iThemes Security (formerly Better WP Security)
Brute force protection is causing "catchable fatal error" upon failed login (2 posts)

  1. homebysix
    Posted 2 years ago #

    I just noticed a problem with WordPress 3.9.1 and iThemes Security 4.2.4 on at least two of the sites I administer. The problem occurs when a visitor attempts to login with incorrect WP credentials. They are taken to a blank white screen containing the following error:

    Catchable fatal error: Object of class WP_Error could not be converted to string in /home3/username/public_html/wp-includes/formatting.php on line 584

    Upon inspecting line 584 of formatting.php, I see this:

     * Checks for invalid UTF8 in a string.
     * @since 2.8.0
     * @param string $string The text which is to be checked.
     * @param boolean $strip Optional. Whether to attempt to strip out invalid UTF8. Default is false.
     * @return string The checked text.
    function wp_check_invalid_utf8( $string, $strip = false ) {
    	$string = (string) $string; // <-- THIS IS LINE 584
    	if ( 0 === strlen( $string ) ) {
    		return '';

    Visitors who enter their username and password correctly still log in just fine. And visitors who enter either no username or no password still get the "you left a field blank" error as expected. This only happens for incorrect logins.

    Here's the interesting bit: If I turn off brute force protection, the problem is resolved completely. So that's what I've done.

    Here are my brute force settings, for reference.

    Max Login Attempts Per Host: 5
    Max Login Attempts Per User: 10
    Minutes to Remember Bad Login (check period): 5

    Would love to find out why this is happening so I can turn brute force protection back on. Any suggestions?


  2. homebysix
    Posted 1 year ago #

    I'm still having this settings with WP 4.0.1 and iThemes Security 4.5.2.

    When users try to log in with incorrect credentials, and iThemes Security's brute force protection is turned on, they see this error:

    Catchable fatal error: Object of class WP_Error could not be converted to string in /home3/username/public_html/wp-includes/formatting.php on line 716

    If they log in with incorrect credentials while iThemes Security's brute force protection feature is turned off, they see the regular "incorrect username or password" error message.

    Anybody want to help me dive in and troubleshoot?

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic