Nov 8 2020

WordPress media upload error – Unable to create directory uploads

If you get this error when trying to upload media it is likely folder permission are not set to 755 or for me it was the wrong path was in WordPress after a recent upgrade. The permissions will require you to log into Cpanel or whatever you use to mange your hosting, then change permissions and ensure it applies to sub folders too.

The answer for me was before version 3.5 was to login to WordPress as admin, in the left side go to SETTINGS then MEDIA. There is an area that states “store uploads in this folder.” I had to change this to wp-content/uploads instead of the long path name that was present.

They have removed it from the admin area for some reason. Now you will need to either use a plugin or make changes to wp-config.php file. Otherwise they will likely be stored in this structure by default: /wp-content/uploads/year/month


Mar 20 2019

WordPress Site Address Reset

If you have changed your site address in the settings and possibly crashed your site, you can fix this in cPanel. It may be that you had a typo or perhaps an SSL that is not set up correctly. If you added “s” to the address like below, the site will crash if it is not set up correctly for SSL.

Site changed from http to https

To recover your site by fixing the above changes, log into your cPanel for the site. Once there, open “phpMyAdmin.” Open the database for your site. If there is more than one database you may have to go into each one until you find the one associated with the site you made changes to. Open the “wp_options” inside of that. You should see the “siteurl” and can change it back by choosing to edit it. Save and it should be back online.


Jan 26 2019

Fix WordPress 5 Publishing Failed Issue

After updating to WordPress 5 I could no longer publish and was seeing this:

I logged into the WordPress Dashboard and went to Setting-> Permalinks. Mine were set to “Plain” and I switched it to “Post Name” to fix. I am unsure if the setting was set to “Plain” for previous updates. I did not dig into why this happened, just needed a quick fix.


Dec 24 2015

WordPress core dump files

Core dump files WordPressA couple of weeks after I launched a new blog, I noticed four ‘core’ files named core.2801, core.4065 etc. in its directories. The files seemed harmless, but had rather large size (several megabytes).

What are core dump files?

A quick Google search turned up a lot of complicated pages explaining the problem, but none that could actually suggest a fix.

A web developer suggested that the core files were a result of lots of buffer being dumped. This is typical of excessive resource usage and/or error reporting. Core dumps contain reports of working memory of a software when it has crashed. In short, core dump files are caused by a crashing software component. Instead of trying to get rid of core files, you should worry about what caused these errors.

You can safely delete these files. Although there is GDB to open and analyze core files, not many would actually understand anything. WordPress is tested thoroughly before each release, hence it is unlikely a fault caused by WP.

Prevent core dump files

You can delete core files without any worry – it does not contain data useful to anyone but developers and hosting company itself.

Incompatibilities arising out of Apache, MySQL, PHP etc could cause core dumps. Google version number of these software along with the terms “incompatibility WordPress”.

If possible, use only plugins written by experienced developers. New developers may not adhere to the best coding practices. A poorly coded plugin could cause core dumps.

Upgrade WordPress plugins to the latest version. Regarding the problem on the new blog, I found that I had uploaded a older versions of a couple of plugins.

Disable plugins. You can start out by disabling all the heavy plugins and enabling them one by one, during which time you should watch blog directory, wp-admin etc. for core files. If a plugin does not trigger core files, activate another and test. Repeat the process until all plugins have been activated or the culprit has been found.

The core dumps could also have been due to WP. The most usual cause of a core dump is because of running out of memory on your server – if you’re on a shared host, ask to be moved to a different node. If you’re on a VPS/Dedicated Server, up your memory a little and the problem should stop.
Plugins that send large amounts of data may also cause this.  For example, some idiots keep trying to brute force my admin login and I had it set to send an email on all failed logins.  I had to install a new plugin because it was sending out so many emails it hit the max limit on my hosting service.  The new plugin restricted the login attempts to 5 and then blocks them after that.  This solved my problem, I just had to go delete all the .core files dumped into my folder.

Jun 14 2013

WordPress Allow Comments Checkbox Missing

Has your “Allow Comments” check box gone away for some reason?  You can go to “screen options” near the top right of the “edit post” or “edit page” page.  There are several options there, but the “discussion” one will bring your check box to allow comments or not.  You can also see in under “All Posts” then “Quick Edit” regardless of the “discussion” box status.


Apr 13 2013

WordPress Admin Page Being Redirected Due To Brute Force Attempts

Some idiots are always trying to brute force all WordPress pages by attempting to login as “admin.”  Rather than reinvent the wheel, Immotion explains it pretty well:

What is a Brute Force Attack?

One of the methods to gain information -primarily LOG-IN information – is by using a method called BRUTE FORCE attack.  Basically, as the name suggests, they are not hiding the attack, and there’s no efficiency to the attack. You could say it’s like taking the “shotgun approach.”  It simply is hitting the server looking for one thing, the correct login information for your WordPress site.  Hackers will often infect other computer systems and then set them to attempt logging into the WordPress Administrator.  The illustration below shows graphically how the attack traffic can come from many locations and be mixed with normal website traffic.  The attack can also come from just one location, but the method of trying to crack the login is the same – it is simply going through a sequential search for your login.  Brute force attacks can also increase resource usage of the website.  Therefore, brute force attacks are not only trying to crack through your security, but they are also driving up resource usage when multiple attempts on the WordPress login is occurring.

 

brutef

 

Preventing WordPress Brute Force Attacks

Since users are no longer using WordPress as simply a blogging solution, there isn’t as much emphasis on user management for the owners of the WordPress site.  And this may also be a contributing factor to the problem.  WordPress Site Administrators should regularly cycle their passwords and review their user lists to make sure that no one has been added that isn’t supposed to be on the list. Especially users added as Administrator-level users.  There are also WordPress sites that do not require that people register to post comments or other actions on the website. To prevent unauthorized access we recommend the following:

  • Block access to the WP-LOGIN.PHP  using the HTACCESS file by requiring an additional password
  • Block access to the WP-LOGIN.PHP using the HTACCESS file by allowing only specific IP address or range of IP addresses
  • Find a plugin that prevents access to the login screen after a particular number of tries.  The plugin should then use an interval of inaccessibility before the next attempt to login would be allowed.

 

The first two methods using .htaccess are recommended as they will help to prevent excessive resource usage. There is no guarantee of this with the plug-in, unless the plugin can limit access no matter how many times login attempts are being made.  The following information are examples of the code solutions for the .htaccess file as listed above.  You get to .htaccess using Cpanel interface that all hosts provide.  Use the “file manager” to find it then use their “code editor” to add the code.

_cpanelFM

 

.HTACCESS method to deny user login using specific IP address or range of IP addresses:

Note:The below code needs to be in the .htaccess file located in the WP-ADMIN folder. If you don’t see one, then create a blank text file and name it .htaccess saving it in the wp-admin folder

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Admin Access Only”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Admin 1 IP address
allow from xx.xx.xx.xxx
# whitelist Admin 2 IP address
allow from xx.xx.xx.xxx
</LIMIT>
————————————————–
Another hosting company gave me this and it works on this site using it in the .htaccess I had to create.  Replace Xs with your IP address which you can get from Whatsmyipaddress.com:

<Files ~ “^wp-login.php”>
Order deny,allow
Deny from all

Allow from xx.xx.xx.xx
</Files>

—————————————————————————————————————————
You can add more IP addresses by adding an additional Allow from xx.xx.xx.xx to the code above.
—————————————————————————————————————————

.HTACCESS method to deny user login using additional password for wp-login access:

 

Note:The code below would be in the .htaccess file located in the .htaccess file located where you have installed WordPress.  If you don’t see one, then create a blank text file and name it .htaccess

 

<FilesMatch “\.wp-login.php$”>
AuthName “WordPress”
AuthType Basic
AuthUserFile /home/username/.htpasswd
Require valid-user
</FilesMatch>

———————————————————

Some other common sense things to do to secure your WordPress site

Delete the ‘admin’ account

The default Administrator account on WordPress has a username of ‘admin’. Everyone knows that so don’t use it.  Create another user with admin privileges.  Login with that name to make sure it works and then delete the “admin” user.

Go into the Dashboard » Users » Add New User screen. Create a new user with the role of Administrator. Now log out, and log back in as the new user.

Go to the Users screen again and delete ‘admin’. You can transfer all of the content created by ‘admin’ to your new user account before confirming deletion.

I recommend the plugin “WP Security Login Notification” too.  It will tell you when there are failed login attempts.