Update: As Patrick Nommensen pointed out in the comments, there’s a possibility that the lock-out is the result of 1&1 protecting the server while they patch the exploit. If you don’t need to log into your WordPress site right now feel free to sit back and 1&1 does what they do best.
Today we received an email from another agency in town that we like to partner with, asking for help with one of the sites they manage. The front-end of the site was working fine but whenever they attempted to access the WordPress administration area (/wp-admin) they were redirected to http://127.0.0.1/wp-login.php. After checking the wp-config.php file, searching the database, and grepping the codebase we came up short; there was nothing under our control that should be causing that. Other URLs in /wp-admin were still accessible, we were just being blocked from accessing wp-login.php.
We contacted the site’s host, 1&1, on behalf of the client and were informed this was a known issue. Apparently at least some of their servers were exploited within the past few days, locking WordPress users out of their sites. We don’t have details to share on the compromise at this time but I’d recommend watching the 1&1 Twitter account for details.
To ensure users of the site weren’t left out in the cold we developed the following workaround until 1&1 can resolve the issues with their servers. We should warn you that, while this has proven effective and will not impact the way your site functions once 1&1 restores access, you’re trying this at your own risk:
- Using your FTP client (or SSH for those developers among you), copy wp-login.php to wp-login2.php (really, any random filename will suffice. Should you choose to use a more obscure filename simply replace wp-login2.php with your filename throughout the rest of these instructions). It’s important to leave the original wp-login.php file untouched so that the site will continue to function as before once 1&1 fixes the issues on the servers.
- Open your new copy of wp-login.php and make the following changes (line 841 in WordPress 3.8):
change:
<form id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post" name="loginform">
to:
<form id="loginform" action="<?php echo esc_url( site_url( 'wp-login2.php', 'login_post' ) ); ?>" method="post" name="loginform">
To login, visit {your domain}/wp-login2.php – visiting /wp-admin to login will not work without further modifications. Features like user activation and password resets will also be unavailable without further changes to your code.
Once 1&1 has restored normal access to your WordPress site we’d encourage you to remove wp-login2.php from your sites. While there shouldn’t be any immediate issue leaving it in your site this process is intended to be a temporary workaround, not a long-term solution. If you’re not working on your site today you should be fine doing nothing and remaining locked out while 1&1 sorts things out.
It’s not a totally ideal solution, but this workaround should at least let you back into your WordPress site until the server issues are smoothed out. This may not be a bad time to make a backup of your site’s files and database, either (but you already have a regular backup scheduled, right?).