• Resolved Tim Nolte

    (@tnolte)


    My multisite instance updated to the just released version and now the 2FA verification is broken on all of my sites and I’m locked out of the entire network.

Viewing 15 replies - 1 through 15 (of 19 total)
  • Thread Starter Tim Nolte

    (@tnolte)

    I don’t know what the plugin did but now even rolling back to version 1.3.5 I’m still unable to verify the 2FA codes or any backup codes for any users on the multisite network.

    Thread Starter Tim Nolte

    (@tnolte)

    Note I can’t even disable 2FA on a single site in the network.

    wp @production sg secure 2fa disable --url=www.timnolte.com

    Tells me it successfully disabled 2FA but doesn’t actually. Leaving off the URL for a specific site also claims to have disabled 2FA, but I can’t see where, as it’s still required on all sites including the main network site.

    Looks like the LiteSpeed cache was affecting the results of disabling the 2FA. I’m about to login to my sites again, though, once I enable 2FA I’m locked out again.

    • This reply was modified 1 year, 5 months ago by Tim Nolte.
    Plugin Support Simeon Boev

    (@k3llanved)

    Hello @tnolte,

    I would recommend updating the plugin to the latest version available and test the two-factor authentication with a blank test website that is part of your network. Leave only our plugin active and enable the 2FA to test if the issues will continue. Any additional information such as console/network errors or warnings related to the 2fa feature and our plugins from the web developer browser tools will be helpful as well.

    Best Regards,
    Simeon Boev

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    Hello @tnolte,

    I am sorry to hear you are having such troubles with the latest update. We will do our best to assist you.

    In the latest update of the plugin we have improved the 2FA security with encryption. It requires all users' 2FA secret codes to be encrypted; once the update passes, we store the encrypted values, so reverting to the previous version will not fix the issue reported. There is an encryption file, called sgs_encrypt_key.php, which will be generated by the service and stored under the wp-content directory of the application.

    Usually if there are issues with the encryption file we reset all users 2FA and disable the service automatically.

    Still you can use 2FA reset command for all users to have a fresh start. This way all users will be forced to setup their 2FA once again and all data should be stored as expected.

    The command which can be used is:

    wp sg 2fa reset all

    Let us know of the results.

    Best Regards,
    Elena
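
    The following is an added example, not the SG Security plugin's own code: a toy model of the upgrade as Elena describes it (2FA secrets stored in user meta rewritten as ciphertext under a key file in wp-content), to show why rolling the plugin back cannot restore logins and why a reset is the fix. The cipher (an HMAC-SHA256 keystream XOR), the "enc:" storage prefix and the meta key name are assumptions for illustration only, not the plugin's real format.

```python
"""
Added example, not the SG Security plugin's code.  Models the one-way
migration the thread describes: TOTP secrets in user meta are replaced by
ciphertext keyed from a key file.  A rolled-back verifier then reads
ciphertext as if it were the secret and every login fails; a reset that
drops the secrets is what gets users back in.  Cipher, "enc:" prefix and
META_KEY are illustrative assumptions, not the plugin's real format.
"""
import base64
import hashlib
import hmac
import os
import struct

META_KEY = "sg_2fa_secret"   # assumed meta key name for illustration only


def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) over a base32 secret.  Raises ValueError
    when the stored value is not base32, which is exactly what an
    un-upgraded verifier sees after the migration."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || block counter)."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return out[:n]


def encrypt_meta(key: bytes, plaintext: str) -> str:
    """Encrypt one meta value as 'enc:<nonce hex>:<ciphertext hex>'."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return f"enc:{nonce.hex()}:{ct.hex()}"


def decrypt_meta(key: bytes, stored: str) -> str:
    """Inverse of encrypt_meta; wrong key gives garbage, wrong format raises."""
    _, nonce_hex, ct_hex = stored.split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def upgrade(users: dict, key: bytes) -> int:
    """The migration: every stored secret is overwritten with ciphertext.
    Returns the number of users rewritten."""
    n = 0
    for meta in users.values():
        if META_KEY in meta and not meta[META_KEY].startswith("enc:"):
            meta[META_KEY] = encrypt_meta(key, meta[META_KEY])
            n += 1
    return n


def verify_old(users: dict, user: str, code: str, t: int) -> bool:
    """Pre-upgrade verifier (what a rolled-back plugin does): treats the
    stored meta value as the plaintext secret."""
    try:
        return hmac.compare_digest(totp(users[user][META_KEY], t), code)
    except (KeyError, ValueError):
        return False


def verify_new(users: dict, user: str, code: str, t: int, key: bytes) -> bool:
    """Post-upgrade verifier: decrypts with the key file's key first.  A
    missing or different key yields garbage and the login fails closed."""
    try:
        secret = decrypt_meta(key, users[user][META_KEY])
        return hmac.compare_digest(totp(secret, t), code)
    except (KeyError, ValueError):
        return False


def reset_all(users: dict) -> int:
    """What a reset amounts to: drop the stored secrets so every user has to
    enrol again.  Returns the number of users reset."""
    n = 0
    for meta in users.values():
        if meta.pop(META_KEY, None) is not None:
            n += 1
    return n


if __name__ == "__main__":
    now = 1_700_000_000                    # fixed clock for a repeatable run
    users = {"admin": {META_KEY: "JBSWY3DPEHPK3PXP"}}   # constructed sample
    code = totp("JBSWY3DPEHPK3PXP", now)
    key = os.urandom(32)                   # stands in for sgs_encrypt_key.php
    print("before upgrade, old verifier:", verify_old(users, "admin", code, now))
    upgrade(users, key)
    print("after upgrade, rolled-back verifier:", verify_old(users, "admin", code, now))
    print("after upgrade, new verifier:", verify_new(users, "admin", code, now, key))
    print("new verifier, key file lost:", verify_new(users, "admin", code, now, os.urandom(32)))
    print("users reset:", reset_all(users))
```

    The point the model makes: the stored value is what changed, not the plugin code, so reinstalling 1.3.5 reads ciphertext and fails; and losing or regenerating the key file (renaming it, a fresh install) makes the ciphertext unrecoverable, which is why the plugin treats that as "reset everyone".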

    Same here, users cannot log in with 2FA after the update. Nothing fancy on my setup: a single site of WP + Woo hosted on SiteGround with the SG Optimize and Security plug-ins.
    Do I have to reset the 2FA codes for everybody?

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    Hello @negapo,

    2FA is applied only on administrators and editor user roles by default. Could you please confirm if you are using any custom user roles on the website and if they are set to use 2FA as well.

    As you are a SiteGround client, you can open a technical support ticket, so we can take a closer look on the setup.

    Thank you for your cooperation!

    Elena

    Thread Starter Tim Nolte

    (@tnolte)

    @elenachavdarova thank you for actually providing a helpful response. I just logged into my hosting and I can see that new file. Given this is a multisite setup has this new encryption rollout been tested on a multisite? My setup includes network users that have access to multiple sites in the network. I know with even WordPress Core updates when there is an update you generally need to “upgrade the network”. Also has the plugin been tested with both WordPress 6.0 & 6.1 with multisite? My network was on 6.0 but I updated to 6.1 with the hope that it might fix things, which it didn’t either.

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    You are welcome, @tnolte!

    We have tested the plugin on multisite setup – the upgrade process for users already using 2FA was tested as well.

    It appears there is something specific in your case which is causing the reported behaviour.

    As the file exists on the site – the user meta values should be encrypted as well. If all users are unable to login via 2FA what you can do is:

    – Use wp-cli 2fa reset command to reset all users 2FA setup:

    wp sg 2fa reset all

    In case there is no wp-cli available on your hosting platform, you can manually force this by renaming the encryption file. On the next login the 2FA will be automatically reset if the file is renamed. You should be able to login and re-enable 2FA again. Then all data should be properly fetched and there should be no issues with the login.

    Looking forward to the results.

    Thread Starter Tim Nolte

    (@tnolte)

    @elenachavdarova that all makes sense. I am out of town without a computer so will have to work on this more when I return Thursday/Friday. Trying to do too much from just my phone can be a challenge, even if I have an SSH client. Ha.

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    No worries, @tnolte!

    Thank you for your cooperation so far. I hope we will be able to sort things out at the end 🙂

    Also have 3 websites broken on 2FA from the 1.3.6 upgrade (2 multisite). Didn’t have wp-cli access easily, so I deleted the SG Security entries from the database under usermeta, which reset the accounts for 2FA (from this thread, How do I see the QR code again: https://wordpress.org/support/topic/how-do-i-see-the-qr-code-again/).

    Plugin Support Georgi Ganchev

    (@georgiganchev)

    Hello @bartmann2,

    You should see the QR code immediately after the deletion of the tables from the thread you quoted. There is a more elegant way to reset your users’ authentication codes (the best way possible is with WP-CLI, but let’s say you do not have such access).

    Navigate to your website document root > /wp-content > delete the file sgs_encrypt_key.php > login to your WordPress (you will not be asked to authenticate this time) > go to SG Security > Login security > Enable the Two-factor Authentication.

    Deleting the file will stop the authentication and reset the encryption keys. Once you enable the option, the file would be recreated but all users will need to scan their new QR code.

    Best regards,
    Georgi Ganchev
    Technical Support
    SiteGround.com

    Same problem here. Deleting the sgs_encrypt_key.php file solved it.

    Thread Starter Tim Nolte

    (@tnolte)

    @elenachavdarova & @georgiganchev just to clarify, with my multisite instance simply deleting the sgs_encrypt_key.php didn’t do anything but keep me locked out. The only way to solve the problem was to execute the wp sg 2fa reset all command. It seems this is actually what caused the problem to begin with. I’m guessing that the act of generating that file actually didn’t update user records properly to begin with. I am specifically running my multisite instance on LiteSpeed with the WordPress LS Caching plugin installed. I found that simply running the WP-CLI commands additionally required me to purge the LiteSpeed caches in order to see those changes reflected. Seems that the SG Security plugin perhaps has some underlying compatibility issues with the LiteSpeed web server and caching.

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    Thank you for your update and cooperation, @tnolte!

    Could you please share more details of the LiteSpeed cache setup you are using. More specifically we are interested in the setup under LiteSpeed Cache -> Presets and Cache sections.

    We will add LiteSpeed cache purge upon 2FA enabling and reset but still it will be great if we can replicate the reported behaviour on a test environment.

    Best Regards,
    Elena
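
    The following is an added example, not SiteGround's code or anything posted in this thread: a small shell script that puts the recovery steps discussed above into one place, with two practitioner caveats the posts only imply. It moves sgs_encrypt_key.php aside with a timestamp suffix instead of deleting it (so the old key can be restored if the reset turns out not to be wanted), and after the wp-cli reset it purges the LiteSpeed cache, since Tim reports the reset not being visible until he did. The site root path, the use of wp-cli's global --path and --url options, the litespeed-cache plugin slug and the LiteSpeed Cache plugin's `wp litespeed-purge all` command are assumptions on my part, not taken from the page.

```bash
#!/bin/sh
# Added example, not SiteGround's code.  Stages the SG Security 2FA lockout
# recovery from the thread: back the key file up rather than delete it, run
# the plugin's reset, then purge LiteSpeed cache so the reset is visible.
# Assumed (not from the page): site root path, wp-cli --path/--url options,
# the "litespeed-cache" plugin slug and the "wp litespeed-purge all" command.

# rotate_sgs_key ROOT
# Moves ROOT/wp-content/sgs_encrypt_key.php to a timestamped backup and prints
# the backup path.  Returns 1 (and prints nothing) if there is no key file,
# so a caller can tell "nothing to rotate" from a successful rotation.
rotate_sgs_key() {
    root=$1
    key="$root/wp-content/sgs_encrypt_key.php"
    [ -f "$key" ] || { echo "no key file at $key" >&2; return 1; }
    backup="$key.bak.$(date +%Y%m%d%H%M%S)"
    mv "$key" "$backup" || return 1
    echo "$backup"
}

# reset_2fa ROOT [URL]
# Runs the reset command quoted in the thread for the whole user table, then
# purges LiteSpeed cache only if that plugin is actually active.  On a
# multisite, pass the network's main site URL so wp-cli targets the network.
reset_2fa() {
    root=$1
    url=${2:-}
    if [ -n "$url" ]; then
        wp --path="$root" --url="$url" sg 2fa reset all || return 1
    else
        wp --path="$root" sg 2fa reset all || return 1
    fi
    if wp --path="$root" plugin is-active litespeed-cache >/dev/null 2>&1; then
        wp --path="$root" litespeed-purge all
    fi
}

# Example run (paths are placeholders; adjust for the actual install):
#   rotate_sgs_key /var/www/html && reset_2fa /var/www/html https://www.example.com
```

    Order matters here: rotate the key file first, then run the reset, so the old ciphertext can never be read with the new key, and only the explicit reset decides whether users are re-enrolled. Keep the .bak copy outside the web root or remove it once everyone has re-enrolled; it is the old master key for whatever secrets were encrypted under it.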

  • The topic ‘Lastest Release Broke 2FA Verification’ is closed to new replies.