Blog

Details

Category: Blog

This post is not about hacking into websites, so please leave if you're looking for info on that. It's because of hackers that a lot of people try to secure the login page of their sites. I've used Ksecure (Kareebu) and Jsecure on some of my websites in order to change the default admin page for the backend. I believe there's an option in other admin tools and security components, but these are simple for the simple sites I create. However, I was recently locked out of one of those sites by the very plugin that was supposed to keep others locked out. So if that happens to you, follow my advice and maybe avoid a lot of the time I spent on it.

The Problem

I had one site that I updated from Ksecure (errors in PHP and no longer supported) to Jsecure. Apparently, I messed up while typing the new password in Jsecure, which I usually check in another browser before I logout. So, I typed the new password wrong AND didn't test it out. Oops. But this could also happen to you if you inherit a site and have to get past some sort of security measure (these two in particular) in order to access the backend login. Like if I were to die tomorrow, and all the sites I built would have hidden backend logins. It probably happens more than we know, with folks just buying new sites instead of bothering with hiring someone to get into the old one.

The Non-Solutions

I am assuming you have access to the CPane or FTPl for all of this, even these non-solutions.  The first thing I tried was to restore the website to a previous version, assuming I would go back to before I changed the password. However, there were not enough previous versions on my host, as I'd done it over a month earlier. There was also a chance I had not changed the password and the newest version of the CMS was causing the whole problem, so it was worth a try. Just be aware that any updated content will be gone if you do this, which wasn't a problem for me because I hadn't logged into the site for a month.

Another non-solution was to uninstall the security plugins. This is only because, while it can be done, I'd be very careful about just getting rid of folders that are tied to the main login system. If you find very good instructions somewhere, it will probably work, but there's a simpler way.

Oh, I did also try taking the PHP version back down, in case the security script was causing problems on that level, but it also did not work for me. Sometimes, this solution does work when you're using a plugin that simply can't adjust to the new version of PHP used by your hosting company.

And that simpler way is not in the database for the website. I figured there'd be an entry that I could change with the password. Apparently not, at least for these programs. I guess there might have been a way to disable the program, but even that's pretty complicated.

The Easy Fix

Of course, it's kind of fun to scramble around and nearly kill your website in order to find your own solution, but this one was really pretty easy. Change the name of the php file that runs the plugin. Basically, you're looking for jsecurelite.php or ksecure.php. Rename it, either in CPanel or using FTP. Login to the site using the default login settings. Change the password as an administrator. Rename the php file back to what it was, and done. Or uninstall the security measure to not have to worry about it. All of my hacked websites have been through the CPanel, anyhow.

I assume this same sort of name changing works when there's a php error from another site component, too. I haven't done it before, though I have used the file renaming to keep an old file around in case the new one doesn't work, like php.ini files. Next time I have a major malfunction and I know what's causing it, I'll give this a shot before I go nuts with code, just to see what happens. Sometimes, it probably results in catastrophe, in which case you just rename the file to what it was and troubleshoot the old-fashioned way.