Categories and Menu-structure gone from dashboard but still work in front-end

I looked at the front end and saw it was working, including the submenu structure. It is most strange that the dashboard menu view shows a flat menu structure, because clearly it isn’t. Perhaps more specifics would help us. When you say you can’t post anything, what exactly happens when you try? Is the category list empty and all categories removed from posts and pages? Can you add one now?
I doubt it’s a WP upgrade. I have several sites and keep them current and don’t have a problem. Not knowing more, since the site is working it sounds like something might be amiss in the core files. You might try to reinstall the WP core and see if that fixes it.

Thank you for replying so quickly! I really appreciate the help.

When I create a new post, the list of categories is simply empty. New ones can be added, but I am reluctant to start recreating all the categories, since the original ones still work – besides, newly created ones disappear like the rest after a page-reload. This means, I can technically create new content but I can’t view it where it belongs on the website.

How would I go about reinstalling the WP core without losing all my work on the site? I’m rather new to the idea of messing around with the files outside of the wordpress dashboard.

James Huff answers this well on this post. Let me know if you have questions about this. Key thing is to keep your wp-config.php since that contains your database link as well as other stuff, and your content directory which contains your content as well as themes and plugins.

James Huff
Support Representative
Posted 5 years ago #

Try downloading WordPress again and delete then replace your copies of everything except the wp-config.php file and the /wp-content/ directory with fresh copies from the download. This will effectively replace all of your core files without damaging your content and settings. Some uploaders tend to be unreliable when overwriting files, so don’t forget to delete the original files before replacing them.

Hmm, using FileZilla I deleted everything but the wp-content folder and and wp-config.php and replaced it with a fresh wordpress install, but it has made no difference.

Does this mean the error is in one of these files?

UPDATE (this may be a stupid question but here goes):

So I was looking through the files with the PHPMyAdmin tool and found several wierd elements in the wp_terms folder, like “x86cool” for instance. I’ve googled some of them, and they seem to appear on a lot of different websites seemingly that have no relations to each other. A lot of these words seem to have to do with torrent sites. Does this mean it was hacked?

It is beginning to sound like you might have been hacked. I checked out some of my sites’ wp_terms tables and found that in all cases it just contained categories I had created. No weird stuff. I’m afraid I’m in the middle of a project with a tomorrow deadline, so I can’t do a lot of digging. I’d search this support site and others to see how to recover from being hacked. I never have been so I don’t have first hand experience with handling it, sorry to say.
When you say reinstalling core made no difference, does that mean you still can’t add categories and have them stick? Do the categories you have on old posts exist in the wp_terms table? Can you add a category to the terms table directly and have it stick? Do your traffic stats indicate any unusual activity? Sorry this is turning out to be a tough problem for you. Hopefully others will stop by and help.

No worries, I still appreciate your assistance.

Categories, which I add in the dashboard are shown in wp-terms after a short while. I haven’t been measuring traffic yet. The WordFence plugin, I’ve installed, says nothing is wrong. I only have backups of the site from after the error started occurring.

I’m going to look more into this hacking nonsense tomorrow, but I believe I have removed all the foreign terms in the database – they stopped reappearing after a while and nothing strange seems to be left in any of the files (i checked them all) – but let’s wait and see.

Anyone else with insight into this subject is WELCOME to chime in ??

I FIGURED IT OUT!

For anyone reading in the future:

After spending hours upon hours of digging through my files in my host’s FileAdministrator, I found in the plugins-directory a folder called WPCoreSys, in which was a file called WPCoresys.php. I don’t remember installing anything with this name, so I deleted it, and all the problems in the back-end of my site disappeared. Afterwards I found all the posts, this php-file had made and deleted them. They all had to do with illegal movie or software downloads. These posts weren’t visible from my posts-page (probably because of something the php-file did to hide them) but a quick google of my site revealed movie and software titles, by which I could view the posts in question, click edit at the bottom, and delete from there

TIP: Look for files in your database with generic software names (like WPcoresys), which you don’t remember having anything to do with and examine their code for keywords relating to your problem. If you don’t find any, there are a number of cheap or even free online services that sift through your files in order to identify hacks.

For the noobs like me: Google tings like “torrent site:yoursite.com” or “dvd site:yoursite.com” when looking for things that dont belong there. Or just google your own site and look through the results, and if anything odd pops up, delete it.

Happy WordPressing ??

Hi ataliare,
although this post signed as resolved: I have this problem just now, followed your kind advise and could clean up my site – thank you very much.

What my question is, how could this intruder get in my wordpress? I also installed the wordfence security plugin and it shows no error!

I’m afraid that there is a backdoor and it could happen again because some of the used plugins or themes are vulnarable.

Have you researched about that?

Thanks,
Ute

Hey uschu60,

I’m glad, you could use what I wrote.

I’m honestly not sure as to how someone gained access in my case, and I believe it can be for different reasons each time.

I think that in my case it had to do with the fact that my clients, who were responsible for the profile at UnoEuro up until the hack, hadn’t updated any of their login-info since the profile was made in 2013 -.- I updated the information right away and haven’t had issues since. The username was embarrassingly hackable and the password was quite short and simple.

There is another possibility. In 2013 when the profile at UnoEuro was made the at-the-time-developer made a simple website using concrete5 (a totally different cms if I’m right). I suspect some of the tables from said installation are still present in the MySQL-database. I don’t know if this is a potential backdoor, as I haven’t had the time to research it yet, but it’s on my to-do-list. Do you by any chance know whether this is in fact a vulnerability?

Now that I think of it, there was actually also a second WP-installation in the MySQL database with its own tables. These I deleted since they were easy to identify due to their timestamp and the fact that they were slight copies of everything from my own installation.

Hi ataliare,
I think it is always a good idea to clean up the database from all unused stuff, but I don’t know if this is a vulnerablity in this case. Many good websites wrote about backdoors in plugins or themes or as you wrote maybe the poor admin user access.

After my clean up yesterday I did some security changes:

– change the password of the database and user
– restricted IP access in the main root of the wp installation. Here is a guide: https://www.inmotionhosting.com/support/website/wordpress/lock-down-wordpress-admin-login-with-htaccess

The last point is a bit uneasy because I could change things only in my office but I could not risk another hack for my client until we know exactly what causes this attack.

Hi uschu60

Thanks for your advice! ??

It sounds like you have the hang of it. I’ve also considered restricting access, but my client needs to be able to log in once in a while because it contains a blog, and since they’re the ones paying for the hosting, denying them access to the hosting service is out of the question. I’ll look through the guide nonetheless. Thanks!

Hi guys,

I had the same problem. Did hours of searches. At last found WPCoreSys myself under plugins and when i searched it in wordpress here i am. Deleted it now hope it works, my categories are back. They kept disappearing in the dashboard as u described. Then after a while they came back with malware :). Now there s no malware posts or categories and my original categories are back so i m hopeful. Its odd no malware scans show this one. Cheers!! Thanx for posting this thread.

I know this topic is getting old, but I wanted to thank you for the solution. I’ve been wondering why I couldn’t see those damn categories for hours, but once WPCorSys deleted it all worked out fine.

Thank you !

Add my, ‘thank-you’ to the list. I had this same problem. Because I only use WP Dashboard and am not a coder, I didn’t know how to solve my problem – even after reading these posts.

I found Anti-Malware by Eli and ran a scan. It found a few suspicious files but nothing bad. However, I ran the scan a few more times just trying to understand what it was reporting. On the 4th scan if found WPcoresys. It identified it as a known problem and removed it.

My categories were immediately available again. More important was that I could now see 40+ malware posts with links and delete them. I was happy to pay a donation.

thanks for sharing your investigation and solutions.