cschultzie3

Thanks for the help, @amjadali688

Thanks Peter. Just the free version.

Hi Peter. It is indeed a yellow exclamation triangle instead of a green checkmark. The strange thing is that after I posted this, it started working again on its own for a while, stopped again, started working again, and now has stopped working again ?? I’m going to run through the detailed steps you provided, thanks for providing those.

I know I don’t ??

Yeah, it is working now that I deleted the wordfence directory and reinstalled, but the last three times wordpress got a 5.0.x update, it’s disappeared and had to do the same delete directory then reinstall process. So whatever you think will stop that cycle from happening the next time wordpress is updated, I will do.

Sure, I can try that. Will I lose all my settings and people i’ve blocked from this? and it is working now since i reinstalled it, but i’m assuming I should still do this?
Just so I understand, why am I doing this? ?? could it be some setting is messed up and this is essentially resetting it to a base config?

thanks, didn’t realize that existed

Thanks. I was more just trying 777 since nothing else was working, figured if that would work i could then delete. I’ll reach out to my host. But do you think that means my stuff has been hacked, or could that be from a failed install/upgrade/something not nefarious?

@tothbalint So am I “losing” anything really (or would my visitors be) by making it go back to the homepage? to me it’s not sounding like a big deal making it redirect back to the homepage, but maybe i’m just missing something.

and truly, thanks for all the help here, I think i’ve learned more from your couple posts than hours of google’ing myself haha

@tothbalint thanks for explaining even the other guys post. I’ll give that link a try and I had installed the free WordFence prior to reading your recommendation here but looks like I might need to tweak the settings a bit (just left it at defaults for now) so it’ll work like you have it on your site, as that sounds like something I’d like to do too. and thanks for the hardening link, I’ll give that a read too.

This may be a stupid question but I’m thinking ahead here. The only public posting to my website i’m envisioning having would be where if I did a blog post, would be to allow people to comment underneath each post. If I use that plugin or the solution below I found online which supposedly just makes them all go back to the homepage, would that prevent people from commenting under my blog posts? I don’t want to screw myself up before I even get started haha

adding an author.php to my (child) theme with this in it;

<?php
header(“HTTP/1.1 301 Moved Permanently”);
header(“Location: /”);
?>

Alright, well I’ll try disabling the couple “required” for my theme ones and see if that makes it disappear. Thanks for all the help, and hanging in there with me with what were probably a lot of stupid questions. I’m not even sure why if that’s my SFTP name why it would be used with CDN but maybe I have to do more reading on how that all works.

@acstudent thanks for the link, but I’m not 100% certain I understand where that would help. Would it make all my website.com/author/AdminLogin pages now have a URL of mywebsite.com/author/WhateverIMakeUp, therefore shielding the usernames from the URLs? or does it do something else.

@tothbalint Sorry, maybe I said that wrong, I don’t have a page where it just lists all the usernames. I’m just worried that someone is going to go to mydomain.com/author/MyWordPressUsername and see that’s a valid username then try to hack their way in with that. Looking through logs I already see invalid login attempts from foreign countries with that name so assuming that’s where that got it from as that’s the only place I’ve seen it so far. My theme is Avada.

OK, I guess as long as the password is good it’s not a security risk. Is there a way to auto block people who try to login with my password so they can’t keep trying and brute force it?

So basically I just disable a plugin, see if that code disappears, then activate it again, then keep doing that till i see that bit of code disappear right? What happens if I disable all of them and it’s still there, does that mean it’s my hosting service injecting it into code or does it not work that way?

@tothbalint Maybe it’s my theme auto generating those author pages then, I’m really not sure. I guess having any author page redirect back to the home page again would help, but wouldn’t that still expose all the URLs with all the usernames though? Too bad there isn’t a way to just delete all the author pages and turn off it generating any more, or maybe there is a way I just don’t know of.

and thanks for that link, I’m not opposed to hacking some php in the way it described.

• This reply was modified 7 years, 2 months ago by cschultzie3. Reason: added 2nd paragraph

I’m not sure which is providing it, but I guess at least it’s starting to make more sense now. Knowing that though, is there a way to kill the login from the source code or mask it or something, seems like a real big security hole just having a login name in plain text in the source code, isn’t it?