming IPs from:
    • 109.234.39.250
    • 109.234.37.214
    • 195.123.213.91
    • 46.39.65.176
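
The indicators listed in the AMP and WP GDPR sections can be checked from the shell. The following is an added example, not part of the original article: it looks for requests from the listed IPs, requests for the wp-upd.php backdoor, the backdoor file itself, PHP files that reference sslapis.com, and the attacker account names. It assumes an access log with the client IP as the first field; the function names, the docroot layout and the sample data are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example: checks a site for the indicators listed in the AMP and
# WP GDPR sections. Log format (client IP first) and paths are assumptions.

IOC_IPS='109.234.39.250 109.234.37.214 195.123.213.91 46.39.65.176'
IOC_USERS='supportuuser t2trollherten t3trollherten'

# Access-log lines whose first field is exactly one of the listed IPs.
ioc_log_hits() {
    awk -v ips="$IOC_IPS" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        $1 in bad' "$1"
}

# Requests for the wp-upd.php backdoor anywhere under uploads.
backdoor_requests() {
    grep -E '"(GET|POST) /wp-content/uploads/[^" ]*wp-upd\.php' "$1" || true
}

# wp-upd.php on disk, plus PHP files that reference sslapis.com.
ioc_files() {
    find "$1/wp-content/uploads" -type f -name 'wp-upd.php' 2>/dev/null || true
    find "$1" -type f -name '*.php' -exec grep -lF 'sslapis.com' {} + 2>/dev/null || true
}

# Reads one login per line on stdin (for example the output of
# `wp user list --field=user_login`) and prints the listed attacker accounts.
rogue_users() {
    while IFS= read -r login; do
        for bad in $IOC_USERS; do
            [ "$login" = "$bad" ] && printf '%s\n' "$login"
        done
    done
    return 0
}

# Builds a constructed docroot and access log for a dry run; prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2018/11" "$d/wp-content/themes/x"
    echo '<?php // constructed' > "$d/wp-content/uploads/2018/11/wp-upd.php"
    echo '<?php $u = "https://sslapis.com/x"; // constructed' > "$d/wp-content/themes/x/functions.php"
    echo '<?php // clean' > "$d/index.php"
    cat > "$d/access.log" <<'EOF'
109.234.39.250 - - [09/Nov/2018:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12
203.0.113.7 - - [09/Nov/2018:10:00:05 +0000] "GET /wp-content/uploads/2018/11/wp-upd.php HTTP/1.1" 200 0
198.51.100.9 - - [09/Nov/2018:10:01:00 +0000] "GET /?ip=46.39.65.176 HTTP/1.1" 200 5120
EOF
    printf '%s\n' "$d"
}

site=$(make_sample)
echo "[log] requests from listed IPs:"; ioc_log_hits "$site/access.log"
echo "[log] backdoor requests:";        backdoor_requests "$site/access.log"
echo "[fs]  suspicious files:";         ioc_files "$site"
echo "[db]  rogue accounts:";           printf 'admin\nt2trollherten\n' | rogue_users
rm -rf "$site"
```

The database indicators (2mb_autocode entries and default_role) still need a look at wp_options; `wp option get default_role` should print subscriber on an unaffected site.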

 

If you deduced your site is compromised from previously mentioned characteristics, then you’ll want to remedy it immediately since other sites on the same server can be affected.

  • Liquid Web customers can purchase a Malware Clean Up package
  • Manually remove the code from the infected files
  • Restore from a backup dated before November 8, 2018 (keep in mind this will still have the old version, and your site will still be in danger)

 

Setup a Development Environment for CentOS using cPanel

Editing a website’s code is often needed to update a site, but doing this to the live website could create downtime and other unwanted effects. Instead, it's ideal to create an environment especially for developing new ideas. In this tutorial, we will explore creating a development site specifically for CentOS servers.

As a warning, this is advanced technical work. It’s possible to make mistakes and cause downtime on your live domain. If you are not 100% confident, it may be a good idea to hire a system admin or developer to copy the domain for you.

Pre-flight

Step 1: Continue on to back up the cPanel account, just in case you have any issues while creating your development environment:

/scripts/pkgacct [username] --backup /home/temp/

Step 2: After creating a backup, you will create a copy of the database of the main domain, otherwise known as the primary domain.

mysqldump [database_name] > /home/temp/backup.[database_name].sql

Step 3: Create the new dev domain in WHM. This domain name will be a subdomain of the primary domain. Creating a subdomain is one of the first steps in designing your development environment. We prefer to use, dev.[domain].com, the same domain name but with “dev” in front of it for clarity. Do be sure to note all the information, like the username and password. If you are not familiar with how to create a new account, see the following tutorial.

Step 4: Once you’ve created the subdomain within your cPanel, you’ll copy the files from the main document root to the newly created dev document root. The document root is the location where your website’s files are stored.

Use the following command to find the document root for either domain. Replace “exampledomain.com” with the primary and development domains for determining the location of document root for each.

whmapi1 domainuserdata domain=[exampledomain.com] | grep -i documentroot

Step 5: After locating the document roots we will copy the files from the primary domain over to the development environment. Insert the document roots into this next command.

rsync -avh /document/root/of/the/primary/domain/ /document/root/of/the/new/dev/domain

Step 6: Next you will need to set the correct ownership of the dev domain’s files and directories, as the previous username will be in place. The ‘dev_username’ will be the one given/chosen when you created the new account. The following command will change the ownership for you.

chown -R [dev_username]: /home/[dev_username]

Step 7: After changing file ownership, create a new database and database user for the dev domain. Be sure to note this information, including the password set. Our documentation on creating a new database will walk you through this necessary process.

Step 8: Once you’ve created the new database and its user, you can start copying the original database into the newly created database.

mysql [new_database_name] < /home/temp/backup.[database_name].sql

Step 9: Copying over the database is the bulk of the work, but you’ll still need to edit the configuration files for your domain. Typically, some files need to access the database and will accomplish this via the database user and password. The file that contains these credentials needs to be updated to have the database, database user, and password you created in step 8 of this tutorial. If unsure of the location of these files talking with a developer may be helpful. If you are working with a WordPress site, you can continue onto the next section. Otherwise, if you have updated your dev configuration files with your new database info continue onto step 10.

Editing WordPress Configurations
Fortunately, WordPress is one of the most commonly used content management systems. WordPress is easy to configure, so we’ll provide a short tutorial on how to change the database and database user in the wp-config.php. First, move to the new document root.

cd /document/root/to/the/dev/domain

There you will edit the wp-config.php with your favorite text editor, such as vim or nano.

nano wp-config.php

In the wp-config.php file, you will see a section that looks like the below. From there you will edit the highlighted characters with the information you used to create the database in the tutorial.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'new_database_name');
/** MySQL database username */
define('DB_USER', 'new_database_user');
/** MySQL database password */
define('DB_PASSWORD', 'password');

In the database, clear all mentions of the original domain and replace them with the dev domain. For example, with WordPress, in the _options table you need to change the two entries ‘home’ and ‘siteurl’. These can be quickly changed using WP-CLI, which is a command line tool for interacting with and managing WordPress sites. To install WP-CLI follow these instructions and continue onto the next step. If you do have a WordPress website, once you have installed WP-CLI you will want to run the following commands:

su - [dev_username]
cd public_html
wp option update siteurl https://dev.domain.com
wp option update home https://dev.domain.com
exit

Sometimes plugins or themes mention the original domain in the database. If some parts of the dev domain are not working, particularly plugins or themes, you may need to contact a developer to see if the original domain name is still active in the database. After replacing the names using WP-CLI, you’ll have officially created a dev domain.

Step 10: To complete this tutorial you have two choices: add an A record to your DNS to view your dev site online, or edit your local hosts file to view it solely on your computer. For our Liquid Web customers, feel free to contact The Most Helpful Humans™ with questions you may have in setting up a development environment.

 

 

Setup a Development Environment in Ubuntu

Often we want to edit our domain’s code, but on a production website, this can be dangerous. Making changes to the production site would not only allow all of the Internet to see unfinished changes but could also cause errors to display. As a workaround, we’ll create a testing domain or “dev” domain to work out any bugs and changes to the site.

As a warning, this is advanced technical work. It’s possible to make mistakes and cause downtime on your live domain. If you are not 100% confident, it may be a good idea to hire a system admin or developer to copy the domain for you.


Migration to Managed WooCommerce

Liquid Web is here to support your migration needs into our Managed WooCommerce Hosting platform. Whether you are migrating from an external or internal source, our in-house team of migration experts transforms the data migration process into a simple task. To ensure the smoothest and best possible data transfer, we have a quick overview and a few points for your consideration.

 

Our first step includes taking a copy of your live site (known as the origin site) and migrating it over to our Managed WooCommerce Hosting platform. Rest assured, when performing the migration, the only changes made to the site will be to assist in the movement. Within this timeframe, it is advised to avoid making changes or updates to the site as it will extend the migration timeline and could result in data loss. Changes and updates are included but not limited to themes, designs, contents, products, blog posts or WordPress versions. The initial sync process should result in no downtime for your live site.

Once the initial sync is complete, our Migration Specialists perform a series of basic tests to the site. During this time, our team will send information on ways to test out your new site to ensure that all aspects have carried over correctly and are in working order. Before going live, it is essential to take the time to thoroughly review your site and if at any point you do find a discrepancy our specialist is there to assist.

The third and most exciting step is the push to go live. We will coordinate the best date and time for the final sync of your site. This last sync will ensure the latest data on orders, products, and customers transfers to your new server. Upon completion of the final sync, you will be asked to update the staging domain’s name and DNS record. With a little DNS propagation time, you will begin to see the new site populate!

With the updating of DNS and the site name, you are now entirely done with the migration process. In subsequent steps, we will create a ticket with our Product Team to connect your store to our partnered applications, Glew and Jilt. Credentials to these valued applications will be sent out in an email, after which, our product team can suggest performance optimization methods to get the most out of your eCommerce store.

 

Knowing the details behind the migration process aligns us with our next step in creating a migration request from your Liquid Web control panel! Once completed, our Migration Specialists will be in touch to schedule the migration and answer any questions you may have.