Categories
General

How a security improvement blocked my admin area

Today I learnt a new lesson – how to rename WordPress tables and lose ability to get into site admin area, and fix that back.

I tried to use WPScanner, to check performance and security. Security mainly. Here is how its dashboard looks like (just for reference):

wpscanner performance results
WPScanner admin area

This service is really good at providing a list of basic things to improve:

  • monitor file changes in WordPress core,
  • permissions,
  • server response headers
  • PHP version
  • other security concerns.

Basically, nothing special, but it is a huge time saver to have everything in the same place with proper links to explanation articles or how-to’s, and results of your changes evaluation. Which is cool.

One of the issues was regarding WordPress tables prefix. This can be a problem only in 1 situation, when some plugin is not escaping data and passes variables (for example, a number) directly to the query’s WHERE clause. In this case hacker can do something like 1;SELECT * FROM wp_users;. And that can break the site and return all the data on a page (in some cases).

So I decided to change the prefix, just in case. I activated maintenance mode and renamed all the tables in DB to include not a default wp_ table prefix. After that I lost access to wp-admin area, with no thoughts how does this security improvement influenced the site.

It took me several minutes to understand, that I need to rename wp_capabilities option in former wp_options table as well to have for it a new prefix. But admin area was still unaccessible for me. Site itself worked ok.

And here I spent like half an hour, struggling to get the idea of the issue. As it turned out, I didn’t have permissions to build admin area menu, and thus WordPress just bailed me with such error:

Sorry, you are not allowed to access this page.

I checked all options, manually parsed usermeta – no success. After that a possible caching issue came to my mind. And that became a light bulb. Several hours earlier I have activated Redis cache on a server (with an accompanied WP plugin). And it seems wrong capabilities were cached – those, that were valid for all tables structure. So I had to run only 1 command: redis-cli flushall – and that fixed my problem.

Redis Cache

So, in case you are doing some changes with DB and/or files – don’t forget to disable all kind of caches that you have. Just in case 🙂

2 replies on “How a security improvement blocked my admin area”

Thanks for your information. I’ve experienced the same error, I’ve tried to disable the plugin and checking the folder permission and the problem still exists. Finally I found your article and tried to flush the Redis cache, and now the problem is fixed.

Leave a Reply

Your email address will not be published. Required fields are marked *