When your wordpress website's dasboard leads to 404 errors, it can be frightening but don't worry, it is something that can be fixed. This usually happens when your website uses outdated core WP, plugins or themes.
1. A malware attack might have placed a .htaccess file in the root directory of your hosting. You have to remove it. Bear in mind that this file will be on the root of your hosting and it is not the .htaccess file on the wordpress website's directory.
2. Create a backup of your wordpress website.
3. If you're sure the wp-config file has the correct code, you can leave that as it is. Check wordpress.org to see what the default wp-config.php file looks like. Here is the link: https://core.trac.wordpress.org/browser/trunk/wp-config-sample.php
4. Do a fresh install of wordpress on a subdomain. Make sure you choose the same Wordpress version of your original website. You can find this information on the /wp-includes/version.php file of your original wordpress site.
5. On this sub-domain (fresh install), remove the .htaccess file, wp-content folder and the wp-config file.
6. On your original website, remove all files and folders except the wp-content folder and the wp-config.php file
7. Copy the files and folders on the sub-domain to your website's directory to make sure the fresh files of wordpress are on your website.
7. Create a new .htaccess file on your wordpress website's directory. It should contain just the following code:
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Additional checks & tips:
8. Check whether the version on the /wp-includes/version.php file and the db_version in the wp_options table of your database database is the same. Change it in the version.php file, not the database.
9. Delete suspicious folders in the wp-plugins folder. These would be easy to spot and would have random strings at the end of their names. Example: pluginname-4$33qc13x or pluginname-4$33qc13x-module.
10. By now, you should have access to the dashboard assuming you're dealing with a malware attack with a .htaccess file at the root. Make sure you update all your plugins and themes.
11. Change the password of your admin accounts.
12. Remove suspicious cron jobs that would potentially regenerate this malicious .htaccess file.
Deepak founded VizConn in 2011 and writes about Digital Marketing, CMS, UX design and business in our blog. Got a question for Deepak? Let us know and we will pass it on to him. He responds to most questions via email.
