iThemes Security (formerly Better WP Security)
Filter Suspicious Query Strings breaks password reset (with solution) (2 posts)

  1. pakeller
    Member
    Posted 1 year ago #

    I found that enabling Filter Suspicious Query Strings stopped password reset from working. The e-mailed link goes to the usual password reset page, but after entering a new password I got a "page not found", and the password had not changed (the old one still worked).

    The action link on the password reset page looks like this:

    <form name="resetpassform" id="resetpassform" action="http://blog.mysite.com/wp-login.php?action=resetpass....

    After a bit of investigation, I found that making the following change to the modified .htaccess file fixed this:

    @@ -57,7 +57,7 @@
     RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
     RewriteCond %{QUERY_STRING} !^loggedout=true
    -RewriteCond %{QUERY_STRING} !^action=rp
    +RewriteCond %{QUERY_STRING} !^action=(rp|resetpass)
     RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
     RewriteRule ^(.*)$ - [F,L]
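    Review bot: the replacement condition `!^action=(rp|resetpass)` keeps the `^` anchor, so it only exempts requests whose query string begins with `action=`; the form action quoted above does start that way, so the reset form is covered, but a reset URL that places `key=` or `login=` before `action=` would still fall through to the keyword filter and the `[F,L]` rule. As with the original `!^action=rp` line, the exemption lifts the keyword checks for the whole query string of those requests, so its scope should be documented next to the rule.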

    In wp-login.php, we find this:

    case 'resetpass' :
    case 'rp' :
        $user = check_password_reset_key($_GET['key'], $_GET['login']);

        if ( is_wp_error($user) ) {
            ...

    which suggests that the rp and resetpass actions are equivalent.

    http://wordpress.org/extend/plugins/better-wp-security/
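To make the rule chain above concrete, here is an added Python model of the visible RewriteCond lines (example code, not from the plugin or the post). It assumes only the conditions shown in the hunk (the rules before line 57 of the real .htaccess are not on the page) and uses a constructed reset key that happens to contain a filtered keyword.

```python
import re

# Keyword filters copied from the two visible [NC,OR] RewriteCond lines of the hunk.
# Assumption: the conditions above the hunk are not modelled because they are not shown.
KEYWORD_PATTERNS = [
    r"(globals|encode|localhost|loopback)",
    r"(request|select|concat|insert|union|declare)",
]

# Negated, anchored exemptions before and after the fix from the post.
EXEMPT_BEFORE = [r"^loggedout=true", r"^action=rp"]
EXEMPT_AFTER = [r"^loggedout=true", r"^action=(rp|resetpass)"]


def is_blocked(query_string, cookie="", exemptions=EXEMPT_AFTER):
    """Model the visible chain: the [NC,OR] keyword tests form one OR group,
    and every following condition is ANDed with it. Returns True when
    'RewriteRule ^(.*)$ - [F,L]' would fire and the request gets a 403."""
    # [NC] makes the keyword match case-insensitive; ^.*X.* is just a search for X
    keyword_hit = any(re.search(p, query_string, re.IGNORECASE) for p in KEYWORD_PATTERNS)
    if not keyword_hit:
        return False
    # Each "!^..." condition passes only when the anchored pattern does NOT match,
    # so a match on any exemption stops the rule (these lines carry no [NC]).
    for pattern in exemptions:
        if re.match(pattern, query_string):
            return False
    # Logged-in users are exempted by the HTTP_COOKIE condition
    if re.search(r"wordpress_logged_in_", cookie):
        return False
    return True


# Constructed sample: a reset key whose random characters spell "SELECT".
RESET_QS = "action=resetpass&key=aB3SELECTx9&login=alice"

if __name__ == "__main__":
    print("before fix:", is_blocked(RESET_QS, exemptions=EXEMPT_BEFORE))  # True
    print("after fix: ", is_blocked(RESET_QS, exemptions=EXEMPT_AFTER))   # False
    # The exemption is positional: action= must come first in the query string
    print("reordered: ", is_blocked("key=aB3SELECTx9&action=resetpass&login=alice"))  # True
```

The reordered case shows why the fix works for the form action quoted in the post but not for every URL that carries a reset key.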

  2. finglandj
    Member
    Posted 1 year ago #

    I just encountered the same issue. Thanks pakeller for identifying the problem.

Topic Closed

This topic has been closed to new replies.
