Today, I had an unpleasant experience. When I tried to access my site, I was presented with a peculiar login page. No page was accessible. Even the wp-admin.php page was blocked out by the login page. There was only one input box for the password (see image).
A study of the source code of the login page showed the following:
I thought my site was hacked and launched a search in all the known places. I also carefully studied the access.log and the error.log to see I could detect some abnormal activity.
Then, I thought I would use the find text function in SSH to flush out the offending file.
I used the command:
grep -r -H “various_search_terms” *
The Grep command looks for the “various_search_terms” recursively (-r option) and provides the result in human readable format (-H option) in all (*) files under the current working directory (see more here).
However, even this did not help.
I even checked the MySql database to see if that had somehow been hacked.
I even checked the theme pages carefully to see if they had been hacked somehow.
Ultimately, it occurred to me that a plugin might have been corrupted. To test the theory, I renamed the entire “wp-content/plugins” directory to stop the plugins from being loaded.
That did the trick. The site opened and I knew where the fault was.
After that it was a laborious exercise of disabling each individual plugin by renaming its folder and checking whether it was the culprit.
Finally, I zeroed in on JetPack. It was the culprit.
I disabled it, logged into wp-admin and deleted it. Then I reinstalled a fresh copy.
Now, everything works as normal. It is, however, still a big mystery where the log-in page came from. I scanned the entire offending JetPack folder but couldn’t find it. I also don’t see how a corrupt plugin can throw up a login page.