Support » Plugin: iThemes Security (formerly Better WP Security) » [Plugin: Better WP Security] Reset Password URL triggers 404

  • The login (wp-login.php), registration (wp-login.php?action=register) and forgotten password (wp-login.php?action=lostpassword) urls work fine.

    However, if I trigger the recover password function, the url in the subsequent email has wp-login.php?action=rp&key=ZZZZZZ&login=yyyy in the confirmation url. This url generates a 404 – not found.

    I can confirm that de-activating the plugin allows normal functionality.

    Any ideas how I can fix this? Thanks.

Viewing 15 replies - 1 through 15 (of 21 total)
  • Turning off hide backend will fix it until the next update.

    Thanks for the response.
    Actually, Hide Back end is turned off, and the problem still exists. When is the next update due?

    Sorry about that. It will now work in the dev version. Turns out I admittedly overtightened the filter query string section.

    You can get the dev version at

    I will try to get a full version out this weekend.

    That’s cool.. happy to wait and check it out over the weekend. 🙂

    Hi, I have updated the plugin and tested again.
    The problem still stands: the url in the forgotten password email is wp-login.php?action=rp&key=ZZZZZZ&login=yyyy in the confirmation url and it generates a 404 – not found.


    resave your System Tweaks settings and you should be fine.

    Thanks.. All good!

    Glad to hear it. Thanks for the followup.

    Hi Guys,

    I had the same issue when submitting the new password after a reset.

    I found the line of code causing the issue in the .htaccess file

    remove this line:
    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    Ive tested at it resolved the issue on my installation.
    If this is the line of code causing the issue for everyone, please can we get it sorted on the next update.

    kind regards

    @bobbinson is this with 3.4.3? In my experience that shouldn’t be needed with 3.4.3 (although you might have to re-save your options first).

    I believe re saving the option would resolve it.

    I think it will be used on woocommerce plugin, because I often get 404 error page.

    Hi all,

    This is also an issue with version 3.4.6 with the ‘hide admin area’ and ‘filter suspicious query strings’ options enabled.

    The password reset email is received and the link it contains functions correctly, but submitting a new password still triggers a 404 error.

    This issue persists after resaving all options, including the ‘System Tweak’ settings.

    As noted by bobbinson, the issue is resolved by removing the following line from .htaccess:

    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    Any chance this could be revisited in the next update?

    Best regards



    Even after removing that string from .htaccess, I’m having this issue. I get a “wrong password” error when I try to log in normally (yeah I forgot my password, what of it?), and when I try to reset the password, I get redirected to the 404 page. I’m a bit concerned as I can’t get in to even my admin account, so I can’t actually adjust any settings in the plugin. Basically, I’m locked out. I wouldn’t call myself a total novice at this stuff, but I’m not an advanced user either. I was able to follow all of the instructions in this thread so far to no avail.

    This site is not anything huge for me, but it’s enough that I wouldn’t want to lose it. Any help would be hugely appreciated.



    Ok so I was able to get into my site at least (phew) by going into the database explorer using phpMyAdmin in cPanel then manually navigating to the users table of my DB and editing the user. I changed the function to MD5 then set the password in the value field. However, the 404 issue does persist. I hope this is indeed something that can be revisited as I was basically at defcon 4 because of my own stupidity.

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘[Plugin: Better WP Security] Reset Password URL triggers 404’ is closed to new replies.