Support » Networking WordPress » password reset link appears to be invalid error

  • Hi all,

    on our multisite install its become impossible for end users to recover their passwords. When they recieve the email with the link to set a new password they always get the error “password reset link appears to be invalid”. The URL on the page shows wp-login.php?action=lostpassword&error=invalidkey
    I’ve just spent some time testing this, I’ve disabled every single plugin and set a default theme (twenty fifteen) and I still have the exact same problem. The WordPress is installed on a dedicated server running Ubuntu 14.05 LTS and WordPress 4.7.3. There is no caching in place.
    I’ve had a good read on the available info from other people suffering from this issue and all seem to be related to plugins, themes, customisations or plugins. Given I’ve now removed everything except the base WordPress install I’m now looking for what else I can check or test? Can anyone suggest anything further?

    thanks, Andy.

Viewing 15 replies - 1 through 15 (of 21 total)
  • Thats a tough one. That shouldnt happen if you really disabled all plugins and use a default theme – did you remember to remove mu-plugins?

    What I would do is download latest WP and copy the wp-config.php over. If that doesnt work, you’re in trouble. Of course keep your previous version of WP as backup.

    thanks for your reply. Yes the MU plugin directory has been renamed, there are zero plugins showing from wp-admin.

    I just recreated the wp-config.php from the sample, using the bare minimum config and new salts and I still have the exact same error when attempting password reset unfortunately.

    thanks Andy.

    Andy –
    What I recommend is to download a fresh copy of WP. In case you corrupted yours. I would rename the existing WP directory. Download a fresh copy in the same folder as the previous WP. Copy over wp-config.php and .htaccess.

    Hi,

    ok, so I’ve taken a tar.gz of the WordPress 4.7.3 and I’ve moved the original WordPress directory and replaced it with the fresh WordPress and all I’ve done is moved over the wp-config.php. I forgot to mention, this installation is Nginx + PHP FPM so there’s no .htaccess.
    So after all that, I still have the exact same error. Unless its a bug, that would only seem to leave my wp-config.php and Nginx config as possible cuplrits? Should I post those in full here?

    thanks, Andy.

    > I forgot to mention, this installation is Nginx + PHP FPM so thereโ€™s no .htaccess
    Then how did you implement .htaccess rules? How did you translate the .htaccess rules to nginx rules? IMO, that is probably the problem (nginx configuration). But I am not sure why only the reset password is affected; and what exactly is the cause.

    Can you tell me how users initiate lost password? Do they hit the url http://domain.com/wp-login.php?action=lostpassword

    So far this tells me that it isnt a WP problem. Its pointing to a configuration issue

    Yep, so the password reset is requested from

    http://domain.com/wp-login.php?action=lostpassword

    the email has a link similar to:

    http://domain.com/wp-login.php?action=rp&key=7T2V5y5W44j0KOBGylCb&login=andytest

    and as soon as you access the above link you are redirected to

    http://domain.com/wp-login.php?action=lostpassword&error=invalidkey

    Hi,

    I’ve just installed Apache 2.4.7 and I get exactly the same error ๐Ÿ™

    thanks, Andy.

    • Has lost password ever worked?
    • Have you changed anything recently? Especially WRT ssl

    lostpassword is working correctly. Action rp (resetpassword) is generating an error. If you click on the email rp link this is what should happen in the browser:
    http://domain.com/wp-login.php?action=rp&key=7T2V5y5W44j0KOBGylCb&login=andytest
    redirects to http://domain.com/wp-login.php?action=rp
    redirects to http://domain.com/wp-login.php?action=lostpassword&error=invalidkey

    Many things could create that error. Server configuration: ssl, cookies… others but hard to determine.

    Hi,

    I haven’t personally used this type of password reset ever. I assume its worked in the past as no one has ever complained before.
    The site I’m testing against is HTTP, so no SSL. Server config is now default Apache 2.4 install, htaccess as mandated by WordPress. Wp-config.php also contains default settings plus what wp-admin instructs me to add.

    any suggestions of what else I can test or try?

    thanks, Andy.

    I have a newish WP 4.7.3 system and lostpassword/resetpassword works.

    Are you a developer? I can tell you the problem area to debug is wp-login.php line 567 – 590. My guess is its failing on line 578 check_password_reset_key() but only you can determine that.

    I’m a sys admin who can program in shell and perl, have hacked at PHP a bit from time to time but basically a novice. Also I’m pretty familiar with WordPress’s DB and have done quite a lot of stuff direct to the DB on multisite installs, but probably that won’t help me much here!

    I’m able to see that I’m hitting the problem at line 503 if ( 'invalidkey' == $_GET['error'] ) but I’m unsure where the $_GET error bit is coming from.

    Im continuing to read through the code but any hints or tips would be welcome ๐Ÿ˜‰

    thanks, Andy.

    Debugging can get quite involved. Email me directly

    • This reply was modified 2 years, 7 months ago by jkhongusc.

    I had the exact same problem when I switched to NGINX, the website I use is Multisite and registration is handled through subdomain site. So I switched this subdomain to Apache and left Nginx to serve only static files. That fixed the problem.

    Thanks for the info. As mentioned in the thread, I’m now testing against Apache (on another system) to simplify the troubleshooting, however I still have the same problem.

    One weird thing I’ve just noticed is that it seems I cannot logout, after doing a logout and being told I’m logged out I am actually still logged in and can access wp-admin. The only way I can really log out is clearing my local cookies. So seems like something bad is happening with sessions on the server. I actually don’t see any files in the PHP session.save_path “/var/lib/php5/sessions”. Incidentally on the live server I’m using memcache and also see this issue

    • This reply was modified 2 years, 7 months ago by andyldex.

    Hi all,

    I’ve now resolved this issue, on both my test system (Apache + mod PHP) and live (Nginx + PHP FPM). The issue in the end was WordPress was generating a wrong COOKIEHASH which was due to it failing to get anything from $siteurl = get_site_option( 'siteurl' ) in default-constants.php. And this in turn was due to a missing entry for “siteurl” in wp_sitemeta. Once I manually added the entry into wp_sitemeta everything started to work as expected.
    Many thanks to James (jkhongusc) for helping me out on this, much appreciated!

    Andy.

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘password reset link appears to be invalid error’ is closed to new replies.