chandelierrr
Forum Replies Created
Hi @c9a,
Thanks for reporting this, and for confirming this on WordPress 6.9.4.
From what you described, and from our initial code review, this likely comes from Orderable’s Receipt Layouts feature applying a block allowlist too broadly in the editor. That filter is meant for receipt layouts, but it may also run on normal Pages and Posts. Spectra registers many blocks in JavaScript, and that type of allowlist can exclude them, and that would match missing Spectra blocks, failed paste, and missing List View options, and it fits your test where deactivating Orderable fixes everything.
I have not confirmed this on a staging site yet, but your steps are clear and I have logged it for a proper fix. For now, deactivating Orderable only while editing those pages is the temporary workaround.
Thanks again for taking the time to report it.
Hi @bentziwpbinder, thanks for reporting this, and we’re here to help.
Kadence Security’s dashboard and User Security screens load through the WordPress REST API and JavaScript, so when the dashboard is blank or filters/settings do not stick, it is usually an environment or conflict issue.
To narrow it down, please try these steps:
- Update Kadence Security to the latest version.
- Conflict test: deactivate all other plugins except Kadence Security, switch to a default theme (Twenty Twenty-Five), then check the dashboard and User Security filters again.
- If you use JS minification/combine in a cache plugin, exclude Kadence Security scripts or turn that off temporarily.
- Confirm the REST API is reachable: visit `yoursite.com/wp-json/` in the browser. If that fails or redirects oddly, check server rules, security plugins, or Hide Backend settings.
- Confirm your server allows the HTTP methods the REST API needs. Some hosts, WAFs, or `.htaccess` rules block `PUT`, `PATCH`, `DELETE`, or `OPTIONS`, which can prevent settings from saving and filters from applying. Your host or server admin can verify that `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, and `OPTIONS` are allowed for `/wp-json/` requests.
- Add `define( 'SCRIPT_DEBUG', true );` to `wp-config.php` temporarily, reload the Security pages, and note any new console errors.
If the conflict test fixes it, reactivate plugins one by one to find the culprit. If it still fails with only Kadence Security active, try deactivating and reinstalling a fresh copy from WordPress.org.
Let us know how it goes.
Hi there,
Thanks for reaching out!
Resetting MFA so each person scans a new QR code on login is doable, but there is not a single “Reset MFA” button for another user in the plugin settings. Also, after a hosting move, MFA often stops working for everyone because of the encryption key, so it is worth checking that before you reset users one by one.
First, check the hosting migration:
Kadence Security stores Mobile App 2FA secrets encrypted using `ITSEC_ENCRYPTION_KEY` in wp-config.php. If that constant was missing or changed during the move, existing authenticator codes will not work.
1. Compare `ITSEC_ENCRYPTION_KEY` on the new server with the value from your old host (or a backup of wp-config.php).
2. If it changed, go to Security → Tools → Rotate Encryption Key, enter the previous key, and run the tool.
3. Have a user test their existing app code again before you reset everyone.
If codes are still rejected after that, also confirm the server time is correct. TOTP codes depend on accurate time.
To force one user through a fresh MFA setup (admin)
The current profile UI is mainly for each user’s own account. To clear 2FA for another user, use the legacy profile layout:
1. Add this line to wp-config.php (above “That’s all, stop editing!”): `define( 'SOLID_SECURITY_LEGACY_2FA_UI', true );`
2. Go to Users → All Users, edit the user.
3. Scroll to Two-Factor Authentication Options.
4. Uncheck every method under Enabled, then click Update User.
5. Have the user log out, remove the old site entry from their authenticator app, and log in again.
If Require Two-Factor (Pro) applies to that user’s role/group, they should be sent through the 2FA onboarding flow and can scan a new QR code there.
If a user can still log in
They can go to Users → Profile, open Solid Security Two-Factor Authentication, click Configure, choose Mobile App, and complete setup with a new QR code. If they only see Configure and cannot get a new secret, the legacy UI constant above also restores the older layout with Generate new secret.
If users are locked out
Temporarily add this to wp-config.php so they can log in with username and password only: `define( 'ITSEC_DISABLE_TWO_FACTOR', true );`
Remove that line (or comment it out) as soon as users have set up 2FA again. Leaving it in disables 2FA for the whole site.
Doing this for many users
There is no bulk “reset all MFA” action in the plugin today, so you’ll need to repeat the per-user steps above, or use WP-CLI if your host provides shell access (`wp itsec two-factor user method disable` for each method per user).
Helpful doc: https://www.liquidweb.com/help-docs/software/kadence/solid/security/configure-2fa/
Hi @akhilalosious,
Thanks for reaching out and for including the Network tab details. That `rest_no_route` response is a helpful clue.
When you click No > Skip Site Scan, Kadence Security saves your answer and moves setup to the next step. That happens through a REST API request (a PUT to `/wp-json/ithemes-security/v1/site-types/non-profit`). The button itself does not run a scan, but it still needs that REST call to succeed.
Getting a 404 with `rest_no_route` on that action usually means WordPress received the request, but the server or something on the site blocked the specific method or route the plugin needs.
Kindly try these steps for troubleshooting:
- Go to Settings → Permalinks and make sure you are not using Plain. Resave the permalinks to flush them.
- Confirm the REST API is working by visiting:
  - https://yoursite.com/wp-json
  - https://yoursite.com/wp-json/ithemes-security/v1/site-types
  - You should see JSON, not a blank page or HTML error. 401 is okay.
- Confirm with your hosting provider that the server allows all REST HTTP methods: GET, POST, PUT, PATCH, DELETE, and OPTIONS (this is an important step)
- If the problem persists, rule out plugin or theme conflicts on a staging environment.
I hope this helps!
- This reply was modified 6 days, 9 hours ago by chandelierrr. Reason: incorrect format
Hi Patrice,
Thanks for reaching out.
No, the current Kadence Security does not include a setting to mask or hide the WordPress version (not in Pro either).
What you can use instead in Kadence Security is to enable Protect System Files (enabled by default) under Security → Settings → Advanced → System Tweaks, which helps block public access to files like `readme.html` that can reveal version information (although it’s not full version masking).
If you still want to hide the generator tag, you may need to use a small custom code snippet (child theme or code snippets plugin) to remove the generator meta tag from the page source.
I hope this helps.
Hi @jeffscroggs,
Glad you reached out, and thanks for sharing the error details.
The Fatal Error/Scan Failed entry doesn’t necessarily mean PHP crashed on your site. In Kadence Security, that log type means the File Change scan was interrupted before it could finish. Your log shows it stopped during the “get-files” step on the uploads chunk (when the plugin walks `wp-content/uploads` and hashes files to compare against the last scan).
The `apple-touch-icon.png` URL in the log is just the page request that happened to be running when the failure was recorded (notice there’s no logged-in user) and it’s not the file that caused the problem.
Kindly try these steps and observe if it resolves the error:
- In Security → Settings → Features → Site Check → File Change, under Excluded Files and Folders, consider excluding `/wp-content/uploads` (or specific heavy subfolders like backup/cache dirs if you use those).
- Under Ignore File Types, add extensions you don’t need monitored such as `.pdf`, `.zip`, `.doc`, `.docx`, if those make up most of your uploads.
- Wait for another File Change scan to run and check Security → Logs around the same time for related recovery entries. Those confirm a timeout/stuck scan rather than a specific bad file.
- If scans keep failing: enable Debug (under the Security menu), go to Scheduler, click Reset, then re-run your scans.
  - To enable Debug, open your `wp-config.php` file and paste this code: `define('ITSEC_DEBUG', true);` before the line that says `/* That's all, stop editing! Happy publishing. */`
- Ask your host (or check your server error log) whether PHP hit a max execution time limit around `2026-06-11 19:19`.
Let us know how it goes.
Hi @wp207, can you please try to check if you can submit via our contact form here? https://software.liquidweb.com/support/
Hi @wp207,
Glad you reached out and we’re here to help!
In order to give you the next best steps, can you please confirm whether you’re referring to the Site Scan functionality of the plugin?
If so, kindly forward the raw details of the error that you’re seeing in Security > Logs.
If the problem is different, kindly elaborate the issue and if possible, include screenshots/error details.
Looking forward to your response.
Hello @digitaliway,
Glad you reached out, and thanks for providing the error details.
Based on the stack trace, our REST “request from URL” hook is getting an unexpected value (not a full request), then calling code that assumes it always is one, causing a fatal error.
Can you please try these checks to see if it helps:
- Update Kadence Security to the latest version
- In WP Settings → General, confirm WordPress Address and Site Address all show “https”
- In WP Settings → Permalinks, click Save once to flush rewrite rules
If it still fails, kindly proceed with a conflict check on a staging environment where you can replicate the issue. Temporarily deactivate other plugins (and switch to a default theme), then try our Settings screen again. If it only breaks with everything else on, note which plugin/theme combination first brings it back.
Let us know what you find out.
Hi @isidore1964,
No worries at all, and glad you narrowed it down!
I’ll close this thread for now, but please don’t hesitate to reach out again anytime.
Hi @crdunst,
Glad you reached out to us, and fair question given the release notes.
Yes, the Two-Factor Authentication functionality remains the same. The QR change is only for the optional authenticator-app setup, not for the email-code flow.
I hope this helps!
Hi @isidore1964,
Glad you reached out, and sorry you’re running into trouble after the update.
To help isolate the cause, we need a bit more detail from your site. Can you please provide more details about the problem? Specifically:
- What exactly breaks? For example: white screen, PHP error message, block editor won’t load, recipe pages or shortcodes broken, etc. A short list of steps to reproduce the issue helps a lot.
- Errors from WordPress debug logging by temporarily enabling it on a staging environment where the issue occurs. In `wp-config.php`, above the line that says `/* That's all, stop editing! */`, add or set:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );
Then reproduce the problem once, and check `wp-content/debug.log` for new lines from that time.
- Your site environment details: WP version, PHP version, plugin versions, active theme
With the exact symptoms plus debug.log info, we can narrow this down much faster.
Thanks again for taking the time to report this.
Hi @jahggler , thanks for reporting this and for sharing the stack trace.
Since this thread was marked resolved, could you please open a new support topic for this so we can align to the WordPress.org forum guidelines?
Thank you!
Hi @jampotjaffa,
So sorry for the delayed response, and I’m glad you got the issues squared away!
I’m adding some of our help articles here for future reference that can help you when you encounter those issues again:
- Help! I’ve locked myself out of my site! – helpful when you get locked out or forgot the HBE URL.
- Encryption Key Management – can help you set a new encryption key or rotate the existing one, since there’s no option to edit the initial post.
I’ll mark this thread resolved now, but feel free to reach out again if you need help.
Hello @jampotjaffa,
Thanks for the detailed report, and we’re here to help!
Those first two warnings:
- `Constant DISALLOW_FILE_EDIT already defined`
- `Constant FORCE_SSL_ADMIN already defined`
mean those constants are being defined more than once in your `wp-config.php`. They’re normally written there by Solid Security, but in your case the same lines appear twice (often due to a previous iThemes/Solid config block being left in place).
Because those warnings are being output on the page, PHP/WP cannot send redirect/login headers anymore, which then triggers `Cannot modify header information – headers already sent …`
To resolve this, please follow these steps:
- Back up `wp-config.php` first (download a copy)
- In `public_html/wp-config.php`, ensure these are only defined once. So you’ll want to remove the duplicate copies.
  - `define( 'DISALLOW_FILE_EDIT', true );`
  - `define( 'FORCE_SSL_ADMIN', true );`
- Save the changes.
Also, please remove your `ITSEC_ENCRYPTION_KEY` from the forum post (it shouldn’t be shared publicly).
The end result should look like:
// BEGIN Solid Security - Do not modify or remove this line
// Solid Security Config Details: 2
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
// END Solid Security - Do not modify or remove this line
define( 'ITSEC_ENCRYPTION_KEY', '…keep-this…' );
If you’re locked out and can’t reach wp-admin yet, you can temporarily disable Solid Security via FTP/File Manager by renaming: `wp-content/plugins/better-wp-security/` to `better-wp-security.disabled/` then try logging in again.
Once the duplicate defines are fixed, you can rename the folder back to re-enable the plugin.
I hope this helps.
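A way to check a `wp-config.php` for the two conditions these replies warn about, constants defined more than once and temporary troubleshooting switches left enabled. This is an added example, not code from the plugin or from the replies; `audit_wp_config`, `strip_comments`, `TEMPORARY` and the sample file are hypothetical and constructed for illustration.

```python
import re

# define( 'NAME', value ); with single or double quotes around the name.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

# Switches the replies above describe as temporary troubleshooting aids.
TEMPORARY = {"ITSEC_DISABLE_TWO_FACTOR", "SOLID_SECURITY_LEGACY_2FA_UI",
             "ITSEC_DEBUG", "SCRIPT_DEBUG", "WP_DEBUG"}

def strip_comments(php):
    """Heuristic: blank /* */ blocks (keeping line count) and // comments."""
    php = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 php, flags=re.S)
    return [re.sub(r"(^|\s)//.*$", "", line) for line in php.splitlines()]

def audit_wp_config(php):
    """Return (duplicates, leftovers) for the text of a wp-config.php."""
    seen, enabled = {}, set()
    for lineno, line in enumerate(strip_comments(php), start=1):
        for name, value in DEFINE_RE.findall(line):
            seen.setdefault(name, []).append(lineno)
            if value.lower() in ("true", "1"):
                enabled.add(name)
    duplicates = {n: ls for n, ls in seen.items() if len(ls) > 1}
    return duplicates, sorted(TEMPORARY & enabled)

# Constructed sample, not taken from any real site.
SAMPLE = """<?php
// BEGIN Solid Security - Do not modify or remove this line
// Solid Security Config Details: 2
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
// END Solid Security - Do not modify or remove this line
// define( 'ITSEC_DEBUG', true );
define( 'ITSEC_DISABLE_TWO_FACTOR', true );
define( 'ITSEC_ENCRYPTION_KEY', 'PLACEHOLDER' );
// leftover copy from an earlier config block (constructed)
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
"""

if __name__ == "__main__":
    dups, left = audit_wp_config(SAMPLE)
    for name, lines in dups.items():
        print(f"{name} defined more than once: lines {lines}")
    for name in left:
        print(f"{name} is still enabled; remove it once troubleshooting is done")
```

Run it against a downloaded copy of the file rather than the live one; the comment stripping is a heuristic and can miss a define whose string value contains ` //`.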