WilliamD's picture

How do I know what this login is?  The configuration process only asks me to set the password for the wordpress account, but not the "login".  When I quit the configuration console, I am asked for my login, which I have no idea what it is.  Help.

Forum: 
Tags: 
Jeremy Davis's picture

By the sounds of it you are trying to log into the console!? FWIW all the login credentials for each appliance are documented on each appliance page. Although it's not specified, the SSH login is essentially a remote console login. E.g. on the WordPress appliance page it says:

Credentials (passwords set at first boot):

Webmin, SSH, MySQL, phpMyAdmin: username root
Wordpress: username admin

Jeremy Davis's picture

As you are probably aware, security is not an "on/off" type arrangement and you always need to make compromises. When the TurnKey Linux appliance was first developed (many years ago, prior to WordPress supporting 'live' upgrades) the file permissions were set to maximise security (at the cost of user-friendliness; but easily worked around via the commandline).

But as WordPress has evolved, the 'user friendliness' cost imposed by the choice of security settings has risen. In some respects it could be argued what started as a security plus has actually become a security minus. Whilst the risk of a compromised WordPress install hijacking the whole server is reduced; the chance of an out-of-date WordPress install getting hacked in the first place is increased...

The new (not yet released v14.0) version of our WordPress appliance reworks the permissions to allow easy in place upgrades. It does come with the 'price-tag' or reduced overall server security but users will find it easier to keep WordPress up to date so the risk of WordPress being compromised are less (so long as the user actually applies the updates!).

But to get to the point, there is an extensive post covering how one might go about "fixing" the security settings of the current appliance (including a lively debate about the pros and cons). Have a look here. This post specifically covers the steps to take to enable browser based upgrades.

joshtheprogrammer's picture

Hello,

TurnKeyLinux's Wordpress looks extremely interesting and I've been looking forward to trying it for awhile. Today I installed the raspberry pi version on my pi 4, and it installed great, but I have a problem. It wants me to log into wordpress on my local system using the username 'admin', so I did so then entered the password (which I set for all of my services when I first set up the system) but it kept saying "Incorrect password." How can I find the correct password to log into the admin console?

Thank you!

Jeremy Davis's picture

I'm not sure why? But it doesn't have a default password. It should be the password you set it to at firstboot.

Having said that, we have had a few users complain that they are having problems with particularly complex passwords. Punctuation/special characters seem to be the most likely to cause issues. So perhaps try again with a more simple password (upper case, lower case and numbers)- although you can make it secure by making it long. Alternatively once you can log into WordPres, you could change it then, in the WordPress UI. Try setting the password again interactively like this:

/usr/lib/inithooks/bin/wordpress.py

Alternatively, you can run it non interactively. Use the '-h' switch to double check the values required:

/usr/lib/inithooks/bin/wordpress.py -h
guru_fordy's picture

Found my way here after a search for a new install problem.
Can't login to /wp-login.php using the passwords I just set up.
Going to port 12321 on the root loads the turnkey page, which then takes root and my password, but then borks on loading session_login.cgi and I can never get back to the login again.
I'm installing it on Proxmox and accessing via it's IP, so in the setup I do say the web URL is the IP if that could be a problem.

Jeremy Davis's picture

The WordPress login problem is a known issue. A fix has already been applied to he build code, but an updated appliance has been yet to be built & released. I hope to release that ASAP.

In the meantime, you could apply the fix yourself. I.e. edit the file /usr/lib/inithooks/bin/wordpress.py. Make the changes noted there - edit the lines noted in red with a '-' prefix so they look like the lines in green that have a '+'. Then rerun the firstboot script:

/usr/lib/inithooks/bin/wordpress.py

Also FWIW using an IP as the "domain" should be fine, but note that you will need to update the domain if/when you use an actual domain. Re running that firstboot script will do that for you - although that will only work if you haven't manually changed the domain.

As to your Webmin issue, that is a new one. Although my first guess is that fail2ban is kicking in and blocking access. That should only be triggered after 3 failed logins, but If I'm correct, it sounds like it's triggering after only one. If that is the issue it should reset after 10 minutes.

To check that, try stopping the fail2ban service and restating Webmin via a terminal session:

systemctl stop fail2ban
systemctl restart webmin

If that doesn't help, first try checking that Webmin is running ok, again form a terminal:

systemctl status webmin

The line starting "Active:" should say "active (running)".

Regardless, try checking the journal for webmin logs. First recreate the issue (i.e. try to log in again), then again from a terminal, run this:

journalctl -u webmin --since "10 minutes ago"

Please share that, as well as any further info you may have.

Add new comment