Installing plugins in a duplicate folder (from wordpress)
-
I used the plugin ‘Duplicator’ to duplicate my wordpress folder as two external files (the archive and php installer) and uploaded those into the projectionpictures folder with this path projection (name of the server)/web/projectionpictures.
I then opened the php file to complete the installation.
However when I sign into http://192.168.1.234/projectionpictures/wp-login.php and try to install or update further plugins I’m asked to enter connection information for the ftp address of my Synology unit. I’m not sure what the ftp address is but Synology inform me that port 21 is open. I don’t know what the ftp username or password is either, unless I do and don’t realise it. What do I have to do now so further plugins can be installed and updated in the newly created projectionpictures, as I intend to make it a live site once the plugin problem is solved?
-
You don’t need WebDAV to host the site, but you may need it to manipulate files on the NAS. You should be able to use FTP instead, if it were working on port 21. If port 22 is working, you can use SFTP, which is better (more secure) anyway.
I suggest you remove all write permissions from the Anonymous user for better security.
The 3 digit permission number is used by Linux systems. If you need to know the meaning of any particular number, just Google it, as in “644 file permission”. The first digit is applied to the file owner. The middle is for user groups, the last for anonymous users. 4 is read only, 6 is read and write. Add 1 to any permission to allow execution.
If you can view your site via 192.168.1.234, you should double check your virtual host configurations for domain name access.
I used Filezilla last night as an experiment to look at folder permission numbers and all the folders in the web/ directory including itself were 777 throughout.
Now web/ is still on 777 but phpmyadmin is on 755, wordpress is 755 and projectionpictures is 777 (but file categories have changed). I tried to drop projectionpictures to 755 but every time I did this certain folders inside it wouldn’t cooperate with WP dashboard in terms of their ability to be writeable. Oddly WordPress operates without a problem at all at 755. I found this chart about the numbers and how certain files within should be lower amounts. I tried to apply 644 to anything in projectionpictures as per the table below but got problems every time.
Files/Folders Permissions
All folders 755
wp-content 755
wp-includes 644
All .php files 644
htaccess 644
wp-config.php (public_html folder) 644
index.php (public_html folder) 644
Incidentally to get filezilla to work as you know port 21 has to be open anyway. I think the router configuration doesn’t always know if the TalkTalk router has the relevant port open or not in some cases. As the router isn’t a compatible model, and not listed in the ezinternet chart of routers. Although the odd thing is it does know what router brand and model it is, as I took a screen capture of a pop-up it produced.
So the DSM folders now have this instead.
web/
SYSTEM Read only
http (singular) Read only
admin Read and Write
administrators read and write
anonymous Read and Write
http (multiple) Read and Write
You said: I suggest you remove all write permissions from the Anonymous user for better security.
I will attempt this for web/ permissions but I have to keep an eye on plugins permissions to install for projectionpictures and wordpress. As none of the folders uses inherited permissions from web.
phpmyadmin default settings (no change)
Owner: Root
admin Custom: Read & Write (No Del)
administrators Read
Everyone Read
Projectionpictures (SYSTEM Read and http (multiple) Read, have gone)
Owner: admin
admin Custom: Read and Write
administrators Custom: Read and Write
Everyone Read
WORDPRESS
Owner: Single Http
http (single) Custom Read and Write
http (multiple) Read
Everyone Read
I’m going to attempt to change the IP address for projectionpictures this evening to see if it can be visible finally. If it does with the current folder permissions I’ll let you know and then I’ll revert back to the IP number/projectionpictures and look at removing the anonymous permission in web/.
-
This reply was modified 7 years, 2 months ago by
pr0ject10n.
You don’t need WebDAV to host the site, but you may need it to manipulate files on the NAS. You should be able to use FTP instead, if it were working on port 21. If port 22 is working, you can use SFTP, which is better (more secure) anyway.
I’ve done that. I’ve removed WebDAV and stopped FTP to use SFTP instead with Filezilla on port 22, I’ve closed 21 entirely.
I suggest you remove all write permissions from the Anonymous user for better security.
I’ve done that.
If you can view your site via 192.168.1.234, you should double check your virtual host configurations for domain name access.
Please clarify what you mean by this. The DDNS number has remained the same and is still listed in the router and listed in 1and1.
With regards to the ‘web’ permissions attributes I can’t get it to drop lower than 777. If I do drop its attributes to 755 and do the same to projectionpictures I can’t open wordpress dash in the folder again; I get a 505 page warning.
Web/ (on 777)
http (singular) Read only
admin Read and Write
http (multiple) Read and Write
SYSTEM Read
Projectionpictures (on 777)
Owner: admin
admin Custom: Read and Write
http (multiple) Custom: Read and Write
Everyone Custom: Read and write
I’ve managed to lose administrators Custom: Read and Write
phpmyadmin default settings (on 755)
Owner: Root
admin Custom: Read & Write (No Del)
administrators Read
Everyone Read
Hasn’t changed
WORDPRESS DEFAULT (on 755)
Owner: Single Http
http (single) Custom Read and Write
http (multiple) Read
Everyone Read
Hasn’t changed
In the Control Panel in User I only have admin and guest listed. Admin is active and guest is disabled. In Group panel I have http, administrators and users listed. administrators no longer has web permissions, http permissions has read/write for web and application permissions for FTP, File Station and FTP (there are others listed there but are not ticked). Users has no permissions for anything.
In Shared Folder for web. Under Permissions for Local Groups, administrators, users, and http are listed. There are columns for No access, Read and Write, Custom, and Read Only. There is only a tick for http under read & write.
For Local users only admin and guest are listed with columns for No access, Read and Write, Custom, and Read Only. Only admin with read and write is ticked.
In Internal System user there are many lines for applications with columns for No access, Read and Write, Custom, and Read Only listed. Nothing is ticked.
By virtual hosts I mean the entries for projectionpictures.com and projectionpictures.co.uk. It’s the only way public Internet traffic can find its way to /web/projectionpictures/ using those domain names.
The PHP user “html” needs read/write permissions. Anonymous users must not have write permissions in general. Because the html user is in a group, read/write for owner and group plus only read for anonymous should work. That would be 775 for folders and 664 for files. If that does not work, something else is wrong besides permissions, something regarding the user PHP is using. Could the PHP user not be “html” and is some other user that’s not in a group?
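The 775/664 layout described in the reply above, as an added example that is not part of the original thread: it decodes the three-digit numbers, lists everything the "everyone else" class can write to, and resets a tree to 775 folders and 664 files. The function names are made up for this example, the sample tree is constructed in a temporary directory, and it assumes PHP runs as a user in the group that owns the tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree for
# world-writable entries and reset it to 775 folders / 664 files.
# Assumption: PHP runs as a user in the group that owns the tree.

# Decode a 3-digit mode. Each digit is 4 (read) + 2 (write) + 1 (execute),
# in the order owner, group, everyone else.
describe_mode() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $(($d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(($d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(($d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# Print every file or folder that "everyone else" can write to (777, 666, ...).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# True when the path has exactly the given mode.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Owner and group keep read/write; everyone else loses write.
normalise_tree() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Constructed sample tree, everything set to 777 as in the thread.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    : > "$root/wp-config.php"
    : > "$root/index.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod -R 777 "$root"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree only.
tree=$(make_sample_tree)
echo "777=$(describe_mode 777) 775=$(describe_mode 775) 664=$(describe_mode 664)"
echo "world-writable before: $(count_world_writable "$tree")"
normalise_tree "$tree"
echo "world-writable after:  $(count_world_writable "$tree")"
rm -rf "$tree"
```
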
Ok I’m still not online with projectionpictures and wordpress but I have managed to downgrade the permission numbers for the folder to 775.
All folders 775
uploads (except) 777
wp-content 775
wp-includes 775 (not 644 I get 505 display)
All .php files 644
htaccess 660
wp-config.php (public_html folder) 660
index.php (public_html folder) 644
web/ is still 777 and if I try to downgrade it to 775 it refuses to. In Filezilla I get Error: set attrs for /web: permission denied
I’m not sure what else I can do to get my site live as it needs someone to look at my file station externally to solve it, the folder and the permissions for each. I’m much more confident now about restoring the permissions using filezilla (so I can access phpmyadmin and restore the WP Dash) and the various number combinations, but that’s not a lot of use if I can’t see the live site of the WP Dash.
Web/ (on 777)
administrators Read and Write
http (multiple) Read and Write
SYSTEM Read
Projectionpictures (on 775)
Owner: admin
admin Custom: Read and Write
http (multiple) Custom: Read and Write
Everyone Custom: Read (only)
phpmyadmin default settings (on 755)
Owner: Root
admin Custom: Read & Write (No Del)
administrators Custom Read & Write (No Del)
Everyone Read
WORDPRESS DEFAULT (on 755)
Owner: Single Http
http (single) Custom Read and Write
http (multiple) Read and Write
Everyone Read
I’ve logged into 1and1 more than once since the virus files took down my site and disrupted the wp dashboard for projectionpictures. I discovered a lot of entries in the DNS record that looked odd to me and a lot more than there should be. Also in the dashboard for both the .com and .co.uk on the right side is a snap shot photo of what the forwarding screen should look like for the homepage of the site. And given that the site’s been down for over a week, it shouldn’t be projectionpictures homepage. So I reset the DNS records for both variants and re-entered.
A @ 89.242.86.242
www @ 89.242.86.242
There were a lot of entries using this one 217.160.231.12 and other long entries with projectionpictures at the end which looked odd to me.
Tonight I’ve decided to leave the domain as projectionpictures in its live site URL without the IP prefix to see if anyone can see it in the next 24 hours. As I’m assuming these things take a little time to correct themselves.
I have a question for you: is the structure of my folders /web supposed to be structured in any way like it is in the video? It suggests moving the htaccess and index.php (edits it slightly) outside the wordpress folder into the web/. Interestingly in his video dead.letter file is in the web/ folder and the guy says wordpress installs it, but doesn’t mention what it’s for, I only saw it next to photo.scr. Dead.letter is not in my web/ folder.
https://youtu.be/eIofxSb4Aa0
The notes about admin ownership are helpful. As I log in as admin. So there is no need to use administrators in the permissions. When you enter a permission the very top choice is Administration followed by two boxes ‘change permission’ and ‘take ownership’; in his video he ticks change permission only and doesn’t tick ‘take ownership’.
Would any part of that video be applicable to getting projectionpictures live?
Yeah, 217.160.231.12 has no business being in your DNS. It does take a while for DNS changes to propagate through all the name servers on the Internet. How long it takes depends on the entry’s TTL (time to live in seconds) entry which tells other name servers how long to wait before getting a refreshed record. That IP address resolves to a German hosting provider. It likely belongs to another hacked computer.
If you haven’t already done so since the attack, you must change the password you use to access the account which manages your DNS settings.
Something is not right with your FTP server if filezilla needs 777 to work. Maybe it starts up under the wrong user account? It wouldn’t stop your site from being live, but it is a security risk. To
Sorry, but I didn’t have the patience to watch the entire vid because none of it applies to me. The vid is probably helpful for you though. I don’t use Synology so I’m unsure of the accuracy of what he says. Take the advice with a small amount of suspicion though. dead.letter is certainly not placed there by WP. I’ll allow it could be a Synology thing, but it’s not WP. Putting the WP .htaccess below the installation does make sense for some configurations, but with virtual host directing traffic to /web/projectionpictures/ it makes no sense to me. However, it does make sense for a .htaccess file to be in /web/, just not the one with WP directives. There is more than one way to configure WP, which can add to the confusion.
Without virtual host, where traffic all goes to /web/, the setup he suggests would be viable.
The secret to solving this was an entirely new DDNS number. The one I had appeared to be blacklisted. I have to use Nord again in Romania.
So I’ve got the site SSL in place if you take a look at my site with http://www.whynopadlock.com, do I need to be worried about this as it got an X:
Invalid Intermediate You have an invalid or missing intermediate (bundle) certificate. This may not break your padlock on all browsers, but will on others. Please contact your SSL Vendor for assistance with this error.
The https is in place and I’ve selected HTTP/2 as well in the DSM > Security on the screen about using 5001 and 5002. In web station / virtual host for each of these: projectionpictures.com, http://www.projectionpictures.com, projectionpictures, projectionpictures.co.uk, http://www.projectionpictures.co.uk . I’ve ticked each box for HSTS and HTTPS.
With regards to: File station and filer ownership and permission. This is the current status. I would like to reduce web from 777 to 775 but I get blocked, how do you overcome that.
Web/ (on 777 it refuses to drop to 775) error message I get (set attrs for /web: permission denied)
admin (Custom) change permissions / Read & Write
SYSTEM Read
http (multiple) traverse / Execute files (only)
http (multiple) Read and Write
Projectionpictures (on 775) all files 664
Owner: http (multiple)
admin Custom: Full Control (Take Ownership and change permissions / Read and Write / Delete)
http (multiple) Custom: Read and Write
http (multiple) Read only
users Custom: Read and Write
The 775 folder permissions in this folder are stopping my images appearing?
phpmyadmin default settings (on 775) all files 664
Owner: Root
admin Custom: Read & Write (No Del)
SYSTEM: Read
http (multiple): Read
WORDPRESS DEFAULT (on 775) No change all files 664
Owner: Single Http
http (single) Custom Read and Write
http (multiple) Read and Write
Everyone Read
Any permissions that can be removed?
It works! That’s awesome, good work!
Apparently (from some quick research I just did) a missing intermediate cert means you’re missing a cert file provided by Let’s Encrypt. You need to ask them for it if you don’t have it in the data they sent you. It gets installed as the cert for the certificate authority (CA) to complete the chain of trust from your server cert to the Let’s Encrypt root authority. It’s not some special unique cert, search around, you may find a way to download it from their site somewhere.
I’m not sure what is causing you to need 777, only that something is wrong. Aside from that, I don’t see anything of concern in your other permissions. I don’t know if they are correct or not, but there is nothing concerning in the rest of them.
Best I can tell, anything you use that requires 777 was not started under the proper user account. Things that start during boot up usually run under SYSTEM authority, which should then work under 700 or 770, depending on what user owns the folder. The zeros may cause problems for other apps, but not any running as SYSTEM. It’s for the other apps why we use 755 or 775.
If the app you are using was started by you, then it’s running under your user account and your account needs to own the folder for 755 to work, or you should be in a group for 775 to work. Anyone at all can get 777 to work, which is why it is a security risk.
I do actually have three files for a certificate but I wasn’t using the chain.pem file. I was installing the privkey.pem and cert.pem, but for some reason not the chain one as the entry box is labeled intermediate and doesn’t sound like the proper thing. So that is sorted now but the certificates don’t last very long do they? I think the free one I can use from my registrar 1and1 lasts a lot longer, I think a few years.
Whynopadlock.com now gives me all green ticks.
I have two certificates in place, both from Let’s Encrypt: one called projectionpictures.com which covers all the virtual host variants I have in web station and another projection.synology.me which is connected to FTPS and System Default. Should I bother with the second projection.synology.me certificate at all, and are there any functions in the DSM apart from FTPS and System Default that should be covered by a certificate irrespective of who it’s issued to? I don’t need Directory Server in there?
The security adviser app in the DSM states the ‘LAN services are accessible from the internet’ as medium risk and ‘SSH has not been changed from its default value’ as a high risk. Should I do anything about them?
Under health check: A plugin has prevented updates by disabling wp_version_check()
I’ll try to adjust the web/ 777 this afternoon. At the moment my uploaded images aren’t always appearing and I’m getting the spinning sun symbol, I’m wondering if it is in any way connected to jetpack (without that you can’t sync it up on the wordpress app on your phone or tablet.)
Progress!! Nice.
Yeah, Let’s Encrypt certs need to be renewed frequently. Apparently it’s a painless process. Host provided certs typically last longer and the hosts often take care of everything as long as you keep using their service. I’d go with the host version if there is no extra cost.
In my mind, you only need a certificate for http://www.projectionpictures.com because all the other URLs redirect to there. Unless I’m missing something about your setup and how you use your NAS.
Web Station of course must be accessible from the Internet. If that is what security advisor is complaining about, it’s a false positive. Use firewall rules to only let in traffic that is necessary and block all else from outside, then all will be fine.
You can change the SSH port if you want. It’ll make SFTP access a little unusual, but it’s not a big deal. If you’ve configured your firewall well and use good strong passwords, the default port is not that risky, but you do improve security some by changing the default port. It’s nothing a port scanner wouldn’t be able to get around, so you don’t get absolute security by changing.
I managed to swap out certificates from Let’s Encrypt to 1and1 which lasts a whole year instead. I managed to finally work out on the 1and1 site how to download the private key as it’s hidden behind reissue certificate (that’s useful), the other two files download from the label namesake. So I’ve got two certificates in the certificate panel.
I did a whynopadlock on the server IP address and it gave me this result:
SSL Certificate Info
Certificate Issuer Let’s Encrypt
Certificate Type Let’s Encrypt Authority X3
Issued On 2019-02-26
Force HTTPS Your webserver is not forcing the use of SSL.
You may want to add a redirect to ensure a secure connection is used.
Valid Certificate Your SSL Certificate is installed correctly.
Domain Matching Your SSL certificate matches your domain name!
Protected Domains: projection.synology.me
The solution for forcing the HTTPS for the server is to do this:
Add the following code to the .htaccess file in your webhosting account:
RewriteEngine On
RewriteCond %{HTTP_HOST} projection\.synology\.me [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://projection.synology.me/$1 [R,L]
Once this change is made your site will no longer be accessible on the insecure “http://projection.synology.me” URLs and all visitors will be redirected to “https://projection.synology.me” instead.
Would that be a new htaccess file that doesn’t exist yet being added into the web/ alongside index.html or to a pre-existing one in wordpress or projectionpictures?
Still stuck on certain images not appearing correctly for projectionpictures/run’n’gun page, although if I use ‘reader version’ in safari the images appear as they should do, so don’t understand the ‘brightness symbol’ flickering in their place.
The redirect rule can be added to the existing .htaccess file. It’s better near the top than on the bottom. You want all Internet traffic to any of your domains to redirect to projectionpictures.com, correct? If so, this is a better rule:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://projectionpictures.com/$1 [R,L]
It’ll save extra redirects. This would go in the .htaccess in /web/projectionpictures/, in case you have some in other folders.
When I view your run ‘n’ gun page the only image is the common header background. There are no img tags at all in post content.
When I view your run ‘n’ gun page the only image is the common header background. There are no img tags at all in post content.
Maybe when you looked at it I may have removed the three images. So what I’ll do is leave them on the page for 24 hours (or until you’ve replied to this). Maybe you can work out why they are not appearing properly (I’ve added one at the very bottom which I’ve used in the header). Why would the images in the common header appear, there are 5 of them which change randomly. While the ones on the run’n’gun refuse to appear?
As they appear in wordpress page. I can see this page via Nord VPN in Romania. With my tablet and can see the images there immediately. Why is there a difference?
http://192.168.1.234/wordpress/run-and-gun-video/
I will try to install your code into the htaccess file in projection pictures folder.
So here is the current one:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
And I simply place your code above RewriteEngine On in the original?
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://projectionpictures.com/$1 [R,L]
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
The topic ‘Installing plugins in a duplicate folder (from wordpress)’ is closed to new replies.