Should be able to log into CP 2.3.0 after updating.
Current behavior
Does not accept old password. Cannot log in.
Possible solution no.1
Disable Guardian plugin (with 2FA).
Result: Login screen does not accept password.
Possible solution no.2
Disable Pepper plugin.
Result: Login screen does not accept password.
Possible solution no.3:
Attempt to reset password by following link in CP reset password email.
Result: Login screen does not accept the new password.
Possible solution no.4
In cPanel → phpMyAdmin.
Click on the name of the database at the top left to expose the full list of database tables.
Look for the users table, and find your entry.
Click Edit, and replace whatever is currently in the user_pass box,
then in the dropdown to its left, select MD5.
Then go down to the bottom and hit Go.
Result: Login screen does not accept the new password.
Can anyone help?
Is it the Pepper plugin? Guardian? Something else?
Any help greatly appreciated.
You do not have permission for this request /wp-login.php
And yet on the third try it worked. But I don’t know why.
Back story to the first time it worked again:
I renamed and reactivated wp-guardian, and the 2fa worked fine.
For some reason, however, Pepper never reappeared (literally, visually) on the plugins page in the admin panel after I renamed it even though it was still visible via cPanel. So I deleted it in cPanel and uploaded the latest version from the directory and installed but did not activate it.
I’m unsure how to check whether it’s a cache issue.
Summary: I managed to log in successfully after resetting my password after the CP reset email, then was just locked out as described above, and then managed to get back in on a third (or fourth) try with the 2fa.
On the caching front, is this on a production site or localhost? Are you running any plugins that do caching? (Some, like WP Optimize, don’t make it obvious.) Do you have an object cache? Cloudflare? Have you tried using a different browser on the first occasion when you try to log in after resetting the password?
@Doug If you are using multiple security plugins at the same time, that will definitely do it. I would recommend you don’t combine security plugins - unless you really know they will work well together.
Plus if they write to the htaccess file, and you have caching enabled, then disabling the plugins won’t help much in the short term - since it’s all cached (as @timkaye mentions). I cannot confirm if those plugins write to htaccess or not. But we’ve seen this with WordPress sites using WordFence.
My advice would be to rename the plugins via file-manager (for example, OLD_plugin-name.php). Including the caching plugin… chances are you will still be locked out though.
If that doesn’t solve the problem, you’re going to need someone to empty the cache files, and clean the htaccess of any security plugins that write there.
I suspect your web host can help you with this and getting your access back.
The more I read this thread, the more convinced I am you have security plugins conflicting with each other.
I would work this way - once you have access:
Clean the cache
Disable the caching plugin until all is working.
Disable ALL security plugins
Clean the cache, clean your browser history, close browser and reopen it
Can you log in now?
Disable Pepper
and disable the 2FA setting
Leave caching disabled.
Clean the cache
Can you log in now?
My hunch is Pepper plugin is the one conflicting with the other security plugin.
Many thanks for the responses; much appreciated. I’m only just now getting back to my computer but will have a hard look at them today.
Briefly for now:
(1) This only started yesterday, when I updated to 2.3.0. The problem did not exist previously, and all four of my plugins were activated and working as expected and with no conflicts: Elisabetta’s Pepper and Ciprian’s WP Guardian (for login security, 2FA), LiteSpeed Cache (pre-installed by my host, Lightning Base, and on the lowest preset), and CMS Tree Page View.
(2) As I mentioned, I am no longer locked out: Solution no. 3 above worked on about the third or fourth try; no problem logging in today.
I have not yet, however, reactivated Pepper, since I wanted to see whether that causes an issue on its own now that the login is working again. I’ll try that today.
@elisabettac77: Can I reactivate Pepper and then immediately change each user’s password myself on the Users’ page in admin rather than have users reset the password after receiving an email (I only have three users, and I’m actually two of them)?
It is indeed enabled, and I would not have thought of checking. I found the setting but am unsure how to understand the warning:
Disabling this option may negatively affect performance.
Any idea?
Edit: found this in LiteSpeed docs:
This option will cache the login page. Normally, there is no reason to uncheck this option. However, if there is something that may identify a user on the page, this should be off.
You’re using 2FA and a Pepper on that page. The first certainly identifies the user.
That page is actually quite a bit more complicated than it might seem, because it handles several different events, some of which happen sequentially. The Two Factor plugin, for example, uses it a second time after you’ve sent your username and password. If the Guardian plugin does the same, then you really don’t want to cache that page.
I’m not sure if the Pepper plugin would have the same effect because the pepper itself is site-wide, and so it might be compatible with caching the page. But I always turn off the option to cache the login page, because it seems fraught with danger to me.
Thanks for the explanation. I have wondered in what order the Pepper and 2FA work in that context.
Ciprian’s WP Guardian plugin is the 2FA plugin. I had an earlier thread discussing the emergent problems with Shield and decided to do without a security plugin on the advice and for the reasons discussed there.
But I did want 2FA, and Guardian provides that while otherwise (also according to Ciprian) remaining lightweight and fast. It has worked flawlessly, including with the Pepper.
So . . . until CP 2.3.0 the two plugins worked together fine. And they may still: I need to reactivate Pepper and try things out. But I still don’t understand what happened yesterday. Did Pepper do a self-reset after the WP update? I also have no idea why it disappeared from the admin plugin screen even after renaming it from PepperOFF back to Pepper in cPanel. Bizarre.
Anyway, if these two plugins work together again, I’ll also try turning off the login page cache in LiteSpeed for the additional security. I’ll report back.
No, Ciprian’s plugin is A two-factor plugin. The one I’m familiar with and use is actually called Two Factor. That’s why I know how it works but am not sure about Ciprian’s.
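
Added example, not part of any post in this thread: one way to check whether a login page is being served from a cache, which is the question raised above about LiteSpeed's login-page caching option. It inspects response headers for the cache markers LiteSpeed and Cloudflare add; the function names and both sample responses are constructed for illustration.

```python
# Added example: flag response headers showing a login page came from a cache.
# Header names are real (LiteSpeed, Cloudflare); the sample responses are constructed.
HIT_HEADERS = ("x-litespeed-cache", "cf-cache-status")
NO_CACHE_TOKENS = ("no-store", "no-cache", "private")

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def login_cache_findings(raw):
    """List the reasons this login-page response looks cached or cacheable."""
    h = parse_headers(raw)
    findings = []
    for name in HIT_HEADERS:
        for value in h.get(name, []):
            # The value may carry a suffix after a comma; only the first token matters.
            if value.lower().split(",")[0].strip() == "hit":
                findings.append(f"{name}: {value} (served from cache)")
    cache_control = ",".join(h.get("cache-control", [])).lower()
    if not any(tok in cache_control for tok in NO_CACHE_TOKENS):
        findings.append("cache-control does not forbid caching")
    if findings and "set-cookie" in h:
        findings.append("set-cookie sent on a cached/cacheable response")
    return findings

# Constructed sample: a login page answered from the server cache.
CACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=604800
X-LiteSpeed-Cache: hit
"""

# Constructed sample: a login page generated fresh for this request.
NOT_CACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/; secure
"""

if __name__ == "__main__":
    for label, sample in (("cached", CACHED), ("not cached", NOT_CACHED)):
        print(label, "->", login_cache_findings(sample) or "no cache indicators")
```

The response head for your own site's login URL can be captured with `curl -sI` and passed to `login_cache_findings` as a string.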