Fixing the WordPress login issue

Posted on Sep 10, 2008 by john in WordPress, mo30dc2008

As I mentioned in yesterday’s post, I was having some big troubles with some of my blogs. There was a bug in WordPress version 2.6.1 that was allowing crafty hackers to create a user account in your blog and then, with a well-written piece of code, they could force a reset of the admin password.

Most people were able to get past the bug by simply upgrading to version 2.6.2. Unfortunately, a simple upgrade didn’t do the trick for me on all my blogs. On 3 of them, I was unable to complete the upgrade because I wasn’t able to log in to my admin section and perform the necessary upgrade. So I was caught in a catch-22. I needed to log in to my admin section to upgrade, and I needed to upgrade to log in to my admin section.

This morning, thanks to the suggestion of one very helpful WordPress savant, I was finally able to solve the problem for the remaining blogs. I figured I would share with you the steps I took in order to complete the upgrade.

1. Download a backup of all my WordPress files to my hard drive.
2. Use PHPMyAdmin to make a backup of the current database.
3. Upload the new 2.6.2 WordPress files.
4. Use PHPMyAdmin to open the options table and edit the “active_plugins” record.
     – Copy the list of active plugins and paste it into a notepad for reference.
     – Delete everything in the “value” portion of the active_plugins record and hit save.
5. Log in to your WordPress admin section.
6. Upgrade the WordPress database.
7. Log in to your WordPress admin section (if you were kicked back out like I was).
8. Upgrade and activate the proper plugins.

That’s it.

After everything I went through last night dealing with this bug, the solution ended up being pretty simple. 10 minutes from start to finish and I’m back to blogging rather than bug chasing.
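Step 4 can also be done as SQL from the PHPMyAdmin query tab. The statements below are an added example, not part of the original post; they assume MySQL and the default `wp_` table prefix, and `wp_active_plugins_backup` is a hypothetical table name chosen here. The last query is an extra check on user accounts, since the bug described above involved attacker-created accounts.

```sql
-- Added example; assumes the default "wp_" table prefix (adjust to yours).
-- wp_active_plugins_backup is a hypothetical name chosen for this example.

-- 1. Keep a copy of the current row so the plugin list can be consulted later.
CREATE TABLE wp_active_plugins_backup AS
SELECT * FROM wp_options WHERE option_name = 'active_plugins';

-- 2. Review the list before clearing it. The value is a PHP-serialized array;
--    look for entries you do not recognise (stale or renamed plugin files).
SELECT option_value FROM wp_active_plugins_backup;

-- 3. Deactivate every plugin by emptying the value (step 4 of the post).
UPDATE wp_options
SET option_value = ''
WHERE option_name = 'active_plugins';

-- 4. Confirm the row is still there and its value is now empty.
SELECT option_name, LENGTH(option_value) AS value_length
FROM wp_options
WHERE option_name = 'active_plugins';

-- 5. List accounts newest first and flag those holding the administrator
--    role, to spot accounts you did not create.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value LIKE '%administrator%' AS is_admin
FROM wp_users u
LEFT JOIN wp_usermeta m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;

-- 6. Once the upgrade is finished and the plugins are re-activated from the
--    admin screen, the backup table can be dropped.
-- DROP TABLE wp_active_plugins_backup;
```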


27 Responses to “Fixing the WordPress login issue”

  1. Neville Hobson

    13. Sep, 2008

    John, thanks for commenting on the post I wrote today about my ‘endless Wordpress login loop’ with a link to this post of yours.

    I’ve fixed my issue which I don’t think is the same as yours, involving a WordPress security exploit according to DreamHost support.

    I’ve updated my post with details of the problem and how it was fixed.

    http://tinyurl.com/6credp

  2. Brett

    13. Sep, 2008

    I have the same issue on a new install & I’m with you ’till step #5. Looks like step #7, login, which I can’t do, and which is the problem in the first place. As a new install, I’m also not upgrading the database. Any ideas?

  3. John

    14. Sep, 2008

    @Neville Hobson Thank you for the update, too!

    @Brett hmmm, that’s interesting. Are you getting an error message, or is it simply just loading up the login page again? Does it say you have a problem with the username/password?

    Let me know, I’ll be glad to help.

  4. Matt

    15. Sep, 2008

    Thank you. That worked perfectly for me.
    Now for that long long overdue site redesign…

  5. [...] I was a victim of a security hole in an older version of WordPress. I found a useful article by John Hawkins that details the issue. His solution was a little more involved than I wanted to get into, so I [...]

  6. John Pash

    21. Sep, 2008

    I have the same problem and have read and tried many different fixes. None of them work. What I’ve found is that when you try to login, and are sent back to the login screen without a password, you are actually logged in. If I try going directly to an admin page (other than wp-admin/index.php) there is no problem. So it seems like there is a redirect problem. BTW, this installation is behind apache authentication and https, if that helps anyone.

  7. David Martín

    24. Sep, 2008

    Thank you very much!!

    I can fix the same problem with your helpful information.

    Thank you very much again!

  8. Mike

    24. Sep, 2008

    You are my hero. I deactivated all of the plugins but somehow some strange plugin that I wasn't even using was still in there with a .bak extension. Deleting that value fixed everything. That's pretty ridiculous.

    Thanks

  9. John Hawkins

    25. Sep, 2008

    @David I'm glad I was able to help.

  10. John Hawkins

    25. Sep, 2008

    @Mike I've read so many different variants on how the problem manifests itself to different people/sites. I don't know if it's due to a combo of which plugins you have installed or if it's something else entirely. All I know is, I'm glad I'm past it!

  11. Dan Pickett

    29. Sep, 2008

    John,

    So helpful – I was freaking out – thanks!

  12. Shane Robinson

    29. Sep, 2008

    Thanks, John. This worked for me after having problems with the “Maintenance Mode” plugin. That plugin has gone to the trash for good!

  13. John Hawkins

    03. Oct, 2008

    @Dan – Glad it helped! Thanks for stopping by!

  14. John Hawkins

    03. Oct, 2008

    @Shane I've never used the Maintenance Mode plugin. I was interested in checking it out. Sounds like I don't need to waste my time. :)

  15. Andy Polaine

    15. Oct, 2008

    I just renamed the plugins folder so that WP couldn't find any, logged in (it stops the login loop happening), upgraded, and re-named the plugins folder back to 'plugins'.

  16. antonio

    15. Oct, 2008

    awesome… this fix worked for me.

    Thanks!

  17. John Hawkins

    16. Oct, 2008

    Ahh, nice! That's another way of getting around it. Thanks for commenting.

  18. John Hawkins

    16. Oct, 2008

    Good deal. Glad to help!

  19. Shane Robinson

    06. Nov, 2008

    Yep. Definitely the Maintenance Mode plugin. Just went through the same thing all over again with a different client site.

    Stay far far away from the Maintenance Mode plugin!!

  20. John Hawkins

    06. Nov, 2008

    Ohh, that's good to know. Thanks. I was planning on trying that out in my next batch of plugins.

  21. Rick M

    15. Nov, 2008

    This is excellent. Simple, straightforward, and worked perfectly. Thanks a lot!

  22. dvst8download

    26. Nov, 2008

    Thank you, this fixed an endless login loop I was experiencing halfway through the 2.6.5 update. I would login, it would then redirect me to the upgrade.php page for a split-second, then loop me back to login. Your instructions to remove the active plugins was the fix. That allowed me to login and complete the database update, then manually re-activate plugins. Thanks again for posting!

  23. WTJ

    03. Feb, 2009

    Thanks! That really helped!

  24. Lisa

    03. Apr, 2009

    Wow what a pain that must have been! I was pretty lucky and none of my 5 blogs were affected by this issue. Boy oh boy would that have been a disaster. By the way what was the goal of the hackers anyways? To add malicious code?

  25. joe

    10. Apr, 2009

    Just stumbled across this blog. Thanks John, I had this problem too and your fix worked and resolved the problem.

  26. mass mailer

    10. Apr, 2009

    Looked that our is best

  27. 3D camera

    10. Apr, 2009

    You are doing it wrong. Teach him to play the oboe. Full ride college scholarship
