Locked out with 2.3.0

Expected behavior

Should be able to log into CP 2.3.0 after updating.

Current behavior

Does not accept old password. Cannot log in.

Possible solution no.1

Disable Guardian plugin (with 2FA).
Result: Login screen does not accept password.

Possible solution no.2

Disable Pepper plugin.
Result: Login screen does not accept password.

Possible solution no.3:

Attempt to reset password by following link in CP reset password email.
Result: Login screen does not accept the new password.

Possible solution no.4

In cPanel → PHPMyAdmin.
Click on the name of the database at the top left to expose the full list of database tables.
Look for the users table, and find your entry.
Click Edit, and replace whatever is currently in the user_pass box,
then in the dropdown to its left, select MD5.
Then go down to the bottom and hit Go.

Result: Login screen does not accept the new password.

Can anyone help?
Is it the Pepper plugin? Guardian? Something else?
Any help greatly appreciated.

Third time trying password reset worked. I’ll see if activating the plugins presents any new issue.

That sounds like some sort of caching issue.

What is the Guardian plugin?

wp-guardian by butterflymedia
Should be familiar to you?

Thanks for the responses.

Unfortunately, was just locked out again:

403 Permission Denied

You do not have permission for this request /wp-login.php

And yet on the third try it worked. But I don’t know why.

Back story to the first time it worked again:

I renamed and reactivated wp-guardian, and the 2FA worked fine.

For some reason, however, Pepper never reappeared (literally, visually) on the plugins page in the admin panel after I renamed it even though it was still visible via cPanel. So I deleted it in cPanel and uploaded the latest version from the directory and installed but did not activate it.

I’m unsure how to check whether it’s a cache issue.

Summary: I managed to log in successfully after resetting my password after the CP reset email, then was just locked out as described above, and then managed to get back in on a third (or fourth) try with the 2FA.

I confess I’m perplexed.

I thought about it being my plugin, but I wasn’t sure.

I don’t have this error in my plugin:

“You do not have permission for this request /wp-login.php”

I do have a 403 permission error, but it’s a PHP header. You would just see a blank page with a 403 <title>, so nothing visible.

Thanks; that’s good to know.

On the caching front, is this on a production site or localhost? Are you running any plugins that do caching? (Some, like WP Optimize, don’t make it obvious.) Do you have an object cache? Cloudflare? Have you tried using a different browser on the first occasion when you try to log in after resetting the password?

@Doug If you are using multiple security plugins at the same time, that will definitely do it. I would recommend you don’t combine security plugins - unless you really know they will work well together.

Plus, if they write to the htaccess file, and you have caching enabled, then disabling the plugins won’t help much in the short term, since it’s all cached (as @timkaye mentions). I cannot confirm if those plugins write to htaccess or not. But we’ve seen this with WordPress sites using WordFence.

My advice would be to rename the plugins via file-manager (for example, OLD_plugin-name.php), including the caching plugin… chances are you will still be locked out though.

If that doesn’t solve the problem, you’re going to need someone to empty the cache files, and clean the htaccess of any security plugins that write there.

I suspect your web host can help you with this and getting your access back.

I just remembered this happening to me a few times on WordPress years ago, so I just did a quick Google and came up with this: wordpress - Forbidden You don't have permission to access /wp-login.php on this server - Stack Overflow

The more I read this thread, the more convinced I am you have security plugins conflicting with each other.

I would work this way - once you have access:

Clean the cache
Disable the caching plugin until all is working.
Disable ALL security plugins
Clean the cache, clean your browser history, close browser and reopen it

Can you log in now?

Disable Pepper
and disable the 2FA setting
Leave caching disabled.
Clean the cache

Can you log in now?

My hunch is Pepper plugin is the one conflicting with the other security plugin.

Pepper is adding the pepper. Wp-guardian might not like this and in return pepper might also be reading wp-guardian 2FA as a threat?

I will add testing Pepper with WP Guardian to my todo list.

Many thanks for the responses; much appreciated. I’m only just now getting back to my computer but will have a hard look at them today.

Briefly for now:

(1) This only started yesterday, when I updated to 2.3.0. The problem did not exist previously, and all four of my plugins were activated and working as expected and with no conflicts: Elisabetta’s Pepper and Ciprian’s WP Guardian (for login security, 2FA), LiteSpeed Cache (pre-installed by my host, Lightning Base, and on the lowest preset), and CMS Tree Page View.

(2) As I mentioned, I am no longer locked out: Solution no. 3 above worked on about the third or fourth try; no problem logging in today.

I have not yet, however, reactivated Pepper, since I wanted to see whether that causes an issue on its own now that the login is working again. I’ll try that today.

@elisabettac77: Can I reactivate Pepper and then immediately change each user’s password myself on the Users’ page in admin rather than have users reset the password after receiving an email (I only have three users, and I’m actually two of them)?

Many thanks again.

With LiteSpeed Cache, make sure it’s not caching the login page. I remember it has a specific setting for that.

It is indeed enabled, and I would not have thought of checking. I found the setting but am unsure how to understand the warning:

Disabling this option may negatively affect performance.

Any idea?

Edit: found this in LiteSpeed docs:

This option will cache the login page. Normally, there is no reason to uncheck this option. However, if there is something that may identify a user on the page, this should be off.

You’re using 2FA and a Pepper on that page. The first certainly identifies the user.

That page is actually quite a bit more complicated than it might seem, because it handles several different events, some of which happen sequentially. The Two Factor plugin, for example, uses it a second time after you’ve sent your username and password. If the Guardian plugin does the same, then you really don’t want to cache that page.

I’m not sure if the Pepper plugin would have the same effect because the pepper itself is site-wide, and so it might be compatible with caching the page. But I always turn off the option to cache the login page, because it seems fraught with danger to me.
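One way to check whether the login page is being served from a cache, as an added example that is not part of the thread or of any plugin discussed in it: save the response headers of /wp-login.php and look for cache-hit markers and a permissive Cache-Control. The function names are hypothetical and both sample responses are constructed.

```python
# Added example: decide whether a captured /wp-login.php response came from a cache.
# Both sample responses are constructed for illustration, not taken from the thread.
CACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-LiteSpeed-Cache: hit
Cache-Control: public, max-age=604800
"""
FRESH = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
X-LiteSpeed-Cache: miss
"""
# Response headers that report a cache hit (LiteSpeed Cache, Cloudflare).
HIT_HEADERS = ("x-litespeed-cache", "cf-cache-status")

def parse_head(raw):
    """Return (status, {lowercased header name: [values]}) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def login_cache_findings(raw):
    """List the signs that this login-page response is a stored copy."""
    status, h = parse_head(raw)
    findings = []
    for name in HIT_HEADERS:
        if any(v.lower().startswith("hit") for v in h.get(name, [])):
            findings.append(f"{name} reports a cache hit")
    age = h.get("age", ["0"])[0]
    if age.isdigit() and int(age) > 0:
        findings.append(f"Age: {age} means a stored copy was served")
    cc = ",".join(h.get("cache-control", [])).lower()
    if not any(d in cc for d in ("no-store", "no-cache", "private")):
        findings.append("Cache-Control does not forbid shared caching")
    return status, findings

if __name__ == "__main__":
    for label, raw in (("cached", CACHED), ("fresh", FRESH)):
        print(label, login_cache_findings(raw))
```

An empty findings list is what a login page should produce; the headers to feed in can be saved from the browser's network tab or from `curl -sI` against your own site.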

Thanks for the explanation. I have wondered in what order the Pepper and 2FA work in that context.

Ciprian’s WP Guardian plugin is the 2FA plugin. I had an earlier thread discussing the emergent problems with Shield and decided to do without a security plugin on the advice and for the reasons discussed there.

But I did want 2FA, and Guardian provides that while otherwise (also according to Ciprian) remaining lightweight and fast. It has worked flawlessly, including with the Pepper.

So . . . until CP 2.3.0 the two plugins worked together fine. And they may still: I need to reactivate Pepper and try things out. But I still don’t understand what happened yesterday. Did Pepper do a self-reset after the WP update? I also have no idea why it disappeared from the admin plugin screen even after renaming it from PepperOFF back to Pepper in cPanel. Bizarre.

Anyway, if these two plugins work together again, I’ll also try turning off the login page cache in LiteSpeed for the additional security. I’ll report back.

Thanks again. All very helpful.

No, Ciprian’s plugin is A two-factor plugin. The one I’m familiar with and use is actually called Two Factor. That’s why I know how it works but am not sure about Ciprian’s.