• Resolved alfonsoborghi

    (@alfonsoborghi)


    Hello,
    everything was working fine until 2 days ago, when FE users were no longer able to log in.
    The reason WP firewall was blocking is “Local login required and Nonce missing.[58] Login attempt blocked.”
    Just by disabling “Only Allow Local Login” they are able to log in, but all users are logging in from local…
    I’d like to activate this security option again, can you tell me what is wrong?
    Thank you


Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Steven Ayers

    (@sovstack)

    @alfonsoborghi,

    Thank you for reaching out for support. I am assuming FE user is “Front-End” user. Is this affecting the ‘administrator’ roles or only subscriber and other roles? The login form has to include a nonce which is generated by the WP Security Safe plugin. The nonce will be a hidden field that will be checked on every attempt to log in. If the nonce has expired (24 hr expiration) or is missing, you will get that error in the logs.

    The field will look something like this:
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="68515e239d">

    That value is a unique string that is generated for the purpose of logging in. The value changes for each user to verify that the user is indeed visiting the page before logging in.

    How to troubleshoot:

    1. Turn on the WP Security Safe local login feature and DO NOT LOG OUT.
    2. Open up an incognito window in the browser and visit your login page, which will prompt you to log in in that incognito session.
    3. Right-click on the form, and inspect element or view the page source. You should find a field with the name of name="_wpnonce" within the form. If it is not there, the login validation will fail.
    4. If it is there, then the value is not coming through properly and failing due to it not matching.

    Please try this and let me know what you discover. Be sure to stay logged in in the other session to prevent locking yourself out of the admin.

    If you need help troubleshooting this, please add support@sovstack.com as an administrative user and I can log in and troubleshoot this for you. If you add me to your website as an administrator, please check the checkbox to notify the user when creating the account. Once this process is done, please delete my account.

    – Steven
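Step 3 of the troubleshooting list above can be scripted. This is an added example, not part of the thread or of WP Security Safe: it parses a saved copy of a login page and reports, for each form posting to wp-login.php, whether the hidden `_wpnonce` field is missing, empty or present. The function name `audit_login_forms()` and both sample forms are constructed for illustration.

```php
<?php
// Added example: list login forms in a page and whether each carries _wpnonce.
// audit_login_forms() and both sample forms are constructed for illustration.

function audit_login_forms( string $html ): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true ); // tolerate real-world, non-strict markup
    $doc->loadHTML( $html );
    libxml_clear_errors();

    $report = array();
    foreach ( $doc->getElementsByTagName( 'form' ) as $form ) {
        // Only forms that post to the WordPress login endpoint are relevant.
        if ( false === strpos( $form->getAttribute( 'action' ), 'wp-login.php' ) ) {
            continue;
        }
        $status = 'missing';
        foreach ( $form->getElementsByTagName( 'input' ) as $input ) {
            if ( '_wpnonce' === $input->getAttribute( 'name' ) ) {
                $status = '' === $input->getAttribute( 'value' ) ? 'empty' : 'present';
            }
        }
        $report[ $form->getAttribute( 'id' ) ] = $status;
    }
    return $report;
}

// Constructed sample: one form without the field, one with it.
$sample = <<<HTML
<form id="template-form" action="https://example.test/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
<form id="core-form" action="https://example.test/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
  <input type="hidden" id="_wpnonce" name="_wpnonce" value="0123456789">
</form>
HTML;

foreach ( audit_login_forms( $sample ) as $id => $status ) {
    echo $id . ': ' . $status . PHP_EOL;
}
```

A "present" result only shows that the field reached the browser; as step 4 says, a login that still fails then points to the value not matching or having expired.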

    Thread Starter alfonsoborghi

    (@alfonsoborghi)

    Hi, thank you for your fast reply.
    I checked the wp-login.php and actually it works now.
    The issue is that many FE users use another page to log in:
    https://www.rotarymodena.it/?page_id=1666, a page generated by a “Login user page” template, which does not have the nonce hidden field.
    So I simply need to add this hidden field to the template. I do not know why it was working before, anyway how do I get the nonce number to include in the form?
    Thank you very much

    Plugin Author Steven Ayers

    (@sovstack)

    You can use the snippet of code below to generate the line of code you need.

    <?php wp_nonce_field( 'login-local-' . SECSAFE_SLUG ); ?>

    The line of code must get placed within the boundaries of the <form></form> tags for the public login. This means that this code may not get the results you want if you cannot get the _nonce field within the tags. It depends on how that form is being created. If the form is being created by calling a WordPress function or another plugin, then please share that code with me and I will make WP Security Safe compatible with it.

    Thanks,

    -Steven

    Thread Starter alfonsoborghi

    (@alfonsoborghi)

    In the template, the login form is called by:

    <?php wp_login_form( $args ); ?>

    but this is what it really outputs; the nonce field is not present. How can I modify the wp_login_form call? Can I use the $args variable?:

    <form name="loginform" id="loginform" action="https://www.rotarymodena.it/wp-login.php" method="post">
    			
    			<p class="login-username">
    				<label for="user_login">Nome utente</label>
    				<input type="text" name="log" id="user_login" class="input" value="" size="20" />
    			</p>
    			<p class="login-password">
    				<label for="user_pass">Password</label>
    				<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" />
    			</p>
    			
    			<p class="login-remember"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Ricordami</label></p>
    			<p class="login-submit">
    				<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary" value="Login" />
    				<input type="hidden" name="redirect_to" value="https://www.rotarymodena.it" />
    			</p>
    			
    		</form>

    Thank you

    Plugin Author Steven Ayers

    (@sovstack)

    I believe I will need to make the plugin compatible with this. The parameters passed with $args will not be able to trigger the nonce field.

    Please disable the Local Login feature for now. I will investigate a solution and roll out a new version of WP Security Safe in a day or so. I will comment on this thread once the version is available.

    -Steven
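An added example, not part of the thread and not the plugin's own fix: WordPress core's `login_form_middle` filter lets a site append markup inside the form that `wp_login_form()` renders, so the nonce field from the snippet earlier in the thread can be injected without editing the template. The callback name `example_secsafe_login_nonce` is hypothetical, and the code assumes WP Security Safe is active (so `SECSAFE_SLUG` is defined) and that the default `_wpnonce` field name is the one being checked.

```php
<?php
/**
 * Added example (not the plugin's code): append the WP Security Safe login
 * nonce to every form rendered by wp_login_form().
 */
function example_secsafe_login_nonce( $content, $args ) {
    // SECSAFE_SLUG is defined by WP Security Safe; do nothing if it is inactive.
    if ( ! defined( 'SECSAFE_SLUG' ) ) {
        return $content;
    }
    // Avoid a duplicate if an earlier filter callback already added the field.
    if ( false !== strpos( $content, 'name="_wpnonce"' ) ) {
        return $content;
    }
    // Fourth argument false: return the markup instead of echoing it, because
    // wp_login_form() concatenates this filter's return value into the form.
    return $content . wp_nonce_field( 'login-local-' . SECSAFE_SLUG, '_wpnonce', true, false );
}
add_filter( 'login_form_middle', 'example_secsafe_login_nonce', 10, 2 );
```

Pages that render this form should be excluded from full-page caching, since a cached copy can keep serving a nonce past the 24-hour expiration mentioned earlier in the thread.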

    Plugin Author Steven Ayers

    (@sovstack)

    I have found a solution to this issue. I will release a new version of WP Security Safe 10 hours from now. I need to test this solution thoroughly before I release it.

    -Steven

    Plugin Author Steven Ayers

    (@sovstack)

    @alfonsoborghi,

    I have released version 2.2.3 and it includes a bug fix that should solve your login issue. Please update the plugin and clear your cache (if you are using W3TC or Super Cache, etc.). Please let me know if this solves your issue.

    Also, please review the changelog notes for version 2.2.3.

    Thank you,

    -Steven

    Thread Starter alfonsoborghi

    (@alfonsoborghi)

    Hi Steven,
    I’ve updated the plugin and now it’s working perfectly!

    Thank you very much!

    Alfonso

    Plugin Author Steven Ayers

    (@sovstack)

    @alfonsoborghi,

    I’m glad to hear that this fixed your issue. Please write a review of WP Security Safe as this helps support further development of this plugin.

    Thank you,

    -Steven

  • The topic ‘FE user blocked when “Only Allow Local Logins” is active’ is closed to new replies.