2FA & Interstitial issues

  • Kevin Pirnie

    (@kevp75)


    5 days, 3 hours ago

    PHP 8.4, nGinx 1.28.0
    Multiple issues. First and foremost. Cannot login like normal. I login to my site, it goes to wp-login.php and throws a WP Error page stating: Failed to create interstitial state. and does nothing else.

    Cannot set on any account. That one throws a WSOD, with this in the logs.

    [27-Mar-2026 13:42:41 UTC] PHP Fatal error: Uncaught Error: Call to undefined method WP_Error::initialize_from_global_state() in /MY_PATH/wp-content/plugins/better-wp-security/core/lib/class-itsec-lib-login-interstitial.php:356 Stack trace: #0 /MY_PATH/wp-includes/class-wp-hook.php(341): ITSEC_Lib_Login_Interstitial->force_interstitial() #1 /MY_PATH/wp-includes/class-wp-hook.php(365): WP_Hook->apply_filters() #2 /MY_PATH/wp-includes/plugin.php(522): WP_Hook->do_action() #3 /MY_PATH/wp-login.php(546): do_action() #4 {main} thrown in /MY_PATH/wp-content/plugins/better-wp-security/core/lib/class-itsec-lib-login-interstitial.php on line 356

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Kevin Pirnie

    (@kevp75)

    5 days, 3 hours ago

    note. If I manually change the URL from the /wp-login.php to /wp-admin, I am logged in at my Dash

    Plugin Support Pawel [SolidWP Support]

    (@solidwppawel)

    2 days, 3 hours ago

    Hi Kevin,

    Thank you for reporting this with the full stack trace — that made it straightforward to track down.

    This is a confirmed bug in the plugin. The force_interstitial() method in class-itsec-lib-login-interstitial.php doesn’t check for a WP_Error return from ITSEC_Login_Interstitial_Session::create() before calling methods on the result. Other methods in the same file (like wp_login()) do have the proper is_wp_error() check — so this is an oversight in force_interstitial() specifically.

    The chain is:

    1. add_user_meta() fails when trying to store the interstitial session data
    2. create() returns a WP_Error (the “Failed to create interstitial state” message)
    3. force_interstitial() calls ->initialize_from_global_state() on the WP_Error object — fatal error

    The underlying trigger is add_user_meta() failing. This could point to a database issue — a previous report of this same error message turned out to be a disk space problem on the database server (MySQL error 28). It’s worth checking your database health: do you see any errors in your MySQL/MariaDB logs? Can you verify the wp_usermeta table is healthy? Running CHECK TABLE wp_usermeta; and REPAIR TABLE wp_usermeta; might help if the table has issues.

    Regarding PHP 8.4 — Solid Security 9.4.6 hasn’t had a dedicated PHP 8.4 compatibility update yet. There are known deprecation notices (implicit nullable parameters) on PHP 8.4 that can interfere with some operations. While these deprecations alone wouldn’t cause add_user_meta() to fail, they could contribute to unexpected behavior in the login flow.

    Workarounds:

    • As you’ve already found, navigating directly to /wp-admin bypasses the interstitial and works fine since you’re already authenticated.
    • If you need 2FA setup working, you can try adding define('SOLID_SECURITY_LEGACY_2FA_UI', true); to wp-config.php to use the older 2FA settings layout, which uses a different code path.
    • If the issue is specifically triggered during forced 2FA onboarding, you can temporarily disable 2FA by adding define('ITSEC_DISABLE_TWO_FACTOR', true); to wp-config.php, configure what you need, then remove the define.

    I’ve filed this as a bug with the development team — the missing error check needs to be patched regardless of the underlying add_user_meta() cause.

    Kind regards,
    Paweł

    Thread Starter Kevin Pirnie

    (@kevp75)

    2 days, 1 hour ago

    Appreciate you getting back to me. I’ve checked the table, its good.
    I’ll look into that legacy 2fa.

    lookin forward to the update 🙂

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.