Login Lock
Getting error: This webpage has a redirect loop (30 posts)

  1. phoenixMagoo
    Member
    Posted 3 years ago #

    Started getting this error this morning: "This webpage has a redirect loop" when trying to login to my site. I erased the login-lock folder in my plugins directory and that fixed the issue. Just curious to know if anyone has seen this issue before with this plugin. I really like this plugin and would love to continue to use it.

    A little more background: I started getting the error randomly this morning. The plugin has worked fine up until this morning. It was the latest version of this plugin.

    Cheers!

    http://wordpress.org/extend/plugins/login-lock/

  2. wkeving
    Member
    Posted 3 years ago #

    I just started getting the error today, though it may have started sometime in the last few weeks as I haven't logged in recently.

  3. phoenixMagoo
    Member
    Posted 3 years ago #

    It seems to break server-wide. I manage a handful of WordPress sites on three different servers. Once 1 site has a redirect loop error, all the sites on the same server get the error. I'm not really sure if this helps anyone with a fix, but I think it might shed a little light on the problem.

    I've also read that this plugin is not supported and the developer(s) aren't responding to help emails about this issue. I would suggest moving on to another brute force security plugin and periodically check back on the status of Login Lock. It could be lights out.

  4. thedevnull
    Member
    Posted 3 years ago #

    I'm seeing this same issue as well. I shut off the Enable the password policies and it still is expiring my passwords. This plugin has a LOT of bugs in it that remain unfixed. I'm not sure the dev is really updating it.. =(

  5. aquila99
    Member
    Posted 3 years ago #

    I just had this issue: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects (Chrome) and The page isn't redirecting properly (Firefox). It came out of nowhere and I wasn't able to log-in to my site.

    Once I removed the plugin login-lock I was able to login without any other changes.

    I added the plugin login-lock back and I couldn't login.

    Finally I just removed it, I'm looking for another plugin of the sort.

  6. lomaymi
    Member
    Posted 3 years ago #

    Got this message today on two of my websites (which are on two different hosts). After I manually deactivated the plugin by going to phpMyAdmin, both websites started working again.

  7. phoenixMagoo
    Member
    Posted 3 years ago #

    Yeah. I'm thinking this plugin is not going to be updated by the developer. I've switched over to LoginLock. It's not as robust, but still is good for protecting against brute force attacks.

    Also, you can always deactivate a plugin by simply renaming or moving the plugin folder. It's a bit easier and doesn't require messing around in the database. Just another option.

    Cheers!

  8. camaleo
    Member
    Posted 3 years ago #

    I got the same problem 30 days after I installed the plugin. The problem arises when the plugin wants to force you to change the password.

    Once you get the redirection loop just open the site home page (at that moment you are already logged in) and you will see a page asking to enter a new password: enter the new password and you will be redirected to the dashboard.

    :D

  9. Michael Davis
    Member
    Posted 3 years ago #

    Yeah, this might not actually be a bug, but the amateur-looking page that you can't get rid of without clearing the browser's cookies looks like something created to do harm.

    This had me scanning my computer for viruses repeatedly before I tried disabling plugins. I sure had a higher opinion of this plugin before all this.

    And the fact that they don't respond to emails after their website encourages us to email them... all this has me smelling something phony and maybe it needs to be removed from the repository.

    Has anyone gone through the code line for line to see if they are even legit?

  10. Shawn33
    Member
    Posted 3 years ago #

    Just wanted to add my 2 cents here. For me the plugin stopped blocking login attempts at all and so is essentially worthless now. Tried to contact the developer and got no response. I don't think the developer is active with his website or plugins and I have removed login lock from my site.

    Anyone know if login lock makes any other changes to the database than just adding the wp_login_fails and wp_lockdown tables?

    Deleting the plugin did not remove these tables so if any other changes were made they are probably still in there.

    Not sure what happened to this plugin.

    Thanks.

  11. Hartech Softworks
    Member
    Posted 3 years ago #

    I have just noticed this problem on my sites, the plugin is broken.

  12. Saturn
    Member
    Posted 3 years ago #

    plugin is broken.

  13. nixonvs
    Member
    Posted 3 years ago #

    Clearly the plugin is broken and then I tried to visit the site and the certificate expired so I didn't go any further. I can't even email them. Dammit. I liked this plugin but the redirect loop issue is scary. I wonder if someone else had tried to visit my site and got that redirect would have been able to enter a new password and take over. Oh well.

    Funny thing is there's a link to donate to the site on my page. Yeah, right. It's gotta work to get my money (and I DO donate to some that work well).

    And since I notice there are no responses here from them, guess it's dead.

  14. nixonvs
    Member
    Posted 3 years ago #

    IMPORTANT UPDATE - THEIR TWITTER FEED TODAY 6/21 SAYS SOMETHING ABOUT HACKING. Again, didn't click link because their site certificate isn't right. https://twitter.com/wpsecurity/status/83341473415827457

  15. Saturn
    Member
    Posted 3 years ago #

    that's about wordpress' repository being hacked. nothing to do with WPSecurity.

    as for their certificate, it just expired. just means they've been too lazy to update it. but for a security site, somewhat sketchy.

  16. Saturn
    Member
    Posted 3 years ago #

    also that post is from a year ago (note the date - 2011, not 2012)

  17. brasofilo
    Member
    Posted 3 years ago #

    Could everybody who didn't report on the Compatibility box of this plugin that it is broken, please do so?

    Thanks :)

  18. douglaskastle
    Member
    Posted 2 years ago #

    I have run into this problem too many times on multiple wordpress installs, I have disabled this plugin.

    Also very surprised a website dedicated to security would let their SSL certificate expire.

  19. nixonvs
    Member
    Posted 2 years ago #

    Amen, Douglas! I emailed them about that months ago and still no fix.

  20. CreativeLoom
    Member
    Posted 2 years ago #

    Hi Everyone,

    I had to fix this recently for a client. The problem seems to be occurring because the plugin is trying to include wp-login.php in order to render the password reset box. There's a redirect at the top of wp-login.php, so potentially once the redirect occurs the plugin is triggered again and therefore calls the wp-login.php file once more...

    This is just a theory, it might even be occurring later on in wp-login.php, but the point is, to fix it, I went into the [wordpress-root-folder]/wp-content/plugins/login-lock/loginlock.php and replaced the function 'll_login_header' (starts on line 41) with the one below. Most of the code is already in the function but it's commented out, though it works:

    function ll_login_header($title = 'Log In', $message = '', $wp_error = '') {
    		global $error, $is_iphone, $interim_login, $current_site;
    
    		/*if ( !function_exists( 'login_header' ) ) {
    
    			ob_start();
    			require_once( ABSPATH . '/wp-login.php' );
    			ob_end_clean(); 
    
    		}
    
    		login_header( $title, $message, $wp_error );*/
    
    		add_filter( 'pre_option_blog_public', '__return_zero' );
    		add_action( 'login_head', 'noindex' );
    
    		if ( empty($wp_error) )
    			$wp_error = new WP_Error();
    
    		$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
    		$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
    
    		if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
    			add_action( 'login_head', 'wp_shake_js', 12 );
    
    		?>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
    <head>
    	<title><?php bloginfo('name'); ?> › <?php echo $title; ?></title>
    	<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
    <?php
    	wp_admin_css( 'login', true );
    	wp_admin_css( 'colors-fresh', true );
    
    	if ( $is_iphone ) { ?>
    	<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" />
    	<style type="text/css" media="screen">
    	form { margin-left: 0px; }
    	#login { margin-top: 20px; }
    	</style>
    <?php
    	} elseif ( isset($interim_login) && $interim_login ) { ?>
    	<style type="text/css" media="all">
    	.login #login { margin: 20px auto; }
    	</style>
    <?php
    	}
    
    	do_action( 'login_enqueue_scripts' );
    	do_action( 'login_head' ); ?>
    </head>
    	<body class="login">
    	<?php   if ( !is_multisite() ) { ?>
    	<div id="login"><h1><a href="<?php echo apply_filters('login_headerurl', 'http://wordpress.org/'); ?>" title="<?php echo apply_filters('login_headertitle', esc_attr__('Powered by WordPress')); ?>"><?php bloginfo('name'); ?></a></h1>
    	<?php   } else { ?>
    	<div id="login"><h1><a href="<?php echo apply_filters('login_headerurl', network_home_url() ); ?>" title="<?php echo apply_filters('login_headertitle', esc_attr($current_site->site_name) ); ?>"><span class="hide"><?php bloginfo('name'); ?></span></a></h1>
    	<?php   }
    
    		$message = apply_filters('login_message', $message);
    		if ( !empty( $message ) ) echo $message . "\n";
    
    		// Incase a plugin uses $error rather than the $errors object
    		if ( !empty( $error ) ) {
    			$wp_error->add('error', $error);
    			unset($error);
    		}
    
    		if ( $wp_error->get_error_code() ) {
    			$errors = '';
    			$messages = '';
    			foreach ( $wp_error->get_error_codes() as $code ) {
    				$severity = $wp_error->get_error_data($code);
    				foreach ( $wp_error->get_error_messages($code) as $error ) {
    					if ( 'message' == $severity )
    						$messages .= '  ' . $error . "<br />\n";
    					else
    						$errors .= '    ' . $error . "<br />\n";
    				}
    			}
    			if ( !empty($errors) )
    				echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
    			if ( !empty($messages) )
    				echo '<p class="message">' . apply_filters('login_messages', $messages) . "</p>\n";
    		}
    }

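
The redirect loop reported in this thread can be caught by an outside health check before users hit it. The following is an added example, not part of the original post or of the plugin's code: it follows redirects one hop at a time and flags a loop when the same URL is requested again with the same cookie state. The `fetch` callback, the two sample sites, `example.test` and the cookie name are constructed for illustration.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def trace_redirects(start_url, fetch, max_hops=20):
    """Follow redirects hop by hop and classify the outcome.

    fetch(url, cookies) must return (status, location, set_cookies).
    Returns (verdict, chain); verdict is "final", "loop" or "too_many".
    """
    cookies, seen, chain = {}, set(), []
    url = start_url
    for _ in range(max_hops):
        chain.append(url)
        # The same URL requested with the same cookies can never make progress.
        state = (url, tuple(sorted(cookies.items())))
        if state in seen:
            return "loop", chain
        seen.add(state)
        status, location, set_cookies = fetch(url, cookies)
        cookies.update(set_cookies)
        if status not in REDIRECT_CODES or not location:
            return "final", chain
        url = urljoin(url, location)
    return "too_many", chain


# Constructed stand-ins for a real HTTP client, so the example runs offline.
def looping_login(url, cookies):
    # Models the symptom in this thread: the login page redirects to itself.
    return 302, "/wp-login.php", {}


def healthy_login(url, cookies):
    # One redirect that sets a (made-up) cookie, then the login form is served.
    if "constructed_cookie" not in cookies:
        return 302, "/wp-login.php", {"constructed_cookie": "1"}
    return 200, None, {}


if __name__ == "__main__":
    start = "https://example.test/wp-login.php"
    for site in (looping_login, healthy_login):
        verdict, chain = trace_redirects(start, site)
        print(site.__name__, verdict, len(chain), "requests")
```

Tracking cookies alongside the URL matters here: a redirect back to the same address is normal when the first response sets a cookie, and only a repeat with unchanged cookies is a true loop.
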
  21. Daniel Convissor
    Member
    Posted 2 years ago #

    nixonvs:

    Funny thing is there's a link to donate to the site on my page. Yeah, right. It's gotta work to get my money (and I DO donate to some that work well).

    Let alone sticking a donation link onto end users' websites, particularly without asking or providing a way to opt out, is tacky. When I tried to improve this plugin by contributing patches, the developer was put off by my taking those links out.

    So instead of forking and giving back, it was clear I needed to make a whole new plugin: Login Security Solution. It's solid, has unit tests and a far better feature set.

    --Dan

  22. esmi
    Forum Moderator
    Posted 2 years ago #

    Let alone sticking a donation link onto end users' websites, particularly without asking or providing a way to opt out, is tacky

    I've asked for the plugin to be investigated.

  23. It's not a donation link, that I can see, but a credit link on the login page. Which should be removed and made optional (it's borderline 'front facing' but enough that it's shady)

  24. Daniel Convissor
    Member
    Posted 2 years ago #

    Woah! Seems that investigation got the plugin yanked. Going to http://wordpress.org/extend/plugins/login-lock/ produces "Whoops! We couldn't find that plugin..."

  25. CreativeLoom
    Member
    Posted 2 years ago #

    Dan:

    Nice work with the plugin, after seeing your post I checked it out. I'll be recommending my client switches to using Login Security Solution. It's a pain being stuck with a plugin that's no longer maintained.

    Thanks

  26. nixonvs
    Member
    Posted 2 years ago #

    And good for us. It just goes to show you don't have to raise a lot of hell to make a point. Just speak up.

    Even if a plugin is free, if it's not maintained it's not worth the platform it's built on!

  27. douglaskastle
    Member
    Posted 2 years ago #

    Interesting result. Maybe this is a discussion for another part of the forum but I have been thinking about the ongoing support for plugins. A once great and maintained plugin that just rots. I wouldn't have known it was dud unless I consulted here, seems potentially dangerous. Consider the case of a person writing a good and useful app, then once uptake is sufficient introducing a bug that allows hackers to own your website. To me it's a case of when not if. I have a bad feeling about the long term future of WordPress from a security perspective. This plugin is a good example.

    Anyway, glad to see the plugin pulled and will investigate the alternate plugin to see if it is a workable alternative, I will report any bugs or questions there.

  28. Aaron Tweeton
    Member
    Posted 2 years ago #

    I had to use ManageWP to remove Login Lock from the sites I manage. Sorry to see I wasn't alone.

  29. Mark
    Member
    Plugin Author

    Posted 2 years ago #

    A couple of points here:

    - The plugin put a link on the login page so that admins can find help when they lock themselves out of their site. Simple as that. This was BY REQUEST from plugin users.

    - To our knowledge no one ever contacted us from WordPress.org regarding the link on the login page. Had they done so we could have readily explained that users ASKED for it - and of course we could remove it had anyone in authority asked us to do so.

    - We stopped supporting Login Lock some time ago because demand was high and "thanks" was nearly non-existent. A typical scenario is where someone calls our toll free number and says "Hi, I use your Login Lock plugin. Someone hacked my site. How soon can you clean it up?" - multiply that times many per month, with 99% of callers having zero funds to spend on clean up. Nevertheless, we cleaned up many, many sites for free. We can no longer do that.

    - Anyone is, and always has been, free to modify our GPL code any way they see fit.

    - We let the SSL cert go on the site because as you may notice the site is now empty...

    - Apologies that we can't continue providing people free support. It got to the point where it took too much time, which obviously distracts from earning money to get the bills paid.

  30. WP Monkey
    Member
    Posted 2 years ago #

    So sorry to hear that Mark, this is a fantastic plugin. Please consider making this a premium plugin. I would gladly pay for this plugin to support your efforts.

Topic Closed

This topic has been closed to new replies.
