Support » Plugin: iThemes Security (formerly Better WP Security) » Filter Suspicious Query Strings breaks password reset (with solution)

  • pakeller


    I found that enabling Filter Suspicious Query Strings stopped password reset from working. The e-mailed link goes to the usual password reset page, but after entering a new password I got a “page not found”, and the password had not changed (the old one still worked).

    The action link on the password reset page looks like this:

    <form name="resetpassform" id="resetpassform" action="

    After a bit of investigation, I found that making the following change to the modified .htaccess file fixed this:

    @@ -57,7 +57,7 @@
     RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
     RewriteCond %{QUERY_STRING} !^loggedout=true
    -RewriteCond %{QUERY_STRING} !^action=rp
    +RewriteCond %{QUERY_STRING} !^action=(rp|resetpass)
     RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
     RewriteRule ^(.*)$ - [F,L]

    In wp-login.php, we find this:

    case 'resetpass' :
    case 'rp' :
    	$user = check_password_reset_key($_GET['key'], $_GET['login']);
    	if ( is_wp_error($user) ) {

    which suggests that the rp and resetpass actions are equivalent.

Viewing 1 replies (of 1 total)
  • finglandj


    I just encountered the same issue. Thanks pakeller for identifying the problem.

Viewing 1 replies (of 1 total)
  • The topic ‘Filter Suspicious Query Strings breaks password reset (with solution)’ is closed to new replies.