Yesterday, I upgraded my main blog to WordPress 2.6.2, the latest version released a few days ago.
As has been my previous experience in upgrading blogs using DreamHost’s excellent 1-Click procedure, it was a seamless experience, successfully done in less than 15 minutes.
Today, though, I had a completely different experience upgrading this blog to version 2.6.2, one that produced a wholly unexpected result.
Here’s what happened:
- Prepared blog for upgrade: backed up database, disabled all plugins, changed theme to default Kubrick
- Went ahead and started the 1-Click upgrade process via my DreamHost control panel
- Ten minutes later, the expected auto-email from DreamHost arrived saying upgrade success
- The email had the usual link to click on to upgrade the database (although with every upgrade release this year, the database hasn’t required upgrading)
- Clicking that link just gave me the login page, though, and any attempt to log in just produced the login page again.
- Trying to go directly to any admin page also just produced the login page
- Unable to log in to the blog admin, so I filed a help ticket with DreamHost support
A Google search on the phrase “wordpress login repeats login page” didn’t produce much except for an interesting post in the WordPress support forum describing a similar issue but related to a fresh 2.6.2 install rather than an upgrade.
That post describes issues regarding Apache and PHP with this resolution:
[…] Fixed, since it is load balanced behind an SSL accelerator the SSL is added through the appliance and the Apache/PHP install knows nothing of the https. I edited the two rows in the wp_options table that had http and changed it to https. All works as it should now.
OK, but I prefer to wait for a response from DreamHost support before thinking about any issues on the server.
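The forum fix above comes down to two rows in wp_options, `siteurl` and `home`: WordPress builds its login redirect and admin links from them, so when they carry a different scheme or host from the URL the browser actually uses (here http behind an appliance that terminates https), a successful login bounces straight back to wp-login.php. The script below is an added example, not code from the post, the forum poster, DreamHost or WordPress; it audits those two rows against the URL the site is served on and produces the corrections as parameterised UPDATE statements. The table prefix `wp_`, the sample rows and the served URL are assumptions.

```python
# Added example (not from the post, DreamHost or WordPress): audit the two
# wp_options rows the forum fix edits.  Table prefix, sample rows and the
# served URL are assumptions for illustration.
from urllib.parse import urlsplit

# Constructed sample, shaped like the result of:
#   SELECT option_name, option_value FROM wp_options
#    WHERE option_name IN ('siteurl', 'home');
SAMPLE_ROWS = {
    "siteurl": "http://blog.example.org",
    "home": "http://blog.example.org",
}


def find_url_mismatches(rows, served_url):
    """Return {option_name: (stored_url, corrected_url)} for the rows whose
    scheme or host differ from the URL visitors actually reach the site on.
    The stored path (e.g. a /blog subdirectory) is preserved; only scheme
    and host are replaced."""
    served = urlsplit(served_url)
    mismatches = {}
    for name in ("siteurl", "home"):
        stored = rows.get(name)
        if stored is None:
            continue
        parsed = urlsplit(stored)
        if (parsed.scheme, parsed.netloc) != (served.scheme, served.netloc):
            corrected = parsed._replace(scheme=served.scheme, netloc=served.netloc)
            mismatches[name] = (stored, corrected.geturl().rstrip("/"))
    return mismatches


def fix_statements(mismatches, table_prefix="wp_"):
    """Build (statement, params) pairs for the mismatched rows.  The URL
    travels as a bound parameter, so a value containing a quote can never
    alter the statement; the prefix is interpolated, so it is whitelisted."""
    if not table_prefix.replace("_", "").isalnum():
        raise ValueError("table prefix must be alphanumeric/underscore")
    table = f"{table_prefix}options"
    return [
        (f"UPDATE {table} SET option_value = %s WHERE option_name = %s",
         (corrected, name))
        for name, (_stored, corrected) in sorted(mismatches.items())
    ]


if __name__ == "__main__":
    found = find_url_mismatches(SAMPLE_ROWS, "https://blog.example.org/")
    for name, (stored, corrected) in found.items():
        print(f"{name}: {stored} -> {corrected}")
    for sql, params in fix_statements(found):
        print(sql, params)
```

The check only explains the SSL-accelerator case the forum poster hit. If both rows already match the served URL, as they will on an ordinary single-server install, the login loop has another cause, and this is a configuration check rather than a clean-up of a compromised database.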
After a bit of further head-scratching, I’ve taken advantage for the first time of the in-built “reassurance feature” of DreamHost’s 1-Click installs – rolled back the blog to the previously-installed version.
That’s good insurance. Whenever you upgrade your blog via DreamHost, the system creates a mirror copy before the upgrade. Then if you ever need to go back, it’s a simple matter of logging in via FTP, renaming a couple of top-level directories, and voila – back to where you were before.
Now waiting to see what DreamHost support have to say.
[Later] An interesting response from DreamHost support, with a solution.
First, the issue behind the problem according to DreamHost support:
It looks like you got hit by a very mean wordpress exploit, ironically due to a security hole that was around pre-2.5. I’ve gone ahead and removed the references to it in your database, however there are a few steps you’ll need to do on your end to make sure it’s cleared out.
Those steps weren’t complicated to understand and follow, starting with doing a completely fresh install of WordPress 2.6.2 and some security procedures. As I wanted to ensure that the install was registered in DH’s database to enable future upgrades via the 1-Click procedure, this meant a bit of jiggery-pokery on the server to do some more top-level directory renaming before running the 1-Click installer.
Once the install was successful – and taking less than 10 minutes, as the 1-Click works fast – next steps included uploading fresh copies of all the plug-ins I wanted as well as themes and then activating them.
Luckily nearly all plugin and theme settings were in the WordPress database, so I had only a little extra work to do once the plug-ins had been activated.
So about an hour’s work in total, and we’re back up and running and with 2.6.2 installed.
When DreamHost told me about the security exploit, I immediately wondered whether the Thesis theme I run on this blog might have been the culprit.
This morning, I saw a notice on the Thesis site about a fix for a security vulnerability in one of the theme’s files. I applied that fix immediately but it appears that the vulnerability had been there for a couple of weeks since I installed the latest update to Thesis.
DreamHost support’s reaction when I suggested this to them:
It could have been a possible point of entry, yes; however WordPress, prior to 2.5.1, had quite a few (4 to be exact) holes itself, so there are several candidates for trouble.
Not sure about the WordPress issues as this blog had been running 2.6 since mid July, not 2.5.1.
Still, the security hole is now plugged thanks to quick and very helpful advice from DreamHost support.
3 comments
I recently went through the exact same thing on a few of my blogs. I wrote up an explanation of how to solve it. You can see it here.
Let me know if that works for you.
John, thanks for the link to your solution.
I’ve just heard back from DreamHost support who think the blog has been hit by a pre-2.5 security exploit; they’ve done some fixing at their end.
Looks like next steps are similar to what you’ve written in your post, involving a manual fresh install.
I’ll update this post with conclusions once I’ve done the fixing I need to do.
I am having the login loop problem. What file do I need to change to allow DreamHost to let me re-upgrade to 2.6.2? As it is now, if I go to the one-click installs, it simply lists 2.6.2 as the current version and will not let me reinstall 2.6.2. Thanks for the help.