• Resolved sun6hine

    (@sun6hine)


    First of all, many thanks for this great plugin!

    I always had the brute-force attack protection activated by default and no problems with it. But for three days now I can’t log into WP’s backend anymore. Several browsers reported a content encoding error.

    Therefore I deactivated NinjaFirewall manually (FTP) and switched off the preceding brute-force attack protection. The usual log-in page of WordPress appears without problems and I can log in again, yay.

    Nevertheless, I’d like to reactivate the brute-force attack protection (by default). What could be the reason for this feature causing the Content Encoding Error?

    Thank you very much!

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Did you make any change lately:
    1. Some change to the “Firewall Policies > Advanced Policies > HTTP Response Headers” section?
    2. Installed/re-configured a new theme or plugin?

    Can you try to disable the “Enable bot protection” from the “Login Protection Page”?

    Which browser, version and OS is affected, and which one isn’t?

    • This reply was modified 6 years ago by nintechnet.
    Thread Starter sun6hine

    (@sun6hine)

    Thanks for your reply!

    1. No changes were made to HTTP Headers, neither through NF, nor manually.
    2. No new themes/plugins were installed.

    Interestingly, when I disable “Enable bot protection”, the server replies with HTTP 401 (Unauthorized), so there’s no Content Encoding Error anymore … which, optimistically speaking, is a step forward 😉

    (Tested on Chrome 80, FF 74.0.1, Edge 80, Opera 66; Win10, several Linux’ and MacOS)

    Plugin Author nintechnet

    (@nintechnet)

    What is your PHP version?
    It looks like you’re having an issue with either the init_set PHP functions (it could be blocked by your host) or the zlib.output_compression PHP directive. Both are used by the firewall’s “Enable bot protection” feature which will handle the encoding.

    Thread Starter sun6hine

    (@sun6hine)

    Thanks, that’s an idea! I’m running on 7.3.15. zlib.output_compression is set off.

    If init_set is blocked (shared server :/), there’s no chance to avoid 401 (even w/o bot protection enabled), correct?

    Plugin Author nintechnet

    (@nintechnet)

    The 401 is always returned as long as you don’t enter the right password (or captcha), i.e. when you access the page. If you disabled “Enable bot protection”, does it work as expected?

    Thread Starter sun6hine

    (@sun6hine)

    No, unfortunately, that’s just the problem …

    Login Protection enabled:
    Bot Protection enabled: Content Encoding Error, can’t access website at all.
    Bot Protection disabled: Returning 401 without even being able to enter user/pass or solve captcha.

    Login Protection disabled:
    Can login to WP backend without running into errors.

    Plugin Author nintechnet

    (@nintechnet)

    Can you try to run this command 3 times:
    * Once with Login Protection enabled + bot protection enabled.
    * Once with Login Protection enabled + bot protection disabled.
    * Once with Login Protection disabled.

    curl 'https://YOUR_WEBSITE/wp-login.php' -I -A 'Mozilla/5.0' -H 'Accept: *' -H 'Accept-Language: *'

    And to paste the results here.

    Thread Starter sun6hine

    (@sun6hine)

    Thanks, I’d appreciate that, but unfortunately I don’t have access to the console in the limited package of my webhoster :/

    From your point of view, is there anything against restricting access to wp-login.php via htaccess? This way, bruteforce attacks could still take place, though it sets up a second hurdle.

    Plugin Author nintechnet

    (@nintechnet)

    Sure, you can disable it from the .htaccess or password-protect it (.htaccess + .htpasswd).

    Thread Starter sun6hine

    (@sun6hine)

    Thank you, then I will resort to this makeshift solution. Sorry I couldn’t get to the bottom of the problem any further, many thanks for the great support and your time!

The topic ‘Content Encoding Error when enabling brute-force attack protection’ is closed to new replies.
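
Added example, not part of the thread and not NinjaFirewall code: a browser reports a content encoding error when it cannot decode the body according to the Content-Encoding header, so this check compares the declared encoding of a saved raw response with what the body actually contains. The helper names and the sample responses are constructed for illustration; the thread never established which mismatch occurred on the affected site.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diagnose(raw):
    """Compare the declared Content-Encoding with what the body really is."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-encoding", "identity").lower()
    looks_gzip = body.startswith(GZIP_MAGIC)
    if declared != "gzip":
        return f"{status}: " + ("gzip body without header" if looks_gzip else "consistent")
    if not looks_gzip:
        return f"{status}: header says gzip, body is not compressed"
    try:
        inner = gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        return f"{status}: header says gzip, body is corrupt or truncated"
    if inner.startswith(GZIP_MAGIC):
        return f"{status}: body was compressed twice"
    return f"{status}: consistent"

def make(status_line, encoding, body):
    """Build a constructed raw response for the demo below."""
    head = status_line + "\r\n"
    if encoding:
        head += f"Content-Encoding: {encoding}\r\n"
    return head.encode() + b"\r\n" + body

PAGE = b"<html>constructed login page</html>"
SAMPLES = {  # constructed responses, not captured from any real site
    "plain_as_gzip": make("HTTP/1.1 200 OK", "gzip", PAGE),
    "double_gzip": make("HTTP/1.1 200 OK", "gzip", gzip.compress(gzip.compress(PAGE))),
    "healthy": make("HTTP/1.1 200 OK", "gzip", gzip.compress(PAGE)),
    "auth_prompt": make("HTTP/1.1 401 Unauthorized", None, PAGE),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {diagnose(raw)}")
```

The `curl -I` command quoted in the thread returns headers only, so this check needs a response saved with its body as well.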