abletec

Hello, RDC4, & welcome. Please provide your .htaccess file & site url. Yu can copy & paste your .htaccess file enclosed in (backticks), i.e.:

line 1
line 2
line 3

These would be very helpful in diagnosing the problem. The reason for the 500 error is that most likely you didn’t copy the .htaccess code correctly, or, because it came from a web browser, contains some illegal characters.

Hello, bobjgarrett, & welcome. Could you please provide us a site url? That’d be really helpful.

Also, in your WordPress folder there is often a file called error.log or error_log. If you find such a file w/entry dates that correspond to your error, & if the interpretation eludes you, feel free to post them here so we can have a look. Lastly, it can also be helpful to open your wp-config.php file, either using an FTP (preferably secure FTP) client or your hosting provider’s file manager & change wp_debug from ‘false’ to ‘true’. This causes your site to display errors when you visit. This is a serious security risk, so please leave it in place just long enough to copy-&-paste the errors, then switch it back to ‘false’ again.

Hello, wowbagger, & welcome. It’s actually much better to post your own forum topic regarding this. Threads marked ‘resolved’ seldom get looked at. You can post a link here back to it if you choose to do so.

There are about a gazillion ways sites can get hacked–anything from a brute force attack of weak passwords to the exploitation of any of a number of vulnerabilities, especially if the CMS installed is out of date. You don’t share w/us whether this site is on shared hosting, VPS, or dedicated server, so it’s really hard to comment much. An example of this is that sometimes updates can be scheduled automatically if WordPress was installed via the hosting provider’s control panel. So it’s pretty tough to answer your questions w/o that sort of knowledge.

If you’re certain the site’s been compromised, then the standard procedure is to reinstall all WordPress files w/known good copies. That also applies to user-uploaded content, as sometimes user content can either be tainted directly or bad files can be added to the uploads directory (or wherever user files live). You should also examine the database closely for injected code.

Here’s the short version of advice I provide owners of compromised sites. Since you’re an experienced Linux admin, it should be enough to get you started.

A resource you can go to is:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

When dealing w/a site compromise, the objectives are twofold:
1) Fix the site; &
2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.

Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.

Here are the steps to take.

First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

Third, secure your network. Definitively use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, Ssid, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

All these steps are required to ensure that no one can snoop your credentials, etc.

Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database.

Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain content that can’t be replaced.

Please also back up your database as well. The article at
http://codex.ww.wp.xz.cn/Backing_Up_Your_Database
shows you how to do that, in case you need it. The section regarding phpMyadmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

<script
<? php;
base64;
eval 

preg_replace
strrev

You might also wish at this point to backup your WordPress content. To do that:
* Log into your WordPress dashboard.
* Go to ‘Tools > Export’.
* Choose to export all content.

While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word (don’t forget to use a very strong password), then delete the old admin username account.

Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

In summary, here are the steps:
1) Back up your WordPress files, including core, themes, & plugins;
2) Back up your database using PhpMyadmin;
3) Look through the database to insure there is no evidence of the hack;
4) Search the uploads folders for image files that contain code;
5) Let someone knowledgeable look at your .htaccess file.
6) If you have doubts about your database, please have a professional take a look.

Hello again, haychart.
1) Could you please provide a site url?
2) Could you please open your wp-config.php & change wp-debug to ‘true’? Then log onto your site & see if there are errors thrown. This is a serious security risk so please change it back to ‘true’ again as soon as you’ve obtained the information.
3) Could you please see if your hosting control panel contains any error logs & paste any relevant info to your next reply. Also, please check your WordPress folders & see if there are any files called error_log or error.log & paste any recent error messages to your next response as well.

Alphie, let’s do this. Please open your config file. Please keep the entry pertaining to wp_max_memory_limit, but erase the others that contain wp_memory_limit & substitute:
define(‘WP_MEMORY_LIMIT’, ‘128M’);

You can actually just use copy-&-paste.

Then please try clearing your browser cache & see if you can edit pages. Please let us know.

Hello brian1209, & welcome. You’re actually receiving an internal server error. Also, wp-content does not generally contain an instal.php file. The error seems to indicate there is 1, however, suggesting that WordPress has been installed incorrectly. Perhaps removing & reinstalling will fix the problem.

Hi, Alphie, & welcome. My first thought is that perhaps the update was incomplete. To that end, perhaps it might be advisable to reinstall WordPress & see if that makes a difference.

Secondly, please try switching to a default theme (they begin w/the word ‘twenty’) to see if this resolves the problem. If so, we know it’s a problem w/the theme you’re using.

3rd, if that does not help, please open wp-config.php & change wp-debug to ‘true’ instead of false, then log into your site to see if any errors are displayed. Copy & paste those into your reply, if applicable, please. Also, there are often files in your WordPress folder(s) called error.log or error_log. These could provide relevant information Additionally, some hosting providers allow you to look at error logs for your server via their control panels. These might also be instructive. If they yield anything, you may wish to paste them to your next reply as well.

Lastly, you didn’t say what kind of hosting this is, i.e., shared, vps, or dedicated. It could make a difference. Finally, a site url might prove helpful.

Hello, rmd624, welcome. Perchance was this install imported from another site &/or uploaded from a local installation?

Although the site is not live, could you please nonetheless provide a site url so we can have a look?