Skip Navigation

[Resolved] “Sorry, you are not allowed to access this page.” after Starter Theme Setup

This thread is resolved. Here is a description of the problem and solution.

Problem: After updating several plugins on an old site I'm unable to access the Dashboard as an admin user. I also found a non-standard file on my server, galau.htm, which includes the title "Hacked by Jingklong".

Solution: Since there is evidence this site was hacked, it's difficult to know which files were affected and which database entries have been compromised. I recommend starting from scratch. Install a fresh copy of WordPress, then install all the latest plugins by downloading them from their respective authors. Install a clean copy of your theme. Then begin recreating content and users. Consult a security expert or leverage the online WordPress community about the state of your old site and potential recovery steps.

Relevant Documentation: https://codex.wordpress.org/FAQ_My_site_was_hacked

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 14 replies, has 2 voices.

Last updated by alexG-4 3 years, 4 months ago.

Assigned support staff: Christian Cox.

Author
Posts
#530451

I'm updating an old site (hidden link) that used Types and another theme to now use the Starter Theme, and Views and Layouts and probably other Toolset features.

After adding and activating the Starter Child Theme I went through your rather nice new auto-setup process that configures Layouts and imports a reference site (great idea!). It seemed to work OK, except that now when I log in and visit ..../wp-admin I get the message

Sorry, you are not allowed to access this page.

on a blank screen.

But if I go to the site's home page, I can see the admin bar at the top, so I HAVE logged in, and I can happily work in the admin area - but I still get that message on .../wp-admin

I've tried removing ALL plugins - and it still appears - so I guess it's some permissioning problem. which I noticed after importing the reference site: so I think that import may caused the problem.

Regards

Alex

#530584

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

Hi, this is definitely unusual. First, please log out completely using the admin bar on your homepage. Then clear your browser's cookies and log in again. If you're still unable to access wp-admin, enable server debug logging to get a clearer idea of what's going on. You can see how to enable debug logging here:
https://toolset.com/documentation/user-guides/debugging-toolset/

Go in your wp-config.php file and look for define(‘WP_DEBUG’, false);. Change it to:

define('WP_DEBUG', true);

Then add these lines, just before it says 'stop editing here':

ini_set('log_errors',TRUE);
ini_set('error_reporting', E_ALL);
ini_set('error_log', dirname(__FILE__) . 'https://cdn.toolset.com/error_log.txt');
ini_set('display_errors', 'Off');

Then attempt to go to wp-admin/ again. If any server-side errors are generated, this will create an error_log.txt file in your site's root directory. Please send me its contents. Once that is done, you can revert the updates you made to wp-config.php.

#531116

Oh my goodness - I've replied here TWICE but my reply never got posted because I'd been clearing my cookies and I never noticed the error message!

Third time...

Thanks for the guidance Christian: I followed the above process and the first time I saw some weird error messages in the error log relating to WP Super Cache, and some other things. I couldn't understand why I was getting WP Supercache messages because I didn't have it installed!

So - I installed it, did the basic configuration, then uninstalled it - and then re-tried your process.

This time there were NO messages in the error log after going through your process, but the messages

"Sorry, you are not allowed to access this page."

still appears on the .../wp-admin/ page.

However, when I visit the home page (and other external pages), I DO get some other error messages, both displayed on the page and in the error log. They are:

--------------------------------

Notice: Trying to get property of non-object in /home1/oxford/public_html/yourdigitalally.com/wp-includes/nav-menu.php on line 727

Notice: Trying to get property of non-object in /home1/oxford/public_html/yourdigitalally.com/wp-includes/nav-menu.php on line 727

Notice: Trying to get property of non-object in /home1/oxford/public_html/yourdigitalally.com/wp-includes/nav-menu.php on line 731

-------------------------------------

Maybe that suggests what the issue might be.

Thanks

Alex

#531173

I've just noticed that the admin menu has the dashboard and update items missing:

hidden link

It should look like this:

hidden link

... and I've checked to ensure that .../wp-admin/index.php DOES exist, with the correct permissions.

Alex

#531458

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

Okay thanks, that notice doesn't seem relevant so I don't think the log is telling us anything useful. Let's try these steps:
- Clear your browser cache and cookies, then log back in and try to access the Dashboard.
- If this does not work, using FTP or your Host Control Panel's File Manager, navigate to wp-content/themes and find the toolset-starter theme folder. Rename the folder to something like toolset-starter-backup and try to access your dashboard again.
- If this does not work, try renaming your Toolset plugin folders in wp-content/plugins one at a time, starting with types-access. After renaming each folder, check your Dashboard again for access. Let me know if renaming a specific folder resolves the issue. The following folders are Toolset plugins: types, types-access, wp-views, layouts, framework-installer, toolset-maps.

Let me know the results of these steps.

#531840

Hello Christian

I did as you suggested, but with no effect.

Note that in my original post I stated that I tested it with ALL plugins removed, and it still had no effect.

I assumed that something happened to permissioning whilst installing the reference site which remains unchanged when plugin/themes are removed.

Thanks

Alex

#532468

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

Next, I would try a WordPress Manual Update as described here:
https://codex.wordpress.org/Updating_WordPress#Manual_Update
Make a backup of your current site files just to be safe before running the update.

If this does not resolve the problem, then it would seem that your user permissions have been corrupted somehow in the database. Do you have access to your database using phpMyAdmin or some other GUI? If so, please log in and go to your wp_users table. Find the ID associated with your user_login. Then go to the wp_usermeta table and find the wp_user_level associated with your user ID. It should be "10". If not, change it to 10. Next, find the wp_capabilities row associated with your user ID. Do not make any changes here yet, but copy and paste the entire contents of this field here for me to review. I'll recommend changes, if any, that should be made.

#535014

Hi Christian

Thanks for the suggestions... none worked.

I've looked into the database, and Capability of the user is

a:23:{s:18:"SPF Manage Options";b:1;s:17:"SPF Manage Forums";b:1;s:22:"SPF Manage User Groups";b:1;s:22:"SPF Manage Permissions";b:1;s:21:"SPF Manage Components";b:1;s:16:"SPF Manage Users";b:1;s:19:"SPF Manage Profiles";b:1;s:17:"SPF Manage Admins";b:1;s:18:"SPF Manage Toolbox";b:1;s:18:"SPF Manage Plugins";b:1;s:17:"SPF Manage Themes";b:1;s:13:"administrator";b:1;s:13:"bbp_keymaster";b:1;s:17:"ddl_create_layout";b:1;s:28:"ddl_assign_layout_to_content";b:1;s:15:"ddl_edit_layout";b:1;s:17:"ddl_delete_layout";b:1;s:14:"frm_view_forms";b:1;s:14:"frm_edit_forms";b:1;s:16:"frm_delete_forms";b:1;s:19:"frm_change_settings";b:1;s:16:"frm_view_entries";b:1;s:18:"frm_delete_entries";b:1;}

Thanks!

Alex

#535252

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

This seems okay to me, so it seems that something else must be going on. It's possible that the table prefixes are out of sync in your database after the import. Take a look at this post:
https://wordpress.org/support/topic/wp-admin-sorry-you-are-not-allowed-to-access-this-page-1/

If there was a capitalization issue during the data migration, this could be the culprit. Can you look in your DB to ensure the table prefixes were imported correctly, and match up with your wp-config.php file?

Another user there mentions that upgrading to PHP 5.6 resolved some of these issues. Is this something that your host offers? If so, perhaps an upgrade will help. If you're not able to do this, I can take a look at your site's DB if you provide me with a SQL dump. I can try to import this on my own local environment and see if the problem is replicable on a higher PHP version. Please let me know how you would like to proceed.

#535351

Hi Christian

I looked though that support thread on wordpress.org and think I understand the directions.

My wp-config.php has

$table_prefix = 'wp_';

so the tables to look at were simply called:

wp_usermeta
and
wp_options

without any <customPrefix>

... so I don't think there was anything I could search for to change. Am I right?

I also upgraded my PHP version, and double -checked that by adding a phpinfo.php files, as instructed by Hostgator. I'm definitely now using PHP Version 5.6.30

I also re-saved my permalinks (to re-write my .htaccess file), as someone else on that thread suggested.

... and I'm still getting that error.

I note that the original poster on that thread never reported that his problem was resolved by any of those suggestion.

I've posted there myself asking for other suggestions. Do you have any more, Christian?

Alex

#535733

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

In this case, it's probably best for me to take a clone of your database and install it locally on my own environment to see if I can get you into the admin area again. Sorry for the inconvenience - normally upgrades don't lock you out like this. Here's what I would need from you:
- A database dump SQL file
- The login credentials of an admin user that existed before the update

You can upload the SQL file to a file sharing service like Dropbox or Drive, then provide a download link for me in the private reply fields here. Please also share those login credentials.

#538263

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

Do you have any idea what this is? It's not a normal WordPress page, and it's really suspicious.
hidden link

The title of this page is "Hacked by Jingklong".

#538323

Wow! No - I'd not noticed it before.

I've removed it, but it's not effected the problem.

Christian - do you think it's going to be easier at this point for me to start with a fresh install, and then use the module manager to replicate the design, and export/import the posts?

Or are you hopeful that further investigations will root out the issue?

Alex

#538641

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

I think a fresh install is your best option in this case. Since there is evidence this site was hacked, it's difficult for me to know what is supposed to be here and what is not. Module Manager is a great way to get the overall content structure set up on a new site, so if you have modules on other sites you would like to replicate I recommend reusing them on a clean install. However I would be extremely careful about exporting and importing content from this site. If a hacker was able to gain access to your server and database there could be malicious content, including JavaScript execution, in any of your posts. Likewise, there could be malicious content added to any plugin files on your server.

I would consider manually inspecting the contents of each post before importing anything. If you see any suspicious content, remove it and re-export. I would also install plugins from scratch again rather than migrating them to the new site. I would check each user in the users table and delete any unknown users. This is just a start, but I'm not really qualified to go into much detail about security measures because it's not something we specialize in here.

#539053

Thanks, Christian

You're right: I should assume the worst and re-build with safety in mind. I've never used the Module Manager in earnest, so this will be good experience.

Thanks for your advice and efforts to track down the initial problem.

Alex