WordPress.org

Ready to get started?Download WordPress

Forums

iThemes Security (formerly Better WP Security)
[Plugin: Better WP Security] Reset Password URL triggers 404 (22 posts)

  1. zeke.zark
    Member
    Posted 1 year ago #

    The login (wp-login.php), registration (wp-login.php?action=register) and forgotten password (wp-login.php?action=lostpassword) urls work fine.

    However, if I trigger the recover password function, the url in the subsequent email has wp-login.php?action=rp&key=ZZZZZZ&login=yyyy in the confirmation url. This url generates a 404 - not found.

    I can confirm that de-activating the plugin allows normal functionality.

    Any ideas how I can fix this? Thanks.

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Turning off hide backend will fix it until the next update.

  3. zeke.zark
    Member
    Posted 1 year ago #

    Thanks for the response.
    Actually, Hide Back end is turned off, and the problem still exists. When is the next update due?
    Cheers

  4. Sorry about that. It will now work in the dev version. Turns out I admittedly overtightened the filter query string section.

    You can get the dev version at http://plugins.svn.wordpress.org/better-wp-security/trunk

    I will try to get a full version out this weekend.

  5. zeke.zark
    Member
    Posted 1 year ago #

    That's cool.. happy to wait and check it out over the weekend. :)

  6. zeke.zark
    Member
    Posted 1 year ago #

    Hi, I have updated the plugin and tested again.
    The problem still stands: the url in the forgotten password email is wp-login.php?action=rp&key=ZZZZZZ&login=yyyy in the confirmation url and it generates a 404 - not found.

    Cheers

  7. resave your System Tweaks settings and you should be fine.

  8. zeke.zark
    Member
    Posted 1 year ago #

    Thanks.. All good!
    Zeke

  9. Glad to hear it. Thanks for the followup.

  10. bobbinson
    Member
    Posted 1 year ago #

    Hi Guys,

    I had the same issue when submitting the new password after a reset.

    I found the line of code causing the issue in the .htaccess file

    remove this line:
    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    Ive tested at it resolved the issue on my installation.
    If this is the line of code causing the issue for everyone, please can we get it sorted on the next update.

    kind regards
    bobbinson

  11. @bobbinson is this with 3.4.3? In my experience that shouldn't be needed with 3.4.3 (although you might have to re-save your options first).

  12. bobbinson
    Member
    Posted 1 year ago #

    I believe re saving the option would resolve it.

  13. LoveWoocommerce
    Member
    Posted 1 year ago #

    I think it will be used on woocommerce plugin, because I often get 404 error page.

  14. beachybonus
    Member
    Posted 1 year ago #

    Hi all,

    This is also an issue with version 3.4.6 with the 'hide admin area' and 'filter suspicious query strings' options enabled.

    The password reset email is received and the link it contains functions correctly, but submitting a new password still triggers a 404 error.

    This issue persists after resaving all options, including the 'System Tweak' settings.

    As noted by bobbinson, the issue is resolved by removing the following line from .htaccess:

    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    Any chance this could be revisited in the next update?

    Best regards
    BeachyB

  15. apsulli
    Member
    Posted 1 year ago #

    Even after removing that string from .htaccess, I'm having this issue. I get a "wrong password" error when I try to log in normally (yeah I forgot my password, what of it?), and when I try to reset the password, I get redirected to the 404 page. I'm a bit concerned as I can't get in to even my admin account, so I can't actually adjust any settings in the plugin. Basically, I'm locked out. I wouldn't call myself a total novice at this stuff, but I'm not an advanced user either. I was able to follow all of the instructions in this thread so far to no avail.

    This site is not anything huge for me, but it's enough that I wouldn't want to lose it. Any help would be hugely appreciated.

  16. apsulli
    Member
    Posted 1 year ago #

    Ok so I was able to get into my site at least (phew) by going into the database explorer using phpMyAdmin in cPanel then manually navigating to the users table of my DB and editing the user. I changed the function to MD5 then set the password in the value field. However, the 404 issue does persist. I hope this is indeed something that can be revisited as I was basically at defcon 4 because of my own stupidity.

  17. bobbinson
    Member
    Posted 1 year ago #

    Hi everyone just an update, this is a persistant issue and everytime I upgrade the plugin it puts RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR] into .htaccess causing password reset to fail and produce a 403 error when you try to submit the new password.

    Removing the line resolves it, but is annoying as every time there is an update I have to remove the line again.

  18. lukesnowden
    Member
    Posted 1 year ago #

    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs)$ [NC,OR]

    this should fix it.

  19. Thanks bobbinson and lukesnowden. Other had reported the issue fixed. I will add this line to take care of it. to the next version.

  20. apsulli
    Member
    Posted 1 year ago #

    So suddenly I cannot log in again using the password I've always used. The database password reset somehow isn't working, and I still get a 404 when trying to reset the password. I think I may finally be screwed... I really do like this app, but being locked out of and having to effectively destroy my site completely is pretty egregious. I hope this gets fixed in the future.

  21. Christiaan
    Member
    Posted 12 months ago #

    I have similar problem to apsulli, except it's a fresh install. I'm going reinstall and say goodbye to this plugin.

  22. therandomguy12345
    Member
    Posted 9 months ago #

    @Bit51

    For some reason, with Hide Backend option on, my "Lost Password" links result in 404 Error, too. How can this be fixed (even though I want to keep Hide Backend on)?

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic