• Resolved PaulaO

    (@holyroller)


    My website got hacked and I thought I had it cleaned. But it began acting weird again so I decided to do a full re-install to completely get rid of whatever code was slipped in. I did this for another site a few weeks ago (same reason) and it is functioning. However, this one isn’t working.

    I cannot get the install.php to run. It says it cannot find the file. I changed the config sample file, changed the name, uploaded it, and it still did not work. However, I can log into the site. The site will not load on the front end because it does not have the correct theme. I tried to add the theme but I got the following error:

    Installation failed: Download failed. cURL error 77: error setting certificate verify locations: CAfile: /home/***/***.com/blog/wp-includes/certificates/ca-bundle.crt CApath: /etc/ssl/certs

    I was able to upload the theme but got these errors:

    Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /home/poffutt/paulaoffutt.com/blog/wp-includes/update.php on line 130

    Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /home/***/***.com/blog/wp-includes/update.php on line 320

    Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /home/***/***.com/blog/wp-includes/update.php on line 500

    It seems as though some sort of something is missing from the install? How do I get that some sort back?

    To further add pain to my misery, I was a complete idiot and did a delete instead of move to my computer. I did move the wp-config file in case I needed it for reference. And I copied the .htaccess (which is not in place yet). I figured it was all worthless without knowing where the bad coding was. Now I am regretting that decision.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi PaulaO. If you’ve been hacked, then 1 thing you need to do & do it yesterday is to change your control panel, WordPress dashboard, & WordPress database passwords to something complex. This article
    https://www.brighter-vision.com/protect-yourself-with-passwords-or-pay
    might prove helpful in that regard. There are also a gazillion other resources regarding passwords–that 1 was just mentioned because I happen to know the url by heart– but, in order to prevent the bad guys from getting back in, it’s an extraordinarily important first line of defense.

    Is this a single or multisite installation? 1 thing it sounds like is that you may have chosen a secure (https) install when in fact you don’t have an SSL certificate. That’ll make things blow up pretty spectacularly. If you don’t have one, then you need to choose the http protocol. Perhaps also try renaming your wp-config.php by appending a 1 on the end, ie, wp-config.ph1 & see if the install won’t run.

    Please note also that sometimes the database can get hacked as well. I do suggest that you consider looking at your database using a text editor for words like:

    <script
    <? php;
    base64;
    eval
    preg_replace
    strrev

    This is not an exhaustive list, & the presence of those words is not definitive proof of a compromise, though some are more suggestive than others. I also recommend that you paste your .htaccess file for us to look at to ensure there are no backdoors hidden there where the bad actors can re-enter your site.

    If this all sounds entirely too overwhelming (though you seem to be pretty savvy regarding all this) there is a place to hire a professional at https://jobs.wordpress.net. Most site owners are under the mistaken impression that once they’ve removed the evidence of the hack, the problem is resolved. The truth is that the vast majority of criminals leave backdoors where they can reenter & regain control of the site, & if that isn’t fixed, all your hard work blows up in mere seconds once the bad actors take control again.

    Good luck. Keep in touch.
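The database check suggested in the reply above, as an added example that is not part of the original post: it scans a plain-text SQL dump for the listed words and reports which table each hit sits in. The table names and sample dump are constructed, and narrowing `eval` to its call form `eval(` is an assumption made here to cut noise from ordinary words.

```python
import re
from collections import Counter

# Indicator words from the list in the reply above. Matching "eval" only
# when followed by "(" is an assumption added here, not the poster's rule.
INDICATORS = {
    "script_tag": re.compile(r"<script", re.I),
    "php_open": re.compile(r"<\?\s*php", re.I),
    "base64": re.compile(r"base64", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "preg_replace": re.compile(r"preg_replace", re.I),
    "strrev": re.compile(r"strrev", re.I),
}
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.I)

def scan_dump(sql_text):
    """Return (hits, per_table); hits holds (line_no, table, indicator_names)."""
    hits, per_table, table = [], Counter(), None
    for line_no, line in enumerate(sql_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)  # remember which table this row belongs to
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(line))
        if names:
            hits.append((line_no, table, names))
            per_table[table] += 1
    return hits, per_table

# Constructed sample dump (not taken from the thread).
SAMPLE_DUMP = """\
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to my blog.</p>');
INSERT INTO `wp_posts` VALUES (2,'Recipes','<p>Soup</p><script src="//cdn.example.invalid/x.js"></script>');
INSERT INTO `wp_options` VALUES (10,'blogname','My Blog');
INSERT INTO `wp_options` VALUES (11,'widget_text','<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>');
INSERT INTO `wp_comments` VALUES (5,'I evaluated this recipe and loved it');
"""

if __name__ == "__main__":
    hits, per_table = scan_dump(SAMPLE_DUMP)
    for line_no, table, names in hits:
        print(f"line {line_no:>3}  {table:<12} {', '.join(names)}")
    print(dict(per_table))
```

A hit is a row to read by hand, not a verdict: legitimate embeds and widgets contain `<script` too.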

    Thread Starter PaulaO

    (@holyroller)

    Yes, the certificate file is there. I have no clue what the etc/ssl/certs path is.

    I checked with my webhost (DreamHost) and the certificate is still valid.

    I have changed every single password on every single site I run several times. What was happening this time was some sort of leftover javascript was still running on occasion and I could not find it.

    The website is functioning. I can install the theme, make changes and everything. It is there, viewable. I just get these error messages now.

    Paula, please paste your .htaccess file for us to look at in your next reply. Again–could you please tell us if this is a single or multisite installation?

    Lastly, since you’re on Dreamhost, could you please look at your CPanel & see if there’s an applet present to view error logs? If so, could you please paste entries in your next reply.

    The reason I suggested looking at your database is to ensure no spurious code remains there. The site owner can delete/reinstall all files, but if the database has been compromised, then the site still remains under the control of the bad actors.

    Paula, also, please go to ‘Settings > General’ in your WordPress dashboard & tell us both your site url & your WordPress address.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    DreamHost doesn’t have a panel module for error logs. But I work there and based on the error message, I checked out the site paulaoffutt.com

    That site looks like it’s up and running, and I checked the files for anything obvious. It looks okay to me but I did not do a full security scan.

    Where are you getting the errors? Just on running the background or do they show up on your wp-admin pages?

    I DID a hard reset on your temp folder, just in case something dumb was lingering, and you may need to log back in to your blog, but it looks okay from the outside.

    ipstenu, I was hoping you’d get involved. I guess I should’ve gone up on Slack & pinged you. But this broken wrist of mine is severely cramping my style (literally), & you already know what an accessibility nightmare Slack is, though to their credit, they’re improving some. The site, I think, is actually paulaoffutt.com/blog. Could you check that, please? Thank you. & I’ll put in my notes that DH doesn’t have that facility.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    If you’re command line savvy, we have logs in /home/username/logs/domain.com/http/

    It’s not very user friendly. I know :/

    paulaoffutt.com/blog has some bad file permissions (they were read-write) and I fixed that. But since you have the AIO firewall up, there isn’t much else I can do. I checked the WP files in that folder and they all look correct as well.
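An added example, not from the thread or from DreamHost: cURL error 77 means libcurl could not load the CA file it was pointed at, so this audit checks that the bundle under `wp-includes/certificates/` exists, is readable and contains PEM certificates, and lists files writable by group or others. The finding labels and the demo tree are constructed, and treating group/other write bits as "bad permissions" is an assumption, since the post does not give the exact modes.

```python
import os
import stat
import tempfile

# Path of the CA bundle relative to the WordPress root, as in the cURL error.
CA_REL = os.path.join("wp-includes", "certificates", "ca-bundle.crt")

def audit_wp_tree(root):
    """Return sorted (finding, relative_path) tuples for a WordPress tree."""
    findings = []
    ca = os.path.join(root, CA_REL)
    if not os.path.isfile(ca):
        findings.append(("ca-missing", CA_REL))
    elif not os.access(ca, os.R_OK):
        findings.append(("ca-unreadable", CA_REL))
    else:
        with open(ca, "rb") as fh:
            if b"-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append(("ca-no-pem", CA_REL))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits say nothing useful
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("loose-write", os.path.relpath(path, root)))
    return sorted(findings)

def build_demo_tree():
    """Constructed tree: an empty CA bundle and one group/world-writable file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        CA_REL: (b"", 0o644),
        os.path.join("wp-content", "themes", "child", "functions.php"): (b"<?php\n", 0o666),
        "index.php": (b"<?php\n", 0o644),
    }
    for rel, (data, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return root

if __name__ == "__main__":
    for finding, rel in audit_wp_tree(build_demo_tree()):
        print(f"{finding:14} {rel}")
```

The readability check reflects the account running the script, so run it as the user PHP executes under.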

    I was beginning to think it might’ve been something like that. Thanks, @ipstenu.

    Thread Starter PaulaO

    (@holyroller)

    Sorry. I broke my glasses and could not read my computer.

    Oh. Whatever Ipstenu did worked. I am no longer getting error messages. The one about the cert is gone. And uploading themes/plugins does not generate an error message either. Both are listed in the first post.

    I love Dreamhost and their staff. Been with them since ’02. It is their new scanning capabilities that caught the problems before I did.

    What security plugin should I be using? AIO did not catch these on either of the two sites which is why DH thinks it was an FTP issue, although I don’t.

    Lol, Paula, I’m working my computer now w/a broken wrist–it’s a pita. So I can identify w/the glasses thing.

    Ipstenu & I sometimes meet on the WordPress support forums weekly chat. I was really hoping she’d pop in this thread, as I was aware she worked for Dreamhost. Truthfully, I should’ve pinged her. But w/this broken wrist & a very sick kitten, I kinda got distracted. Apologies.

    It looks as though ipstenu got stuff working for you. If that be the case, could you please mark the topic as ‘resolved’ so the volunteers know you’ve been helped & can feel free to go on to help others. Thanks. & thanks as well, @ipstenu. Good luck w/your endeavors, Paula.

    Oh, yeah–& you asked what security plugin I recommend. My current favorite is Wordfence. Others have their own, of course, & it’s no substitute for doing your part such as keeping your site up-to-date, having good passwords, etc, just as vitamin supplements can’t make up for people’s stupidity w/their knives & forks, for example, but I really like it. By default it checks only WordPress core files, but, since themes & plugins are actually the most likely to get compromised, I usually check the options to have Wf check themes & plugins as well. Turn that off if scans aren’t finishing, etc.

    Thread Starter PaulaO

    (@holyroller)

    The hacker somehow got code into the functions.php file of a child theme. I had permissions set correctly, or I thought I did. Did it to both sites where I had a child theme.

    And yes, I will put the Resolved in the subject line.

    Thank you for your help!

    & that is a disadvantage of using child themes, Paula, ie, if there are known vulnerabilities in the theme code, it’s not updated & the necessary patches are therefore not applied, as would be the case when using a theme right out of the box, as it were.

    Please ensure the devices you use to log into your website are clean of malware, that you’ve changed the default username/password on your router, especially if it’s something like “admin” or “pass”–or, heaven forbid–none at all. Use secure file transfer rather than plain FTP, & don’t log in from public networks such as hotels, restaurants, etc. Update your site frequently & use complex passwords. A plugin that prevents brute force attacks & shuts down vulnerability scanners, ie, bots scanning sites for vulnerable code that can be exploited should also help.

    Thanks again, @ipstenu for getting things working for Paula. Come back & visit us anytime, Paula.

  • The topic ‘Re-installation: install.php will not run’ is closed to new replies.