Plugin Support
Laszlo
(@laszloszalvak)
Hi @cortinashd
I checked the linked page and these kinds of problems are usually caused by a firewall on your server, in most cases ModSecurity. That has the “.profile” string on its black list, so whenever a request contains this in the query string, the request will be automatically blocked so the visitor usually gets redirected to a 403 or 404 error page.
The problem is that Google uses the “.profile” string in one of its scopes:
and the request will contain it, and that will cause the request to be blocked.
In your case I can see the same problem, too. You can simply check the problem by opening your /wp-login.php page with the .profile string in a GET parameter, e.g.:
where example.com should be replaced with your own domain. The request will be blocked and it will redirect to the 404 error page.
However, if you make the URL no longer contain the blacklisted .profile string, let’s say you remove the last “e” character:
that will redirect to the /wp-login.php page fine.
To fix this problem, you should get in touch with your host, and tell them their firewall blocks the OAuth requests of Google because of this blacklisted .profile string. Maybe they could whitelist it when it appears in the “https://www.googleapis.com/auth/userinfo.profile” context.
Best regards,
Laszlo.
I update my entry:
Now it happens that the Google login works at times but then it stops working and the 404 error appears.
Hello @laszlo, thanks for your prompt response. I have a droplet with DigitalOcean; please can you tell me how to unblock the firewall? I understand that it should be done by accessing the console. What I don't know are the sudo commands that I must apply. My server runs under Ubuntu version 20.04.
Plugin Support
Laszlo
(@laszloszalvak)
Hi @cortinashd
I am not that familiar with the configuration of ModSecurity, but as far as I know they have a config file where they have their rules. So you can add or remove the necessary rules there.
In the documentation of Digital Ocean I can see an example for removing rules by ID:
https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu#excluding-hosts-and-directories
and that is what you could probably give a try.
From the reports we got, the customers usually told us the problem was caused by one of these ModSecurity rules:
which were restricting access.
As I mentioned above, I am not that familiar with its configuration, but I checked some topics, and according to this article:
https://www.inmotionhosting.com/support/security/find-and-disable-specific-modsecurity-rules/
You can actually find the ModSecurity rules which are getting triggered and you can also find an example there for removing the problematic rule.
I hope that will help.
If you still didn’t manage to fix the problem, then I would suggest getting in touch with the support staff of Digital Ocean. I think they could tell you how you can actually find and disable these rules on their platform.
Important Note:
I cannot see this 404 error occur when the “.profile” string appears in other URLs, but only on the /wp-login.php page. By default we handle the OAuth flow over the /wp-login.php page, so as an alternative solution, you could make Nextend Social Login handle its codes over other pages.
For that, you should use the “Page for register flow” and the “OAuth redirect uri proxy page” settings, which both can be found at our Global Settings > General tab: https://nextendweb.com/nextend-social-login-docs/global-settings/
For the Page for register flow: You should create a new page and place the shortcode into it: [nextend_social_login_register_flow] then select that page for this setting. Extra information before the registration with social login – like Terms and Conditions – would be asked on this page.
For the OAuth redirect uri proxy page: You should create another new and completely empty page and select it as OAuth redirect uri proxy page. Once it is done, the redirect URL of each configured provider will change, as the OAuth flow will be handled over this new page instead of the /wp-login.php page. So you will need to add the new redirect URLs into each of your Apps. (Nextend Social Login will also warn you about this with a message, where you can see all the steps, but actually you can find the redirect URLs in the Getting Started section of the providers, too. The redirect URIs are the URLs that usually contain this query string: “?loginSocial=”)
Best regards,
Laszlo.
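To find which ModSecurity rule is rejecting the `.profile` requests on /wp-login.php, the Apache error log can be filtered as in the following added example, which is not part of the thread or of Nextend Social Login. It assumes the usual bracketed `[id "..."]`, `[data "..."]` and `[uri "..."]` fields that ModSecurity writes to the error log; the log lines, file path and rule ids 900001/900002 are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Apache error-log entries written by
# ModSecurity. Rule ids 900001/900002 and the file path are placeholders.
SAMPLE_LOG = """\
[Mon Jan 01 10:00:00 2024] [:error] [pid 1] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/placeholder/rules.conf"] [id "900001"] [msg "Constructed: restricted file access"] [data "Matched Data: .profile found within ARGS:scope"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Jan 01 10:05:00 2024] [:error] [pid 1] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [file "/placeholder/rules.conf"] [id "900001"] [msg "Constructed: restricted file access"] [data "Matched Data: .profile found within ARGS:scope"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Jan 01 10:06:00 2024] [:error] [pid 1] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/placeholder/rules.conf"] [id "900002"] [msg "Constructed: SQL keyword"] [data "Matched Data: union select found within ARGS:s"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Jan 01 10:07:00 2024] [core:error] [pid 1] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
"""

# Matches ModSecurity's bracketed key/value fields, e.g. [id "900001"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the bracketed fields of a ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    return dict(FIELD.findall(line))


def rules_blocking(log_text, uri="/wp-login.php", needle=".profile"):
    """Count rule ids that fired on `uri` where the matched data holds `needle`."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("uri") != uri:
            continue
        if needle in fields.get("data", ""):
            hits[fields.get("id", "unknown")] += 1
    return hits


if __name__ == "__main__":
    for rule_id, count in rules_blocking(SAMPLE_LOG).most_common():
        print(f"rule id {rule_id}: {count} blocked request(s) containing .profile")
```

The ids it reports are the ones to pass on to the host, or to consider excluding for /wp-login.php only, rather than disabling the rule set as a whole.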