Bug – Reset password link invalid after renaming login page

Hi can you check the log files? Do you have any other plugin that might interfere with the password reset function?

mbrsolution – which login files? what specifically am I looking for? If you can give me some direction I will try to troubleshoot.

My gut tells me it is not a conflict with another plugin. AIOWS is the only security plugin I am using.

I’m switching to this user account (instead of DLo978) for conversing on this thread. It is the more relevant account.

@dlo978 someone had this issue as well and it turned out to be the theme they were using. Can you test one of WordPress default themes like Twenty Fourteen or so?

For the log file go to WP Security -> Dashboard -> AIOWPS Logs.

Hi mbrsolution –

I’ve located the problem. I was able to replicate the issue with a completely clean install of WordPress multisite. No content, no themes. I’m pretty sure the issue is that the rename login page feature of AIOWS does not work with multisite.

If I turn that feature off it works. If I turn that feature on in multisite, I get the error above when trying to reset my password. I have tried the rename login page feature on other single installs of WordPress and have no issue.

Just to follow through on the troubleshooting you suggested, I checked the logs and there was no messages related to my repeated attempts.

Also, one curious thing. When you try to replicate this yourself using a clean install of multisite and that one setting turned on, the first time it works. I replicated that twice. But subsequent attempts don’t work. I’m not sure if that is indicative of a cookie change, or maybe a hidden field that isn’t present on the form the first time before adding AIOWS.

Anyway, I’m confident that if you try a clean install, change the login page, and then try to reset your password more than once, you will get the same error.

Assuming this is a multisite issue, it’s a real bummer. It’s the second AIOWS bug I’ve found with multisite, and it makes the plugin impossible to use. On single sites it seems ok, but I wish I could use it across the board.

Hi thank you for your reporting your finding. The plugin developers will investigate further your issue.

Regards

I have just tested this on multi-site environment and I cannot reproduce the issue you are seeing.
If you would like me to personally look into this further for you, you can contact me and we can work something out.
https://wpsolutions-hq.com/contact/

@webdevdlo, are you still having issues?

Thank you for following up and asking mbrsolution. I no longer use the plugin.

@webdevdlo thank you for reporting back.

I will mark this thread as resolved.

For anyone else having this issue:

Are you by any chance hosting your site on wpengine or perhaps with a hosting company which caches pages?

My investigations have revealed that the “Your password reset link appears to be invalid” error is caused by server caching and cookies.

The wpengine site states the following:

Cookies and PHP $_SESSION variables are used by many plugins and themes for WordPress. While we don’t currently prevent cookies or sessions, they may not work as you expect on our servers.
…………..
There are certain special cases, where caching is disabled. One such case is when the website visitor logs into WordPress. WordPress sets cookies related to that login, and our system is set up to recognize those WordPress login cookies. When those cookies are found and are valid, then page caching is disabled.

Another special case where caching needs to be disabled is for eCommerce sites. Sections of the site, such as product pages, the cart, and the checkout page, need to be un-cached for all visitors. Because these settings can vary from site to site, we currently require you to open a 24/7 Live Chat, which you can do from within your User Portal.

The fix for this is quite easy:
Contact wpengine support (or your host provider) and explain to them that your wp-login page is the not standard page one would normally use. Tell them that for security purposes you are hiding your login page and give them the link to hidden page. Then ask them to permanently uncache any visits to your hidden login page and to treat the login cookies for the hidden page as they do for the normal login page.