Facebook Youtube Instagram

WordPress

WordPress is a popular free software for personal publications (blogs). It uses PHP and MySQL as server-side technologies. Its installation/maintenance is quite easy.

Requirements

To install WordPress on your hosting account, you need:

  • 80 MB free disk space
  • one free MySQL database slot. The database will be created by the automatic installation script.
Installation

To install WordPress, please navigate to the WordPress section > Install tab of your hosting Control Panel.

Please fill in the following fields:

  • Site Title: You need to enter the name of your WordPress site. You choose this name. For example, it can be related to the content of the blog, the name of your company, your domain name, etc.
  • Subdomain: Choose the subdomain, in which you want WordPress installed.
    If you want to install WordPress in a new subdomain, click on the link Create a subdomain, which will take you to the Subdomains section of the Control Panel.
  • Path: If you wish to install WordPress in the main folder of the subdomain you have chosen, you can leave this field empty. If you wish to install in a subfolder, please click the Select folder icon and choose an installation folder.
  • Use WWW: Prefix the address with www (e.g. http://www.yourdomain.com).
  • Use HTTPS: Set the site to use HTTPS instead of HTTP. This is only possible if there is a valid SSL certificate installed for the host.
AttentionWe advise that you install WordPress in a folder that does not contain other files and folders, as they can be overwritten by the installation script.

 

  • Username: Enter the username that you want to use for administering your site. You will be able to create additional WordPress users later, through the administrative panel of WordPress.
  • Password: Enter a password for the above username.
  • Password Again: Enter the password again.
  • Е-Mail: Enter the email address of the main user for administration. You will need this email for example to retrieve the password of your WordPress main user for administration (in case it is lost).
  • Accept license agreement: You need to check the license of WordPress and accept it.


wordpress_installation_form_en.png

After you fill in the above fields, click on the Install button. If the folder you are installing to contains files/folders, you will see a warning. If you want to choose another subdomain or subfolder for the installation, you need to click on the Cancel button. Otherwise, you can click on the Continue button.

Note that the results of some operations are cached, so you may not see your changes immediately. If that happens, please allow a few minutes for the cache to expire.

If the WordPress installation completes successfully, you will see a screen with the installation details:

wordpress_installation_success_en.png

AttentionWe strongly advise you that you keep your WordPress installation up-to-date, along with the plugins you add. You can perform the updates through the administrative section of your WordPress, where you will see notices that new versions of your WordPress and/or plugins are available.

The Log in button next to each administrative username allows you to log in to the WordPress dashboard of your website with that particular username. This way, you can log in without entering a password.

Most operations made on the WordPress page of the Control Panel are performed using the WP-CLI tool. These operations are logged in the ~/.wp-cli/history.log file in your hosting account.

For instructions on installing WordPress manually, check our Installing WordPress [version 5.x.x] article.

If you have WordPress installations that are not currently managed by the WordPress section of the hosting Control Panel, you can add use the Scan for WordPress installations button. It will scan your hosting account and list the WordPress installations it finds.

Scan

To import a WordPress installation from the list, you need to check its checkbox and click on the Import button.

import.jpgSome issues with your WordPress installation can be automatically fixed by the Control Panel. If an issue like that is detected, you will see an option to attempt a fix on the management page of your WordPress installation.

If your WordPress installation does not work and cannot be repaired automatically by the Control Panel, you can contact our support team for assistance.

The “Log in” button next to each administrative username allows you to log in to the WordPress dashboard of your website with that particular username. This way, you can log in without entering a password.

Note that the results of some operations are cached, so you may not see your changes immediately. If that happens, please allow a few minutes for the cache to expire.

Most operations made on the WordPress page of the Control Panel are performed using the WP-CLI tool. These operations are logged in the ~/.wp-cli/history.log file in your hosting account.

Note: It is only possible to force HTTPS for a WordPress installation if there is a valid SSL certificate installed for its domain/subdomain. You can enable a free Let’s Encrypt certificate with a single click using the SSL/HTTPS -> Let’s Encrypt certificates section of the Control Panel as described in our Let’s Encrypt certificates article.

You can use the WordPress section of the hosting Control Panel to force HTTPS for a WordPress installation by following the steps below:

1. Open the Manage tab.

2. Find the WordPress installation in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.

3. Check the Yes checkbox for Use HTTPS

Force HTTPS

4. Click on the Change button.

When you force HTTPS for WordPress, the tool performs the following actions:

  • Changes the Site URL (WordPress Address) setting.
  • Changes the Home (Site Address) setting.
  • Searches and replaces the current address with the new address in the database.

Note: If there are any hard-coded links of the website’s URL in the WordPress files, you will need to update them manually.

You can use the WordPress section of the hosting Control Panel to change the Site URL of a WordPress installation by following the steps below:

1. Open the Manage tab.

2. Find the WordPress installation in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.

3. Select the Site URL using the controls under the Site URL section. A preview of the URL is shown below the controls. The controls are as follows:

Use HTTPS: Set the site to use HTTPS instead of HTTP. This is only possible if there is a valid SSL certificate installed for the host.

Use WWW: Add www. prefix for the address.

Choose subdomain: Choose the subdomain from the list of the subdomains created on the account.

Choose domain: Choose the domain from the list of the parked and main domains on the account.

Choose directory: Choose a directory in the selected subdomain. Leave empty for the root of the domain/subdomain. If you choose a directory that is different than the current one, you are effectively moving WordPress to that directory. Details about that can be found in our Moving WordPress between directories or subdomains on the hosting account article.

Change Site URL

4. Click on the Change button.

When you change the address of WordPress, the tool performs the following actions:

  • Changes the Site URL (WordPress Address) setting.
  • Changes the Home (Site Address) setting.
  • Searches and replaces the current address with the new address in the database.

Note: If there are any hard-coded links of the website’s URL in the WordPress files, you will need to update them manually.

You can enable the recommended output compression, enable browser caching, and prevent 404 (Not found) errors for WordPress very easily by following these steps:

  1. Go to the Manage tab of the WordPress section in the hosting Control Panel.
  2. Click on the edit.gif (Edit) button next to your WordPress installation.
  3. Click on the Optimize button under the Tools section.

This will add the following code block to the .htaccess file of your WordPress installation:

### BEGIN Optimization enabled via Control Panel > WordPress ###
<IfModule mod_deflate.c>
    # Insert filters according to https://codex.wordpress.org/Output_Compression
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-httpd-php application/x-httpd-fastphp image/svg+xml

    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    # Make sure proxies don’t deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
</IfModule>

## LEVERAGE BROWSER CACHING ##
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg “access 1 year”
    ExpiresByType image/jpeg “access 1 year”
    ExpiresByType image/gif “access 1 year”
    ExpiresByType image/png “access 1 year”
    ExpiresByType text/css “access 1 month”
    ExpiresByType application/pdf “access 1 month”
    ExpiresByType application/x-javascript “access 1 month”
    ExpiresByType application/javascript “access 1 month”
    ExpiresByType application/x-shockwave-flash “access 1 month”
    ExpiresByType image/x-icon “access 1 year”
    ExpiresDefault “access 2 days”
</IfModule>
## LEVERAGE BROWSER CACHING ##

### Skip 404 error handling by WordPress for static files ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !(robots\.txt|sitemap\.xml(\.gz)?)
    RewriteCond %{REQUEST_FILENAME} \.(css|js|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
    RewriteRule .* – [L]
</IfModule>
#### END Optimization enabled via Control Panel > WordPress ####

You can also add the code block listed above to the .htaccess file of your WordPress installation manually using the hosting File Manager section of the hosting Control Panel.

The Leverage Browser Caching code block is essential for preparing your WordPress installation for server-side caching. You can learn more about getting WordPress working properly with our server-side caching service in the Enabling server-side caching for WordPress article.

System backups are created automatically every day for all hosting accounts and kept for seven days on our servers; however, we would recommend that you always create manual backups before making any major changes to your WordPress websites.

To create, download, or restore from a WordPress backup, all you need to do is:

  1. Go to the hosting Control Panel’s WordPress section.
  2. Find the desired WordPress installation in the list, and click on the Edit (Edit) button next to it. This will take you to the management page for the WordPress installation.
  3. In the Backup section, click on the Backup button at the bottom to create a new backup, or click on the Download or Restore buttons next to a backup to download or restore your WordPress installation from that backup.

The backups generated from the WordPress section are stored in the wp_backups directory of your account’s Private directory.

By design, the WordPress section generates a backup before performing operations which may break your website or affect its uptime after completion (like changing the Site URL or setting a staging website as live). In such events, you can restore your website with a single click from the automatically created backup and minimize restoration efforts.

You can use the WordPress section of the hosting Control Panel to create staging sites of your WordPress installations, make and preview your changes on them, and finally, publish those changes to the main site.

Creating a staging site
  1. Open the Manage tab of the hosting Control Panel’s WordPress section.
  2. Find the WordPress site in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.
  3. Select the Site URL of the staging site using the controls under the Site URL section. A preview of the URL is shown below the controls. The controls are as follows:

    • Use HTTPS: Set the site to use HTTPS instead of HTTP. This is only possible if there is a valid SSL certificate installed for the host.
    • Use WWW: Add www. prefix for the address.
    • Choose subdomain: Choose the subdomain from the list of the subdomains created on the account.
    • Choose domain: Choose the domain from the list of the parked and main domains on the account.
    • Choose directory: Choose a directory in the selected subdomain. Leave empty for the root of the domain/subdomain.

    Please note that you need to choose a location that is different from the current one. Our recommendation is to use a different subdomain. Here, we are using a subdomain named “staging” as an example.

    Create a staging site

  4. Click on the Create staging button.

This will create a separate staging site at the chosen location by copying the files there. It will also use separate MySQL database and user, so you can edit the new installation without affecting the original site in any way. The staging site will be automatically added in the Manage tab of the WordPress section.

Publishing the staging site to the main one
  1. Open the Manage tab of the WordPress section in the hosting Control Panel.
  2. Find the main WordPress site in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.
  3. Find the staging site in the Staging section of the page, and click on the Set as live button.

    Set as live

  4. A prompt will appear asking you if you would like to overwrite the live WordPress site with the staging one (this includes the files and the database) or try to merge them. Choose the desired approach, and wait for the operation to finish.

    Push staging to live site prompt

    Note: Full backups will be created automatically of both websites before the operation, which you can use in case a problem with either of the sites occurs.

You can use the WordPress section of the hosting control panel to move or copy WordPress installations between directories or subdomains on the same hosting account by following the steps below:

1. Open the Manage tab.

2. Find the WordPress installation in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.

Move WordPress

3. Select the target subdomain and directory on the account. At the same time, you can optionally choose a different domain, start using HTTPS or prefix the address with www. The “Choose domain” dropdown lists the main and parked domains associated with the account. 

4. Click on the Change button.

5. You will be asked if you wish to move or copy the WordPress installation. If you wish to keep a copy of WordPress at the original location, please click on Copy. The two installations will use different MySQL databases and usernames. If you wish to delete the original installation, please click on Move.

Move or copy WordPress

If the source and target directories are overlapping, you won’t have the option to copy WordPress, and only the Move option will be available.

Depending on the size of the WordPress installation, the process might run in the background.

When you move or copy WordPress to another directory, the tool performs the following actions:

  • Copies/moves the files to the new directory.
  • Creates a new database and database user.
  • Copies/moves the data from the current database to the new one.
  • Changes the Site URL (WordPress Address) setting.
  • Changes the Home (Site Address) setting.
  • Performs search and replace in the database, replacing the current address with the new address.

The usernames and passwords for the WordPress installation will remain the same.

You can use the WordPress section of the hosting Control Panel to move or copy WordPress installations between different hosting accounts on our servers by following the steps below:

1. Open the Manage tab in the Control Panel for the account with the original WordPress installation.

2. Find the WordPress installation in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.

3. Click on the Backup now button. This will generate a backup of your entire WordPress installation – the database and the files.

4. Download the backup to your local computer by clicking on the Download button.

Backup

5. Open the Import tab of the WordPress section in the Control Panel for the account where you wish to move/copy the WordPress installation.

6. Click on the gray area to select the backup file on your local computer. If the file size is bigger than 200 MB, you need to upload it to the server via the hosting Control Panel’s File Manager or with FTP first, and then select the uploaded backup using the “or select an uploaded file” link.

Import

7. Select the Site URL of the new WordPress installation using the controls in the Select WordPress import destination section. A preview of the URL is shown below the controls. The controls are as follows:

Use HTTPS: Set the site to use HTTPS instead of HTTP. This is only possible if there is a valid certificate issued for the host.

Use WWW: Add www. prefix for the address.

Choose subdomain: Choose the subdomain from the list of the subdomains created on the account.

Choose domain: Choose the domain from the list of the parked and main domains on the account.

Choose directory: Choose a directory in the selected subdomain. Leave empty for the root of the domain/subdomain.

8. Click on the Import button. 

Depending on the size of the WordPress installation, the process might run in the background.

When you import WordPress from a backup, the tool performs the following actions:

  • Imports the files to the directory.
  • Creates a database and database user.
  • Imports the database structure and data to the database.
  • Changes the Site URL (WordPress Address) setting.
  • Changes the Home (Site Address) setting.
  • Performs search and replace in the database, replacing the address in the backup with the new address.

The usernames and passwords for the WordPress installation will remain the same.

Public access to the XML-RPC file (xmlrpc.php) on our servers is blocked by default, because the file is a common target for hackers. More details are available in our Error “412 Precondition Failed” (mod_security2) article. You can now easily enable access to it by following these steps:

1. Open the Manage tab of the WordPress section.

2. Find the WordPress installation in the list, and click on the Edit (Edit) button for it. This will take you to the management page for the WordPress installation.

3. Scroll down to the Tools subsection, and locate the option called Enable access to XML-RPC.

Tools sub-section

4. Click on the Enable button next to it.

This is it – you can now successfully install any plugin that requires access to XML-RPC.

Server-side caching may help reduce page load times by a significant margin if configured properly. You can learn more about the server-side caching service in the General information about server-side caching article.

To take advantage of server-side caching on a WordPress website, you need to:

  1. Configure WordPress to cache content.
  2. Choose how to clear the cache.
  3. Enable server-side caching.
1. Configure WordPress to cache content

You should configure your WordPress installation to send the correct caching headers.

If you have installed your WordPress instance using the WordPress section of the hosting Control Panel, content caching should be already enabled for your WordPress installation. Otherwise, you can enable it by following the instructions from our Optimizing WordPress article.

By optimizing your WordPress installation through the hosting Control Panel, the following line of code will be added to your .htaccess file, which will guarantee that a separate cache entry gets created for every different User Agent (browser):

Header append Vary User-Agent env=!dont-vary

If you don’t want to have a separate cache entry for every User Agent, you should comment or remove that line from the main .htaccess file of your WordPress installation.

Alternatively, you can install a plugin that allows you to set caching headers. The Cache-Control plugin has proven to work correctly on our servers.

Note: We advise that you do not combine multiple tools/methods that set HTTP Cache-Control headers as this may lead to unexpected results.

2. Choose how to clear the cache

You can configure WordPress to clear the server-side cache automatically whenever content is changed. All you need to do is download and activate the Server-Side Cache Autopurge plugin for your WordPress installation. The plugin works correctly out of the box, so no additional configuration is required. This plugin also allows you to purge the cache on demand via the “Purge Server-Side Cache” button at the top left side of the WordPress Dashboard, as well as via WP-CLI with the following command:

wp surecache purge

If you do not wish to install or use the Server-Side Cache Autopurge plugin, or you do not update content regularly, you can purge the server-side cache manually by using any of the methods listed in our Purging the server-side cache article.

3. Enable server-side caching

Once you have prepared WordPress for server-side caching, you can enable the server-side caching service by navigating to the hosting Control Panel’s Server-side Caching section and clicking on the Enable button next to the domain/subdomain where your WordPress is installed.

You can view a full list of the WordPress administrators on your websites, change their passwords, and also login with their username via the WordPress section of the hosting Control Panel.

To use these features and view this information, click on the Edit icon (Edit) next to the WordPress installation in the list inside the WordPress section. Under the WordPress administrators subsection, you will see a list of all the administrators on your WordPress website showing their respective login usernames, display names, and email address. Next to each administrator, you will find two buttons – Log in and Password. The Log in button allows you to log into the WordPress Dashboard as that user, and the Password button allows you to change the password for that user.

WordPress Administrators List

If the appearance or behavior of your site has changed, this may mean that it has been compromised. In this article, we will cover how our Incident Response Team handles such cases. We have selected a WordPress installation for this example, and while the details will be different, the logical framework of the investigation is nearly identical for all common web applications.

The Incident

Any WordPress installation will contain a number of standard core files in its main directory, and the same goes for all major CMS applications, so you should look for unexpected and unusual files and subdirectories in your web root directory. In this case, the user has the following two files in their WordPress installation directory:

  133ja3lore.php
  a1cw42ipim.php

We will be using some of the standard Unix command line tools in order to gain more information about these files, and about how they originally appeared on the account. We provide SSH access out of the box, as well as full Apache access logs, so you could reproduce these steps on your own.

Obtaining Timestamps

The stat utility gives us a lot of information about files, and this is how its output looks like:

[17:09:32] server~$ stat ~/www/www/133ja3lore.php
  File: ~/www/www/133ja3lore.php
  Size: 4909          Blocks: 16         IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 202768472   Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 4731/user)   Gid: ( 4674/user)
Access: 2018-02-02 15:16:02.000000000 +0800
Modify: 2018-02-02 15:16:02.000000000 +0800
Change: 2018-08-07 20:49:47.771134758 +0800
 Birth:
[17:09:43] server~$ stat ~/www/www/a1cw42ipim.php
  File: ~/www/www/a1cw42ipim.php
  Size: 4909          Blocks: 16         IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 202768462   Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 4731/user)   Gid: ( 4674/user)
Access: 2018-02-02 15:16:02.000000000 +0800
Modify: 2018-02-02 15:16:02.000000000 +0800
Change: 2018-08-07 19:41:46.676971426 +0800
 Birth:

The “~” symbol stands for “/home/$USER” where $USER is your hosting username.

The main difference between the mtime (modification time) and ctime (change time) is that mtime shows the last change of the contents of the file, while ctime shows the last change of the contents of the file or of one of its attributes (such as permissions or owner). Depending on the situation, we may search our logs for the ctime attribute, the mtime attribute, or even both.

In this case, we will take the ctime timestamp for further analysis, because for both files, it is the more recent attribute. We will also start by searching for the ctime timestamp we obtained from a1cw42ipim.php, because it was changed about an hour earlier than the same attribute of the other file. We will assume that it was uploaded first and should take us closer to the original Point of Entry.

Log Analysis

Current, real-time access logs are available from the Logs section of the Control Panel – this is helpful if the attack was very recent. In this case, the original event occurred a long time ago, so we will be using archived copies of the logs. These archives are stored in the Logs directory of the account, and can be viewed from the File Manager, via FTP, or through SSH. The archives are in the gzip format, so you can use the zgrep command to search in them. Furthermore, log archives are split into individual files, with names based on subdomain and day, so this is how a search for the timestamp obtained previously would look like:

zgrep "19:41:" ~/logs/2018-08/www-07.log.gz

When checking the access logs, we pay special attention to any POST requests that we discover. Unlike GET requests, where all data is encoded in the URL, POST requests include data in the body of the request. Most file uploads and setting updates use this method, and this is how malware is usually uploaded, too. The search yields the following lines of interest to our investigation:

www.domain.com 192.0.2.1 - - [07/Aug/2018:19:41:44 +0800] "POST /um-api/route/um!core!Files/ajax_image_upload/a2c75736fe HTTP...
www.domain.com 192.0.2.2 - - [07/Aug/2018:19:41:45 +0800] "POST /wp-content/uploads/ultimatemember/temp/Ao3uKpx8B9klgpJ6Ra7A8...

You should not expect to discover the Point of Entry on the first try. The malware that we investigate may have been uploaded by another malicious file, and more often than not, the same process will have to be repeated several times before the Point of Entry can be identified. It is also entirely possible that the account was compromised on another server and was then migrated. Additionally, this process is tuned and specific for our environment. However, any respectable hosting provider should be able to provide you with the access and tools required to perform these steps.

Once we have identified the original Point of Entry, we can begin working on cleaning up the account and hardening it against similar issues in the future. Unless a safe backup exists, this task can appear daunting, but it is actually pretty straightforward with a modern CMS.

Finding all executable files on your account and manually reviewing them for malware (since automated scanners do not work well enough for obfuscated PHP code) can range from difficult to outright impossible. Luckily, with a modern web application such as WordPress, you can simply re-install it while preserving your uploaded files. This is the fastest and the most effective method to bringing your site back up in a clean and secure state. We use it every day on all but the most specific and niche cases.

Save the wp-config.php file, your images, and your personal files

The wp-config.php file contains the basic configuration for your site, including the information necessary to connect to the database server. When saving it, open it and inspect its contents for anything suspicious, like a very long first line containing unusual characters. As a rule of thumb, if your text editor has an unusually long horizontal scroll bar, the file that you are editing is likely to be compromised. If that’s the case with the wp-config.php file, copy the database connection strings to a clean wp-config.php file from a fresh WordPress archive.

Your images and personal files should be stored in the wp-content/uploads directory. Ideally, there should be no PHP files at this location. Unfortunately, some plugins and themes may store some of their files in subdirectories there, making the task of correctly identifying and removing malware even harder. An easy way to list all PHP files in a given directory is to run the following command via SSH:

find ~/www/www/wp-content/uploads/ -iname "*.php"

If you receive no output, you can safely copy the uploads directory. Otherwise, you should review the identified PHP files manually in order to see if they were placed there by a harmless plugin, or by an attacker.

Before you delete anything, you should first get a list of your active plugins. You can either do this from the WordPress Dashboard, or by typing the following command in the SSH terminal inside your WordPress directory (e.g. ~/www/www):

wp plugin list --status=active

This is how the command’s output may look like:

 +----------------------------------+----------+-----------+---------+
 | name                             | status   | update    | version |
 +----------------------------------+----------+-----------+---------+
 | classic-editor                   |  active  | none      | 1.5     |
 | really-simple-ssl                |  active  | none      | 3.2.3   |
 +----------------------------------+----------+-----------+---------+

You can do the same for your active theme:

wp theme list --status=active
Delete the entire folder where WordPress is installed

The wp-config.php file and the uploads directory are all the files that you need to preserve from your current WordPress installation, since most of your site resides in the database. In some cases, the database needs cleaning, too – but these are relatively rare, and not as trivial to secure. By now, you should also have a list of your active plugins and themes, so that you can download their latest versions from the official vendors.

Upload a new clean full package of the latest WordPress version

You can obtain WordPress from their official website and install it manually, or you could use our automated installer. In either case, you can now copy the previously saved wp-config.php file and the uploads directory. You can also install all plugins and themes that you had been using previously. If they are publicly available in the WordPress repository, you can do so from the terminal:

wp plugin install really-simple-ssl classic-editor --activate

At this point, you can test your site – ideally, it should work just like it did before the incident. In the odd chance that it does not, you should contact our Support Team.

Additional precautions

When a WordPress site has been compromised, we assume that the attackers know its administrative credentials. This is why you should review and update the passwords for all administrative users. You should also double-check for any unusual users created around or after the attack.

We also encourage you to update your Control Panel password, as well as the passwords for all MySQL users. You should note that following a password change for your MySQL user, you should also update your wp-config.php file accordingly.

It is possible for a WordPress website to stop working correctly after a new plugin is installed, or an existing plugin is updated. If the WordPress Dashboard remains active, you can temporarily disable or remove the problematic plugin; however, some plugins also cause the WordPress Dashboard to stop working. In such cases, you can easily disable all plugins on your WordPress website via the hosting Control Panel’s WordPress section by following these steps:

  1. Find the WordPress installation in the list inside the WordPress section, and click on the Edit (Edit) button for it.
  2. Under the Tools subsection, click on the Disable button next to Disable all plugins.

This should allow you to log in your WordPress Dashboard, and resolve the problem with the misbehaving plugin. You should be able to re-activate your plugins via the WordPress Dashboard.

This tutorial covers the following topics:

  • Obtaining a list of the available WP-CLI commands
  • Updating the WordPress core
  • Updating WordPress plugins
  • Installing and activating/deactivating plugins
  • Managing WordPress themes
  • Managing WordPress users
  • Changing the WordPress URL
 

WP-CLI is the command line interface for WordPress, allowing you to manage all aspects of the application from the command prompt, without having to use a web browser. It’s a very powerful tool that could help you complete complex tasks that would otherwise require additional plugins or would take much more time to accomplish.

This tutorial focuses on using WP-CLI to complete typical WordPress administration tasks, such as updating themes and plugins, managing the dashboard users, and changing the site’s URL settings. Note that WP-CLI is available on all servers, but it requires SSH access. Thus, you will first need to make sure that you have enabled SSH access for your account. You can do that through the “SSH Access” section of the hosting Control Panel. More information on SSH is available in the following articles from our online documentation:

  • Enabling SSH
  • Connecting to your account over SSH

Once logged into your account over SSH, you will need to navigate to the location of your WordPress site. If you are looking to mange the site for your main domain name and you have not changed the default web root folder, you will need to run the following command:

cd ~/www/www/

If your WordPress site is located in another directory, you will need to navigate to that directory instead. Now that you are in the WordPress directory, you can start executing WP-CLI commands.

Obtaining a list of the available WP-CLI commands

You can obtain a list of all the available WP-CLI commands by running the following

wp help
Updating the WordPress core

You should first check the current version of your WordPress installation by running the following command:

wp core version

You can start the update with the following command:

wp core update

If there are no updates available, you will receive the following message:

Success: WordPress is up to date.
Updating WordPress plugins

Again, you should first check the status of the installed plugins, and that’s done by running:

wp plugin list
+---------------------+--------+-----------+---------+
| name | status | update | version |
+---------------------+--------+-----------+---------+
| all-in-one-seo-pack | active | none | 2.9.1 |
| contact-form-7 | active | none | 5.0.5 |
| fusion-builder | active | available | 1.1.6 |
| fusion-core | active | available | 3.1.6 |
| jetpack | active | none | 6.7 |
| LayerSlider | active | available | 6.3.0 |
| revslider | active | none | 5.4.2 |
| the-events-calendar | active | available | 4.6.25 |
| wp-mail-returnpath | active | none | 1.0.3 |
+---------------------+--------+-----------+---------+

We have a total of nine plugins installed in our sample WordPress project. You can see under the Status column that all of them are currently active and there are updates available for four of them. Here is how we can update one of the plugins:

wp plugin update fusion-builder
Enabling Maintenance mode...
Downloading update from https://updates.theme-fusion.com/?avada_action=get_download&item_name=Fusion%20Builder&nonce=27c6b23b34&t=1542808142&ver=5.7.1...
Unpacking the update...
Installing the latest version...
Removing the old version of the plugin...
Plugin updated successfully.
Disabling Maintenance mode...
+----------------+-------------+-------------+---------+
| name | old_version | new_version | status |
+----------------+-------------+-------------+---------+
| fusion-builder | 1.1.6 | 1.7.1 | Updated |
+----------------+-------------+-------------+---------+
Installing and activating/deactivating plugins

 Here are the commands for installing, activating, and deactivating plugins:

wp plugin install plugin_name
wp plugin activate plugin_name
wp plugin deactivate plugin_name

You should replace the plugin_name string with the actual name of the plugin. Deactivating plugins via the command line can be quite helpful if you have a plugin that has caused an issue with your website and yet you cannot log in at the dashboard with a browser, in order to deactivate it. In such cases, you would still be able to log into your account via SSH and deactivate the problematic plugin from the command line using WP-CLI. 

Managing WordPress themes

Here are the most common commands for managing the WordPress themes:

wp theme list
wp theme activate theme_name
wp theme delete theme_name
wp theme install theme_name
wp theme update theme_name

The first command shows you a list of the themes currently installed, and here is the output when executed in our sample installation:

wp theme list
+-----------------+----------+-----------+---------+
| name | status | update | version |
+-----------------+----------+-----------+---------+
| twentyfifteen | inactive | available | 1.8 |
| twentyseventeen | inactive | available | 1.3 |
| twentysixteen | inactive | available | 1.3 |
+-----------------+----------+-----------+---------+

This table shows there are three themes installed with updates available for all of them. Here is how a theme can be updated via the command line:

wp theme update twentyseventeen
Downloading update from https://downloads.wordpress.org/theme/twentyseventeen.1.7.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the theme...
Theme updated successfully.
+-----------------+-------------+-------------+---------+
| name | old_version | new_version | status |
+-----------------+-------------+-------------+---------+
| twentyseventeen | 1.3 | 1.7 | Updated |
+-----------------+-------------+-------------+---------+
Success: Updated 1 of 1 themes.
Managing WordPress users
  • You can obtain a list of the existing users with the following command:
wp user list
  • The following command can be used to change the password of a given user:
wp user update USERNAME --user_pass="PASSWORD"

This command is helpful if you have forgotten the password for a given user and do not have access to the email account associated with it.

  • Here is how you can create a new dashboard user directly from the command line:
wp user create USERNAME EMAIL --role=administrator

You should replace the USERNAME string with the desired username and the EMAIL with his/her actual email address. The “role” field sets the role of the user to create; the possible values are: ‘administrator’, ‘editor’, ‘author’, ‘contributor’, ‘subscriber’. Here is an example:

wp user create example user@example.com --role=administrator
Changing the WordPress URL

CMS applications like WordPress are configured to work and accept requests over a specific URL. This URL is set during the installation process. However, it’s often required to change it for a number of different reasons. For example, you might have to move your WordPress installation from one subdomain or subfolder to another, or may wish to change your domain name. Another fairly common situation is whenever you wish to force HTTPS connections to your website after installing an SSL certificate. This is a fairly complex task as it requires an update of all the database entries containing the old URL to the new one. The process is much easier with the use of WP-CLI, as you just need to run the following command:

wp search-replace 'http://your-old-URL.com' 'http://your-new-URL.com' --skip-columns=guid

Your site should now be configured to work over the new URL. Don’t hesitate to open a support ticket in case you detect any issues.

Note: There may be hard-coded links to resources in your files that contain the old URL. If you notice missing images, CSS files, or any other discrepancies, you may want to check the browser’s error console for specific errors. You can open the error console by clicking F12. It will help you locate files that may contain links to missing resources. You may also open a support ticket for help.

Company

Help

Follow Us

Facebook Youtube Instagram
Legal Policies

Privacy Policy

Terms and Conditions

Cookie Policy

Accessibility Policy

×

Privacy Policy

Effective Date: April 29, 2025

At Webs-Inn.com, we recognize the importance of protecting the privacy of our users and customers. This privacy policy describes how we collect, use, store, and protect the personal information we obtain through the use of our website and services. By using our services, you agree to the practices described in this document.

We collect personal information including, but not limited to, full name, email address, phone number, billing information, IP address, browsing data, browser type, and operating system. This information may be collected directly through forms that users complete when contracting our services or contacting us, or automatically through technologies such as cookies and web analytics tools.

The personal information collected is primarily used to provide the contracted services, such as web hosting, domain registration, email accounts, and technical support. We also use this information to process payments, issue invoices, improve the user experience on our website, send important service-related notifications, and maintain the security of our platforms. Additionally, the information may be used to comply with legal requirements, prevent fraudulent activities, and protect the rights of Webs-Inn and its users.

Webs-Inn does not share, rent, or sell your personal information to third parties, except when necessary for service provision or by legal obligation. We may share data with service providers acting on our behalf, such as payment processors or support platforms, always under strict confidentiality agreements. We may also disclose information when required by competent authorities, in accordance with applicable legislation.

We implement technical, organizational, and administrative measures to protect your personal information against unauthorized access, loss, or alteration. We have secure servers, restricted access to our systems, and updated security protocols; however, we acknowledge that no system is completely infallible.

As a user, you have the right to access your personal data, request its correction, deletion, or restriction, as well as object to its processing or request its portability. You can exercise these rights by contacting us at admin@webs-inn.com, clearly indicating your request.

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected and while there is an active contractual relationship, or to comply with subsequent legal or contractual obligations.

We reserve the right to modify this privacy policy at any time, with immediate effect after publication. We recommend reviewing this section periodically to stay informed about any updates.

×

Terms and Conditions of Use

Effective Date: April 29, 2025

Access to and use of the webs-inn.com website and its services are subject to the following terms and conditions. By using our platform, you expressly agree to this agreement and commit to complying with it in its entirety. If you do not agree with any of the terms set forth herein, you must refrain from using our services.

Webs-Inn offers its users services related to domain name registration and management, shared or dedicated web hosting, corporate email accounts, and other services associated with website development and maintenance. To access these services, the user must create a personal account in our system, providing truthful, complete, and up-to-date information. The registered person will be responsible for maintaining the confidentiality of their access credentials and for all activities that occur under their account.

The user agrees to use Webs-Inn's services legally, ethically, and respectfully, refraining from taking actions that may harm the proper functioning of the platform, our servers, or other users. It is strictly prohibited to use our services for fraudulent activities, mass unsolicited emails (SPAM), distribution of malicious software, identity theft, or storage of illegal, violent, defamatory, or infringing content. In case of non-compliance, Webs-Inn reserves the right to suspend or cancel the user's account without prior notice.

All content, design, software, logos, texts, and images present on the Webs-Inn.com site are protected by intellectual property rights and belong to Webs-Inn or its authorized providers. The user is not allowed to copy, reproduce, modify, or distribute such content without prior written authorization.

Although we continuously work to ensure the stability and availability of the site, Webs-Inn does not offer an absolute guarantee of uninterrupted or error-free operation. Access to services may occasionally be affected by maintenance work, updates, or causes beyond our control. In no event shall Webs-Inn be liable for data loss, service interruptions, indirect damages, or lost profits arising from the use or inability to use our services.

These terms and conditions may be modified at any time. The modifications will take effect from the moment of their publication on the website, so it is recommended to review this section regularly. Continued use of the site after changes constitutes acceptance of them.

×

Cookie Policy

Effective Date: April 29, 2025

The webs-inn.com website uses cookies and similar technologies to enhance user experience, personalize content, analyze traffic, and remember visitor preferences. By browsing our website, you accept the use of cookies as described in this policy.

A cookie is a small text file that is stored on your device when you visit a website. Its purpose is to uniquely identify your browser or device and allow the site to remember your actions and preferences over time. This is useful for facilitating login, displaying relevant content, avoiding the need to repeat settings, and performing statistical analysis.

At Webs-Inn, we use essential cookies that are necessary for the site's functionality, such as those that allow access to your user account, shopping cart management, or site security. We also use analytical cookies that help us understand how visitors interact with the site, identify errors, and improve performance. Additionally, we may use third-party cookies, such as those from Google Analytics, which help us collect anonymous information about page usage and its most visited sections.

Users have the option to accept, reject, or delete cookies by configuring preferences directly in their browser. Most browsers allow cookie management through their settings and offer the ability to delete existing cookies or block future installations. It's important to note that disabling certain cookies may affect the proper functioning of the site and limit some features.

Webs-Inn reserves the right to modify this cookie policy at any time to adapt to legislative or technological changes. We recommend reviewing this section periodically to stay informed about how and why we use cookies.

×

Accessibility Policy

Effective Date: April 29, 2025

At Webs-Inn.com, we are committed to ensuring that our services and content are accessible to all people, including those with disabilities. We recognize the diversity of abilities and continuously work to improve the experience of all our users, in compliance with the principles of equality, inclusion, and non-discrimination.

We understand accessibility as the ability of any person, regardless of their physical, sensory, cognitive, or technological conditions, to navigate, understand, interact with, and contribute to the website effectively.

In this regard, we work to follow international best practices, such as the Web Content Accessibility Guidelines (WCAG) issued by the W3C, which establish clear criteria for making websites perceivable, operable, understandable, and robust. We are committed to advancing digital accessibility by developing future improvements that allow us to adapt to new technologies and the specific needs of our users.

We know that web accessibility is an ongoing process. Therefore, we appreciate any suggestions or reports of access barriers. If you experience difficulties accessing any content or functionality on our site, please contact us at admin@webs-inn.com. We are committed to evaluating and addressing each case as a priority, seeking solutions that ensure full participation for all individuals.

Webs-Inn.com reaffirms its commitment to digital inclusion and will continue to adopt measures to provide an accessible and equitable experience for all users.

© PGS | Designed & Powered by Webs-Inn Privacy